Mimecast v2
This Integration is part of the Mimecast Pack.#
Mimecast unified email management offers cloud email services for email security, continuity and archiving emails. Please read detailed instructions in order to understand how to set the integration's parameters.
Use Cases
- Mimecast account administration.
Detailed Description
- 1. In order to refresh token / discover auth types of the account / create new access & secret keys, you are required to provide: App ID, Account email address & password. These parameters support the following integration commands: mimecast-login -> fetches new access key & secret key mimecast-discover -> lists supported auth types of user mimecast-refresh-token -> refreshes the validity duration of access key & secret key (3 days)
- 2. In order to use the rest of the commands, you are required to provide: App ID, App Key, Access Key, and Secret Key. For detailed information about creating these fields, please refer to the Mimecast Documentation .
- 3. Fetch Incidents - the integration has the ability to fetch 3 types of incidents: url, attachment & impersonation. In order to activate them first tick "fetch incidents" box, then tick the relevant boxes for each fetch type you want.
Fetch Incidents
Populate this section with Fetch incidents data
Configure MimecastV2 on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for MimecastV2.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- BaseUrl - API url including region, For example https://eu-api.mimecast.com
- App ID
- User Email Address (Use for auto token refresh)
- Password
- App key
- AccessKey
- SecretKey
- Trust any certificate (not secure)
- Use system proxy settings
- Fetch incidents
- Fetch URL incidents
- Fetch attachment incidents
- Fetch impersonation incidents
- Incident type
- Hours before first fetch to retrieve incidents
- Click Test to validate the new instance.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Query mimecast emails: mimecast-query
- List all existing mimecast blocked sender policies: mimecast-list-blocked-sender-policies
- Get a blocked sender policy by ID: mimecast-get-policy
- Create a Blocked Sender Policy: mimecast-create-policy
- Delete a Blocked Sender Policy: mimecast-delete-policy
- Permit or block a specific sender: mimecast-manage-sender
- Get a list of all managed URLs: mimecast-list-managed-url
- Create a managed URL on Mimecast: mimecast-create-managed-url
- Get a list of messages for a given user: mimecast-list-messages
- Returns Attachment Protect logs for a Mimecast customer account: mimecast-get-attachment-logs
- Returns URL protect logs for a Mimecast customer account: mimecast-get-url-logs
- Returns Impersonation Protect logs for a Mimecast customer account: mimecast-get-impersonation-logs
- Decodes a given url from mimecast: mimecast-url-decode
- discover authentication types that are supported for your account and which base URL to use for the requesting user: mimecast-discover
- Refresh access key validity: mimecast-refresh-token
- Login to generate Access Key and Secret Key: mimecast-login
- Get the contents or metadata of a given message: mimecast-get-message
- Download attachments from a specified message: mimecast-download-attachments
- Returns the list of groups according to the specified query: mimecast-find-groups
- Returns the members list for the specified group: mimecast-get-group-members
- Adds a user to a group. The email_address and domain_adddress arguments are optional, but one of them must be supplied: mimecast-add-group-member
- Removes a user from a group. The email_address and domain_adddress arguments are optional, but one of them must be supplied: mimecast-remove-group-member
- Creates a new Mimecast group: mimecast-create-group
- Updates an existing Mimecast group: mimecast-update-group
- Creates a new Mimecast remediation incident: mimecast-create-remediation-incident
- Returns a Mimecast remediation incident: mimecast-get-remediation-incident
- Searches for one or more file hashes in the account. Maximum is 100: mimecast-search-file-hash
- Update a Blocked Sender Policy: mimecast-update-policy
1. mimecast-query
Query mimecast emails
Base Command
mimecast-query
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Archive/Search/Read.
- or Mimecast user with delegate permissions to address or user.
Input
| Argument Name | Description | Required |
|---|---|---|
| queryXml | The query string xml for the search using Mimecast Unified Search Experience (MUSE) - read more on https://community.mimecast.com/docs/DOC-2262, using this will override other query arguments | Optional |
| text | Search for this text in messages | Optional |
| dryRun | Will not execute the query, but just return the query string built | Optional |
| date | Search in specific dates only (default is all mails fomr) | Optional |
| dateFrom | Search emails from date, format YYYY-MM-DDTHH:MM:SZ (e.g. 2015-09-21T23:00:00Z) | Optional |
| dateTo | Search emails to date, format YYYY-MM-DDTHH:MM:SZ (e.g. 2015-09-21T23:00:00Z) | Optional |
| sentTo | Filter on messages to a specific address | Optional |
| sentFrom | Filter on messages from a specific address | Optional |
| subject | Search email by subject, will override the text argument | Optional |
| attachmentType | These are the attachment types available: optional - messages with and without attachments any - messages with any attachment documents - messages with doc, dot, docx, docm, dotx, dotm, pdf, rtf, html attachments spreadsheets - messages with xls, xlt, xlsx, xlsm, xltx, xltm, xlsb, xlam, csv attachments presentations - messages with ppt, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm, thms, pps attachments text - messages with txt, text, html, log attachments images - messages with jpg, jpeg, png, bmp, gif, psd, tif, tiff attachments media - messages with mp3, mp4, m4a, mpg, mpeg, avi, wav, aac, wma, mov attachments zips - messages with zip, rar, cab, gz, gzip, 7z attachments none - No attachments are to be present in the results | Optional |
| attachmentText | Search for text in attachments | Optional |
| body | Search email by text in body, will override the text and subject arguments | Optional |
| pageSize | Sets the number of results to return per page (default 25) | Optional |
| startRow | Sets the result to start returning results (default 0) | Optional |
| active | Defines if the search should query recently received messages that are not fully processed yet (default false). You can search by mailbox and date time across active messages | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Message.ID | string | Message ID |
| Mimecast.Message.Subject | string | Message subject |
| Mimecast.Message.Sender | string | Message sender address |
| Mimecast.Message.Recipient | string | Message recipient address |
| Mimecast.Message.RecievedDate | date | Message received date |
| Mimecast.Message.Size | number | The size of the message in bytes |
| Mimecast.Message.AttachmentCount | number | Message attachments count |
| Mimecast.Message.Status | string | Message status |
Command Example
!mimecast-query
Human Readable Output
2. mimecast-list-blocked-sender-policies
List all existing mimecast blocked sender policies
Base Command
mimecast-list-blocked-sender-policies
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Gateway/Policies/Read.
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Policy.ID | string | Policy ID |
| Mimecast.Policy.Sender.Address | string | Block Sender by email address |
| Mimecast.Policy.Sender.Domain | string | Block Sender by domain |
| Mimecast.Policy.Sender.Group | string | Block Sender by group |
| Mimecast.Policy.Bidirectional | boolean | Blocked policy is Bidirectional or not |
| Mimecast.Policy.Receiver.Address | string | Block emails to Receiver type address |
| Mimecast.Policy.Receiver.Domain | string | Block emails to Receiver type domain |
| Mimecast.Policy.Receiver.Group | string | Block emails to Receiver type group |
| Mimecast.Policy.FromDate | date | Policy validation start date |
| Mimecast.Policy.ToDate | date | Policy expiration date |
| Mimecast.Policy.Sender.Type | string | Block emails to Sender type |
| Mimecast.Policy.Receiver.Type | string | Block emails to Receiver type |
Command Example
!mimecast-list-blocked-sender-policies
Human Readable Output
3. mimecast-get-policy
Get a blocked sender policy by ID
Base Command
mimecast-get-policy
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Gateway/Policies/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| policyID | Filter by policy ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Policy.ID | string | Policy ID |
| Mimecast.Policy.Sender.Address | string | Block Sender by email address |
| Mimecast.Policy.Sender.Domain | string | Block Sender by domain |
| Mimecast.Policy.Sender.Group | string | Block Sender by group |
| Mimecast.Policy.Bidirectional | boolean | Blocked policy is Bidirectional or not |
| Mimecast.Policy.Receiver.Address | string | Block emails to Receiver type address |
| Mimecast.Policy.Receiver.Domain | string | Block emails to Receiver type domain |
| Mimecast.Policy.Receiver.Group | string | Block emails to Receiver type group |
| Mimecast.Policy.Fromdate | date | Policy validation start date |
| Mimecast.Policy.Todate | date | Policy expiration date |
Command Example
!mimecast-get-policy policyID=XXXX
Human Readable Output
4. mimecast-create-policy
Create a Blocked Sender Policy
Base Command
mimecast-create-policy
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Gateway/Policies/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| description | Policy description | Required |
| fromPart | Addresses based on | Optional |
| fromType | Blocked Sender type | Required |
| fromValue | Required if fromType is one of email domain, profile group, individual email address. Expected values: If fromType is email_domain, a domain name without the @ symbol. If fromType is profile_group, the ID of the profile group. If fromType is individual_email_address, an email address. | Optional |
| toType | Receiver type | Required |
| toValue | Required if fromType is one of email domain, profile group, individual email address. Expected values: If toType is email_domain, a domain name without the @ symbol. If toType is profile_group, the ID of the profile group. If toType is individual_email_address, an email address. | Optional |
| option | The block option, must be one of: no_action, block_sender. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Policy.ID | string | Policy ID |
| Mimecast.Policy.Sender.Address | string | Block Sender by email address |
| Mimecast.Policy.Sender.Domain | string | Block Sender by domain |
| Mimecast.Policy.Sender.Group | string | Block Sender by group |
| Mimecast.Policy.Bidirectional | boolean | Blocked policy is Bidirectional or not |
| Mimecast.Policy.Receiver.Address | string | Block emails to Receiver type address |
| Mimecast.Policy.Receiver.Domain | string | Block emails to Receiver type domain |
| Mimecast.Policy.Receiver.Group | string | Block emails to Receiver type group |
| Mimecast.Policy.Fromdate | date | Policy validation start date |
| Mimecast.Policy.Todate | date | Policy expiration date |
Command Example
!mimecast-create-policy fromType=email_domain description="Description for group" option=block_sender toType=address_attribute_value
Human Readable Output
5. mimecast-delete-policy
Delete a Blocked Sender Policy
Base Command
mimecast-delete-policy
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Gateway/Policies/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| policyID | Policy ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Policy.ID | string | Policy ID |
Command Example
!mimecast-delete-policy policyID=XXXX
Human Readable Output
6. mimecast-manage-sender
Permit or block a specific sender
Base Command
mimecast-manage-sender
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Gateway/Managed Senders/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| sender | The email address of sender to permit or block | Required |
| recipient | The email address of recipient to permit or block | Required |
| action | Choose to either "permit" (to bypass spam checks) or "block" (to reject the email) | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Managed.Sender | string | The email address of the sender |
| Mimecast.Managed.Recipient | string | The email address of the recipient |
| Mimecast.Managed.Action | string | Chosen action |
| Mimecast.Managed.ID | string | The Mimecast secure ID of the managed sender object. |
Command Example
!mimecast-manage-sender action=block recipient=recipient@demisto.com sender=sender@demisto.com
Human Readable Output
7. mimecast-list-managed-url
Get a list of all managed URLs
Base Command
mimecast-list-managed-url
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Services/ Targeted Threat Protection - URL Protect /Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| url | Filter results by specific URL | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.URL.Domain | string | The managed domain |
| Mimecast.URL.Disablelogclick | boolean | If logging of user clicks on the URL is disabled |
| Mimecast.URL.Action | string | Either block of permit |
| Mimecast.URL.Path | string | The path of the managed URL |
| Mimecast.URL.matchType | string | Either explicit - applies to the full URL or domain - applies to all URL values in the domain |
| Mimecast.URL.ID | string | The Mimecast secure ID of the managed URL |
| Mimecast.URL.disableRewrite | boolean | If rewriting of this URL in emails is disabled |
Command Example
!mimecast-list-managed-url
Human Readable Output
8. mimecast-create-managed-url
Create a managed URL on Mimecast
Base Command
mimecast-create-managed-url
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Services/ Targeted Threat Protection - URL Protect /Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to block or permit. Do not include a fragment (#). | Required |
| action | Set to "block" to blacklist the URL, "permit" to whitelist it | Required |
| matchType | Set to "explicit" to block or permit only instances of the full URL. Set to "domain" to block or permit any URL with the same domain | Optional |
| disableRewrite | Disable rewriting of this URL in emails. Applies only if action = "permit". Default false | Optional |
| comment | Add a comment about the managed URL | Optional |
| disableUserAwareness | Disable User Awareness challenges for this URL. Applies only if action = "permit". Default false | Optional |
| disableLogClick | Disable logging of user clicks on the URL. Default is false | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.URL.Domain | string | The managed domain |
| Mimecast.URL.Action | string | Either block of permit |
| Mimecast.URL.disableLogClick | string | If logging of user clicks on the URL is disabled |
| Mimecast.URL.matchType | string | Either explicit - applies to the full URL or domain - applies to all URL values in the domain |
| Mimecast.URL.ID | string | The Mimecast secure ID of the managed URL |
| Mimecast.URL.disableRewrite | boolean | If rewriting of this URL in emails is disabled |
Command Example
!mimecast-create-managed-url action=block url="www.not-demisto.com"
Human Readable Output
9. mimecast-list-messages
Get a list of messages for a given user
Base Command
mimecast-list-messages
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Archive/Search/Read.
- or Mimecast user with delegate permissions to address or user.
Input
| Argument Name | Description | Required |
|---|---|---|
| mailbox | The email address to return the message list for | Optional |
| startTime | The start date of messages to return, in the following format, 2015-11-16T14:49:18+0000. Default is the last calendar month | Optional |
| endTime | The end date of messages to return, in the following format, 2015-11-16T14:49:18+0000. Default is the end of the current day | Optional |
| view | The message list type, must be one of: inbox or sent, default is inbox | Optional |
| subject | Filter by message subject | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Message.Subject | string | Message Subject |
| Mimecast.Message.ID | string | Message ID |
| Mimecast.Message.Size | number | The size of the message in bytes |
| Mimecast.Message.RecievedDate | date | The date the message was received |
| Mimecast.Message.From | string | The mail Sender |
| Mimecast.Message.AttachmentCount | string | The number of attachments on the message |
Command Example
!mimecast-list-messages
Human Readable Output
10. mimecast-get-attachment-logs
Returns Attachment Protect logs for a Mimecast customer account
Base Command
mimecast-get-attachment-logs
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Monitoring/Attachment Protection/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| resultsNumber | The number of results to request. Default is all | Optional |
| fromDate | Start date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is the start of the current day | Optional |
| toDate | End date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is time of request | Optional |
| resultType | Filters logs by scan result, default is malicious | Optional |
| limit | The maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.AttachmentLog.Result | string | The result of the attachment analysis: clean, malicious, unknown, or timeout |
| Mimecast.AttachmentLog.Date | date | The time at which the attachment was released from the sandbox |
| Mimecast.AttachmentLog.Sender | string | The sender of the attachment |
| Mimecast.AttachmentLog.FileName | string | The file name of the original attachment |
| Mimecast.AttachmentLog.Action | string | The action triggered for the attachment |
| Mimecast.AttachmentLog.Recipient | string | The address of the user that received the attachment |
| Mimecast.AttachmentLog.FileType | string | The file type of the attachment |
| Mimecast.AttachmentLog.Route | string | The route of the original email containing the attachment, either: inbound, outbound, internal, or external |
Command Example
!mimecast-get-attachment-logs
Human Readable Output
11. mimecast-get-url-logs
Returns URL protect logs for a Mimecast customer account
Base Command
mimecast-get-url-logs
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Monitoring/URL Protection/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| resultsNumber | The number of results to request. Default is all | Optional |
| fromDate | Start date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is the start of the current day | Optional |
| toDate | End date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is time of request | Optional |
| resultType | Filters logs by scan result, default is all | Optional |
| limit | The maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.UrlLog.Category | string | The category of the URL clicked |
| Mimecast.UrlLog.UserAddress | string | The email address of the user who clicked the link |
| Mimecast.UrlLog.URL | string | The url clicked |
| Mimecast.UrlLog.Awareness | string | The action taken by the user if user awareness was applied |
| Mimecast.UrlLog.AdminOverride | string | The action defined by the administrator for the URL |
| Mimecast.UrlLog.Date | date | The date that the URL was clicked |
| Mimecast.UrlLog.Result | string | The result of the URL scan |
| Mimecast.UrlLog.Action | string | The action that was taken for the click |
| Mimecast.UrlLog.Route | string | The route of the original email containing the attachment, either: inbound, outbound, internal, or external |
| Mimecast.UrlLog. userOverride | string | The action requested by the user. |
Command Example
!mimecast-get-url-logs
Human Readable Output
12. mimecast-get-impersonation-logs
Returns Impersonation Protect logs for a Mimecast customer account
Base Command
mimecast-get-impersonation-logs
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Monitoring/Impersonation Protection/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| resultsNumber | The number of results to request. Default is all | Optional |
| taggedMalicious | Filters for messages tagged malicious (true) or not tagged malicious (false). Omit for no tag filtering. default is true | Optional |
| searchField | The field to search,Defaults to all (meaning all of the preceding fields) | Optional |
| query | Required if searchField exists. A character string to search for in the logs. | Optional |
| identifiers | Filters logs by identifiers, can include any of newly_observed_domain, internal_user_name, repy_address_mismatch, and targeted_threat_dictionary. you can choose more then one identifier separated by comma. | Optional |
| fromDate | Start date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is the start of the current day | Optional |
| toDate | End date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is time of request | Optional |
| actions | Filters logs by action, you can choose more then one action separated by comma. | Optional |
| limit | The maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Impersonation.ResultCount | number | The total number of IMPERSONATION log lines found for the request |
| Mimecast.Impersonation.Hits | number | The number of identifiers that the message triggered |
| Mimecast.Impersonation.Malicious | boolean | Whether the message was tagged as malicious |
| Mimecast.Impersonation.SenderIP | string | The source IP address of the message |
| Mimecast.Impersonation.SenderAddress | string | The email address of the sender of the message |
| Mimecast.Impersonation.Subject | string | The subject of the email |
| Mimecast.Impersonation.Identifiers | string | The properties of the message that triggered the action: similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, and/or targeted_threat_dictionary |
| Mimecast.Impersonation.Date | date | The time at which the log was recorded |
| Mimecast.Impersonation.Action | string | The action triggered by the email |
| Mimecast.Impersonation.Policy | string | The name of the policy definition that triggered the log |
| Mimecast.Impersonation.ID | string | Impersonation Log ID |
| Mimecast.Impersonation.RecipientAddress | string | The email address of the recipient of the email |
| Mimecast.Impersonation.External | boolean | Whether the message was tagged as coming from an external address |
Command Example
!mimecast-get-impersonation-logs
Human Readable Output
13. mimecast-url-decode
Decodes a given url from mimecast
Base Command
mimecast-url-decode
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Account/Dashboard/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| url | URL to decode | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| URL.Data | string | The encoded url to parse |
| URL.Mimecast.DecodedURL | string | Parsed url |
Command Example
!mimecast-url-decode url=XXXX
Human Readable Output
14. mimecast-discover
discover authentication types that are supported for your account and which base URL to use for the requesting user.
Base Command
mimecast-discover
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Authentication.AuthenticationTypes | string | List of authentication types available to the user |
| Mimecast.Authentication.EmailAddress | string | Email address of the request sender |
| Mimecast.Authentication.EmailToken | string | Email token of the request sender |
Command Example
!mimecast-discover
Human Readable Output
15. mimecast-refresh-token
Refresh access key validity
Base Command
mimecast-refresh-token
Input
There are no input arguments for this command.
Context Output
There are no context output for this command.
Command Example
!mimecast-refresh-token
Human Readable Output
16. mimecast-login
Login to generate Access Key and Secret Key
Base Command
mimecast-login
Input
There are no input arguments for this command.
Context Output
There are no context output for this command.
Command Example
!mimecast-login
Human Readable Output
17. mimecast-get-message
Get the contents or metadata of a given message
Base Command
mimecast-get-message
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Archive/Search Content View.
- or Mimecast user with delegate permissions to address or user.
Input
| Argument Name | Description | Required |
|---|---|---|
| messageID | Message ID | Required |
| context | Defines which copy of the message part to return, must be one of: "delievered" the copy that has been processed by the Mimecast MTA with policies such as URL rewriting applied, OR "received" - the copy of the message that Mimecast originally received. (Only relevant for part argument = message or all) | Required |
| type | The message type to return. (Only relevant for part argument = message or all) | Optional |
| part | Define what message part to return - download message, get metadata or both. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Message.ID | string | Message ID |
| Mimecast.Message.Subject | string | The message subject. |
| Mimecast.Message.HeaderDate | date | The date of the message as defined in the message headers. |
| Mimecast.Message.Size | number | The message size. |
| Mimecast.Message.From | string | Sender of the message as defined in the message header. |
| Mimecast.Message.To.EmailAddress | string | Recipient of the message. |
| Mimecast.Message.ReplyTo | string | The value of the Reply-To header. |
| Mimecast.Message.CC.EmailAddress | string | Each CC recipient of the message. |
| Mimecast.Message.EnvelopeFrom | string | Sender of the message as defined in the message envelope. |
| Mimecast.Message.Headers.Name | string | Header's name. |
| Mimecast.Message.Headers.Values | string | Header's value. |
| Mimecast.Message.Attachments.FileName | string | Message attachment's file name. |
| Mimecast.Message.Attachments.SHA256 | string | Message attachment's SHA256. |
| Mimecast.Message.Attachments.ID | string | Message attachment's ID. |
| Mimecast.Message.Attachments.Size | number | Message attachment's file size. |
| Mimecast.Message.Processed | date | The date the message was processed by Mimecast in ISO 8601 format. |
| Mimecast.Message.HasHtmlBody | boolean | If the message has an HTML body part. |
| File.Size | number | File Size |
| File.SHA1 | string | SHA1 hash of the file |
| File.SHA256 | string | SHA256 hash of the file |
| File.Name | string | The sample name |
| File.SSDeep | string | SSDeep hash of the file |
| File.EntryID | string | War-Room Entry ID of the file |
| File.Info | string | Basic information of the file |
| File.Type | string | File type e.g. "PE" |
| File.MD5 | string | MD5 hash of the file |
Command Example
!mimecast-get-message context=DELIVERED messageID=XXXX
Human Readable Output
18. mimecast-download-attachments
Download attachments from a specified message
Base Command
mimecast-download-attachments
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Archive/Search Content View.
- or Mimecast user with delegate permissions to address or user.
Input
| Argument Name | Description | Required |
|---|---|---|
| attachmentID | The Mimecast ID of the message attachment to return. (Can be retrieved from mimecast-get-message) | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.Size | number | File Size |
| File.SHA1 | string | SHA1 hash of the file |
| File.SHA256 | string | SHA256 hash of the file |
| File.Name | string | The sample name |
| File.SSDeep | string | SSDeep hash of the file |
| File.EntryID | string | War-Room Entry ID of the file |
| File.Info | string | Basic information of the file |
| File.Type | string | File type e.g. "PE" |
| File.MD5 | string | MD5 hash of the file |
Command Example
!mimecast-download-attachments attachmentID=XXXX
Human Readable Output
19. mimecast-find-groups
Returns the list of groups according to the specified query.
Base Command
mimecast-find-groups
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Directories/Groups/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| query_string | The string to query. | Optional |
| query_source | The group source by which to filter. Can be "cloud" or "ldap". | Optional |
| limit | The maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Group.Name | String | The name of the group. |
| Mimecast.Group.Source | String | The source of the group. |
| Mimecast.Group.ID | String | The Mimecast ID of the group. |
| Mimecast.Group.NumberOfUsers | Number | The number of members in the group. |
| Mimecast.Group.ParentID | String | The Mimecast ID of the group's parent. |
| Mimecast.Group.NumberOfChildGroups | Number | The number of child groups. |
Command Example
!mimecast-find-groups
Human Readable Output
20. mimecast-get-group-members
Returns the members list for the specified group.
Base Command
mimecast-get-group-members
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Directories/Groups/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| group_id | The Mimecast ID of the group to return. | Required |
| limit | The maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Group.Users.Name | String | The user's display name. |
| Mimecast.Group.Users.EmailAddress | String | The user's email address. |
| Mimecast.Group.Users.Domain | String | The domain name of the user's email address. |
| Mimecast.Group.Users.Type | String | The user type. |
| Mimecast.Group.Users.InternalUser | Boolean | Whether the user is internal. |
| Mimecast.Group.Users.IsRemoved | Boolean | Whether the user is part of the group. |
Command Example
!mimecast-get-group-members group_id=XXXX
Human Readable Output
21. mimecast-add-group-member
Adds a user to a group. The email_address and domain_adddress arguments are optional, but one of them must be supplied.
Base Command
mimecast-add-group-member
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Directories/Groups/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| group_id | The Mimecast ID of the group to add the user to. | Required |
| email_address | The email address of the user to add to a group. | Optional |
| domain_address | A domain to add to a group. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Group.Users.EmailAddress | String | The user's email address. |
| Mimecast.Group.Users.IsRemoved | Boolean | Whether the user is part of the group. |
Command Example
!mimecast-add-group-member group_id=XXXX domain_address=YYYY
Human Readable Output
22. mimecast-remove-group-member
Removes a user from a group. The email_address and domain_adddress arguments are optional, but one of them must be supplied.
Base Command
mimecast-remove-group-member
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Directories/Groups/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| group_id | The Mimecast ID of the group from which to remove the user. | Required |
| email_address | The email address of the user to remove from the group. | Optional |
| domain_address | A domain of the user to remove from a group. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Group.Users.EmailAddress | String | The user's email address. |
| Mimecast.Group.Users.IsRemoved | Boolean | Whether the user part of the group. |
Command Example
!mimecast-remove-group-member group_id=XXXX domain_address=YYYY
Human Readable Output
23. mimecast-create-group
Creates a new Mimecast group.
Base Command
mimecast-create-group
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Directories/Groups/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| group_name | The name of the new group. | Required |
| parent_id | The Mimecast ID of the new group's parent. Default will be root level. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Group.Name | String | The name of the group. |
| Mimecast.Group.Source | String | The source of the group. |
| Mimecast.Group.ID | String | The Mimecast ID of the group. |
| Mimecast.Group.NumberOfUsers | Number | The number of members in the group. |
| Mimecast.Group.ParentID | String | The Mimecast ID of the group's parent. |
| Mimecast.Group.NumberOfChildGroups | Number | The number of child groups. |
Command Example
!mimecast-create-group group_name=TTTT parent_id=XXXX
Human Readable Output
24. mimecast-update-group
Updates an existing Mimecast group.
Base Command
mimecast-update-group
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Directories/Groups/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| group_name | The new name for the group. | Optional |
| group_id | The Mimecast ID of the group to update. | Required |
| parent_id | The new parent group. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Group.Name | String | The name of the group. |
| Mimecast.Group.ID | String | The Mimecast ID of the group. |
| Mimecast.Group.ParentID | String | The Mimecast ID of the group's parent. |
Command Example
!mimecast-update-group group_id=XXXX group_name=ZZZZ
Human Readable Output
25. mimecast-create-remediation-incident
Creates a new Mimecast remediation incident.
Base Command
mimecast-create-remediation-incident
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Services/Threat Remediation/Edit.
Input
| Argument Name | Description | Required |
|---|---|---|
| hash_message_id | The file hash or messageId value. | Required |
| reason | The reason for creating the remediation incident. | Required |
| search_by | The message component by which to search. Can be "hash" or "messagId". Default is "hash". | Optional |
| start_date | The startt date of messages to remediate. Default value is the previous month. (Format: yyyy-mm-ddThh:mm:ss+0000) | Optional |
| end_date | Theend date of messages to remediate. Default value is the end of the current day. (Format: yyyy-mm-ddThh:mm:ss+0000) | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Incident.ID | String | The secure Mimecast remediation ID. |
| Mimecast.Incident.Code | String | The incident code generated at creation. |
| Mimecast.Incident.Type | String | The incident type. |
| Mimecast.Incident.Reason | String | The reason provided at the creation of the remediation incident. |
| Mimecast.Incident.IdentifiedMessages | Number | The number of messages identified based on the search criteria. |
| Mimecast.Incident.SuccessfullyRemediatedMessages | Number | The number successfully remediated messages. |
| Mimecast.Incident.FailedRemediatedMessages | Number | The number of messages that failed to remediate. |
| Mimecast.Incident.MessagesRestored | Number | The number of messages that were restored from the incident. |
| Mimecast.Incident.LastModified | String | The date and time that the incident was last modified. |
| Mimecast.Incident.SearchCriteria.From | String | The sender email address or domain. |
| Mimecast.Incident.SearchCriteria.To | String | The recipient email address or domain. |
| Mimecast.Incident.SearchCriteria.MessageID | String | The message ID used when creating the remediation incident. |
| Mimecast.Incident.SearchCriteria.FileHash | String | The file hash used when creating the remediation incident. |
| Mimecast.Incident.SearchCriteria.StartDate | String | The start date of included messages. |
| Mimecast.Incident.SearchCriteria.EndDate | String | The end date of included messages. |
Command Example
!mimecast-create-remediation-incident hash_message_id=XXXX reason=YYYY
Human Readable Output
26. mimecast-get-remediation-incident
Returns a Mimecast remediation incident.
Base Command
mimecast-get-remediation-incident
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Services/Threat Remediation/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The Mimecast ID for a remediation incident. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Incident.ID | String | The secure Mimecast remediation ID. |
| Mimecast.Incident.Code | String | The incident code generated at creation. |
| Mimecast.Incident.Type | String | The incident type. |
| Mimecast.Incident.Reason | String | The reason provided when the remediation incident was created. |
| Mimecast.Incident.IdentifiedMessages | Number | The number of messages identified based on the search criteria. |
| Mimecast.Incident.SuccessfullyRemediatedMessages | Number | The number of successfully remediated messages. |
| Mimecast.Incident.FailedRemediatedMessages | Number | The number of messages that failed to remediate. |
| Mimecast.Incident.MessagesRestored | Number | The number of messages that were restored from the incident. |
| Mimecast.Incident.LastModified | String | The date and time that the incident was last modified. |
| Mimecast.Incident.SearchCriteria.From | String | The sender email address or domain. |
| Mimecast.Incident.SearchCriteria.To | String | The recipient email address or domain. |
| Mimecast.Incident.SearchCriteria.MessageID | String | The message ID used when creating the remediation incident. |
| Mimecast.Incident.SearchCriteria.FileHash | String | The file hash used when creating the remediation incident. |
| Mimecast.Incident.SearchCriteria.StartDate | String | The start date of included messages. |
| Mimecast.Incident.SearchCriteria.EndDate | String | The end date of included messages. |
Command Example
!mimecast-get-remediation-incident incident_id=XXXX
Human Readable Output
27. mimecast-search-file-hash
Searches for one or more file hashes in the account. Maximum is 100.
Base Command
mimecast-search-file-hash
Required Permissions
The following permissions are required for this command.
- Mimecast administrator with at least one of the following permissions: Services/Threat Remediation/Read.
Input
| Argument Name | Description | Required |
|---|---|---|
| hashes_to_search | List of file hashes to check if they have been seen within an account. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Hash.HashValue | String | The file hash value. |
| Mimecast.Hash.Detected | Boolean | Whether the hash was found in the account. |
Command Example
!mimecast-search-file-hash hashes_to_search=XXXX
Human Readable Output
28. mimecast-update-policy
update policy
Base Command
mimecast-update-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policy_id | Policy id | Required |
| description | Policy description | Optional |
| fromType | Blocked Sender type. Most times you will have to change fromValue according to fromType | Optional |
| toType | Blocked Receiver type. Most times you will have to change fromValue according to fromType | Optional |
| option | The block option, must be one of: no_action, block_sender. | Optional |
| fromValue | Blocked Sender value. FromValue depends on fromType | Optional |
| toValue | Blocked Receiver value. ToValue depends on toType | Optional |
| fromPart | Addresses based on | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Mimecast.Policy.ID | string | Policy ID |
| Mimecast.Policy.Sender.Address | string | Block Sender by email address |
| Mimecast.Policy.Sender.Domain | string | Block Sender by domain |
| Mimecast.Policy.Sender.Group | string | Block Sender by group |
| Mimecast.Policy.Bidirectional | boolean | Blocked policy is Bidirectional or not |
| Mimecast.Policy.Receiver.Address | string | Block emails to Receiver type address |
| Mimecast.Policy.Receiver.Domain | string | Block emails to Receiver type domain |
| Mimecast.Policy.Receiver.Group | string | Block emails to Receiver type group |
| Mimecast.Policy.Fromdate | date | Policy validation start date |
| Mimecast.Policy.Todate | date | Policy expiration date |
| Mimecast.Policy.Sender.Type | String | The sender type |
| Mimecast.Policy.Receiver.Type | String | The Receiver type |
Command Example
!mimecast-update-policy policyID=XXXX toType=address_attribute_value
Human Readable Output
