Assumptions
This document uses terms and phrases that may be specific to Mimecast. To learn more about Mimecast terminology and capabilities (policies, groups, etc.), please refer to Mimecaster Central.
Traditional Alerting Capabilities
| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Get Threat Feed | This feed can be used to return identified malware threats at a customer or regional grid level | Summary of all blocked malware threats seen by the customer | SHA256 hash, sender IP address, filename and type | The Threat Intel feature requires an additional set up – please contact our Service Delivery Support. In the case of the customer-level feed, sender and recipient information is also available |
| Get TTP URL Logs | This endpoint can be used to get messages containing information flagged by URL Protect configurations | User clicked on a URL in a mail and it was blocked due to malicious content on the page | User that clicked or received the URL, scan result, decoded URL, URL category, associated message direction, Mimecast definition applied | The confidence of the user relies on a customer's use of Targeted Threat Protection Authentication, which the customer is able to disable. If disabled, the user will be the recipient of the message, and may be a distribution list address |
| Get TTP Impersonation Protect Logs | This endpoint can be used to get messages containing information flagged by an Impersonation Protection configuration | Inbound email held due to identifying an impersonated sending address and suspicious phrases in the message body | Sender information, recipient, sender characteristic matches, content characteristic matches, number of match types, action taken, Message-ID | Impersonation logs are only available for inbound messages |
| Get Attachment Protection Logs | This endpoint can be used to get attachment information flagged by an Attachment Protection configuration | Inbound or outbound email stopped due to an attached spreadsheet with a macro that runs a malicious PowerShell command | Sender, recipient, file type, SHA256 hash, scan result, scan information, message direction, action taken, Message-ID | |
| Get DLP Logs | This endpoint can be used to retrieve messages that triggered a DLP or Content Examination policy | Outbound mail blocked due to containing credit card info | Sender, recipient, policy applied, action taken | |
| Get Archive Search Logs | This endpoint can be used to retrieve messages that have been archived | Has anyone been searching for the CEO's emails – insider threat / compromised user searching through the archive | User performing search, search term, search reason provided, mailboxes searched | |
| Get Archive Message View Logs | This endpoint can be used to identify if the content of a message in the archive was viewed during an archive search | Has anyone been reading the CEO's emails – insider threat / compromised user pulling attachments from the archive | User performing search, mailbox, if the content was viewed, if the search was part of a discovery case | |
| Get Audit Events | This endpoint returns all registered audit events within a customer account | Number of failed logon attempts, policy changes, generation of API keys | Profile Group Logs, User Account and Role Logs, Service Monitor Logs, Awareness Training Logs, Mimecast Access Logs, Reporting Logs, Account Logs, Policy Logs, Secure Messaging Logs, Journaling Logs, Integrations and APIs, Archive Service Logs, Case Review Logs, SAFE Cloud Threat Protection Logs, Continuity Services Logs, Branding Logs, Authentication Logs | There are approximately 20 Audit Event Types to select from, with an additional endpoint to identify all possible types |
Additional Alerting Capabilities
| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Get Hold Message List | This API endpoint can be used to get information about held messages, including the reason, hold level, sender and recipients. The ID can be used to act on a message using the Release Message or Reject Message API endpoints | Find messages held for spam, suspected impersonation, malicious attachments, DLP policies | Sender, recipient, hold reason, hold reason code, triggered policy, if attachments are present, ID to act on message (release, reject) | |
| Get Message Hold Summary List | This API endpoint can be used to get counts of currently held messages for each hold reason. Hold reasons can reference policy actions or definition names | Monitoring the count for a specific DLP policy to know when to fetch details about a new message | Hold policy, number of held items | |
| Inbound and Outbound Queues | This endpoint can be used to get the count of the inbound and outbound email queues at specified times | Watching for a spike in email queues to identify a disruptive change, or a downed mail server | Outbound email queue count, inbound email queue count | |
| Get Journal Service | This endpoint returns journaling connectors, their configuration and status | Monitoring to validate that the internal email service is available and running | Journal connector configuration, modify timestamp, queue count | |
| Get Directory Connection | This endpoint returns the connection and synchronization status of the Active Directory integration | Monitor for an issue with directory synchronization, such as an authorization failure or connection issue | Sync status, configuration, sync timestamp, if a sync is currently running | |
| Get Remediation Incident | This endpoint can be used to get information about an existing incident | Identify who created a remediation incident, or identify that the Mimecast Security Team has triggered an automatic remediation based on reports | Incident creation criteria, remediation status counts and information to restore a message, if needed | |
| Get Message Release Logs | This endpoint can be used to identify messages that were released or rejected by a user, admin or automatic process. The logs also include messages that expired in a held queue and were dropped as a result | Identify who released a potentially malicious message that was initially caught by a specific policy but manually delivered to an internal user | Sender, recipient, subject, route, held reason, policy enforcing the hold action, release or reject action, release or reject date, release or reject actor, spam information, sender validation information (RBL, SPF, DKIM, DMARC) | |
| Get Message Rejection Logs | This endpoint can be used to identify messages that were rejected by Mimecast, either by policy application or user intervention | Monitor for messages rejected based on RBL or failed sender validation checks | Sender, recipient, remote sender IP address, remote sender name, reason for rejection, spam score | Due to the high volume of rejected messages, these logs only go back 7 days |
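One way to act on the Message Release Logs use case above (a detection pass that flags manual releases of messages a security policy had held, or that failed sender validation), added here as an example and not part of Mimecast's documentation or API; the field names and sample records are constructed assumptions modelled on the Included Data column, not the real response schema:

```python
# Added example, not Mimecast code. Field names are assumptions modelled on the
# "Included Data" column of the Message Release Logs row, not the real API schema.
from dataclasses import dataclass

# Hold reasons that indicate a security (not hygiene) policy stopped the message
SECURITY_HOLD_REASONS = {"impersonation", "attachment protect", "url protect", "malware"}


@dataclass
class ReleaseLogEntry:
    sender: str
    recipient: str
    subject: str
    route: str        # "inbound" or "outbound"
    held_reason: str  # reason the message was held
    policy: str       # policy enforcing the hold action
    action: str       # "release" or "reject"
    actor: str        # user/admin address, or "system" for an automatic process
    spf: str          # sender validation results: "pass", "fail" or "none"
    dkim: str
    dmarc: str


def risky_releases(entries):
    """Return (entry, reasons) pairs an analyst should review: an inbound message
    held by a security policy and released by a person, or any manual release of
    a message that failed SPF/DKIM/DMARC. Rejections and system releases are skipped."""
    findings = []
    for e in entries:
        if e.action != "release" or e.actor == "system":
            continue
        reasons = []
        if e.route == "inbound" and e.held_reason.lower() in SECURITY_HOLD_REASONS:
            reasons.append(f"held by security policy '{e.policy}'")
        failed = [n for n, v in (("SPF", e.spf), ("DKIM", e.dkim), ("DMARC", e.dmarc)) if v == "fail"]
        if failed:
            reasons.append("failed " + "/".join(failed))
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample records (not real log data)
SAMPLE = [
    ReleaseLogEntry("ceo@example-lookalike.test", "cfo@example.test", "Urgent wire", "inbound",
                    "Impersonation", "Impersonation Protect - Execs", "release", "helpdesk@example.test", "pass", "none", "fail"),
    ReleaseLogEntry("news@vendor.test", "all@example.test", "Newsletter", "inbound",
                    "Spam", "Spam Scanning", "release", "user@example.test", "pass", "pass", "pass"),
    ReleaseLogEntry("hr@example.test", "staff@example.test", "Payroll", "outbound",
                    "DLP", "Outbound DLP", "reject", "admin@example.test", "pass", "pass", "pass"),
    ReleaseLogEntry("noreply@partner.test", "ap@example.test", "Invoice.xlsm", "inbound",
                    "Attachment Protect", "Attachment Sandbox", "release", "system", "pass", "pass", "pass"),
]

if __name__ == "__main__":
    for entry, why in risky_releases(SAMPLE):
        print(f"REVIEW: {entry.actor} released '{entry.subject}' from {entry.sender}: {'; '.join(why)}")
```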
Filtering Capabilities
You can also filter certain log types to provide a more focused experience and reduce the amount of data received from Mimecast.
Filtering capabilities are available for:
- Attachment Protection – filter by route, date or scan result
- Data Leak Prevention – filter by sender and recipient, date, route or action
- Impersonation Protection – filter by sender and recipient, date, scan result or action
- URL Protect Log – filter by route, date or scan result
- Audit Logs – filter by Profile Group changes, User Account and Role modifications, user activity, account modifications, policy changes, etc.
More Alerting and Monitoring Endpoints
For the full set of alerting and monitoring endpoints, you can visit the following documentation sections: