Performing Actions in Mimecast

Allows you to perform a particular task as a result of an investigation, such as blocking or permitting based on a specific indicator, removing or restoring messages within an environment, and making changes to mail flow for one or many users.

Assumptions

This document uses terms and phrases that may be specific to Mimecast. To learn more about Mimecast terminology and capabilities (policies, groups, etc.), please refer to Mimecaster Central.

URL & Domain Management

Delete Managed URL
Information: This API endpoint allows for the removal of an existing Managed URL entry.
Example: Remove a blocked URL after verification that the destination is no longer malicious.
Included Data: Success or failure status of the URL removal

Create Managed URL
Information: This endpoint can be used to add new managed URL entries for URL Protection. The common actions are to manually block or permit a URL; additional options include the ability to disable URL rewriting and to bypass User Awareness.
Example: Permit a known URL that has been blocked by Mimecast's scanning engine, or prevent rewriting of URLs that are only valid once.
Included Data: URL value, click-log enforcement, user awareness enforcement, action, URL matching condition, enable or disable URL rewrite, port enforcement
Notes: Each account has a maximum URL entry limit, which can be reached more quickly when automating the addition of URLs. To get more information on your account's current limit, please reach out to your Customer Success Manager or your regional Customer Success Desk.

Create Policy
Information: This endpoint creates new blocked sender policies, which can be used to manage a combination of sender and recipient restrictions.
Example: Block a sender based on a combination of domain and IP range, or based on matching a regular expression.
Included Data: Sender application, recipient application, IP range application, policy start and end dates, description, override enforcement, bi-directional application
Notes: Groups can be used to apply policies based on a number of members, and are preferred over creating a policy per user when applicable. Groups also allow for easier modification when policy application is temporary.

Get Policy
Information: This endpoint retrieves the blocked sender policy details, which can be used to manage a combination of sender and recipient restrictions.
Example: Find a policy that is blocking outbound emails for a specific user.
Included Data: Sender application, recipient application, IP range application, policy start and end dates, description, override enforcement, bi-directional application

Group Management

Add Group Member
Information: This endpoint can be used to add user email addresses or domains to a Profile Group.
Example: Add a new domain to the Blocked Senders group.
Included Data: Domain or email address added to the group, group ID, entry ID
Notes: Groups do not support wildcard or regular expression entries. If either of these is needed, a Blocked Sender Policy should be used.

Create Group
Information: This API endpoint can be used to create new Profile Groups at the root level, or as a child group. Groups can be used to apply permissions and policies.
Example: Create a new group for an integration-specific set of policy applications or user login restriction.
Included Data: Group name, group ID (used to reference when creating policies), parent group ID, member count, sub-group count

Update Group
Information: This API endpoint can be used to update existing Profile Groups at the root level, or as a child group.
Example: Rename an existing group.
Included Data: Group name, group ID (used to reference when creating policies), parent group ID, member count, sub-group count

Delete Group
Information: This API endpoint can be used to remove an existing Profile Group.
Example: Temporary group of restricted users is no longer needed.
Included Data: Group deletion request status
Notes: Groups must be empty of members and subgroups prior to deletion, and cannot have any policies currently scoped to the group.

Remove Group Member
Information: This API endpoint can be used to remove user email addresses or domains from a Profile Group.

Bring Your Own Threat Intelligence (e.g., block a file hash)

Create Batch
Information: This endpoint can be used to import a single indicator or a batch of multiple indicators. These indicators can be used to perform a specific action based on their presence (e.g. a file hash can be added with a block action to prevent the delivery of a message with an attachment matching that file hash).

Message Remediation (A.K.A., Search & Destroy)

Search for File
Information: Used to identify whether an account has seen a specific file hash within messages over the last year.
Example: Need to determine if any user has received a specific SHA-256 file hash.
Notes: A maximum of 100 file hashes can be submitted in a single API call. Currently, this endpoint does not support image file hashes.

Create Incident (Trigger removal of Email)
Information: This endpoint can be used to create a remediation incident by message ID or file hash.
Example: Need to remove any message containing a specific URL, and hide the copy from users' view in Mimecast.
Notes: A successful call will return the incident information and will take the same actions as a manual remediation incident created in the Administration Console.

User Action Capabilities

Policy Management

Permit or Block Sender
Information: This API endpoint can be used to manage senders by either permitting or blocking them.

Group Management

Policies are applied to groups, and the related endpoints allow the management of groups and users (e.g. adding the email addresses of users to the group to which the policy will be applied).






