This article contains information on managing Mimecast Threat Remediation incidents, including viewing, searching, filtering, and exporting incidents, understanding failure reasons, and handling message tracking errors.
Incidents correspond to a Threat Remediation event and display all the associated messages by the recipient. This guide describes how to access and search the incident queue. For example, from the Incidents Tab, you can:
-
-
- View full details of remediation occurrences, including actions taken and the number of removed or restored messages.
- View individual message details in full to investigate a potential threat or the history of a message.
- Manually remove a malicious message from the user's mailbox or restore it if it's later deemed safe.
- Export a single or multiple incidents to a file.
-
See the Threat Remediation: Removing / Restoring Messages page for further details on actioning messages.
Viewing Incidents
Incident records are kept for up to one year.
You can view the incident queue using the following steps:
- Log on to the Mimecast Administration Console.
- Navigate to Services | Threat Remediation menu item. The Threat Remediation home page is displayed.
- Either click on the:
-
-
- Incidents tab.
- View All Incidents link in the bottom right corner.
-
- Incidents are displayed in a queue by date order, with the following information displayed:
| Column | Description |
| Incident ID | The unique ID code that is assigned to the incident. For more information, view the Incident IDs section of the Targeted Threat Protection: Remediation Overview page. |
| Type |
Indicates the type of incident, dependent on the settings selected on the Settings page:
|
| Date Created | The date and time the incident first occurred. |
| Last Updated | The date and time of the incident were last updated. |
| File Hash / Message ID | The unique file hash is assigned to the message to identify potential threats. |
| Reason | The reason for the incident (e.g., "Restoring a message"). |
| Identified Messages | The number of identified/actioned messages in the incident. |
| Removed Messages | The number of messages identified as a threat and successfully removed from the user's mailbox. |
| Failed Messages | The number of messages identified as a threat that Mimecast couldn't remove from the user's mailbox. This could be due to various factors (the user has already deleted, e.g., connection issues, the message). |
| Restored Messages | The number of identified messages was confirmed safe and restored to the user's mailbox. |
Viewing Failure Reasons
When viewing incidents, you can also view Failure Reasons to do this:
Follow the above steps and then select an incident to view the summary. At the bottom of the summary, there will be a Failure Reason.
Other failure reasons that might appear are as follows:
-
-
- Message was not found in mailbox.
- Message was not restored.
- No recipient address was found on the email.
- No connections are configured for the mailbox.
- No connection for the user.
-
Searching Incidents
You can search for an incident or filter your results by the following steps:
- Click on the down arrow next to All and select one of the following options:
-
-
- Incident ID: Search by the known incident ID displayed in the Incidents or Logs tabs.
- Reason: Search for the incident by the known assigned cause (e.g., "Removing a restore," "Removing messages by ID").
-
- Enter any known message/data identifiers in the Search field.
- Click on the magnifying glass icon or press the Enter key. Your search results display.
Exporting Incidents
You can export incident data to a .csv file by the following steps:
- Click on the Export Data button from either:
-
-
- The Incidents queue to download the complete list.
- The page of an individual incident to download the message data for the particular incident.
-
- The Export Logs Data panel slides into view. Select the boxes of any data columns you want to include in the export.
- Click on the Download button. The CSV file downloads to your machine's desktop.
Filtering Incidents
To filter the Incidents queue, you can select from the following options:
- Date Range: Select a time from the drop-down menu. Optionally, click on Custom Range to display a date/time picker.
- Filters: All incident types display by default. Select from the following options:
-
-
- Notify Only: Displays incidents where the Administrator is notified, but no action has been taken.
- Automatic: Displays incidents that have been automatically removed, with the Administrator notified.
- Manual: Displays incidents on which the Administrator has manually acted.
- MEP Clawback: Displays incidents where Misaddressed Email Protect was used to remove misaddressed emails from internal users' local mailboxes.
- Restore: Displays incidents confirmed as safe and restored to the user's mailbox.
-
- Show: By default, 50 incidents are displayed in the queue per page. Select between 50 and 300 incidents per page.
- Custom Settings: Click the cogwheel icon in the top right corner to display a pop-out panel. Select the boxes of any columns you want to view and click the Apply button. Your custom selections display.
Message Tracking Error
If an administrator attempts to view details of a message made part of an incident before it reaches the archive, they will receive the following error within the Message Tracking Details panel.
Comments
Please sign in to leave a comment.