Threat Remediation

Document created by user.oxriBaJeN4 Employee on Jan 17, 2018Last modified by user.oxriBaJeN4 Employee on Aug 28, 2019
Version 22Show Document
  • View in full screen mode

Threat remediation forms part of Targeted Threat Protection: Internal Email Protect, and helps protect your internal, outbound, and delivered messages from malware and sensitive content. Threat remediation allows:

  • Automatic remediation of any newly found, zero-day attachment based malware detected in your user's mailboxes, leveraging global threat intelligence to continuously monitor files post delivery. This provides automatic protection if a delivered attachment turns out to be bad, by actively searching your user's accounts for newly identified malicious attachments and instigating removal.
  • Notifications to administrators of any newly identified malicious attachments found in your email environment, allowing you to manually remove the messages from the Administration Console.
  • A manual restore function allowing you to "undo" remediation events. 


How Threat Remediation Works


When an attachment is received, a unique hash is created before it's delivered to the user. If the attachment is later recognized as malicious, the hash is used to remediate the attachment from the user's mailbox, and the user is notified of the removal.


Whilst this feature is primarily about removing malicious attachments, it also works by message id, meaning a message can be identified as harmful. As a result, all attachments associated with the message are marked as a threat. Depending on the settings chosen, Threat remediation either instigates removal automatically or notifies the administrator to manually take action against the threat.


Remediation Notification

When a new threat is identified and automatic remediation is enabled, an email notification is sent to an administrator group 

The notification includes the Incident ID and the File Hash. These can later be used to quickly find the particular incident.

To manage the incident:

  1. Click on the Manage Incident button in the notification. You're redirected to the Administration Console.
  2. Log on if you haven't done so already. The incident displays.
  3. Click on the Email Header to view full details of the attachment / message. From here the message can be manually removed if it's deemed a threat.
    See the Threat Remediation: Removing and Restoring Messages page for further information on actioning incidents.



Threat remediation requires:

  • A Full Administrator or Super Administrator role, or the protected permissions added to a custom role.
  • A working server connection. View the Managing Server Connections page for more information.
  • An active Exchange 2010+ or Exchange Online platform.
  • Your Mimecast account to have some level of retention. Threat remediation searches against the data held in our stores. If your Mimecast account's maximum retention is 30 days the results will span the last 30 days.


Enabling Threat Remediation


Once enabled, end user accounts are actively searched for newly identified malicious attachments in the user's archive. To enable Threat Remediation:

  1. Enable RemediationLog on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Services | Threat Remediation menu item. The Threat Remediation dialog is displayed.
  4. A popup message prompts you to enable and configure settings. Click on the Update Settings button. Alternatively, click on the Settings tab.
  5. Configure your Settings from the following options:

    Field / OptionDescription
    StatusToggle the status to enable or disable threat remediation. 
    ModeSelect what happens when we find a harmful attachment from the drop down menu:
    • Notify Only: The administrator is notified that a threat is identified, and they need to manually take action.
    • Automatic: The identified attachments are automatically removed, and the administrator is notified.
    You can manually perform an action on a message whether you are in "Notify Only" or "Automatic" mode.
    Notification GroupClick on the Select Group button to select a user group to be notified when a harmful attachment is detected. A sliding panel is displayed that allows you to select a group from one of the following tabs:
    • Active Directory Groups: Use the search field to find the group from your Active Directory.
    • Local Groups: Use the search field to find the group from your local directory.
    Notifications aren't sent for manually created events.
    Exclude Group From Remediation (Optional)Optionally click on the Select Group button to exclude a certain group of users from having threat remediation applied. You can select an Active Directory or local directory group as above.
  6. Click on the Save button.


The Threat Remediation Page


The Threat Remediation home page has the following tabs:


OverviewThis is the default tab and displays a summary of the latest remediation incidents and logs. It also allows you to search for a particular file or message if required. See "The Overview Tab" section below for more detail.
IncidentsDisplays a summary of the last five remediation events, including the number of identified, removed, failed, or restored messages. See "The Incidents Tab" section below for more detail.
LogsDisplays the last five actions taken against incidents. The tab also includes a View all Logs link in the bottom right corner to access the full logs queue. See the Threat Remediation: Viewing Logs page for more information.
SettingsDisplays your Status and Mode settings.


The Overview Tab


File Hash SearchUsing the Search Messages widget, you can search for:

  • Instances of an attachment (defined by its SHA-256 hash).
  • Incidents by message ID (unique to the individual message).


To search for an attachment by data:

  1. The Search by Data tab displays by default. Enter the file hash in the Attachment File Hash field.
    The hash is displayed in the email notification sent to administrators, or in the Message Details panel under the message body.
  2. Optionally enter an email address or domain into the From or To fields. This narrows your search to the sender and recipient email header respectively.
  3. Click on the Search button. The results display.


To search for a message by ID:

  1. Click on the Search by ID tab.
  2. Enter the message ID in the Message ID field.
    The message ID can be copied from the email header of the message (e.g. when performing a message tracking or archive search).
  3. Click on the Search button. Results display with each message recipient on a single row.


Incidents WidgetThe Incidents Tab


By default, this tab displays the last five remediation events. The information displayed includes the number of identified, removed, failed, or restored messages. 


The tab also includes a View all Incidents link in the bottom right corner to access the full Incidents queue.


Recorded incidents use a specific Incident ID in the format TR-XXXX-00000-X:

  • The first block "XXXX" relates to your Mimecast customer account code.
  • The second block "00000" is the incremental incident number. This number remains the same when multiple actions are performed on the same incident.
  • The third "X" informs the action that was taken, as described below:
    AThe message was removed automatically by us on the discovery of a threat.
    NThe message matches a threat found by us, with the administrator notified.
    MThe manual removal of the message by the administrator.
    RThe message was restored to the user's mailbox due to a remediation error, or a false positive identification.
See the Threat Remediation: Viewing Incidents page for more information on viewing and exporting data from Incidents.

The Logs Tab


By default, this tab displays a summary of the latest five actions taken against incidents. The tab also includes a View all Logs link in the bottom right corner to access the full logs queue.

See the Threat Remediation: Viewing Logs page for more information on viewing and exporting data from Logs.

The Settings Tab


Your current settings display in the Settings widget, in the bottom left corner of the Overview page. Click on the View all Settings link, or click on the Settings tab to edit your settings as outlined below:

StatusToggle the option to enable / disable Threat Remediation.

Select a mode from the following options:

  • Notify Only - select this option to only be notified of an attachment threat post-delivery, with no further action taken.
  • Automatic - select this option to have an attachment automatically removed if a threat is found post-delivery.
Notification GroupClick on the Select Group button to select a user group to be notified of threat incidents detected post-delivery.
Exclude Group From RemediationClick on the Select Group button to select a user group to be excluded from threat remediation.


See Also...


3 people found this helpful