This article contains information on using Mimecast's Threat Remediation tabs, including searching for threats, managing incidents, viewing logs, and configuring settings to identify, remove, or restore messages post-delivery.
Overview
Threat Remediation is a service that monitors your Mimecast Archive for previously unidentified threats. It can identify potentially malicious messages after initial transmission based on new threat intelligence or research. When a threat is detected, it generates notifications to help administrators identify potentially harmful messages.
With automatic remediation enabled, threats are removed automatically; otherwise you must take manual action through the tool, based on the notification.
The Threat Remediation home page has the following tabs:
- Overview: This is the default tab and displays a summary of the latest remediation incidents and logs. It also allows you to search for a particular file or message if required. See the Overview Tab section below for more details.
- Search: This tab allows you to search for particular messages and specific threats. See the Search Tab section below for more details.
- Incidents: Displays a summary of the last five remediation events, including the number of identified, removed, failed, or restored messages. See the Incidents Tab section below for more details.
- Logs: Displays the last five actions taken against incidents. The tab also includes a View All Logs link in the bottom right corner to access the full logs queue. See the Threat Remediation: Viewing Logs page for more information.
- Settings: Displays your Status and Mode settings. See the Settings Tab section below for more details.
Additionally, there is a Drag and Drop function that allows you to drag a document onto the Search Message card. It will automatically calculate the hash. See the Drag and Drop section.
Overview Tab
Using the Search Messages widget, you can search for:
- Instances of an attachment (defined by its SHA-256 hash).
- Incidents by message ID (unique to the individual message).
To search for an attachment by data:
- The Search by Data tab displays by default. Enter the file hash in the Attachment File Hash field. The hash is displayed in the email notification sent to administrators or in the Message Details panel under the message body.
- Optionally enter an email address or domain into the From or To fields. This narrows your search to the sender and recipient email headers, respectively.
- Click on the Search button. The results display.
To search for a message by ID:
- Click on the Search by ID tab.
- Enter the message ID in the Message ID field. The message ID can be copied from the email header of the message (e.g., when performing a message tracking or archive search).
- Click on the Search button. Results display with each message recipient on a single row.
Search Tab
The Search Tab allows you to search for specific threats.
The Search capability is still accessible through the Overview tab, meaning both options can be used.
To search for a message by data:
- Optionally enter the file hash in the Attachment File Hash field. The hash is displayed in the email notification sent to administrators or in the Message Details panel under the message body in Message Tracking.
- Optionally enter an Email Address or Domain into the From field.
- Optionally enter a Subject line and/or Date.
- Click on the Search button. The results display.
To search for a message by ID:
- Click on the Search by ID tab.
- Enter the message ID in the Message ID field. The message ID can be copied from the email header of the message (e.g., when performing message tracking or an archive search).
- Click on the Search button. The results display with each message recipient on a single row.
The results view offers the following actions:
- Remove Messages: The Remove Messages button cannot be used until you've selected one or more messages. To remove a message:
  - Select a message and click Remove Messages. A dialog appears alerting you of any consequences of this option.
  - Enter a reason for the deletion; this is mandatory.
  - Click Remove.
- Export Results: This option allows you to export your results to an external document.
- Click on a message to view further details. It opens into the side panel, Message Details, which has three columns:
  - Message: This column lists details about the message.
    - Summary: Displays the message's summary, including the envelope and header information and the time the message was sent/received.
    - Attachments: Displays any attachments. Click on the Show More link to display the full attachment list. Optionally click on the three-dot icon to preview or download an attachment.
    - Message Body: Displays the message's body in HTML by default.
    - Header: Displays the message's header information in plain text.
  - Status: This column lists the recipients of the message and the status. There is also a search bar allowing you to find specific messages or recipients.
Drag and Drop
Drag and Drop is a Threat Remediation function that lets you drag a document onto the Search Message card; the hash of the document is calculated automatically.
Main functionality:
- The drag and drop calculates the hash of the file that was dropped into the web interface.
- The hash populates the Attachment File Hash field.
- It does not upload the file; it calculates the hash locally. There's no additional unpacking or analysis.
- Multiple file drag and drop is not supported.
Incidents Tab
By default, this tab displays the last five remediation events. The information displayed includes the number of identified, removed, failed, or restored messages.
The tab also includes a View all incidents link in the bottom right corner to access the full incidents queue. Recorded incidents use a specific incident ID in the format TR-XXXX-00000-X:
- The first block (XXXX) relates to your Mimecast customer account code.
- The second block (00000) is the incremental incident number. This number remains the same when multiple actions are performed on the same incident.
- The third block (X) indicates the action that was taken, as described below:
| Indicator | Action |
|---|---|
| A | The message was removed automatically by us on the discovery of a threat. |
| N | The message matches a threat found by us, with the administrator notified. |
| M | The manual removal of the message by the administrator. |
| R | The message was restored to the user's mailbox due to a remediation error or a false positive identification. |
See the Threat Remediation: Viewing Incidents page for more information on viewing and exporting data from incidents.
Logs Tab
By default, this tab displays a summary of the latest five actions taken against incidents. The tab also includes a View all Logs link in the bottom right corner to access the full logs queue. See the Threat Remediation: Viewing Incidents page for more information on viewing and exporting data from Logs.
Settings Tab
Your current settings display in the Settings widget, in the bottom left corner of the Overview page. Click on the View all Settings link, or click on the Settings tab to edit your settings as outlined below:
| Settings | Description |
|---|---|
| Status | Toggle the option to enable / disable Threat Remediation. |
| Mode | Select a mode from the following options: |
| Notification Group | Click on the Select Group button to select a user group to be notified of threat incidents detected post-delivery. |
| Exclude Group From Remediation | Click on the Select Group button to select a user group to be excluded from threat remediation. |