Threat remediation forms part of Targeted Threat Protection: Internal Email Protect, and helps protect your internal, outbound, and delivered messages from malware and sensitive content. Threat remediation allows:
- Automatic remediation of any newly found, zero-day attachment based malware detected in your user's mailboxes, leveraging global threat intelligence to continuously monitor files post delivery. This provides automatic protection if a delivered attachment turns out to be bad, by actively searching your user's accounts for newly identified malicious attachments and instigating removal.
- Notifications to administrators of any newly identified malicious attachments found in your email environment, allowing you to manually remove the messages from the Administration Console.
- A manual restore function allowing you to "undo" remediation events.
How Threat Remediation Works
When an attachment is received, a unique hash is created before it's delivered to the user. If the attachment is later recognized as malicious, the hash is used to remediate the attachment from the user's mailbox, and the user is notified of the removal.
Whilst this feature is primarily about removing malicious attachments, it also works by message id, meaning a message can be identified as harmful. As a result, all attachments associated with the message are marked as a threat. Depending on the settings chosen, Threat remediation either instigates removal automatically, or notifies the administrator to manually take action against the threat.
When a new threat is identified and automatic remediation is enabled, an email notification is sent to an administrator group
To manage the incident:
- Click on the Manage Incident button in the notification. You're redirected to the Administration Console.
- Log on if you haven't done so already. The incident displays.
- Click on the Email Header to view full details of the attachment / message. From here the message can be manually removed if it's deemed a threat.See the Threat Remediation: Removing and Restoring Messages page for further information on actioning incidents.
Threat remediation requires:
- A Full Administrator or Super Administrator role, or the protected permissions added to a custom role.
- A working server connection. View the Managing Server Connections page for more information.
- An active Exchange 2010+ or Exchange platform.
- Your Mimecast account to have some level of retention. Threat remediation searches against the data held in our stores. If your Mimecast account's maximum retention is 30 days the results will span the last 30 days.
Enabling Threat Remediation
Once enabled, end user accounts are actively searched for newly identified malicious attachments in the user's archive. To enable Threat Remediation:
- Log on to the Administration Console.
- Click on the Administration menu item. A menu drop down is displayed.
- Click on the Services | Threat Remediation menu item. The Threat Remediation dialog is displayed.
- A popup message prompts you to enable and configure settings. Click on the Update Settings button. Alternatively, click on the Settings tab.
- Configure your Settings from the following options:
Field / Option Description Status Toggle the status to enable or disable threat remediation. Mode Select what happens when we find a harmful attachment from the drop down menu:
You can manually perform an action on a message whether you are in "Notify Only" or "Automatic" mode.
- Notify Only: The administrator is notified that a threat is identified, and they need to manually take action.
- Automatic: The identified attachments are automatically removed, and the administrator is notified.
Notification Group Click on the Select Group button to select a user group to be notified when a harmful attachment is detected. A sliding panel is displayed that allows you to select a group from one of the following tabs:
Notifications aren't sent for manually created events.
- Active Directory Groups: Use the search field to find the group from your Active Directory.
- Local Groups: Use the search field to find the group from your local directory.
Exclude Group From Remediation (Optional) Optionally click on the Select Group button to exclude a certain group of users from having threat remediation applied. You can select an Active Directory or local directory group as above.
- Click on the Save button.
The Threat Remediation Page
The Threat Remediation home page has the following tabs:
|Overview||This is the default tab and displays a summary of the latest remediation incidents and logs. It also allows you to search for a particular file or message if required. See "The Overview Tab section below for more detail.|
|Incidents||Displays a summary of the last five remediation events, including the number of identified, removed, failed, or restored messages. See "The Incidents Tab section below for more detail.|
|Logs||Displays the last five actions taken against incidents. The tab also includes a View all Logs link in the bottom right corner to access the full logs queue. See the Threat Remediation: Viewing Logs page for more information.|
|Settings||Displays your Status and Mode settings.|
The Overview Tab
- Instances of an attachment (defined by its SHA-256 hash).
- Incidents by message ID (unique to the individual message).
To search for an attachment by data:
- The Search by Data tab displays by default. Enter the file hash in the Attachment File Hash field.The hash is displayed in the email notification sent to administrators, or in the Message Details panel under the message bodypre>
- Optionally enter an email address or domain into the From or To fields. This narrows your search to the sender and recipient email header respectively.
- Click on the Search button. The results display.
To search for a message by ID:
- Click on the Search by ID tab.
- Enter the message ID in the Message ID field.The message id can be copied from the email header of the message (e.g. when performing a track and trace or archive search).
- Click on the Search button. Results display with each message recipient on a single row.
By default, this tab displays the last five remediation events. The information displayed includes the number of identified, removed, failed, or restored messages.
The tab also includes a View all Incidents link in the bottom right corner to access the full Incidents queue.
Recorded incidents use a specific Incident Id naming convention in the format TR-XXXX-00000-X:
- The first block "XXXX" relates to your Mimecast customer account code.
- The second block "00000" is the incremental incident number. This number remains the same when multiple actions are performed on the same incident.
- The third "X" informs the action that was taken, as described below:
Indicator Action A The message was removed automatically by us on discovery of a threat. N The message matches a threat found by us, with the administrator notified. M The manual removal of the message by the administrator. R The message was restored to the user's mailbox due to a remediation error, or a false positive identification.
The Logs Tab
By default, this tab displays a summary of the latest five actions taken against incidents. The tab also includes a View all Logs link in the bottom right corner to access the full logs queue.
The Settings Tab
Your current Status and Mode settings display in the Settings widget, in the bottom left corner of the Overview page. Click on the View all Settings link to jump to the Settings tab and make any necessary changes.