CyberGraph 2.0 - Troubleshooting Guide

Updated

This article contains information on configuring and troubleshooting CyberGraph 2.0, including banner application, testing, policy settings, image loading, dashboard data issues, SSO authentication, and Misaddressed Email Protection (MEP). Please be sure to reference all the feature articles in the CyberGraph 2.0 documentation set. Here CyberGraph 2.0 - Overview

The initial configuration should be applied to a sub-organization for testing and propagation. Once testing is complete, the configuration must be updated to apply to the entire organization.

Operational Issues

Why Does the Email Have a Banner or Not?

  •  
    •  
      • If the email doesn’t have a banner, check your settings to make sure the internal domains are not safe-listed. See: Cybergraph 2.0 - Settings Domain Safelist 
      • Perform a banner search to view the email to see if a banner rule should have been applied. See: CyberGraph - CyberGraph 2.0 - Dynamic Banner Search 
        • The most direct way to search is to use the Message ID of the email in question (making sure to set the appropriate date range to match the date the email was received). 
        • Otherwise, you may need to narrow down the email using multiple pieces of information, including the type of banner (info/warning/etc., or lack of banner), the sender and/or recipient addresses, or the subject line.
        • Once the appropriate email is found in Banner Search, the type of banner, if triggered, will show, and by hovering your cursor over the Rule(s) Triggered lozenge in the Reasons column, you can view what parts of the email triggered the banner. Note: It is possible for multiple rules to trigger a banner, and all causes would need to be addressed in future emails unless you choose to whitelist the sender.
        • If the email does not have a banner, the Reason column will state the determination on the email for not adding a banner. This can include a strong communication history with the sender, whitelisting of the sending domain, use of the Targeted Banner setting, etc. 
        • Check your Policies to make sure they are scoped correctly. See: CyberGraph 2.0 - Policy Configuration
        • This policy area determines if Cybergraph features apply to your users or not and which users are in the active set. If the policy for a certain user group is set to Disabled or Learning Mode, no banners will be applied to emails sent to the users defined in that policy. However, if you have a CyberGraph policy set up with Learning Mode enabled, and the Policy Override is also activated, the Override will take priority over the CyberGraph policy that is applied to specific users or groups.

  •  
    •  
      •  
        • Check your settings to see if Targeted or Broad is set within the Quantity of Banner Configuration area. See: Cybergraph 2.0 - Configuration Settings Banners
        • Targeted Bannering: CyberGraph uses machine learning/AI to decide if a banner is applied or not. In targeted bannering, CyberGraph assesses message risk based on the organization's social graph messaging history and doesn't display a banner if related activity in the organization indicates the sender is safe. This can reduce the quantity of banners by up to 40%.
        • Broad Bannering: All inbound emails will have a banner applied if they meet the rules criteria for a banner.

How Can I Test if the Banners Are Working?

You can send an Inbound Mail to your corporate account from Gmail or any other external domain. If you have not sent from that address since implementing CyberGraph, it should trigger the first mail inbound rule (blue banner). Or ask your Mimecast implementation consultant or technical account manager to send you such a mail. Mimecast employees can utilize internal tools to test banner displays. 

Testing the Banner Display Function with the Quantity of Banner configuration set to Targeted could result in the banner being suppressed. Only attempt this test with Broad as the setting.

How does CyberGraph treat messages sent to Distribution Lists when determining Banner Application?

Distribution List membership is resolved at the customer email server level, not by Mimecast. Therefore, if a banner is applied to an email sent to a distribution list, the entire list membership will receive the email containing the banner. This would also include external list members. If the banner is clicked and reported, that setting is treated as if it were reported by the entire distribution list, and if different reports were made by different members of the list, Cybergraph would treat that circumstance like a single user reporting differently over time.

 

Related to this, are complications with the bannering of messages addressed to Shared Mailboxes and users with mail aliases.
See CyberGraph 2.0 - FAQs for more information.

Body content not displaying correctly

When a user interacts (replies or forwards) with an email, the body of the message is sometimes malformed or appears missing. This happens when an HTML message is converted to plain text.

To fix this, customers can change the Outlook configuration to update Compose message in this format to HTML if possible to avoid losing out on table data.

If the customer is looking to use ABEC only, the customer can configure cybergraph learning if there is any restriction using plain text emails.

  1. Classic windows outlook
2025-11-07_11-45-26.png
  1. Outlook web
2025-11-07_11-51-50.png
  1. Outlook new (when replying or forwarding, use source formatting enabled from below screenshot)
2025-11-07_12-30-02.png

Removing the "Report or Mark Safe" text from the Banners in Settings.

To remove the text entirely, you must disable user reporting in the CyberGraph Policies area. The option to disable user reporting will only be visible if Dynamic Banners are set to Enabled within the policy. See: CyberGraph - CyberGraph 2.0 - Policy Configuration

Images not Loading in Emails.  

  •  
    •  
      • This could be a trusted site issue (see below) or a transient CyberGraph resource issue involving the CyberGraph Tracker feature (Image Tracker Removal). Tracker strips all externally hosted images and rehosts on Mimecast servers. This means any tracking information the sender gets is about Mimecast, not the end user. For more information on this feature, see CyberGraph - CyberGraph 2.0 - Trackers.
      • Otherwise, the rehosted images should be displayed on the email without issue. If they do not, and you've confirmed that Trusted Sites within Outlook are correctly configured, this is something that needs to be reported to Mimecast Support. Resource issues are rare and transient, but they can happen. If it happens only once or very rarely, and you cannot reproduce on demand, it will be difficult for Mimecast Support to investigate.

Banners or Images are not Displaying Correctly (seem to be present but not correctly displayed):

  •  
    •  
      • Check the email for a red X. This means that your trusted sites are not configured correctly. Usually, you’ll see a broken image icon or the red X if the problem stems from misconfigured trusted sites. See: CyberGraph - CyberGraph 2.0 - Trusted Sites. If you still have questions, please consult with Microsoft on how to use their Trusted Sites feature.
      • Other banner rendering issues, for example, banner blocking text or can't copy and paste.
      • Before calling Support, try to view the message in another email or on another computer to help isolate if it is a specific software or machine-level issue or broader. You can also try to switch from Dynamic Banners to static text banners to assess the impact.
      • Issues with banner interaction (clicking of banners and opening/connection of browser functions): These are rare, but if they occur, they could be caused by network issues, DNS issues, client-based web filter issues, or issues with browser caching.

The Dashboard doesn’t show any Data

  •  
    •  
      • Mimecast Support can help you to produce a HAR file/network capture. If support is not able to easily recreate this, it’s possible you have an advanced firewall blocking CyberGraph. This is usually caused by a tool like Cisco Umbrella/SSL Inspection. You need to allow CyberGraph IPs in these systems so that the dashboard can load the data.
      • Note: If the problem is limited to the most recent 24 hours, it may be due to the storage of CyberGraph data in UTC time, which results in a delay in the "Last 24 hours" of information display.

Authentication

  •  
    •  
      • Login less: The information relating to the reporting user is encrypted in the Reporting button's URL. No configuration is required for the CyberGraph administrator.
      • SSO: SSO problems may surface as repeated requests to end users to authenticate for banner reporting. CyberGraph 2.0 end-user SSO Authentication works through Mimecast Authentication Profiles. So, any Mimecast admin can troubleshoot SAML settings. Standard SAML troubleshooting processes apply, and SAML-related incidents are strongly likely to cause authentication failures in other parts of Cloud Gateway, not just in CyberGraph.  As such, SAML failures are unlikely to be an exclusive CyberGraph case type. For basic SSO setup guidance, see: CyberGraph - Cybergraph 2.0 - Single Sign-On

Misaddressed Email Protection (MEP)

Issues with MEP are rare. The most frequent questions are around false positive matching and holds. These would need to be analyzed by the engineering team. However, see the Admin Guide link that follows for an explanation of how names match and hold work. The holds should resolve themselves via strong Authentication establishment after a few emails. Misaddressed Email Protect Administrator Guide 

Related to

Was this article helpful?
0 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.