...
Mimecast is a cloud-based email management service that provides security, archiving, and continuity services to protect business mail.
Connecting Mimecast with Devo SOAR
Navigate to Automations > Integrations.
Search for Mimecast.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Region: Region where your Mimecast account is hosted.
Application ID: Application ID of the registered application.
Application Key: Application key of registered application.
Access Key: Access key of registered application.
Secret Key: Secret key of registered application.
After you've entered all the details, click Connect.
Actions for Mimecast
Get Hold Message List
List of hold messages.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Jinja Template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | Required |
End Time | Jinja Template for the date and time of the latest message to return, (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | Required |
Sender Name Column Name | Column name from the parent table that contains sender of the message. | Optional |
Recipient Name Column Name | Column name from the parent table that contains recipient of the message. | Optional |
Subject Name Column Name | Column name from the parent table that contains the subject of the message. | Optional |
Sender IP Name Column Name | Column name from the parent table that contains sender IP of the message. | Optional |
Held Reason Name Column Name | Column name from the parent table that contains held reason of message. | Optional |
Is Admin | Level of results to return. If false, only results for the currently authenticated user will be returned. If true, held messages for all recipients will be returned (default is True). | Optional |
Limit | Number of results to return (Default is 100 messages). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: List of messages.
...
Reject Message
Rejects a hold message.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Message IDs Column Name | Column name from the parent table that contains comma-separated ids for messages to be rejected. | Required |
Message Column Name | Rejection message to be returned to sender. | Required |
Reason Type Column Name | The reason code for rejecting the message. Possible values are: MESSAGE CONTAINS UNDESIRABLE CONTENT, MESSAGE CONTAINS CONFIDENTIAL INFORMATION, REVIEWER DISAPPROVES OF CONTENT, INAPPROPRIATE COMMUNICATION, MESSAGE GOES AGAINST EMAIL POLICIES. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Success/Failure message.
...
Release Message
Releases a hold message.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Message ID Column Name | Column name from the parent table that contains the ID for messages to be released. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Success/Failure message.
...
Get Message Details
Retrieve detailed information about a specific message.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Message ID Column Name | Column name from the parent table that contains the ID for messages to be released. | Required |
Output
A JSON object containing multiple rows of result:
...
Get TTP URL Logs
This action will bring TTP URL logs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Oldest First | Orders results with the most recent first. (Default is false). | Required |
Route | Filters logs by route, must be one of inbound, outbound, internal, or all. (Default is all). | Required |
Scan Result | Filters logs by scan result, must be one of clean, malicious, or all. (Default is all). | Required |
Start Time | Jinja-template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | Required |
End Time | Jinja-template for the date and time of the latest message to return, (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | Required |
Page Size | Jinja-template containing page size. The number of results requested. (Default is 100000). | Required |
Output
An array of TTP URL logs, with each log in a different row.
```json
{
  "userOverride": "None",
  "subject": "[EXT] ME debt alert : DEBTWIRE (01/06/2021 07:50:00)",
  "userEmailAddress": "test@example.com",
  "scanResult": "clean",
  "sendingIp": "104.130.123.234",
  "url": "http://devo.com",
  "emailPartsDescription": ["Body"],
  "creationMethod": "User Click",
  "fromUserEmailAddress": "test@devo.com",
  "userAwarenessAction": "N/A",
  "has_error": false,
  "ttpDefinition": "Default URL Protection Definition",
  "error": null,
  "date": "2021-06-01T04:47:53+0000",
  "messageId": "<20210601035725.1.935A8462449914AF@devo.com>",
  "actions": "Allow",
  "category": "Business",
  "route": "inbound",
  "action": "allow",
  "adminOverride": "N/A"
}
```
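A triage pass over rows in the TTP URL log format shown above, as an added example that is not part of the Devo or Mimecast documentation: it collects clicks on URLs scanned as malicious that were still allowed, grouped per user, and keeps rows with has_error set apart instead of counting them as clean. The rows are constructed, and the function name triage_url_logs is hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Timestamp layout used by the page's samples, e.g. 2021-06-01T04:47:53+0000
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"

# Constructed rows (not real data) using field names from the sample output.
SAMPLE_ROWS = [
    {"userEmailAddress": "test@example.com", "url": "http://devo.com",
     "scanResult": "clean", "action": "allow", "route": "inbound",
     "date": "2021-06-01T04:47:53+0000", "has_error": False, "error": None},
    {"userEmailAddress": "ted@example.com", "url": "http://bad.example/login",
     "scanResult": "malicious", "action": "allow", "route": "inbound",
     "date": "2021-06-01T05:10:00+0000", "has_error": False, "error": None},
    {"userEmailAddress": "ted@example.com", "url": "http://bad.example/login",
     "scanResult": "malicious", "action": "allow", "route": "inbound",
     "date": "2021-06-01T04:59:00+0000", "has_error": False, "error": None},
    {"has_error": True, "error": "constructed error text"},
]


def triage_url_logs(rows):
    """Group malicious URL clicks that were allowed, per user, oldest first.

    Returns (findings, errors). Rows flagged has_error are never treated as
    clean: their error text is collected so the gap in coverage is visible.
    """
    findings = defaultdict(list)
    errors = []
    for row in rows:
        if row.get("has_error"):
            errors.append(row.get("error"))
            continue
        if row.get("scanResult") != "malicious" or row.get("action") != "allow":
            continue
        clicked_at = datetime.strptime(row["date"], TS_FORMAT)
        findings[row["userEmailAddress"]].append((clicked_at, row["url"]))
    # Sort each user's clicks chronologically so the first exposure is on top.
    return {user: sorted(clicks) for user, clicks in findings.items()}, errors


if __name__ == "__main__":
    hits, failed = triage_url_logs(SAMPLE_ROWS)
    for user, clicks in hits.items():
        for clicked_at, url in clicks:
            print(user, clicked_at.isoformat(), url)
    print("rows with errors:", failed)
```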
Get TTP Impersonation Protection Logs
This action will bring TTP impersonation protection logs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Oldest First | Orders results with the most recent first. (Default is false). | |
Search Field | The field to search, must be one of: senderAddress, recipientAddress, subject, definition or all (meaning all of the preceding fields). (Default is all if a search string (query) is provided). | |
Query | Jinja-template containing query. Required if searchField is not null. A character string to search for in the logs. | |
Start Time | Jinja-template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | |
End Time | Jinja-template for the date and time of the latest message to return, (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | |
Page Size | Jinja-template containing page size. The number of results requested. (Default is 100000). | |
Output
An array of TTP Impersonation Protection logs, with each log in a different row.
...
Get TTP Attachment Protection Logs
This action will bring TTP attachment protection logs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Oldest First | Orders results with the most recent first. (Default is false). | Required |
Route | Filters logs by result, must be one of safe, malicious, timeout, error, unsafe, or all. (Default is all). | Required |
Start Time | Jinja-template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | Required |
End Time | Jinja-template for the date and time of the latest message to return, (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | Required |
Page Size | Jinja-template containing page size. The number of results requested. (Default is 100000). | Required |
Output
An array of TTP Attachment Protection logs, with each log in a different row.
```json
{
  "subject": "Pharming GRP NV: Pharming Group to present at Jefferies Virtual Healthcare Conference - June 1",
  "result": "safe",
  "fileName": "body.txt",
  "fileType": "message/rfc822",
  "has_error": false,
  "error": null,
  "date": "2021-06-01T04:57:59+0000",
  "messageId": "<60B5BE5600B3043C01D80001_0_194028@msclnypmsgsv03>",
  "definition": "Default Attachment Protection Definition",
  "details": "Safe \r\nTime taken: 0 hrs, 0 min, 2 sec",
  "route": "inbound",
  "senderAddress": "test@example.com",
  "actionTriggered": "none, none",
  "fileHash": "0dd7e40563915eea2f5f93694d3dddac714e3145f2595d80e787bb0e4980a720",
  "recipientAddress": "ted@example.com"
}
```
Find groups
This action will bring a list of groups/folders.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing query. A character string to search for in the groups. Example: {{query_column}} | Required |
Source | The source of the groups. (Default is cloud). | Required |
Page Size | Jinja-templated text containing page size. The number of results requested. (Default is 100000) Example: {{page_size_column}}. | Required |
Output
A JSON object containing a list of groups.
...
Get group members
This action will bring a list of members.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing query. A character string to search for in the groups. Example: {{query_column}} | Required |
ID | Jinja-templated text containing the Mimecast ID of the group. Example: {{id_column}} | Required |
Output
A JSON object containing a list of members.
```json
{
  "name": "",
  "internal": false,
  "domain": "fundmanager.io",
  "emailAddress": "",
  "has_error": false,
  "error": null,
  "type": ""
}
```
Add group member
This action can be used to add user email addresses or domains to a profile group.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Jinja-templated text containing the Mimecast ID of the group to add to. Example: {{id_column}} | Required |
Email Address | Jinja-templated text containing the email address of a user to add to a group. Example: {{email_address_column}} | Required |
Output
A JSON object containing multiple rows of result:
*meta:status
...
Remove group member
This action can be used to remove user email addresses or domains from a profile group.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Jinja-templated text containing the Mimecast ID of the group to add to. Example: {{id_column}} | Required |
Email Address | Jinja-templated text containing the email address of a user to add to a group. Example: {{email_address_column}} | Required |
Get Policy
This endpoint can be used to get Blocked Sender Policies.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Policy Id | Jinja-templated text containing the policy id of blocked sender policy. If not provided, all policies will be returned. | Optional |
Output
A JSON object containing a list of policies.
```json
{
  "result": [{
    "option": "block_sender",
    "id": "fmbvdvbksndv",
    "policy": {
      "description": "Test Policy",
      "fromPart": "header_from",
      "from": {
        "type": "individual_email_address",
        "emailAddress": "abc@example.com"
      },
      "to": {
        "type": "individual_email_address",
        "emailAddress": "def@example.com"
      },
      "fromType": "individual_email_address",
      "fromValue": "abc@example.com",
      "toType": "individual_email_address",
      "toValue": "def@example.com",
      "fromEternal": true,
      "toEternal": true,
      "fromDate": "1900-01-01T00:00:00+0000",
      "toDate": "2100-01-01T23:59:59+0000",
      "override": false,
      "bidirectional": true,
      "conditions": {},
      "enabled": true,
      "enforced": false,
      "createTime": "2022-05-12T06:22:43+0000",
      "lastUpdated": "2022-05-12T06:22:43+0000"
    }
  }],
  "error": null,
  "has_error": false
}
```
Create Policy
This endpoint creates new blocked sender policies, which can be used to manage a combination of sender and recipient restrictions.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Policy | Jinja-templated text containing the Policy in json format. Example : {{policy}} | Required |
Option | Jinja-templated text that defines a policy action, must be one of: no_action, block_sender. | Required |
Output
A JSON object:
```json
{
  "fail": [],
  "data": [{
    "option": "no_action",
    "id": "asfhabkjasbfl",
    "policy": {
      "description": "Test Policy",
      "fromPart": "header_from",
      "from": {
        "type": "individual_email_address",
        "emailAddress": "abc@example.com"
      },
      "to": {
        "type": "individual_email_address",
        "emailAddress": "def@example.com"
      },
      "fromType": "individual_email_address",
      "fromValue": "acb@example.com",
      "toType": "individual_email_address",
      "toValue": "def@example.com",
      "fromEternal": true,
      "toEternal": true,
      "fromDate": "1900-01-01T00:00:00+0000",
      "toDate": "2100-01-01T23:59:59+0000",
      "override": false,
      "bidirectional": true,
      "conditions": {},
      "enabled": true,
      "enforced": false,
      "createTime": "2022-05-12T06:24:39+0000",
      "lastUpdated": "2022-05-12T06:24:39+0000"
    }
  }],
  "has_error": false,
  "meta": {
    "status": 200
  },
  "error": null
}
```
Release Notes
v4.0.0
- Updated architecture to support IO via filesystem
v3.4.1
- Added Get Policy and Create Policy actions.
...