Mimecast Service
Mimecast is a cloud-based email management service that provides security, archiving, and continuity services to protect business mail.
Connecting Mimecast with Devo SOAR
Navigate to Automations > Integrations.
Search for Mimecast.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Region: Region where your Mimecast account is hosted.
Application ID: Application ID of the registered application.
Application Key: Application key of registered application.
Access Key: Access key of registered application.
Secret Key: Secret key of registered application.
After you've entered all the details, click Connect.
Actions for Mimecast
Get Hold Message List
List of hold messages.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Jinja Template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | Required |
End Time | Jinja Template for the date and time of the latest message to return, (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | Required |
Sender Name Column Name | Column name from the parent table that contains sender of the message. | Optional |
Recipient Name Column Name | Column name from the parent table that contains recipient of the message. | Optional |
Subject Name Column Name | Column name from the parent table that contains the subject of the message. | Optional |
Sender IP Name Column Name | Column name from the parent table that contains sender IP of the message. | Optional |
Held Reason Name Column Name | Column name from the parent table that contains held reason of message. | Optional |
Is Admin | Level of results to return. If false, only results for the currently authenticated user will be returned. If true, held messages for all recipients will be returned (default is True). | Optional |
Limit | Number of results to return (Default is 100 messages). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: List of messages.
Reject Message
Rejects a held message.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Message IDs Column Name | Column name from the parent table that contains comma-separated ids for messages to be rejected. | Required |
Message Column Name | Rejection message to be returned to sender. | Required |
Reason Type Column Name | The reason code for rejecting the message. Possible values are: MESSAGE CONTAINS UNDESIRABLE CONTENT, MESSAGE CONTAINS CONFIDENTIAL INFORMATION, REVIEWER DISAPPROVES OF CONTENT, INAPPROPRIATE COMMUNICATION, MESSAGE GOES AGAINST EMAIL POLICIES. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Success/Failure message.
Release Message
Releases a hold message.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Message ID Column Name | Column name from the parent table that contains the ID for messages to be released. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Success/Failure message.
Get Message Details
Retrieve detailed information about a specific message.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Message ID Column Name | Column name from the parent table that contains the ID for messages to be released. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Message Details.
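When a held message is being reviewed, the fields of this output that usually decide the outcome are the envelope and header senders and the per-check results under spamInfo. The following is an added example, not code from the integration or from Mimecast; it assumes each row wraps the Message Details object in the has_error/error/result envelope listed above, and every sample value is constructed.

```python
import json

# Constructed row: has_error/error/result envelope as listed under Output,
# with "result" holding only the Message Details fields read below.
# Every value is invented for illustration.
SAMPLE_ROW = json.loads("""
{"has_error": false, "error": null, "result": {
  "recipientInfo": {"messageInfo": {
    "fromEnvelope": "billing@example.net",
    "fromHeader": "Accounts <accounts@example.com>",
    "subject": "Overdue invoice"}},
  "spamInfo": {"spamScore": 12, "detectionLevel": "moderate",
    "spamProcessingDetail": {
      "spf": {"allow": false, "info": "constructed"},
      "dkim": {"allow": true, "info": "constructed"},
      "dmarc": {"allow": false, "info": "constructed"},
      "rbl": {"allow": true, "info": "constructed"},
      "verdict": {"decision": "constructed", "risk": "high"}}}}}
""")

AUTH_CHECKS = ("spf", "dkim", "dmarc", "rbl")


def _domain(address):
    """Lower-cased domain of 'user@host' or 'Name <user@host>'."""
    addr = (address or "").rsplit("<", 1)[-1].rstrip("> ")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(row):
    """Summarise one Get Message Details row for an analyst queue."""
    if row.get("has_error"):
        return {"ok": False, "error": row.get("error")}
    details = row.get("result") or {}
    info = (details.get("recipientInfo") or {}).get("messageInfo") or {}
    spam = details.get("spamInfo") or {}
    checks = spam.get("spamProcessingDetail") or {}
    env, hdr = _domain(info.get("fromEnvelope")), _domain(info.get("fromHeader"))
    return {
        "ok": True,
        "subject": info.get("subject"),
        # A check counts as failed only when the row says allow == false;
        # a missing check is reported separately, not treated as a pass.
        "failed_checks": [c for c in AUTH_CHECKS
                          if (checks.get(c) or {}).get("allow") is False],
        "missing_checks": [c for c in AUTH_CHECKS if c not in checks],
        "sender_mismatch": bool(env and hdr and env != hdr),
        "risk": (checks.get("verdict") or {}).get("risk"),
        "spam_score": spam.get("spamScore"),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ROW))
```
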
```json
{
  "status": "String",
  "retentionInfo": {
    "currentPurgeDate": "Date String",
    "originalPurgeDate": "String",
    "retentionAdjustmentDays": -1,
    "fbrExpireCheck": [],
    "fbrStamps": [],
    "audits": [],
    "litigationHoldInfo": [],
    "smartTags": [],
    "purgeBasedOn": "String"
  },
  "recipientInfo": {
    "messageInfo": {
      "attachments": [],
      "cc": [ "String" ],
      "htmlBody": "String",
      "transmissionInfo": "String",
      "fromHeader": "String",
      "subject": "String",
      "textBody": "String",
      "to": [ "String" ],
      "processed": "Date String",
      "fromEnvelope": "String",
      "sent": "Date String"
    },
    "recipientMetaInfo": {
      "remoteServerGreeting": "String",
      "encryptionInfo": "String",
      "receiptAcknowledgement": "String",
      "receiptEvent": "String",
      "transmissionEnd": "Date String",
      "spamEvent": "String",
      "messageExpiresIn": 3650,
      "processingServer": "String",
      "binaryEmailSize": 100,
      "transmissionSize": 100,
      "remoteHost": "String",
      "transmissionStart": "Date String",
      "remoteIp": "String",
      "components": [
        { "mimeType": "String", "type": "String", "name": "String", "extension": "String", "size": 100 }
      ]
    }
  },
  "deliveredMessage": {
    "user@domain.com": {
      "messageInfo": {
        "attachments": [],
        "cc": [ "String" ],
        "htmlBody": "String",
        "transmissionInfo": "String",
        "fromHeader": "String",
        "subject": "String",
        "route": "String",
        "textBody": "String",
        "to": [ "String" ],
        "processed": "Date String",
        "fromEnvelope": "String",
        "sent": "String"
      },
      "policyInfo": [
        { "policyName": "String", "policyType": "String", "inherited": false }
      ],
      "deliveryMetaInfo": {
        "remoteServerGreeting": "String",
        "encryptionInfo": "String",
        "receiptAcknowledgement": "String",
        "emailAddress": "String",
        "messageExpiresIn": 3650,
        "processingServer": "String",
        "transmissionSize": 100,
        "remoteHost": "String",
        "transmissionStart": "Date String",
        "remoteIp": "String",
        "components": [
          { "mimeType": "text/plain", "type": "Email Primary Body Plain Text", "name": "body.txt", "extension": "txt", "size": 4075 }
        ],
        "transmissionEnd": "Date String",
        "deliveryEvent": "String"
      }
    }
  },
  "spamInfo": {
    "spamScore": 0,
    "detectionLevel": "moderate",
    "spamProcessingDetail": {
      "rbl": { "allow": true, "info": "String" },
      "greyEmail": true,
      "spf": { "allow": true, "info": "String" },
      "dkim": { "allow": true, "info": "String" },
      "dmarc": { "allow": true, "info": "String" },
      "permittedSender": { "allow": true, "info": "String" },
      "managedSender": { "allow": true, "info": "String" },
      "symbolGroups": [
        { "name": "String", "description": "String" }
      ],
      "verdict": {
        "decision": "String",
        "description": "String",
        "risk": "negligible",
        "categories": [
          {
            "name": "String",
            "risk": "String",
            "subcategories": [
              {
                "name": "String",
                "risk": "String",
                "augmentations": [
                  { "name": "String", "risk": "String" }
                ]
              }
            ]
          }
        ]
      }
    },
    "id": "String"
  }
}
```
Get TTP URL Logs
This action will bring TTP URL logs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Oldest First | Orders results with the most recent first. (Default is false). | Required |
Route | Filters logs by route, must be one of inbound, outbound, internal, or all. (Default is all). | Required |
Scan Result | Filters logs by scan result, must be one of clean, malicious, or all. (Default is all). | Required |
Start Time | Jinja-template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | Required |
End Time | Jinja-template for the date and time of the latest message to return (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | Required |
Page Size | Jinja-template containing page size. The number of results requested. (Default is 100000). | Required |
Output
An array of TTP URL logs, with each log in a different row.
```json
{
  "userOverride": "None",
  "subject": "[EXT] ME debt alert : DEBTWIRE (01/06/2021 07:50:00)",
  "userEmailAddress": "test@example.com",
  "scanResult": "clean",
  "sendingIp": "104.130.123.234",
  "url": "http://devo.com",
  "emailPartsDescription": [
    "Body"
  ],
  "creationMethod": "User Click",
  "fromUserEmailAddress": "test@devo.com",
  "userAwarenessAction": "N/A",
  "has_error": false,
  "ttpDefinition": "Default URL Protection Definition",
  "error": null,
  "date": "2021-06-01T04:47:53+0000",
  "messageId": "<20210601035725.1.935A8462449914AF@devo.com>",
  "actions": "Allow",
  "category": "Business",
  "route": "inbound",
  "action": "allow",
  "adminOverride": "N/A"
}
```
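Rows from this action can be reduced to the cases a responder cares about most: URLs scanned as malicious that were still allowed through, grouped by URL with the affected users and the time window. This is an added example, not part of the integration; the rows are constructed and reuse only the field names and the date format shown in the sample output.

```python
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"  # matches e.g. 2021-06-01T04:47:53+0000

# Constructed rows that reuse the field names of the sample output above.
SAMPLE_ROWS = [
    {"has_error": False, "error": None, "scanResult": "malicious",
     "action": "allow", "url": "http://login.example.net/reset",
     "userEmailAddress": "alice@example.com", "date": "2021-06-01T04:47:53+0000"},
    {"has_error": False, "error": None, "scanResult": "malicious",
     "action": "allow", "url": "http://login.example.net/reset",
     "userEmailAddress": "bob@example.com", "date": "2021-06-01T03:10:00+0000"},
    {"has_error": False, "error": None, "scanResult": "clean",
     "action": "allow", "url": "http://devo.com",
     "userEmailAddress": "alice@example.com", "date": "2021-06-01T05:00:00+0000"},
    {"has_error": True, "error": "constructed error"},
]


def allowed_malicious(rows):
    """Group events scanned as malicious but allowed through, per URL."""
    hits = defaultdict(lambda: {"users": set(), "times": []})
    for row in rows:
        if row.get("has_error"):
            continue  # error rows carry no log fields
        if row.get("scanResult") != "malicious" or row.get("action") != "allow":
            continue
        entry = hits[row["url"]]
        entry["users"].add(row["userEmailAddress"])
        entry["times"].append(datetime.strptime(row["date"], TS_FORMAT))
    report = [{"url": url, "users": sorted(e["users"]),
               "first_seen": min(e["times"]), "last_seen": max(e["times"])}
              for url, e in hits.items()]
    # URL with the most affected users first, so containment starts there.
    return sorted(report, key=lambda r: (-len(r["users"]), r["url"]))


if __name__ == "__main__":
    for item in allowed_malicious(SAMPLE_ROWS):
        print(item["url"], item["users"], item["first_seen"].isoformat())
```
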
Get TTP Impersonation Protection Logs
This action will bring TTP impersonation protection logs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Oldest First | Orders results with the most recent first. (Default is false). | |
Search Field | The field to search, must be one of: senderAddress, recipientAddress, subject, definition or all (meaning all of the preceding fields). (Default is all if a search string (query) is provided). | |
Query | Jinja-template containing query. Required if searchField is not null. A character string to search for in the logs. | |
Start Time | Jinja-template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | |
End Time | Jinja-template for the date and time of the latest message to return (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | |
Page Size | Jinja-template containing page size. The number of results requested. (Default is 100000). | |
Output
An array of TTP Impersonation Protection logs, with each log in a different row.
```json
{
  "subject": "Same Day Ach – Compliance as The RDFI And Opportunities For The ODFI And Originator",
  "taggedMalicious": true,
  "senderIpAddress": "147.253.210.103",
  "impersonationResults": [
    {
      "impersonationDomainSource": "targeted_threat_dictionary",
      "stringSimilarToDomain": "Bank,need,needed,payments,changes,processing,payment,transactions,transaction,Same Day"
    },
    {
      "impersonationDomainSource": "newly_observed_domain",
      "similarDomain": "devo.com",
      "stringSimilarToDomain": "surbl_fresh"
    }
  ],
  "identifiers": [
    "newly_observed_domain",
    "targeted_threat_dictionary"
  ],
  "has_error": false,
  "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnIODXY0NDJxNLQwVdJRykxRsjI1NrMwNzfQUSpLLSrOzM9TsjLUUSrJA6s2MDBRqgUAwuoTYw",
  "taggedExternal": true,
  "error": null,
  "hits": 2,
  "messageId": "F0.2C.32231.34F26B06@ak.cc.prd.sparkpost",
  "eventTime": "2021-06-01T12:59:49+0000",
  "definition": "Impersonation Protection",
  "senderAddress": "test@example.com",
  "action": "hold",
  "recipientAddress": "test@example.com"
}
```
Get TTP Attachment Protection Logs
This action will bring TTP attachment protection logs.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Oldest First | Orders results with the most recent first. (Default is false). | Required |
Route | Filters logs by result, must be one of safe, malicious, timeout, error, unsafe, or all. (Default is all). | Required |
Start Time | Jinja-template for the date and time of the earliest message to return (Default is Batch start time). Example: 2011-12-03T10:15:30+0000, {{start_time_column}}. | Required |
End Time | Jinja-template for the date and time of the latest message to return (Default is Batch end time). Example: 2011-12-04T10:15:30+0000, {{end_time_column}}. | Required |
Page Size | Jinja-template containing page size. The number of results requested. (Default is 100000). | Required |
Output
An array of TTP Attachment Protection logs, with each log in a different row.
```json
{
  "subject": "Pharming GRP NV: Pharming Group to present at Jefferies Virtual Healthcare Conference - June 1",
  "result": "safe",
  "fileName": "body.txt",
  "fileType": "message/rfc822",
  "has_error": false,
  "error": null,
  "date": "2021-06-01T04:57:59+0000",
  "messageId": "<60B5BE5600B3043C01D80001_0_194028@msclnypmsgsv03>",
  "definition": "Default Attachment Protection Definition",
  "details": "Safe \r\nTime taken: 0 hrs, 0 min, 2 sec",
  "route": "inbound",
  "senderAddress": "test@example.com",
  "actionTriggered": "none, none",
  "fileHash": "0dd7e40563915eea2f5f93694d3dddac714e3145f2595d80e787bb0e4980a720",
  "recipientAddress": "ted@example.com"
}
```
Find groups
This action will bring a list of groups/folders.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing query. A character string to search for in the groups. Example: {{query_column}} | Required |
Source | The source of the groups. (Default is cloud). | Required |
Page Size | Jinja-templated text containing page size. The number of results requested. (Default is 100000) Example: {{page_size_column}}. | Required |
Output
A JSON object containing a list of groups.
```json
{
  "subject": "Pharming GRP NV: Pharming Group to present at Jefferies Virtual Healthcare Conference - June 1",
  "result": "safe",
  "fileName": "body.txt",
  "fileType": "message/rfc822",
  "has_error": false,
  "error": null,
  "date": "2021-06-01T04:57:59+0000",
  "messageId": "60B5BE5600B3043C01D80001_0_194028@msclnypmsgsv03",
  "definition": "Default Attachment Protection Definition",
  "details": "Safe \r\nTime taken: 0 hrs, 0 min, 2 sec",
  "route": "inbound",
  "senderAddress": "test@example.com",
  "actionTriggered": "none, none",
  "fileHash": "0dd7e40563915eea2f5f93694d3dddac714e3145f2595d80e787bb0e4980a720",
  "recipientAddress": "ted@example.com"
}
```
Get group members
This action will bring a list of members.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing query. A character string to search for in the groups. Example: {{query_column}} | Required |
ID | Jinja-templated text containing the Mimecast ID of the group. Example: {{id_column}} | Required |
Output
A JSON object containing a list of members.
```json
{
  "name": "",
  "internal": false,
  "domain": "fundmanager.io",
  "emailAddress": "",
  "has_error": false,
  "error": null,
  "type": ""
}
```
Add group member
This action can be used to add user email addresses or domains to a profile group.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Jinja-templated text containing the Mimecast ID of the group to add to. Example: {{id_column}} | Required |
Email Address | Jinja-templated text containing the email address of a user to add to a group. Example: {{email_address_column}} | Required |
Output
A JSON object containing multiple rows of result:
meta: status
data: data/null
fail: fail details.
```json
{
  "meta": {
    "status": 200
  },
  "data": [
    {
      "id": "eNoVzVsLgjAYgOH_8t0m6NRleiceCAIjYhWxm3BfOJ2u5qET_ffs-oXn_UCP5WhQCohA3F7cPqfNRdTbgm0S6bO7DltPxYcHfS8YwaJeh6csX6aqoVPFbTpw2_WL6tkdp4Dk2Q4sKMd-0C2aUguc0YTt4xWJPRrMbULTS91BRCy4aiXQKNk1_zlxnMANXe_7A7exLmU",
      "folderId": "eNoVjr0KgzAYAN_lWytItInGTWqkdBCkqB1cxHyibTQlUftH3712voO7D1hsF4ODhAhGwfLT9ch1FSaB5q8yI4J7vorLB33vCoLZBi8iZYm60bWvXTrXrrfP-udUrQFJRQ4OKNncIeoaZdGBdrGzHtG0WuIWOBTnOCSxT4NNXNHYQU8QEQc6rSSa_0TAGfO_Px11Lwk",
      "emailAddress": "check.kumar@logcihub.com",
      "internal": false
    }
  ],
  "fail": []
}
```
Create Policy
This endpoint creates new blocked sender policies, which can be used to manage a combination of sender and recipient restrictions.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Policy | Jinja-templated text containing the Policy in json format. Example : {{policy}} | Required |
Option | Jinja-templated text that defines a policy action, must be one of: no_action, block_sender. | Required |
Output
A JSON object:
```json
{
  "fail": [],
  "data": [{
    "option": "no_action",
    "id": "asfhabkjasbfl",
    "policy": {
      "description": "Test Policy",
      "fromPart": "header_from",
      "from": {
        "type": "individual_email_address",
        "emailAddress": "abc@example.com"
      },
      "to": {
        "type": "individual_email_address",
        "emailAddress": "def@example.com"
      },
      "fromType": "individual_email_address",
      "fromValue": "acb@example.com",
      "toType": "individual_email_address",
      "toValue": "def@example.com",
      "fromEternal": true,
      "toEternal": true,
      "fromDate": "1900-01-01T00:00:00+0000",
      "toDate": "2100-01-01T23:59:59+0000",
      "override": false,
      "bidirectional": true,
      "conditions": {},
      "enabled": true,
      "enforced": false,
      "createTime": "2022-05-12T06:24:39+0000",
      "lastUpdated": "2022-05-12T06:24:39+0000"
    }
  }],
  "has_error": false,
  "meta": {
    "status": 200
  },
  "error": null
}
```
Release Notes
v4.0.0
- Updated architecture to support IO via filesystem
v3.4.1
- Added Get Policy and Create Policy actions.