BETA: Internal Email Protect: Threat Remediation

Document created by user.gA8uBK66K5 Expert on May 22, 2018. Last modified by user.gA8uBK66K5 Expert on Jul 4, 2018. Version 2.

Beta Information and overview

General

Internal Email Protect helps customer administrators to protect both internal and outbound messages from malware and sensitive content. Based on improvements to Mimecast's pooled threat intelligence and analytics capabilities, Mimecast is adding new functionality that will allow automatic remediation of newly found, zero-day attachment-based malware. Customer administrators will be able to configure Mimecast to either notify administrators, or notify and remediate messages, if a previously delivered message's attachment status becomes known as malicious. There are also manual search-based remediation functions based on either file hash (SHA256) or message ID.

Timeline and feedback

We are focused on providing an exceptional experience for our customers, so we are looking for candidates willing to participate in this beta, due to start from June 20th. Interested candidates are required to email ttpbeta@mimecast.com to register interest.


Known issues and limitations

The current known issues are documented below. These are being addressed through the beta cycle and will be fixed prior to release.


Issue (with current status):

  • Fixed: Messages that are encrypted are treated as suspicious, so will trigger an incident.
  • Fixed: When searching by message ID without including the < brackets >, the search result isn't displayed.
  • Fixed: Messages that have been remediated while in the hold queue or pending delivery show as 'delivered' in the recipients tab inside the message view under the incident.
  • Fix TBC: 'Something went wrong' error when trying to restore a previously restored incident.
  • Fixed: Export of results to XLS currently unavailable.
  • Fix TBC: Page count does not update when changing search parameters on the results page.
  • Fix TBC: No log is created when a user exports data in Remediation for logs and incidents.
  • Fix TBC: No search log is created when a user searches for messages in Remediation.
  • Fix TBC: No view log is created for viewing email content in Remediation.



Threat Remediation Dashboard

Once enabled on your account, the Threat Remediation dashboard will become visible, under Administration > Services > Threat Remediation.


Setup

On first view of the Threat Remediation dashboard, a 'toast' popup will prompt you to enable and configure the settings.

[Screenshot: Settings 'toast']

Alternatively, click on the Settings tab. On the settings screen the following options are available:

  • Status: Enabled or Disabled
  • Mode:
    • Notify only: Your administrators are notified that they need to take action.
    • Automatic: The identified messages are automatically removed. Your administrators are notified.
  • Notification group: Directory or local group that will receive incident administrator notifications
  • Exclude group from remediation: Option to exclude a group of mailboxes from the remediation process

[Screenshot: Threat Remediation settings]


Overview

The overview page allows administrators to see the most recent incidents and logs, while providing access to the search functionality.


Search Messages

Use the search function to search for instances of either a file (identified by its SHA256 hash) or a message ID. As a message ID is unique to the individual message, there are no 'from' and 'to' fields. Mimecast searches against the data held in the Mimecast stores, so if the account's maximum retention is 30 days, the results will span the last 30 days. Results are displayed with each recipient on one row. Clicking on a recipient opens the message slider, including the message summary and the header tab. Using the 'Remove Messages' button prompts for a reason. The reason is then logged along with the removal incident in the Incident view.


Incidents

Incidents correspond to an event and list all the matching messages, by recipient. Recorded incidents follow a specific naming convention in the format TR-XXXX-00000-X, where the first block is the customer account code, the second is the incremental incident number and the third indicates the action that was taken.


Indicator (with action):

  • A (Automatic): Indicates messages were removed automatically by Mimecast upon discovery of a threat.
  • N (Notify only): Indicates a group of messages that match a threat found by Mimecast.
  • M (Manual): Indicates manual removal of messages by an administrator, either by removing messages found with 'Notify only' or by removing messages through the search function.
  • R (Restore): Indicates messages were restored due to a removal error.
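As an added example (not Mimecast's code and not taken from this page), the following Python parses incident IDs in the TR-XXXX-00000-X convention described above and decodes the action indicator, and it normalizes a term for the Search Messages function: a 64-hex-character value is treated as a SHA256 hash, anything else as a message ID that is wrapped in the angle brackets the known-issues list notes were required for a match during the beta. The character set and length of the account code, and the sample IDs used in the test, are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the account code is alphanumeric of any length; the page only shows "XXXX".
# The incident number is the five-digit block and the indicator is one of A, N, M, R.
INCIDENT_RE = re.compile(
    r"^TR-(?P<account>[A-Z0-9]+)-(?P<number>\d{5})-(?P<action>[ANMR])$"
)

# Indicator letters and their meanings, as listed in the Incidents section.
ACTIONS = {
    "A": "Automatic",
    "N": "Notify only",
    "M": "Manual",
    "R": "Restore",
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass(frozen=True)
class Incident:
    account_code: str
    number: int
    action: str


def is_incident_id(value: str) -> bool:
    """True when the value follows the TR-XXXX-00000-X convention."""
    return INCIDENT_RE.match(value.strip()) is not None


def parse_incident_id(incident_id: str) -> Incident:
    """Split an incident ID into account code, incident number and action name."""
    match = INCIDENT_RE.match(incident_id.strip())
    if match is None:
        raise ValueError(f"not a Threat Remediation incident ID: {incident_id!r}")
    return Incident(
        account_code=match["account"],
        number=int(match["number"]),
        action=ACTIONS[match["action"]],
    )


def classify_search_term(term: str) -> Tuple[str, str]:
    """Return ("hash", <lowercase sha256>) or ("message_id", <bracketed id>).

    Message IDs are wrapped in angle brackets when missing, because the beta's
    search only returned results when the brackets were included.
    """
    cleaned = term.strip()
    if SHA256_RE.match(cleaned):
        return "hash", cleaned.lower()
    if not (cleaned.startswith("<") and cleaned.endswith(">")):
        cleaned = f"<{cleaned}>"
    return "message_id", cleaned


def incidents_requiring_admin_action(incident_ids: List[str]) -> List[str]:
    """Keep the 'Notify only' incidents: the ones where an administrator still
    has to decide whether to remove the matching messages."""
    return [i for i in incident_ids if parse_incident_id(i).action == "Notify only"]


if __name__ == "__main__":
    # Constructed sample values, not real incident IDs.
    for sample in ["TR-ABCD-00042-A", "TR-ABCD-00043-N"]:
        print(sample, "->", parse_incident_id(sample))
    print(classify_search_term("1234.5678@example.com"))
```

A triage script fed by the notification emails could use incidents_requiring_admin_action to surface only the N incidents, since A, M and R incidents record actions already completed.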

Logs

The log view shows the actions taken against all messages, in date order. The log can be searched and retains the last 30 days of actions. A set of filters is available from the options, such as filtering by action or by message status.


Notifications

Notifications are sent to the administrator group selected in the settings. The notification provides the incident details, including the incident ID and the file hash.

[Screenshot: Threat notification email]
