This article provides a high-level overview of how Mimecast Email Incident Response (MEIR) works and how to get it up and running. It is intended for Administrators.
Quickstart
After MEIR is enabled on a customer account, you will need to configure the following items:
- Configure end user reporting to allow your end users to report messages directly to the Mimecast Threat Response Operations (TRO) team. More information: Reporting Messages.
- Configure Threat Remediation to allow TRO to remediate malicious messages. More information: Threat Remediation.
The following is optional but highly recommended:
- Configure Journaling to allow TRO to remediate internal malicious messages. More information: Journaling Guides.
- Configure End User Feedback so end users will receive the outcome of the investigation. More information: End User Feedback.
Workflow
Message Reporting
Mimecast provides different methods of message reporting, which include:
- For end users, we have a direct integration with Microsoft Outlook.
- For end users, there is also a Microsoft Outlook add-in that can be deployed.
- An administrator can report directly to us via the Mimecast Administration Console.
More information: MEIR in Analysis & Response - Reporting Messages.
Triaging & Investigation
Mimecast has extensive automation in place to review reported messages in a timely fashion. Additionally, in cases where these tools are not certain, a TRO analyst is engaged to investigate. The analyst's investigation, in turn, strengthens Mimecast's automations.
Follow-up Actions
TRO follow-up actions are both preventative and remedial. Firstly, TRO uses Mimecast's Threat Remediation to remove any malicious reported messages and similar messages from your account. This prevents the attack from continuing.
TRO also implements updates to Mimecast’s detection stack on a global level to prevent the same or similar messages from being delivered in future.
More information: MEIR in Analysis & Response - Mimecast TRO Actions.
Feedback
There are two methods of Feedback. Depending on the configuration, we can provide feedback directly to your end user. This lets the end user know the outcome of the investigation and encourages them to keep reporting messages.
More information: MEIR in Analysis & Response - End User Feedback.
The second type of feedback is focused on sharing as much threat intel as possible with you. MEIR is integrated in Analysis & Response and enriches the reported-message data with information from MSOC. Similar information is provided via a Public API.
More information: MEIR in Analysis & Response - Dashboard and MEIR in Analysis & Response - Integrations & Public API.
Information that is not covered in the pages linked here may be found in MEIR in Analysis & Response - FAQ.