Mimecast Threat Dashboard

Document created by user.oxriBaJeN4 Employee on Jun 20, 2019. Last modified by user.oxriBaJeN4 Employee on Sep 27, 2019.
Version 32

This page demonstrates how the Threat Dashboard provides insights into threats blocked by Mimecast security scanning technologies. By examining your tenant's data, the dashboard provides a high-level overview of:

  • The threats and risks that your organization is facing today.
  • What you have been facing within (by default) the past 30 days.

 

The dashboard also enables you to drill into information about users most targeted, current threats detected, the volume of attacks, and trends related to malicious attachments seen in your tenant. A feed can also be used to return identified malware threats at a customer or regional grid level. See the article Get Threat Intel Feed for further information.

For customers who have Mimecast's Secure Email Gateway (SEG), Mimecast Threat Intelligence is a standard feature* that serves up broad, easily digestible insights into threats to their specific environments. You're able to use those insights to remediate if you have Internal Email Protect (IEP). IEP is accessed directly through Mimecast’s Administration Console, or you can use the SIEM, SOAR, or another orchestration tool of your choice to conduct remediations, leveraging the Threat Feed Remediation API.

* Threat Dashboard and Threat Intel APIs are included as standard features only for customers with the Mail Transfer Agent (MTA). They are designed to consolidate information about malicious attachments detected at both the anti-virus and the Targeted Threat Protection-Attachment (TTP-AP) layer of protection. Contact a Mimecast representative or partner for more details on these features or to discuss an upgrade if necessary.

Accessing the Threat Dashboard

 

To access the Threat Dashboard you must have either the Super Administrator, Full Administrator, or Basic Administrator role. See the Understanding Administrator Roles page for more information.

 

To access the threat dashboard:

  1. Access the My Apps portal.
  2. Select the Threat Dashboard icon. The dashboard opens with the Overview tab displayed.
  3. If required, adjust the Date Range to display information over 24 Hours, 7 Days, or 30 Days.

 

The Overview Tab

 

The Overview tab displays the following information:

  • Targeted Users: Displays the number of users being attacked, and a comparison trend with a higher or lower percentage.
  • Total Malware Detections: Displays the total malware detected, and a comparison trend with a higher or lower percentage.
  • Malware Detections: This graph displays the volume of malware detections during the selected time frame. This is useful for identifying trends or patterns in when you receive attacks. For instance, there may be a specific day or time when an attack is more prevalent. Once this is known, your company can be more proactive in its response. Click on the More Info icon to display the following menu items:
    • Search Detections: This automatically performs a search using the same parameters as the chart data, with the results displayed in the Search tab.
    • Download PNG / PDF / SVG / JPG: Downloads the graph in the selected image format.
  • Recent Threats: Displays recent threats alongside the type of threat, the amount detected, and the latest detection reported.
  • Most Targeted Users: Displays the trend of user risk (e.g. the users most prone to being targeted). This could be based on their behaviors (e.g. constantly clicking on bad links). By reviewing this information, you can offer them additional counseling and/or protections and identify attack trends across the business. Click on the More Info icon to display the Search Messages menu item, which automatically performs a search using the same parameters as the chart data, with the results displayed in the Search tab.
  • Malware Origin: Draws attention to where the attacks have originated, based on their IP address. The map helps you to determine trends in the attack origination, so you can create a block against these suspicious regions. Click on the More Info icon to display the Download PNG / PDF / SVG / JPG menu items, which allow you to download the map in the selected image format.

 

The Search Tab

 

The Search Tab helps you gain an insight into the messages blocked based on attachments. This allows you to rapidly determine to whom a particular threat has spread. It primarily gives insight into threats identified by anti-virus and Targeted Threat Protection - Attachment Protect metadata.


There are two search methods:

  • Search by Data: Allows you to search for data inside a message by searching for:
    • Attachment File Hash
    • From field
    • To field
    • Attachment Filename
    • Subject
    • Sender IP Address
    • Date Range
  • Search by ID: Allows you to search on message IDs inside the header if you have previously identified a problem message ID.

 

Search Results

 

The results of a search are displayed at the bottom of the page with both a graphical display and details of the affected messages.

 

Displaying a Message's Details

 

You can click on a message to display a panel providing information on the malware attack. The information is displayed in the following tabs:

  • Message Tab: This contains a:
    • Summary of the message including who the message is from / to, the subject, and the received date.
    • List of the malicious attachments, including the file name, scan result, and file size.
      Click on the More Info icon to the right of an attachment to view detailed information about the malicious attachment.
  • Threat Information Tab: This displays further information on the threat. For example, if more than one attachment is linked to the message, you can select one of them from the drop-down. This displays:
    • A summary of the scan result, the malware type (e.g. virus), the attachment file name, threat name, and the file's hash. 
    • The malware analysis which identifies the type of malware, including an expandable / collapsible breakdown of the file's content, including exactly where the malicious content sits inside the file.
    • Evidence to provide proof of the malicious content inside the attachment, and the reason the message was flagged.

 

Changing the Dashboard's Display Mode

 

You can change the display mode of the dashboard. An option is available to switch between the default "light" mode and a "dark" mode. The dark mode uses a darker, colorful theme.

 

To toggle the display mode:

  1. Click on your Profile's Avatar.
  2. Click on the Dark Mode slider option to enable or disable the dark mode.

 
