Obtaining Alerts and Monitoring Mimecast

Ability to obtain Email Intelligence and identify outcomes that can be used for alerting, automation triggers, etc.

Assumptions

This document uses terms and phrases that may be specific to Mimecast. To learn more about Mimecast terminology and capabilities (policies, groups, etc.), please refer to Mimecaster Central.

Traditional Alerting Capabilities

Each endpoint below is listed with the information it returns, an example alerting outcome, the data included in the response, and any notes.

Get Threat Feed
  Information: This feed can be used to return identified malware threats at a customer or regional grid level.
  Example: Summary of all blocked malware threats seen by the customer.
  Included Data: SHA256 hash, sender IP address, filename and type.
  Notes: The Threat Intel feature requires additional set-up; please contact our Service Delivery Support Team to have this feature enabled. In the case of the customer-level feed, sender and recipient information is also available.

Get TTP URL Logs
  Information: This endpoint can be used to get messages containing information flagged by URL Protect configurations.
  Example: A user clicked on a URL in a mail and it was blocked due to malicious content on the page.
  Included Data: User that clicked or received the URL, scan result, decoded URL, URL category, associated message direction, Mimecast definition applied.
  Notes: Confidence in the reported user depends on the customer's use of Targeted Threat Protection Authentication, which the customer can disable. If it is disabled, the user will be the recipient of the message, and may be a distribution list address.

Get TTP Impersonation Protect Logs
  Information: This endpoint can be used to get messages containing information flagged by an Impersonation Protection configuration.
  Example: Inbound email held due to identifying an impersonated sending address and suspicious phrases in the message body.
  Included Data: Sender information, recipient, sender characteristic matches, content characteristic matches, number of match types, action taken, Message-ID.
  Notes: Impersonation logs are only available for inbound messages.

Get Attachment Protection Logs
  Information: This endpoint can be used to get attachment information flagged by an Attachment Protection configuration.
  Example: Inbound or outbound email stopped due to an attached spreadsheet with a macro that runs a malicious PowerShell command.
  Included Data: Sender, recipient, file type, SHA256 hash, scan result, scan information, message direction, action taken, Message-ID.

Get DLP Logs
  Information: This endpoint can be used to retrieve messages that triggered a DLP or Content Examination policy.
  Example: Outbound mail blocked due to containing credit card information.
  Included Data: Sender, recipient, policy applied, action taken.

Get Archive Search Logs
  Information: This endpoint can be used to retrieve messages that have been archived.
  Example: Has anyone been searching for the CEO's emails? Insider threat or compromised user searching through the archive.
  Included Data: User performing search, search term, search reason provided, mailboxes searched.

Get Archive Message View Logs
  Information: This endpoint can be used to identify if the content of a message in the archive was viewed during an archive search.
  Example: Has anyone been reading the CEO's emails? Insider threat or compromised user pulling attachments from the archive.
  Included Data: User performing search, mailbox, whether the content was viewed, whether the search was part of a discovery case.

Get Audit Events
  Information: This endpoint returns all registered audit events within a customer account.
  Example: Number of failed logon attempts, policy changes, generation of API keys.
  Included Data: Profile Group Logs, User Account and Role Logs, Service Monitor Logs, Awareness Training Logs, Mimecast Access Logs, Reporting Logs, Account Logs, Policy Logs, Secure Messaging Logs, Journaling Logs, Integrations and APIs, Archive Service Logs, Case Review Logs, SAFE Cloud Threat Protection Logs, Continuity Services Logs, Branding Logs, Authentication Logs.
  Notes: There are approximately 20 Audit Event Types to select from, with an additional endpoint to identify all possible types.
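The user-attribution caveat on Get TTP URL Logs matters when those logs drive alerts. The following is an added example, not Mimecast code: it triages constructed URL Protect records into alerts and downgrades the attribution to "recipient" when TTP Authentication is disabled or the address is a distribution list. The key names (user, scanResult, url, category, route, definition), the sample records and the distribution-list set are assumptions for illustration.

```python
"""Triage of URL Protect log records into alerts (added example, not Mimecast code).

Key names (user, scanResult, url, category, route, definition) are assumptions;
the page lists the data returned, not the response keys.
"""

# Constructed sample records mirroring the fields the page lists for Get TTP URL Logs.
SAMPLE_URL_LOGS = [
    {"user": "alice@example.com", "scanResult": "malicious",
     "url": "http://login.phish.example/", "category": "Phishing & Fraud",
     "route": "inbound", "definition": "Default URL Protect"},
    {"user": "all-staff@example.com", "scanResult": "malicious",
     "url": "http://update.bad.example/setup.exe", "category": "Malware",
     "route": "inbound", "definition": "Default URL Protect"},
    {"user": "bob@example.com", "scanResult": "clean",
     "url": "https://www.example.org/", "category": "Business",
     "route": "outbound", "definition": "Default URL Protect"},
]

# Constructed set of the customer's distribution-list addresses (assumed, for illustration).
DISTRIBUTION_LISTS = frozenset({"all-staff@example.com"})


def triage_url_logs(records, ttp_auth_enabled=True, distribution_lists=frozenset()):
    """Return one alert per malicious URL event with an honest user attribution.

    With TTP Authentication enabled, 'user' is the individual who clicked.
    If it is disabled, 'user' is only the message recipient, which may be a
    distribution list, so the alert marks the clicker as not yet identified.
    """
    alerts = []
    for rec in records:
        if rec.get("scanResult") != "malicious":
            continue
        user = rec.get("user", "").lower()
        if not ttp_auth_enabled or user in distribution_lists:
            attribution = "recipient"          # clicker not individually identified
        else:
            attribution = "authenticated user"
        alerts.append({
            "user": user,
            "attribution": attribution,
            "needs_followup": attribution == "recipient",   # locate the real clicker
            "url": rec.get("url"),
            "category": rec.get("category"),
            "route": rec.get("route"),
            "definition": rec.get("definition"),
        })
    return alerts
```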

Additional Alerting Capabilities

Each endpoint below is listed with the information it returns, an example alerting outcome, the data included in the response, and any notes.

Get Hold Message List
  Information: This API endpoint can be used to get information about held messages, including the reason, hold level, sender and recipients. The ID can be used to act on a message using the Release Message or Reject Message API endpoints.
  Example: Find messages held for spam, suspected impersonation, malicious attachments or DLP policies.
  Included Data: Sender, recipient, hold reason, hold reason code, triggered policy, whether attachments are present, ID to act on the message (release, reject).

Get Message Hold Summary List
  Information: This API endpoint can be used to get counts of currently held messages for each hold reason. Hold reasons can reference policy actions or definition names.
  Example: Monitoring the count for a specific DLP policy to know when to fetch details about a new message.
  Included Data: Hold policy, number of held items.

Inbound and Outbound Queues
  Information: This endpoint can be used to get the count of the inbound and outbound email queues at specified times.
  Example: Watching for a spike in email queues to identify a disruptive change or a downed mail server.
  Included Data: Outbound email queue count, inbound email queue count.

Get Journal Service
  Information: This endpoint returns journaling connectors, their configuration and status.
  Example: Monitoring to validate that the internal email service is available and running.
  Included Data: Journal connector configuration, modify timestamp, queue count.

Get Directory Connection
  Information: This endpoint allows the synchronization and connection of the Active Directory.
  Example: Monitor for an issue with directory synchronization, such as an authorization failure or connection issue.
  Included Data: Sync status, configuration, sync timestamp, whether a sync is currently running.

Get Remediation Incident
  Information: This endpoint can be used to get information about an existing incident.
  Example: Identify who created a remediation incident, or identify that the Mimecast Security Team has triggered an automatic remediation based on reports.
  Included Data: Incident creation criteria, remediation status counts and the information needed to restore a message.

Get Message Release Logs
  Information: This endpoint can be used to identify messages that were released or rejected by a user, admin or automatic process. The logs also include messages that expired in a held queue and were dropped as a result.
  Example: Identify who released a potentially malicious message that was initially caught by a specific policy but manually delivered to an internal user.
  Included Data: Sender, recipient, subject, route, held reason, policy enforcing the hold action, release or reject action, release or reject date, release or reject actor, spam information, sender validation information (RBL, SPF, DKIM, DMARC).

Get Message Rejection Logs
  Information: This endpoint can be used to identify messages that were rejected by Mimecast, either by policy application or by user intervention.
  Example: Monitor for messages rejected based on RBL or failed sender validation checks.
  Included Data: Sender, recipient, remote sender IP address, remote sender name, reason for rejection, spam score.
  Notes: Due to the high volume of rejected messages, these logs only go back 7 days.
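The Get Message Release Logs example above (who manually released a message that a threat policy had held) can be turned into a detection over the fields the endpoint returns. The following is an added example, not Mimecast code: it skips rejections, expired-and-dropped entries and automatic releases, alerts on person-initiated releases of inbound messages held by a threat policy, and raises the severity when SPF, DKIM or DMARC failed. The key names, the hold-reason codes, the automatic-actor marker and the sample records are assumptions for illustration.

```python
"""Alert on held messages that a person released to an internal recipient
(added example, not Mimecast code). Key names (action, actor, route, heldReason,
policy, senderValidation, ...) and the reason codes are assumptions; the page
lists the fields, not the response keys.
"""

# Assumed hold-reason codes for the threat policies worth alerting on.
THREAT_HOLD_REASONS = frozenset({"impersonation", "attachment_protection", "url_protect"})
AUTOMATIC_ACTOR = "automatic"   # assumed marker for a release by an automatic process

# Constructed sample records mirroring the fields the page lists for Get Message Release Logs.
SAMPLE_RELEASE_LOGS = [
    {"action": "release", "actor": "helpdesk@example.com", "route": "inbound",
     "heldReason": "impersonation", "policy": "Impersonation Protect - Default",
     "sender": "ceo@examp1e.com", "recipient": "finance@example.com",
     "subject": "Urgent wire transfer", "date": "2024-01-01T10:00:00Z",
     "senderValidation": {"rbl": "pass", "spf": "fail", "dkim": "none", "dmarc": "fail"}},
    {"action": "release", "actor": AUTOMATIC_ACTOR, "route": "inbound",
     "heldReason": "spam", "policy": "Spam Scanning - Moderate",
     "sender": "news@example.net", "recipient": "bob@example.com",
     "subject": "Weekly digest", "date": "2024-01-01T10:05:00Z",
     "senderValidation": {"rbl": "pass", "spf": "pass", "dkim": "pass", "dmarc": "pass"}},
    {"action": "expired", "actor": AUTOMATIC_ACTOR, "route": "inbound",
     "heldReason": "attachment_protection", "policy": "Attachment Protect - Default",
     "sender": "billing@example.net", "recipient": "carol@example.com",
     "subject": "Invoice", "date": "2024-01-01T10:10:00Z", "senderValidation": {}},
]


def alert_on_releases(records):
    """Return alerts for threat-policy holds that a user or admin released.

    Rejections, expired-and-dropped entries and automatic releases are skipped;
    any failed SPF/DKIM/DMARC/RBL result raises the severity to high.
    """
    alerts = []
    for rec in records:
        if rec.get("action") != "release" or rec.get("actor") == AUTOMATIC_ACTOR:
            continue
        if rec.get("route") != "inbound" or rec.get("heldReason") not in THREAT_HOLD_REASONS:
            continue
        validation = rec.get("senderValidation", {})
        failed = sorted(name.upper() for name, result in validation.items() if result == "fail")
        alerts.append({
            "actor": rec["actor"], "recipient": rec["recipient"], "sender": rec["sender"],
            "subject": rec.get("subject"), "policy": rec.get("policy"), "date": rec.get("date"),
            "failed_checks": failed, "severity": "high" if failed else "medium",
        })
    return alerts
```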

Filtering Capabilities

You can also filter certain log types to provide a more focused experience and reduce the amount of data received from Mimecast.

Filtering capabilities are available for:

  • Attachment Protection – filter by route, date or scan result
  • Data Leak Prevention – filter by sender and recipient, date, route or action
  • Impersonation Protection – filter by sender and recipient, date, scan result or action
  • URL Protect Log – filter by route, date or scan result
  • Audit Logs – filter by Profile Group changes, User account and Role modifications, user activity, account
    modifications, policy changes etc.

More Alerting and Monitoring Endpoints

For the full set of alerting and monitoring endpoints, you can visit the following documentation sections:
