Incidents correspond to a Remediation event and display all the associated messages, listed by recipient. After viewing an incident, you can perform the following actions:
- Remove an attachment/message from the user's mailbox if it's found to be malicious post-delivery.
- Restore a removed message to the user's mailbox if it's found to be safe post-remediation.
- Export incident data displayed in the queue, or the message data in an individual incident, to a file.
To Remove or Restore messages, your logon must have either the Super Administrator, Full Administrator, or Basic Administrator role. However, Basic Administrators are unable to see the content. See the Managing Administrator Roles page for full details.
Viewing Message Details
Viewing a message's details allows you to investigate a potential threat or the history of a message. The information displayed includes:
- A summary of the message.
- The message body.
- Any associated attachments.
- The current status of the message.
You can view the message details in an incident by using the following steps:
- Click on an Incident from the Incidents queue. Any associated messages are displayed with each message on a single row.
- Click on a Message in the list. The Message Details panel slides into view.
- Message information displays in the following tabs/sections:
| Section | Description |
| --- | --- |
| Message Details | Use the left/right arrows in the top right corner to quickly switch between messages without leaving the Message Details panel. |
| Summary | Displays a summary of the message, including the sender, recipient, and subject, and the time the email was sent and processed. |
| Attachments | Displays any associated attachments. If you need to download an attachment: |
| Message Body | Displays the body of the message in HTML format by default. Optionally: |
| Recipients / Message Status | Displays all recipients of the message and the current message status. You can search for a particular user in the Search Recipients field. |
- Click on the X in the top right corner to exit the panel.
- To return to the main Remediation queue, click on the Threat Remediation link in the top menu.
Removing Messages
If you're Remediating saved attachments on end-user devices using the Mimecast Security Agent, see the Remediating Saved Attachments page.
If a message turns out to be a threat post-delivery and you want to manually remove it from the user's mailbox, you can use the following steps:
- Click on the Incident from the Incidents queue. The associated messages display.
- Click on the Remove Messages button.
- Enter a Reason for the removal. This is a mandatory step and is logged.
- Click on the Remove button. The message is removed and the user is notified.
It may take several minutes for the message to be removed. Once complete, the number of Removed Messages for the incident is updated in the Incidents queue. Even though the removed message is hidden from the user, it's still available to the Administrator and remains in the archive.
- A Remove incident is created, and a temporary popup box displays to confirm your request.
- Click on the View Incident button on the popup message to view the incident.
When an Administrator removes messages with Threat Remediation, the content remains in your Mimecast Archive for the duration of your Mimecast Account Retention, in the event you wish to restore them. Additionally, users will continue to see the message metadata in their end-user applications, such as the Mimecast Personal Portal, though the body will be replaced with the below:
Restoring Messages
If a removed message turns out to be safe and you want to manually restore it to the user's mailbox, you can use the following steps:
- Click on the Incident from the Incidents queue.
- Click on the Restore Messages button.
- Enter a Reason for the restore in the confirmation dialog. This is mandatory and is logged in the new incident.
- Click on the Restore button. The messages are restored to the user's mailbox.
- A new restore incident is created, and a temporary popup box displays to confirm your request.
- Click on the View Incident button on the popup message to view the new restore incident.
A message must be in an Archived state before it can be restored. The restore process can only be attempted once per Remediation Incident, so ensure the messages are Archived before attempting to restore.