Enriching an Investigation with Data From Mimecast

Interrogate Mimecast while performing an investigation, using capabilities such as searching, retrieving message details, downloading message attachments and similar operations.

Assumptions

This document uses terms and phrases that may be specific to Mimecast. To learn more about Mimecast terminology and capabilities (policies, groups, etc.), please refer to Mimecaster Central.

Email Search Capabilities

| API Endpoint | Information | Example | Included Data |
|---|---|---|---|
| Message Finder Search (30 days history) | Used to search and track specific messages based on transmission info or basic message information, in real time, without the message needing to be indexed | Searching for inbound emails based on sender domain or IP address in the last 10 minutes | Sender, recipient, timestamp, delivery status, sending IP address, spam score, ID for getting additional message information |
| Archive Search (archive up to 99 years) | Used to search the archive for any indexed message, based on any component of the message | Searching for emails whose body or attachments contained a social security number over the past 10 years | Sender, recipient, subject, timestamp, size, ID for getting additional message information |

Email Retrieval Capabilities

| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Message Finder Info | Used to retrieve detailed information about a specific message | Retrieving message headers or the SHA256 of attached files | Message transmission information, headers, sender verification results, applied policies, spam and bulk scores | |
| Get Message Part | Used to retrieve the message in varying formats, pre- and post-modification | Getting an RFC822 version of the original message, or the HTML body after Mimecast has applied a signature | The requested message format as a data stream | |
| Get Message List | Used to get a list of messages from the archive search based on timestamp or specific mailboxes | Get yesterday’s messages for a specific user | Sender, recipient, subject, whether it was sent as a Secure Message, read status (if sent as a Secure Message), ID for getting additional message information | |
| Get Message Detail | Used to get structured message details based on the ID from search, notably for headers and attachments | Get a specific header value of a message, or the ID of an attachment for download | Sender, recipient, timestamp, headers, attachment type, attachment SHA256 hash, attachment ID for download | |
| Get File Attachment | Used to get a file attachment from the archive search | Retrieve the attachment of a held email for further analysis | Data stream of the attachment | |
| Get Managed URL | Used to return all entries currently in an account’s Managed URL list, which is used to override a Mimecast scan result | Get information about a manually blocked URL, or check whether a specific URL should not be rewritten | Domain or URL, action to take, enabling or disabling of URL rewriting, User Awareness, or click logging | Optional filtering fields can also be used to return a specific URL or set of URLs. Each account has a maximum URL entry limit (typically 30,000); for your account’s current limit, contact your Customer Success Manager or your regional Customer Success Desk. |
| Search Hash | Used to identify whether an account has seen a specific SHA256 file hash within messages over the last year | Identifying whether a malicious attachment was transmitted via email | Whether the requested hash was part of an email | A maximum of 100 hashes can be submitted in a single call. Currently, this endpoint does not support image file hashes. |
| Get Incident | Used to get information about an existing incident. An incident is a request to “search and destroy” an email based on Message ID, URL or hash (see Notes) | Getting information about automatic remediation events by the Mimecast Security Team | Incident creation criteria, remediation status counts, and the information needed to restore a message | An incident relates to the automatic removal of an email from one or more users’ mailboxes using Mimecast Remediation. Incidents can be created by the customer (manual) or by the Mimecast Security Team (automatic). |
| Decode URL | Returns the original URL for an inbound message, as Mimecast rewrites all URLs in inbound emails by default | Translate “https://protect-us.mimecast.com/s/3dFEHt53qefr” to “google.com/news” | Original URL, Boolean indicating whether the URL could be decoded | Outbound emails through Mimecast will have any rewritten URL replaced with the original |
| Get URL Logs | Used to get messages containing information flagged by URL Protect configurations | A user clicked a URL in a mail and it was blocked due to malicious content on the page | User that clicked or received the URL, scan result, decoded URL, URL category, associated message direction, Mimecast definition applied | Confidence in the identified user relies on the customer’s use of Targeted Threat Protection Authentication, which the customer is able to disable. If disabled, the user will be the recipient of the message, which may be a distribution list address |
| Get Impersonation Protect Logs | Used to get messages containing information flagged by an Impersonation Protection configuration | Inbound email held because an impersonated sending address and suspicious phrases in the message body were identified | Sender information, recipient, sender characteristic matches, content characteristic matches, number of match types, action taken, Message-ID | Impersonation logs are only available for inbound messages |
| Get Attachment Protection Logs | Used to get attachment information flagged by an Attachment Protection configuration | Inbound or outbound email stopped due to an attached spreadsheet with a macro that runs a malicious PowerShell command | Sender, recipient, file type, SHA256 hash, scan result, scan information, message direction, action taken, Message-ID | |
| Message Release Logs | Used to identify messages that were released or rejected by a user, admin or automatic process. The logs also include messages that expired in a held queue and were dropped as a result | Identify who released a potentially malicious message that was initially caught by a specific policy but manually delivered to an internal user | Sender, recipient, subject, route, held reason, policy enforcing the hold action, release or reject action, release or reject date, release or reject actor, spam information, sender validation information (RBL, SPF, DKIM, DMARC) | |
| Message Rejection Logs | Used to identify messages that were rejected by Mimecast, either by policy application or by user intervention | Monitor for messages rejected based on RBL or failed sender validation checks | Sender, recipient, remote sender IP address, remote sender name, reason for rejection, spam score | Due to the high volume of rejected messages, these logs only go back 7 days |
Additional Enrichment, Investigating & Threat Hunting Capabilities

| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Event Stream Service (Web Security Logs) | The event streaming service allows customers to subscribe to and ingest specific Web Security events | Identifying when an endpoint device attempted to resolve a known command & control domain | User, domain or URL, timestamp, local IP address, triggered policy, category, action taken | A specific event stream can have certain log types enabled or disabled within the Administration Console, allowing for customization of log granularity |

Awareness Training

| API Endpoint | Information | Example | Included Data |
|---|---|---|---|
| Get Performance Details | Used to get Awareness Training user-level performance details by Department and Performance Type | Get the dates that a user viewed their Awareness Training video, and the number of correct or incorrect answers | User, number of questions answered correctly or incorrectly, their department, when a specific campaign was launched and how long they took to complete it |
| Get Phishing Details | Used to get per-user results of a phishing campaign | Find users that clicked a link in the most recent phishing campaign | User, user department, phishing template, sent/viewed/clicked status, user active state |
| SAFE Score Details | Used to get per-user SAFE Scores | Find a specific user’s current risk score | User, email address, department, human error score, sentiment score, engagement score, knowledge score, risk score |
| Training Details | Used to get user enrollment and completion information | Identify whether a user has been keeping up with Awareness Training campaigns and completing them in a timely manner | Assignment date, watch date, question answers, watchlist status, earned badges |

Policy and Group Management (e.g. how/why did an email get through)

| API Endpoint | Information | Example | Included Data | Notes |
|---|---|---|---|---|
| Get Blocked Sender Policy | Used to get the active configuration of the policy | Get application details of a specific blocked sender policy | Sender application, recipient application, IP range application, policy start and end dates, description, override enforcement, bi-directional application | |
| Find Groups | Used to get a list of groups associated with a configured policy | Identify the ID of the default Blocked Senders group | Group name, ID, number of members, number of nested groups, parent group ID | |
| Get Group Members | Used to get a list of the group’s direct members | Get all users in the Permitted Senders group | Member email address, member domain name, entry type (synced or Mimecast native entry), whether the member is internal or external | Only Mimecast native groups are returned; however, these groups can consist of cloud-only or directory-synced users |
