In this guide:
Description
This endpoint can be used to create a remediation incident, by messageId, file hash or a url contained in an email. A successful call will return the incident information, and will take the same actions as a manual remediation incident created in the Administration Console. Note: Currently this endpoint does not support image file hashes.
Pre-requisites
- In order to successfully use this endpoint the logged in user must be a Mimecast administrator with at least the Services | Threat Remediation | Edit permission.
URI
To use this endpoint you send a POST request to:
- api/ttp/remediation/create
Request Headers
The following request headers must be included in your request:
| Field | Description |
|---|---|
| Authorization | Please see the Authorization guide for more information on building the Authorization header. |
| x-mc-req-id |
A randomly generated GUID, for example, |
| x-mc-app-id | The Application ID provided with your Registered API Application. |
| x-mc-date |
The current date and time in the following format, for example, |
Request Body
{
"data": [
{
"reason": "Remediate by URL",
"searchBy": "url",
"start": "2022-01-20T00:00:00+00:00",
"hashOrMessageId": "c6617708516e3...",
"end": "2022-01-22T00:00:00+00:00",
"url": "https://www.domain.tld/path/to/unwanted/content"
}
]
}Data
| Field | Type | Required | Description |
|---|---|---|---|
| reason | String | Required | The reason for creating the remediation incident. |
| searchBy | String | Optional | The message component in which to search by. Must be one of 'hash', 'messageId' or 'url'. When using 'messageId', the '<' '>' delimiters are required. |
| start | Date String | Optional | Timestamp of the earliest messages to remediate. If none is provided, will default to last calendar month. |
| hashOrMessageId | String | Optional | File hash or message ID, depending on the value of the 'searchBy' field. Exclude if searching by url. |
| end | Date String | Optional | Timestamp of the most recent message to remediate. If none is provided, will default to the current timestamp. |
| url | String | Optional | URL present in an email that should be remediated. This field is required when setting searchBy field to url. Should be a decoded, non-Mimecast rewritten URL. |
Response
{
"fail": [],
"meta": {
"status": 200
},
"data": [
{
"reason": "Remediate by URL",
"fileRemediationExpiryTime": "2022-02-22T00:00:00+00:00",
"fileRemediationCanBeCancelled": true,
"code": "TR-CDEV1A705803-00546-M",
"SearchCriteria Object": {
"subject": "Need a favor ASAP!",
"unremediateCode": "eNp1jssKgkAYRt9ltiWNOaa...",
"start": "2021-12-20T00:00:00+00:00",
"fileHash": "c6617708516e39a0b28b288304f1...",
"messageId": "<783E9C60-236B@domain.tld>",
"restoreCode": "eNp1jssKgkAYRt9ltiWNOaa...",
"from": "sender@domain.tld",
"end": "2022-01-22T00:00:00+00:00",
"to": "recipient@domain.tld",
"url": "https://www.domain.tld/path/to/unwanted/content"
},
"failed": 0,
"type": "manual",
"removeFromDevice": "all",
"remediatedBy": "admin@domain.tld",
"identified": 0,
"fileRemediationCancelled": "2022-01-20T00:00:00+00:00",
"create": "2022-01-20T00:00:00+00:00",
"modified": "2022-01-20T00:00:00+00:00",
"restored": 0,
"id": "eNp1jssKgkAYRt9ltiWNOaa2MwvGRI3MKAhExp-cvOaNMH...",
"successful": 0
}
]
}meta
| Field | Type | Description |
|---|---|---|
| status | Number | The function level status of the request. |
data
| Field | Type | Description |
|---|---|---|
| reason | String | The reason provided at the creation of the remediation incident. |
| fileRemediationExpiryTime | Date String | Timestamp of a file-bases remediation should expiration in ISO 8601 format. |
| fileRemediationCanBeCancelled | Boolean | Indicates whether the file remediation incident can still be cancelled. |
| code | String | The incident code generated at creation, to be used as a reference for the remediation incident lookup. |
| SearchCriteria Object | Object | The search criteria used to identify messages. |
| failed | Number | The number of messages that failed to remediate. |
| type | String | Type of incident. Possible values are 'notify_only', 'automatic', 'manual' or 'restored'. |
| removeFromDevice | String | The devices where the downloaded file should be removed from. Possible values are 'recipient' or 'all'. |
| remediatedBy | String | Email address of the user who created the remediation incident. |
| identified | Number | Number of messages identified with provided search criteria. |
| fileRemediationCancelled | Date String | Timestamp of an incident cancellation, if it has been cancelled, in ISO 8601 format. |
| create | Date String | Timestamp of the incident creation in ISO 8601 format |
| modified | Date String | Timestamp of the incident's last modification date in ISO 8601 format |
| restored | Number | The number of messages that were restored, if incident was a restore. |
| id | String | The Mimecast secure ID of the remediation incident. |
| successful | Number | The number successfully remediated messages. |
Search Criteria
| Field | Type | Description |
|---|---|---|
| subject | String | Message subject line of the remediated message. |
| unremediateCode | String | The Mimecast code used to restore a previously remediated message. |
| start | Date String | The start date of messages included in ISO 8601 format. |
| fileHash | String | The file hash used in creation of the remediation incident. |
| messageId | String | The message id use in creation of the remediation incident. |
| restoreCode | String | The restore code used if the incident type is restore. |
| from | String | The sender address of the message. |
| end | String | The end date of messages included in ISO 8601 format. |
| to | String | The recipient email address of the message. |
| url | String | URL used to create the remediation incident, if remediation type is URL. |
Sample Code
Sample code is provided to demonstrate how to use the API and is not representative of a production application. To use the sample code; complete the required variables as described, populate the desired values in the request body, and execute in your favorite IDE. Please see the Global Base URL's page to find the correct base URL to use for your account.
POST {base_url}api/ttp/remediation/create
Authorization: MC {accesskKey}:{Base64 encoded signed Data To Sign}
x-mc-date: {dateTime}
x-mc-req-id: {unique id}
x-mc-app-id: {applicationId}
Content-Type: application/json
Accept: application/json
{
"data": [
{
"reason": "Remediate by URL",
"searchBy": "url",
"start": "2022-01-20T00:00:00+00:00",
"hashOrMessageId": "c6617708516e3...",
"end": "2022-01-22T00:00:00+00:00",
"url": "https://www.domain.tld/path/to/unwanted/content"
}
]
}
import base64
import hashlib
import hmac
import uuid
import datetime
import requests
# Setup required variables
base_url = "https://xx-api.mimecast.com"
uri = "api/ttp/remediation/create"
url = base_url + uri
access_key = "YOUR ACCESS KEY"
secret_key = "YOUR SECRET KEY"
app_id = "YOUR APPLICATION ID"
app_key = "YOUR APPLICATION KEY"
# Generate request header values
request_id = str(uuid.uuid4())
hdr_date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S") + " UTC"
# DataToSign is used in hmac_sha1
dataToSign = ':'.join([hdr_date, request_id, uri, app_key])
# Create the HMAC SHA1 of the Base64 decoded secret key for the Authorization header
hmac_sha1 = hmac.new(base64.b64decode(secret_key), dataToSign.encode(), digestmod=hashlib.sha1).digest()
# Use the HMAC SHA1 value to sign the hdrDate + ":" requestId + ":" + URI + ":" + appkey
sig = base64.b64encode(hmac_sha1).rstrip()
# Create request headers
headers = {
'Authorization': 'MC ' + access_key + ':' + sig.decode(),
'x-mc-app-id': app_id,
'x-mc-date': hdr_date,
'x-mc-req-id': request_id,
'Content-Type': 'application/json'
}
payload = {
'data': [
{
'reason': 'Remediate by URL',
'searchBy': 'url',
'start': '2022-01-20T00:00:00+00:00',
'hashOrMessageId': 'c6617708516e3...',
'end': '2022-01-22T00:00:00+00:00',
'url': 'https://www.domain.tld/path/to/unwanted/content'
}
]
}
r = requests.post(url=url, headers=headers, data=str(payload))
print(r.text)static void Main(string[] args)
{
//Setup required variables
string baseUrl = "https://xx-api.mimecast.com";
string uri = "api/ttp/remediation/create";
string accessKey = "YOUR ACCESS KEY";
string secretKey = "YOUR SECRET KEY";
string appId = "YOUR APPLICATION ID";
string appKey = "YOUR APPLICATION KEY";
//Generate request header values
string hdrDate = System.DateTime.Now.ToUniversalTime().ToString("R");
string requestId = System.Guid.NewGuid().ToString();
//Create the HMAC SHA1 of the Base64 decoded secret key for the Authorization header
System.Security.Cryptography.HMAC h = new System.Security.Cryptography.HMACSHA1(System.Convert.FromBase64String(secretKey));
//Use the HMAC SHA1 value to sign the hdrDate + ":" requestId + ":" + URI + ":" + appkey
byte[] hash = h.ComputeHash(System.Text.Encoding.Default.GetBytes(hdrDate + ":" + requestId + ":" + uri + ":" + appKey));
//Build the signature to be included in the Authorization header in your request
string signature = "MC " + accessKey + ":" + System.Convert.ToBase64String(hash);
//Build Request
System.Net.HttpWebRequest request = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(baseUrl + uri);
request.Method = "POST";
request.ContentType = "application/json";
//Add Headers
request.Headers[System.Net.HttpRequestHeader.Authorization] = signature;
request.Headers.Add("x-mc-date", hdrDate);
request.Headers.Add("x-mc-req-id", requestId);
request.Headers.Add("x-mc-app-id", appId);
//Add request body
//Create and write data to stream
string postData = @"{
""data"": [
{
""reason"": ""Remediate by URL"",
""searchBy"": ""url"",
""start"": ""2022-01-20T00:00:00+00:00"",
""hashOrMessageId"": ""c6617708516e3..."",
""end"": ""2022-01-22T00:00:00+00:00"",
""url"": ""https://www.domain.tld/path/to/unwanted/content""
}
]
}";
byte[] payload = System.Text.Encoding.UTF8.GetBytes(postData);
System.IO.Stream stream = request.GetRequestStream();
stream.Write(payload, 0, payload.Length);
stream.Close();
//Send Request
System.Net.HttpWebResponse response = (System.Net.HttpWebResponse)request.GetResponse();
//Output response to console
System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream());
string responseBody = "";
string temp = null;
while ((temp = reader.ReadLine()) != null)
{
responseBody += temp;
};
System.Console.WriteLine(responseBody);
System.Console.ReadLine();
}#Setup required variables
$baseUrl = "https://xx-api.mimecast.com"
$uri = "api/ttp/remediation/create"
$url = $baseUrl + $uri
$accessKey = "YOUR ACCESS KEY"
$secretKey = "YOUR SECRET KEY"
$appId = "YOUR APPLICATION ID"
$appKey = "YOUR APPLICATION KEY"
#Generate request header values
$hdrDate = (Get-Date).ToUniversalTime().ToString("ddd, dd MMM yyyy HH:mm:ss UTC")
$requestId = [guid]::NewGuid().guid
#Create the HMAC SHA1 of the Base64 decoded secret key for the Authorization header
$sha = New-Object System.Security.Cryptography.HMACSHA1
$sha.key = [Convert]::FromBase64String($secretKey)
$sig = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($hdrDate + ":" + $requestId + ":" + $uri + ":" + $appKey))
$sig = [Convert]::ToBase64String($sig)
#Create Headers
$headers = @{"Authorization" = "MC " + $accessKey + ":" + $sig;
"x-mc-date" = $hdrDate;
"x-mc-app-id" = $appId;
"x-mc-req-id" = $requestId;
"Content-Type" = "application/json"}
#Create post body
$postBody = "{
""data"": [
{
""reason"": ""Remediate by URL"",
""searchBy"": ""url"",
""start"": ""2022-01-20T00:00:00+00:00"",
""hashOrMessageId"": ""c6617708516e3..."",
""end"": ""2022-01-22T00:00:00+00:00"",
""url"": ""https://www.domain.tld/path/to/unwanted/content""
}
]
}"
#Send Request
$response = Invoke-RestMethod -Method Post -Headers $headers -Body $postBody -Uri $url
#Print the response
$responsepublic static void main(String[] args) throws java.io.IOException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException {
//set up variables for request
String baseUrl = "https://xx-api.mimecast.com";
String uri = "api/ttp/remediation/create";
String url = "https://" + baseUrl + uri;
String accessKey = "YOUR ACCESS KEY";
String secretKey = "YOUR SECRET KEY";
String appId = "YOUR APPLICATION ID";
String appKey = "YOUR APPLICATION KEY";
//create URL object
java.net.URL obj = new java.net.URL(url);
// set guid for x-mc-req-id header
String guid = java.util.UUID.randomUUID().toString();
// set date for x-mc-date header
java.text.SimpleDateFormat sdf = new java.text.SimpleDateFormat("EEE, d MMM yyyy HH:mm:ss z");
sdf.setTimeZone(java.util.TimeZone.getTimeZone("UTC"));
String date = sdf.format(new java.util.Date());
//create signature for the Authorization header
String dataToSign = date + ":" + guid + ":" + uri + ":" + appKey;
String hmacSHA1 = "HmacSHA1";
javax.crypto.spec.SecretKeySpec signingKey = new javax.crypto.spec.SecretKeySpec(org.apache.commons.codec.binary.Base64.decodeBase64(secretKey.getBytes()), hmacSHA1);
javax.crypto.Mac mac = javax.crypto.Mac.getInstance(hmacSHA1);
mac.init(signingKey);
String sig = new String(org.apache.commons.codec.binary.Base64.encodeBase64(mac.doFinal(dataToSign.getBytes())));
// create request object
javax.net.ssl.HttpsURLConnection con = (javax.net.ssl.HttpsURLConnection) obj.openConnection();
//set request type to POST
con.setRequestMethod("POST");
con.setDoOutput(true);
//add reuqest headers
con.setRequestProperty("Authorization", "MC " + accessKey + ":" + sig);
con.setRequestProperty("x-mc-req-id", guid);
con.setRequestProperty("x-mc-app-id", appId);
con.setRequestProperty("x-mc-date", date);
con.setRequestProperty("Content-Type", "application/json");
con.setRequestProperty("Accept", "application/json");
//Add post body to the request
String postBody = "{\n" +
" \"data\": [\n" +
" {\n" +
" \"reason\": \"Remediate by URL\",\n" +
" \"searchBy\": \"url\",\n" +
" \"start\": \"2022-01-20T00:00:00+00:00\",\n" +
" \"hashOrMessageId\": \"c6617708516e3...\",\n" +
" \"end\": \"2022-01-22T00:00:00+00:00\",\n" +
" \"url\": \"https://www.domain.tld/path/to/unwanted/content\"\n" +
" }\n" +
" ]\n" +
"}";
java.io.OutputStream os = con.getOutputStream();
os.write(postBody.getBytes("UTF-8"));
os.close();
//process response
java.io.BufferedReader in = new java.io.BufferedReader(
new java.io.InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
//return result
java.lang.System.out.println(response.toString());
}