This article contains information on configuring URL rewriting and scanning in Mimecast Email Security Cloud Integrated, including user identification settings and auditing changes to Detection Engines settings.
Configuring URLs in Subject Lines
You can configure URL rewriting in subject lines on the Mimecast Email Security Cloud Integrated platform by using the following steps:
- Log in to Mimecast Email Security Cloud Integrated.
- Navigate to Policies | Click the Three-Dot Menu | Select View | Detection Engines | URL | Rewrite URLs in Subject Lines | Enable Rewrite URLs in Subject Lines so that deep threat scanning can be performed when a user clicks on a link within a subject.
- Click Save.
- If Rewrite URLs in Emails is disabled, the Rewrite URLs in Subject Lines option will be disabled and hidden, as this feature is linked to URL rewriting being enabled.
- Fully Qualified Domain Names (FQDN) are required for rewriting URLs in the subject line due to limitations imposed by mail providers. Since most email clients handle subject lines as plain text, Email Security Cloud Integrated relies on the presence of an FQDN to accurately identify and rewrite these URLs.
Rewriting URLs in Subject Lines - FAQs
| Q: | How can I control if URLs found in Subject Lines are re-written? |
| A: | To provide greater flexibility, customers will be able to control if URLs found within subject lines are re-written. This option will be found under the URL sections within Detection settings and this feature is enabled by default. |
| Q: | What will happen if URLs are not rewritten consistently? |
| A: | This is caused by the moderate URL detection within Cloud Integration, as the aggressive setting causes a large number of false positives or customer issues. |
Scanning URLs in Attachments
To Scan URLs in Attachments on the Email Security Cloud Integrated platform, use the following steps:
- Log in to Mimecast Email Security Cloud Integrated.
- Navigate to Policies | Click the Three-Dot Menu | Select View | Detection Engines | URL | Scan URLs in Attachments | Enable Scan URLs in Attachments so that URLs within supported attachment types that are more than 100MB in size are deep scanned.
- Click Save.
Configuring User Identification
You can configure User Identification on the Email Security Cloud Integrated platform by using the following steps:
- Log in to Mimecast Email Security Cloud Integrated.
- Navigate to Policies | Click the Three-Dot Menu | Select View | Detection Engines | URL | User Identification.
- Under the User Identification Panel, you can specify how you want users who click on the Rewritten URL to be identified by using one of the two options below:
  - Basic: Users who click on the rewritten URL are identified as the recipients of the email.
  - Advanced Device Enrollment/O365 Authentication (Recommended): The user must be authenticated to attribute URL clicks correctly. If O365 Authentication is enabled, we will use that. Otherwise, we will use Device Enrollment.
- Click Save.
- This is a global setting.
- For basic User Identification, the end user will be taken straight to the URL and not asked to Authenticate.
- User Identification for Advanced Device Enrollment / Microsoft 365 Authentication is retroactive.
End User Configuration
When users click on a link with Advanced User Identification enabled, they are first directed to a webpage to enter their email address.
This page determines whether they are enabled for SSO (Microsoft 365 login) and, if so, redirects them to that authentication.
If redirected to Microsoft, the login token is valid for 7 days.
If an Identifying Cookie is not found, then a Magic link is sent to that email, and once clicked, an Identifying Cookie is installed in their Web Browser to identify them. The magic link token is valid for 90 days.
Users who are not members of the registered domain will also need to register their devices. Once the user logs in, they will be taken to the page in browser isolation.
Identifying End User URL Clicks
You can identify End User URL clicks by using the following steps:
- Log in to Mimecast Email Security Cloud Integrated.
- Navigate to Detections.
- Search for the required Message and click to view Message details.
- In the Detailed Analysis section, look for the User Field.
  - If Device Enrollment is disabled, you will be asked to enable URL Authentication to identify which user clicked on the dangerous links.
  - If Enabled, you will only see the end user's email ID.
Audit Logs
The Audit Logs will show you any updates made to the configuration in the detection engines for User Identification.
You can view Audit Logs by using the following steps:
- Log in to Mimecast Email Security Cloud Integrated.
- Navigate to Audit Logs.
- Either scroll to find the entry or go to Filter and click on detection engines.