Assumptions
This document uses terms and phrases that may be specific to Mimecast. To learn more about Mimecast terminology and capabilities (policies, groups, etc.), please refer to Mimecaster Central.
Email Search Capabilities
| API Endpoint | Information | Example | Included Data |
|---|---|---|---|
| Message Finder Search (30 days of history) | Used to search for and track specific messages in real time based on transmission information or basic message information, without the message needing to be indexed | Searching for inbound emails based on sender domain or IP address in the last 10 minutes | Sender, recipient, timestamp, delivery status, sending IP address, spam score, ID for retrieving additional message information |
| Archive Search (archive up to 99 years) | Used to search the archive for any indexed message, based on any component of the message | Searching for emails whose body or attachments contained a social security number over the past 10 years | Sender, recipient, subject, timestamp, size, ID for retrieving additional message information |
Email Retrieval Capabilities
| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Message Finder Info | Used to retrieve detailed information about a specific message | Retrieving message headers or the SHA256 of attached files | Message transmission information, headers, sender verification results, applied policies, spam and bulk scores | |
| Get Message Part | Used to retrieve the message in varying formats, pre- and post-modification | Getting an RFC 822 version of the original message, or the HTML body after Mimecast has applied a signature | The requested message format as a data stream | |
| Get Message List | Used to get a list of messages from the archive based on timestamp or specific mailboxes | Get yesterday's messages for a specific user | Sender, recipient, subject, whether it was sent as a Secure Message, read status (if sent as a Secure Message), ID for retrieving additional message information | |
| Get Message Detail | Used to get structured message details based on the ID returned by a search, notably headers and attachments | Get a specific header value of a message, or the ID of an attachment for download | Sender, recipient, timestamp, headers, attachment type, attachment SHA256 hash, attachment ID for download | |
| Get File Attachment | Used to get a file attachment from the archive | Retrieve the attachment of a held email for further analysis | Data stream of the attachment | |
| Get Managed URL | Used to return all entries currently in an account's Managed URL list, namely entries that override a Mimecast scan result | Get information about a manually blocked URL, or check whether a specific URL should not be rewritten | Domain or URL, action to take, enabling or disabling of URL rewriting, User Awareness, or click logging | Optional filtering fields can also be used to return a specific URL or set of URLs. Each account has a maximum URL entry limit (typically 30,000). To get more information on your |
| Search Hash | Used to identify whether an account has seen a specific SHA256 file hash within messages over the last year | Identifying whether a malicious attachment was transmitted via email | Whether the requested hash was part of an email | A maximum of 100 hashes can be submitted in a single call. Currently, this endpoint does not support image file hashes |
| Get Incident | Used to get information about an existing incident; an incident is a request to "search and destroy" an email based on Message ID, URL or hash (see the notes) | Getting information about automatic remediation events by the Mimecast Security Team | Incident creation criteria, remediation status counts and the information needed to restore a message | An incident relates to the automatic removal of an email from a user's or users' mailboxes utilizing. Incidents can be created by the customer (manual) or by the Mimecast Security Team (automatic) |
| Decode URL | Returns the original URL behind a rewritten link in an inbound message, as Mimecast rewrites all URLs in inbound emails by default | Translate "https://protect-us.mimecast.com/s/3dFEHt53qefr" to "google.com/news" | Original URL, Boolean indicating whether the URL could be decoded | Outbound emails through Mimecast have any rewritten URL replaced with the original |
| Get URL Logs | Used to get messages containing URLs flagged by URL Protect configurations | A user clicked a URL in a mail and it was blocked due to malicious content on the page | User that clicked or received the URL, scan result, decoded URL, URL category, associated message direction, Mimecast definition applied | Confidence in the reported user depends on the customer's use of Targeted Threat Protection Authentication, which the customer can disable. If it is disabled, the user will be the recipient of the message, which may be a distribution list address |
| Get Impersonation Protect Logs | Used to get messages flagged by an Impersonation Protect configuration | Inbound email held because an impersonated sending address and suspicious phrases were identified in the message body | Sender information, recipient, sender characteristic matches, content characteristic matches, number of match types, action taken, Message-ID | Impersonation logs are only available for inbound messages |
| Get Attachment Protection Logs | Used to get attachment information flagged by an Attachment Protection configuration | Inbound or outbound email stopped due to an attached spreadsheet with a macro that runs a malicious PowerShell command | Sender, recipient, file type, SHA256 hash, scan result, scan information, message direction, action taken, Message-ID | |
| Message Release Logs | Used to identify messages that were released or rejected by a user, admin or automatic process. The logs also include messages that expired in a held queue and were dropped as a result | Identify who released a potentially malicious message that was initially caught by a specific policy but manually delivered to an internal user | Sender, recipient, subject, route, held reason, policy enforcing the hold action, release or reject action, release or reject date, release or reject actor, spam information, sender validation information (RBL, SPF, DKIM, DMARC) | |
| Message Rejection Logs | Used to identify messages that were rejected by Mimecast, either by policy application or by user intervention | Monitor for messages rejected based on RBL or failed sender validation checks | Sender, recipient, remote sender IP address, remote sender name, reason for rejection, spam score | Due to the high volume of rejected messages, these logs only go back 7 days |

Additional Enrichment, Investigating & Threat Hunting Capabilities
| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Event Stream Service (Web Security Logs) | The event streaming service allows customers to subscribe to and ingest specific Web Security events | Identifying when an endpoint device attempted to resolve a known command-and-control domain | User, domain or URL, timestamp, local IP address, triggered policy, category, action taken | Specific log types can be enabled or disabled for an event stream within the Administration Console, allowing the log granularity to be customized |
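The Search Hash and Message Release Logs rows above describe two feeds that are most useful when scripted together: attachment hashes pulled from Attachment Protection logs need to be batched (at most 100 per Search Hash call, and image hashes are not supported), and release logs need a filter that surfaces user-initiated releases of held threats. The script below is an added example written for this page, not Mimecast's own code or SDK. It works entirely on constructed sample records embedded inline; every field name (`fileType`, `sha256`, `result`, `heldReason`, `actorType`, `spf`, `dmarc`, `rbl`, etc.), the image-extension list and the held-reason keywords are assumptions about how an export of these endpoints looks, and must be mapped to the real response keys of your tenant before use.

```python
"""Added example (not Mimecast's own code): hunting helpers over exported
Attachment Protection logs and Message Release logs. Field names, record
shapes and the sample records are assumptions / constructed data."""

SEARCH_HASH_MAX = 100  # per-call limit of the Search Hash endpoint
# Search Hash does not support image file hashes, so image attachments are
# dropped before batching. The extension list itself is an assumption.
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "tif", "tiff", "webp", "svg"}
# Held-reason fragments treated as threat-protection holds (assumed wording).
THREAT_HOLD_KEYWORDS = ("attachment", "impersonation", "url")

# Constructed sample Attachment Protection log records (shape assumed).
ATTACHMENT_LOGS = [
    {"fileName": "Q3_forecast.xlsm", "fileType": "xlsm", "sha256": "a" * 64,
     "result": "malicious", "actionTriggered": "block", "route": "inbound"},
    {"fileName": "Q3_forecast.xlsm", "fileType": "xlsm", "sha256": "A" * 64,
     "result": "malicious", "actionTriggered": "block", "route": "inbound"},
    {"fileName": "logo.png", "fileType": "png", "sha256": "b" * 64,
     "result": "safe", "actionTriggered": "none", "route": "inbound"},
    {"fileName": "invoice.pdf", "fileType": "pdf", "sha256": "c" * 64,
     "result": "unsafe", "actionTriggered": "hold", "route": "inbound"},
    {"fileName": "notes.txt", "fileType": "txt", "sha256": "d" * 64,
     "result": "safe", "actionTriggered": "none", "route": "outbound"},
]

# Constructed sample Message Release log records (shape assumed).
RELEASE_LOGS = [
    {"fromEnv": "ceo@examp1e.com", "to": "finance@corp.example",
     "subject": "Urgent wire", "heldReason": "Impersonation Protect",
     "policy": "Impersonation Default", "operator": "release",
     "actor": "finance@corp.example", "actorType": "user",
     "spf": "fail", "dkim": "none", "dmarc": "fail", "rbl": "none"},
    {"fromEnv": "vendor@example.net", "to": "ap@corp.example",
     "subject": "Invoice 4471", "heldReason": "Attachment Protect: macro",
     "policy": "Attachment Default", "operator": "release",
     "actor": "soc@corp.example", "actorType": "admin",
     "spf": "pass", "dkim": "pass", "dmarc": "pass", "rbl": "none"},
    {"fromEnv": "it-support@example.co", "to": "hr@corp.example",
     "subject": "Password reset", "heldReason": "URL Protect: suspicious link",
     "policy": "URL Default", "operator": "release",
     "actor": "hr@corp.example", "actorType": "user",
     "spf": "none", "dkim": "none", "dmarc": "none", "rbl": "listed"},
]


def search_hash_batches(logs, flagged_only=True):
    """Collect unique SHA256 hashes worth submitting to Search Hash and split
    them into batches no larger than the endpoint's 100-hash limit."""
    seen = set()
    hashes = []
    for rec in logs:
        if rec.get("fileType", "").lower() in IMAGE_TYPES:
            continue  # image hashes are not supported by the endpoint
        if flagged_only and rec.get("result") == "safe":
            continue  # only hunt for attachments the scanner flagged
        digest = rec.get("sha256", "").lower()
        if len(digest) != 64 or digest in seen:
            continue  # malformed or duplicate hash
        seen.add(digest)
        hashes.append(digest)
    return [hashes[i:i + SEARCH_HASH_MAX]
            for i in range(0, len(hashes), SEARCH_HASH_MAX)]


def risky_releases(logs):
    """Return release events where a user (not an admin or an automatic
    process) released a message held by a threat-protection policy and the
    sender did not pass validation (DMARC not 'pass' or sender on an RBL)."""
    out = []
    for rec in logs:
        if rec.get("operator") != "release" or rec.get("actorType") != "user":
            continue
        reason = rec.get("heldReason", "").lower()
        if not any(k in reason for k in THREAT_HOLD_KEYWORDS):
            continue
        if rec.get("dmarc") == "pass" and rec.get("rbl") == "none":
            continue  # sender validated; lower priority for review
        out.append({"actor": rec.get("actor"), "recipient": rec.get("to"),
                    "sender": rec.get("fromEnv"), "subject": rec.get("subject"),
                    "heldReason": rec.get("heldReason"),
                    "policy": rec.get("policy")})
    return out


if __name__ == "__main__":
    for n, batch in enumerate(search_hash_batches(ATTACHMENT_LOGS), 1):
        print(f"Search Hash batch {n}: {len(batch)} hash(es)")
    for hit in risky_releases(RELEASE_LOGS):
        print(f"{hit['actor']} released '{hit['subject']}' from {hit['sender']}"
              f" held by {hit['policy']} ({hit['heldReason']})")
```

Each list returned by `search_hash_batches` is one Search Hash call's worth of hashes; the endpoint only reports whether a hash was seen in mail during the last year, so a hit is a pivot point for Message Finder or Archive Search rather than a verdict. `risky_releases` deliberately ignores admin and automatic releases and expired/dropped entries so that the output is a review list of end-user decisions to override a hold.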
Awareness Training
| API Endpoint | Information | Example | Included Data |
|---|---|---|---|
| Get Performance Details | Used to get Awareness Training user-level performance details by department and performance type | Get the dates on which a user viewed their Awareness Training video, and the number of correct or incorrect answers | User, number of questions answered correctly or incorrectly, department, when a specific campaign was launched and how long the user took to complete it |
| Get Phishing Details | Used to get per-user results of a phishing campaign | Find users that clicked a link in the most recent phishing campaign | User, user department, phishing template, sent/viewed/clicked status, user active state |
| SAFE Score Details | Used to get per-user SAFE Scores | Find a specific user's current risk score | User, email address, department, human error score, sentiment score, engagement score, knowledge score, risk score |
| Training Details | Used to get user enrollment and completion information | Identify whether a user has been keeping up with Awareness Training campaigns and completing them in a timely manner | Assignment date, watch date, question answers, watchlist status, earned badges |
Policy and Group Management (e.g. how/why did an email get through)
| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Get Blocked Sender Policy | Used to get the active configuration of the policy | Get application details of a specific blocked sender policy | Sender application, recipient application, IP range application, policy start and end dates, description, override enforcement, bi-directional application | |
| Find Groups | Used to get a list of groups associated with a configured policy | Identify the ID of the default Blocked Senders group | Group name, ID, number of members, number of nested groups, parent group ID | |
| Get Group Members | Used to get a list of the group's direct members | Get all users in the Permitted Senders group | Member email address, member domain name, entry type (directory-synced or Mimecast native entry), whether the member is internal or external | Only Mimecast native groups are returned; however, these groups can consist of cloud-only or directory-synced users |