Threat Intelligence & Remediation - Threat Remediation

This article contains information on Mimecast Threat Remediation, including managing incidents, enabling remediation settings, searching for threats, removing or restoring messages, and navigating the Overview, Search, Incidents, and Logs tabs.

Threat Remediation forms part of Targeted Threat Protection - Internal Email Protect and helps protect your internal, outbound, and delivered messages from malware and sensitive content. Threat Remediation allows:

  • Automatic remediation of any newly found, zero-day attachment-based malware detected in your users' mailboxes, leveraging global threat intelligence to continuously monitor files post-delivery. This provides automatic protection if a delivered attachment turns out to be bad, by actively searching your users' accounts for newly identified malicious attachments and instigating removal.
  • Notification to administrators of any newly identified malicious attachments found in your email environment, so that you can remove the messages manually from the Administration Console.
  • A manual restore function that lets you "undo" remediation events.

How Threat Remediation Works

When an attachment is received, a unique hash is created before it's delivered to the user. If the attachment is later recognized as malicious, the hash is used to remediate the attachment from the user's mailbox, and the user is notified of the removal.

While this feature primarily removes malicious attachments, it also works by message ID, meaning a whole message can be identified as harmful; in that case, all attachments associated with the message are marked as threats. Depending on the settings chosen, Threat Remediation either initiates removal automatically or notifies the administrator to take action manually against the threat.
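As an added illustration (not Mimecast's code), the following Python model shows the mechanism described above: attachments are hashed before delivery, a later malicious verdict is resolved either by file hash or by message ID (in which case every attachment of that message is marked), an excluded group is honoured, and the Notify Only / Automatic mode decides whether copies are actually removed. All class, method and sample names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Delivered:
    """One delivered copy of a message (constructed model, not Mimecast's code)."""
    message_id: str
    mailbox: str
    attachment_hashes: frozenset

class RemediationIndex:
    """Hash attachments at delivery; act on a later verdict by hash or by message ID."""
    def __init__(self, mode="Notify Only", excluded_mailboxes=()):
        if mode not in ("Notify Only", "Automatic"):
            raise ValueError(f"unknown mode: {mode!r}")
        self.mode = mode
        self.excluded = set(excluded_mailboxes)   # "Exclude Group From Remediation"
        self.by_hash = {}                          # sha256 hex -> [Delivered, ...]
        self.by_message = {}                       # message ID -> [Delivered, ...]
        self.removed = []                          # copies actually pulled from mailboxes
        self.notifications = []                    # (action code, affected copies)

    def record_delivery(self, message_id, mailbox, attachments):
        # Hash every attachment before the copy lands in the user's mailbox.
        hashes = frozenset(hashlib.sha256(a).hexdigest() for a in attachments)
        copy = Delivered(message_id, mailbox, hashes)
        self.by_message.setdefault(message_id, []).append(copy)
        for h in hashes:
            self.by_hash.setdefault(h, []).append(copy)
        return hashes

    def verdict(self, *, file_hash=None, message_id=None):
        """Apply a post-delivery malicious verdict; returns (action code, threat hashes, copies).
        Codes follow the page's incident ID suffix: A removed automatically, N notified only."""
        if file_hash is not None:
            copies = list(self.by_hash.get(file_hash, []))
            threats = {file_hash}
        elif message_id is not None:
            # Whole message deemed harmful: every attachment of it is marked as a threat.
            copies = list(self.by_message.get(message_id, []))
            threats = set().union(*(c.attachment_hashes for c in copies)) if copies else set()
        else:
            raise ValueError("a verdict needs a file hash or a message ID")
        copies = [c for c in copies if c.mailbox not in self.excluded]
        code = "A" if self.mode == "Automatic" else "N"
        if code == "A":
            self.removed.extend(copies)
        self.notifications.append((code, [(c.message_id, c.mailbox) for c in copies]))
        return code, threats, copies
```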

When a new threat is identified and automatic remediation is enabled, an email notification is sent to an administrator group.

The notification includes the Incident ID and the File Hash, which can later be used to locate the particular incident quickly.

To manage the incident:

  1. Click on the Manage Incident button in the notification.
  2. Log on to the Administration Console if you haven't done so already. The incident displays.
  3. Click on the Email Header to view the full details of the attachment/message. If the message is deemed threatening, you can manually remove it.

    See the Threat Remediation - Removing / Restoring Messages page for further information on actioning incidents.

Prerequisites

Threat Remediation requires:

  • A Basic Administrator role in Mimecast.
  • Global Administrator access in Microsoft 365.
  • A Connector. View the Managing Connectors page for more information.
  • The following permissions, which you grant to complete setup:

    Threat Remediation permissions

    MS Entra App Permission: full_access_as_app
    Common Name: full_access_as_app
    Application / Delegate Identifier: 00000002-0000-0ff1-ce00-000000000000
    Permission Description: Use Exchange Web Services (EWS) with full access to all mailboxes.
    MS KB Permissions Reference: N/A

    MS Entra App Permission: Domain.Read.All
    Common Name: Read domains
    Application / Delegate Identifier: dbb9058a-0e50-45d7-ae91-66909b5d4664
    Permission Description: Allows the app to read all domain properties without a signed-in user.
    MS KB Permissions Reference: Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn

    MS Entra App Permission: User.Read
    Common Name: Sign in and read user profile
    Application / Delegate Identifier: e1fe6dd8-ba31-4d61-89e7-88639da4683d
    Permission Description: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
    MS KB Permissions Reference: Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
  • An active Exchange 2013 (or later), Exchange Online platform, or an active Google Workspace account.
  • Your Mimecast account needs to have some level of retention. Threat Remediation searches against the data held in our stores. If your Mimecast account's maximum retention is 30 days, the results will span the last 30 days.

Google Workspace currently only supports automatic remediation of file attachments and manual remediation of entire messages.

Enabling Threat Remediation

Once enabled, end-user accounts are searched for newly identified malicious attachments in the user's archive.

To enable Threat Remediation:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Services | Threat Remediation.
  3. Click on the Settings tab.

    Alternatively, click on the Update Settings button in the pop-up message.

  4. Configure your Mailbox Settings:

     Status: Toggle the status to enable or disable Threat Remediation.

     Mode: Select from the drop-down menu what happens when we find a harmful attachment:
       • Notify Only: The administrator is notified that a threat has been identified and needs to take action manually.
       • Automatic: The identified messages are automatically removed, and the administrator is notified.
     You can manually act on a message whether you are in Notify Only or Automatic mode.

     Notification Group: Click the Select Group button to select a user group to be notified when a harmful attachment is detected. A sliding panel is displayed that allows you to choose a group from one of the following tabs:
       • Active Directory Groups: Use the search field to find the group in your Active Directory.
       • Local Groups: Use the search field to find the group in your local directory.
     Notifications aren't sent for manually created events.

     Exclude Group From Remediation (Optional): Click on the Select Group button to exclude a particular group of users from having Threat Remediation applied. You can select an Active Directory or local directory group, as described above.

  5. Configure your Device Settings to remediate saved attachments on end-user devices using the Mimecast Security Agent.

     These settings are only available if you've enabled Mimecast Web Security on your account. For further details, see the Remediating Saved Attachments page.

     Saved Attachment Remediation: If enabled, the Mimecast Security Agent can remediate messages and file attachments stored on the end user's device.
     Notifications: If enabled, end users are notified when a file is remediated from their device.

  6. Click on the Save button.

The Threat Remediation Home Page

The Threat Remediation home page has the following additional tabs:

  • Overview: This default tab summarizes the latest remediation incidents and logs. It also allows you to search for a particular file or message if required.
  • Search: This tab allows you to search for particular messages and threats.
  • Incidents: This tab summarizes the last five remediation events, including the number of identified, removed, failed, or restored messages.
  • Logs: This tab displays the last five actions taken against incidents. The bottom right corner includes a View All Logs link to access the full log queue.
  • Settings: Displays your Status and Mode settings.

Overview Tab

This is the default tab. It displays a summary of the latest remediation incidents and logs and allows you to search for a particular file or message if necessary.

Search Tab

The Search Tab allows you to search for specific threats.

The Select All items feature works on a per-page basis. As such, selections do not persist across multiple pages. Navigating away from the currently viewed page will reset the selected items.

To search for a message by Data:

  1. Enter one or more of the following:
      • Enter an Email Address or Domain into the From field.
      • Enter a Subject line.
      • Enter a file hash in the Attachment File Hash field.

        The hash is displayed in the email notification sent to administrators or in the Message Details panel under the message body in Message Tracking.

      • Enter a URL in the URL field.

         Only URLs contained within the body of an email can be searched. Both Mimecast re-written and original URLs can be searched.

        Enter a URI (Uniform Resource Identifier) in the URL search box, such as https://www.mimecast.com.

        The first 150 URLs in an email are extracted and available for search.

        URLs within messages before the date the URL search feature is deployed will not be searchable.

        For existing customers who have Internal Email Protect, URLs within messages before the date of purchase of Internal Email Protect will not be searchable.

  2. Use the drop-down to select a Date range to search within.
  3. Click on the Search button. The results display.

To search for a message by ID:

  1. Click on the Search by ID tab.
  2. Enter the Message ID.
  3. Click on the Search button. The results are displayed with each message recipient on a single row.
      • Remove Messages - The Remove Messages button cannot be used until you’ve selected one or more messages. To remove a message:
        • Select a message and click Remove Messages. A dialog appears, alerting you of any consequences of this option.
        • Enter a reason for the deletion. This is mandatory.
        • Click Remove.
      • Export Results - This option allows you to export your results to an external document.

Click on a message to view further details. It opens in the Message Details side panel, which has three columns (Message, Header, and Status), described under Message Details below.

Incidents Tab

By default, the Incidents pane within the Overview tab displays the last five remediation events. The information displayed includes the number of identified, removed, failed, or restored messages.

The pane also includes a View all Incidents link to access the full incident queue in the bottom right corner. Clicking the Incidents tab will also take you to the full Incident queue.

Recorded incidents use an Incident ID in the format TR-XXXX-00000-X. Each block of the ID is explained at the end of the Message Details section below.

See the Viewing Incidents page for more information on viewing and exporting data from Incidents.

Logs Tab

By default, the Logs pane within the Overview tab displays a summary of the latest five actions taken against incidents. The tab also includes a View all logs link in the bottom right corner to access the full logs queue.

Clicking on the Logs Tab will also take you to the full logs queue.

The failure reason will be displayed in the Message status column of the logs table for any of the messages that failed to remediate or restore.

See the Viewing Logs page for more information on viewing and exporting data from Logs.

Settings Tab

Your current settings are displayed in the Settings widget at the bottom left corner of the Overview page. Click on the View all Settings link, or click on the Settings tab to edit your settings as outlined below:

Status: Toggle the option to enable/disable Threat Remediation.
Mode: Select a mode from the following options:
  • Notify Only - Select this option to be notified only of an attachment threat post-delivery, with no further action taken.
  • Automatic - The identified messages are automatically removed, and the administrator is notified.
Notification Group: Click the Select Group button to select a user group to be notified of threat incidents detected post-delivery.
Exclude Group From Remediation: Click on the Select Group button to select a user group to be excluded from Threat Remediation.
Saved Attachment Remediation: Toggle the option to enable/disable Saved Attachment Remediation.
Notifications: Select to notify device users.

Message Details

Message Details for an incident can be accessed from the Overview tab (via the Incidents or Logs pane) by clicking on an incident, clicking on the Messages tab, then clicking on "..." | View Details.

From the Search, Incidents, and Logs tabs, click on "..." | View Details for an incident, click on the Messages tab, then click on "..." | View Details again.

The Message Details panel has three columns:

      • Message: This tab lists details about the message.
        • Summary: This is the default view, and displays the message's summary, including the envelope and header information, and when the message was sent/received. It includes the failure reason for any messages that failed to remediate or restore.
        • Attachments: This option displays any attachments. Click on the Show More link to display the full attachment list. Alternatively, click on the three-dot icon to preview or download an attachment.
        • Message Body: Displays the message's body in HTML by default. 
      • Header: This tab displays the message’s header information in plain text.
      • Status: This tab lists the message's recipients and status. This includes a failure reason if any of the messages failed to remediate or restore within the status view.
        A Search Bar allows you to find specific messages or recipients.

The Incident ID format TR-XXXX-00000-X breaks down as follows:
  • The first block, XXXX, is your Mimecast customer account code.
  • The second block, 00000, is the incremental incident number. This number remains the same when multiple actions are performed on the same incident.
  • The third block, X, indicates the action that was taken:
    • A: We removed the message automatically upon the discovery of a threat.
    • N: The message matches a threat we found, and the administrator was notified.
    • M: The administrator manually removed the message.
    • R: The message was restored to the user's mailbox due to a remediation error or a false identification.
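As an added example (not Mimecast's code, and not its real log format), this Python snippet parses Incident IDs in the TR-XXXX-00000-X format from constructed log lines, groups actions by incident number (which stays fixed across actions on one incident), and flags incidents that were removed and later restored, which are worth a false-positive review. The alphanumeric account code and the log line layout are assumptions.

```python
import re
from collections import defaultdict

# Incident ID format from the page: TR-XXXX-00000-X. The account code is assumed alphanumeric.
INCIDENT_ID = re.compile(r"^TR-(?P<account>[A-Z0-9]{4})-(?P<number>\d{5})-(?P<action>[ANMR])$")
ACTIONS = {"A": "removed automatically", "N": "notified only",
           "M": "removed manually", "R": "restored"}

# Constructed sample log lines (not real Mimecast output): <timestamp> <incident ID> <status>.
SAMPLE_LOGS = [
    "2024-01-05T10:02:11Z TR-ACME-00017-N identified",
    "2024-01-05T10:30:45Z TR-ACME-00017-M removed",
    "2024-01-06T09:12:00Z TR-ACME-00017-R restored",
    "2024-01-07T14:00:03Z TR-ACME-00018-A removed",
    "2024-01-07T14:00:09Z TR-ACME-00019-N identified",
]

def parse_incident_id(incident_id):
    """Split an ID into account code, incident number and action; reject anything else."""
    m = INCIDENT_ID.match(incident_id)
    if not m:
        raise ValueError(f"not a Threat Remediation incident ID: {incident_id!r}")
    return {"account": m["account"], "number": int(m["number"]), "action": m["action"]}

def incident_history(log_lines):
    """Group action letters by incident number, in log order."""
    history = defaultdict(list)
    for line in log_lines:
        info = parse_incident_id(line.split()[1])
        history[info["number"]].append(info["action"])
    return dict(history)

def removed_then_restored(history):
    """Incidents where a removal (A or M) was later undone (R): false-positive review candidates."""
    out = []
    for number, actions in sorted(history.items()):
        if "R" in actions and any(a in ("A", "M") for a in actions[:actions.index("R")]):
            out.append(number)
    return out

def open_notifications(history):
    """Notify Only incidents (N) with no administrator follow-up (no M or R) yet."""
    return sorted(n for n, acts in history.items() if acts[-1] == "N")

if __name__ == "__main__":
    hist = incident_history(SAMPLE_LOGS)
    for n in removed_then_restored(hist):
        print(f"incident {n:05d}: " + " -> ".join(ACTIONS[a] for a in hist[n]))
```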