Fortinet black logo

Mimecast

Home FortiSOAR Connectors Mimecast

Mimecast v2.0.0

2.0.0
2.1.0
2.0.0
1.2.0
1.1.0
1.0.0
Copy Link
Copy Doc ID 3eab8c0d-b8ed-11ed-8e6d-fa163e15d75b:515

About the connector

Mimecast specializes in cloud-based email management for Microsoft Exchange and Microsoft Office 365, and offers security, archiving, and continuity services to protect business mail.

This document provides information about the Mimecast connector, which facilitates automated interactions, with a Mimecast server using FortiSOAR™ playbooks. Add the Mimecast connector as a step in FortiSOAR™ playbooks and perform automated operations, such as adding a sender to the blocked sender list on Mimecast or retrieving information about a tracked message from Mimecast.

Version information

Connector Version: 2.0.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.0.0

Following enhancements have been made to the Mimecast connector in version 2.0.0:

  • Added following new operations and playbooks:
    • Get Search URL Logs
    • Get TTP URL Logs
    • Decode URL
  • Updated configuration parameters as follows:
    • Added new parameters Secret key and Access Key
    • Removed existing parameters User Name, Password and Auth Type

Getting Access Tokens

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-mimecast

Prerequisites to configuring the connector

  • You must have the URL of the Mimecast server to which you will connect and perform automated operations and authentication details to perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Mimecast server.

Minimum Permissions Required

Following table illustrates permissions required for each action in this connector:

Action Application Permissions
Create Blocked Sender Policy Gateway | Policies | Edit
Get Blocked Sender Policy Gateway | Policies | Read
Update Blocked Sender Policy Gateway | Policies | Edit
Delete Blocked Sender Policy Gateway | Policies | Edit
Create Group Directories | Groups | Edit
Find Groups Directories | Groups | Edit
Update Group Directories | Groups | Edit
Delete Group Directories | Groups | Edit
Add Group Member Directories | Groups | Edit
Get Group Member Directories | Groups | Read
Remove Group Member Directories | Groups | Edit
Block Sender Gateway | Managed Senders | Edit
Unblock Sender Gateway | Managed Senders | Edit
Get Managed URL Services | Targeted Threat Protection - URL Protect | Edit
Blacklist URL Services | Targeted Threat Protection - URL Protect | Edit
Whitelist URL Services | Targeted Threat Protection - URL Protect | Edit
Decode URL Account | Dashboard | Read
Get Search URL Logs Archive | Search Logs | Read
Get TTP URL Logs Monitoring | URL Protection | Read
Get Message List Archive | Search | Read
Archive Search Archive | Search | Read
Message Search Gateway | Tracking | Read
Get Archive Search Message Details Archive | Search Content View
Get Message Info Gateway | Tracking | Read
Get Aliases Directories | Internal | Read

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Mimecast connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL The URL of the Mimecast server to which you will connect and perform automated operations.
Application ID The Mimecast API application has a unique API Application ID that is used to create an authentication token that you can use to access the API.
Application Key The Mimecast API application has a unique API Application Key that is used to create an authentication token that you can use to access the API.
Access Key Specify an access key to access the API
Secret Key Specify a secret key to access the API
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Create Blocked Sender Policy Creates a policy for blocking senders on the Mimecast server. create_policy
Containment
Get Blocked Sender Policy Retrieves a list and details of all blocked sender policies for a Mimecast account from the Mimecast server, or retrieves the details of a specific policy based on the policy ID you have specified. get_policy
Investigation
Update Blocked Sender Policy Updates an existing blocked sender policy from a Mimecast account on the Mimecast server, based on the policy id, action, and other input parameters you have specified. update_policy
Miscellaneous
Delete Blocked Sender Policy Deletes an existing blocked sender policy from a Mimecast account on the Mimecast server, based on the policy id you have specified. delete_policy
Miscellaneous
Create Group Creates a new group on the Mimecast server. create_group
Containment
Delete Group Deletes an existing group from the Mimecast server. delete_group
Miscellaneous
Find Groups Retrieves details of existing Mimecast groups from the Mimecast server, based on the input parameters (filter criteria) you have specified.
If you do not specify any filter criteria, then details of all existing groups are retrieved from the Mimecast server.		 get_groups
Investigation
Update Group Updates a group on the Mimecast server, based on the input parameters you have specified. update_group
Investigation
Add Group Member Adds members (users) to the specified group on the Mimecast server, based on the CSV list of email addresses or domains of the users you have specified. add_group_member
Investigation
Get Group Member Retrieves details of the members of a specific group on the Mimecast server, based on the group ID you have specified. get_group_member
Investigation
Remove Group Member Removes a member from the specified group on the Mimecast server, based on the email address or the domain of the user you have specified. remove_group_member
Remediation
Block Sender Adds a sender to the blocked sender list on the Mimecast server. block_sender
Containment
Unblock Sender Adds a sender to the permitted sender list on the Mimecast server. unblock_sender
Remediation
Blacklist URL Adds a URL to be blacklisted on the Mimecast server. block_url
Containment
Whitelist URL Adds a URL to the targeted threat protection whitelist on the Mimecast server. unblock_url
Remediation
Decode URL Decodes a Mimecast-encoded URL that you have specified. decode_url
Investigation
Get Search URL Logs Retrieves all the search URL Logs or specific search URL logs from Mimecast based on filtration query and other parameters you have specified. get_search_url_logs
Investigation
Get TTP URL Logs Retrieves all the TTP URL Logs or specific TTP URL logs from Mimecast based on the input parameters you have specified. get_ttp_url_logs
Investigation
Get Managed URL Retrieves a list and details of managed URLs from the targeted threat protection blacklist or whitelist on the Mimecast server. get_managed_url
Investigation
Get Message List Retrieves a list of messages for a specified user or the logged-in user from Mimecast. get_message_list
Investigation
Get Archive Search Message Details Retrieves metadata for a message from the Mimecast archives, based on the message ID you have specified. get_archive_search_message_detail
Investigation
Get Message Info Retrieves information for a tracked message from Mimecast, based on the Mimecast ID you have specified. get_tracked_message_info
Investigation
Archive Search Retrieves a list of messages from Mimecast that match the search criteria that you have specified. archive_search
Investigation
Message Search Tracks messages across the Mimecast platform, based on the input parameters you have specified message_search
Investigation
Get Aliases Retrieves the alias address(es) associated with a user from Mimecast, based on the email address you have specified. get_aliases
Investigation

operation: Create Blocked Sender Policy

Input parameters

Parameter Description
Action Specify the action to take. You can choose from the following options:
  • Blocked Sender: Select this option to add the specified email addresses to blocked sender policy on Mimecast.
  • No Action: Select this option to take no action on the specified email addresses.
Description Specify a description of the blocked sender policy that you want to create on the Mimecast server. This description is kept with the email in the Archive for future reference.
Sender Type Specify the sender type being blocked using this blocked sender policy. Select from the following options:
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Sender Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Sender Type, then you must specify a value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Addresses Based on Specify the addresses based on which you will block the sender using this blocked sender policy. Choose one of the following options:
  • Envelope From
  • Header From
  • Both
Receiver Type Specify the receiver type included in this blocked sender policy. Select from the following options:
  • Everyone
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Receiver Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Receiver Type, then you must specify the value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Source IP (Optional) Specify a list of IP addresses that use the CIDR notation (X.X.X.X/XX), as comma-separated values. When you specify the source IP, then this blocked sender policy applies only to connections from matching IP addresses.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"option": "",
"policy": {
"fromType": "",
"fromValue": "",
"fromEternal": "",
"from": {
"emailDomain": "",
"type": "",
"groupId": "",
"emailAddress": ""
},
"fromPart": "",
"conditions": {
"sourceIPs": []
},
"toDate": "",
"fromDate": "",
"toType": "",
"override": "",
"bidirectional": "",
"toEternal": "",
"description": "",
"to": {
"emailDomain": "",
"type": "",
"groupId": "",
"emailAddress": ""
}
},
"id": ""
}
],
"meta": {
"status": ""
}
}

operation: Get Blocked Sender Policy

Input parameters

Parameter Description
Policy ID (Optional) Specify the ID of the policy whose blocked sender details you want to retrieve from the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"option": "",
"policy": {
"fromType": "",
"from": {
"type": ""
},
"fromPart": "",
"conditions": {},
"toDate": "",
"fromDate": "",
"toType": "",
"override": "",
"bidirectional": "",
"toEternal": "",
"description": "",
"to": {
"type": ""
}
},
"id": ""
}
],
"fail": []
}

operation: Update Blocked Sender Policy

Input parameters

Parameter Description
Policy ID Specify the ID of the existing blocked sender policy that you want to update on Mimecast.
Action Specify the block option or action to update on Mimecast. Choose from one of the following: Blocked Sender or No Action.
Description Specify a description of the blocked sender policy that you want to update on the Mimecast server. This description is kept with the email in the Archive for future reference.
Sender Type Specify the sender type being blocked using this blocked sender policy. Select from the following options:
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Sender Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Sender Type, then you must specify a value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Addresses Based on Specify the addresses based on which you will block the sender using this blocked sender policy. Choose one of the following options:
  • Envelope From
  • Header From
  • Both
Receiver Type Specify the receiver type included in this blocked sender policy. Select from the following options:
  • Everyone
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Receiver Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Receiver Type, then you must specify the value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Source IP (Optional) Specify a list of IP addresses that use the CIDR notation (X.X.X.X/XX), as comma-separated values. When you specify the source IP, then this blocked sender policy applies only to connections from matching IP addresses.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"option": "",
"policy": {
"fromType": "",
"fromValue": "",
"fromEternal": "",
"from": {
"type": "",
"emailAddress": ""
},
"description": "",
"conditions": {},
"toDate": "",
"toEternal": "",
"toType": "",
"override": "",
"bidirectional": "",
"fromDate": "",
"fromPart": "",
"to": {
"type": ""
}
},
"id": ""
}
],
"meta": {
"status": ""
}
}

operation: Delete Blocked Sender Policy

Input parameters

Parameter Description
Policy ID Specify the ID of the existing blocked sender policy that you want to delete from Mimecast.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"id": "",
"deleted": ""
}
],
"meta": {
"status": ""
}
}

operation: Create Group

Input parameters

Parameter Description
Description Specify a description of the new group that you want to create on the Mimecast server.
Parent ID (Optional) Specify the ID of the parent group under which you want to create the new group on the Mimecast server.
If you do not specify a parent ID, then the new group will be created at the root level on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"parentId": "",
"source": "",
"userCount": "",
"folderCount": "",
"description": "",
"id": ""
}
],
"fail": []
}

operation: Find Groups

Input parameters

Parameter Description
Query Specify the query string using which you want to search for groups on the Mimecast server.
Note: If you do not provide any query string then details of all existing groups are retrieved from the Mimecast server.
Source Specify the source of the group based on which you want to search for groups on the Mimecast server. Choose from one of the following: Cloud or LDAP.
Page Size (Optional) Specify the number of results that are requested by this operation.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"meta": {
"pagination": {
"pageSize": "",
"previous": ""
},
"status": ""
},
"data": [
{
"folders": [
{
"parentId": "",
"source": "",
"userCount": "",
"folderCount": "",
"description": "",
"id": ""
}
],
"query": "",
"source": ""
}
],
"fail": []
}

operation: Update Group

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group that you want to update on the Mimecast server.
Use the Find Groups operation to retrieve the Group IDs for existing groups on the Mimecast server.
Description (Optional) Specify the description to update the group specified in this operation.
Parent ID (Optional) Specify the ID to update as the parent of the group specified in this operation.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"folderCount": "",
"parentId": "",
"source": "",
"userCount": "",
"description": "",
"id": ""
}
],
"meta": {
"status": ""
}
}

operation: Delete Group

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group that you want to delete from the Mimecast server.
Use the Find Groups operation to retrieve the Group IDs for existing groups on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"status": "",
"id": ""
}
],
"fail": []
}

operation: Add Group Member

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group in which you want to add the user.
Email Address Specify a comma-separated list of email addresses that you want to add to the specified group.

NOTE: To add members to a group, you can specify a CSV list of email addresses of users or domains of users, or both. However, in one go, you can add a maximum of 100 members to a group.
Domain Specify a comma-separated list of domains of users that you want to add to the specified group.

Output

The output contains the following populated JSON schema if you have specified the CSV list of domains of users:
{
"meta": {
"status": ""
},
"data": [
{
"id": "",
"folderId": "",
"domain": ""
}
],
"fail": [
{
"key": {
"domain": "",
"id": ""
},
"errors": [
{
"code": "",
"message": "",
"retryable": ""
}
]
}
],
"major_fail": [
{
"key": {
"domain": "",
"id": ""
},
"errors": [
{
"message": "",
"code": "",
"field": "",
"retryable": ""
}
]
}
]
}

operation: Get Group Member

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group whose member details you want to retrieve from the Mimecast server.
Page Size (Optional) Specify the number of results that are requested by this operation.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"groupMembers": [
{
"internal": "",
"domain": "",
"type": "",
"name": "",
"emailAddress": ""
}
]
}
],
"meta": {
"pagination": {
"pageSize": ""
},
"status": ""
}
}

operation: Remove Group Member

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group from which you want to remove a member (user).
Email Address Specify the email address of the user that you want to remove from the specified group.

NOTE: You must specify either the email address or the domain of the user that you want to remove from the specified group.
Domain Specify the domain of the user that you want to remove from the specified group.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"domain": "",
"id": "",
"folderId": ""
}
],
"meta": {
"status": ""
}
}

operation: Block Sender

Input parameters

Parameter Description
Sender Email ID Specify the email address of the sender that you want to block on the Mimecast server.
Recipient Email ID Specify the email address of the recipient that you want to block on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"sender": "",
"type": "",
"id": "",
"to": ""
}
],
"fail": []
}

operation: Unblock Sender

Input parameters

Parameter Description
Sender Email ID Specify the email address of the sender that you want to unblock on the Mimecast server.
Recipient Email ID Specify the email address of the recipient that you want to unblock on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"sender": "",
"type": "",
"id": "",
"to": ""
}
],
"fail": []
}

operation: Get Managed URL

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"meta": {
"status": "",
"pagination": {
"pageSize": "",
"recordStart": "",
"next": ""
}
},
"data": [
{
"status": "",
"received": "",
"from": {
"displayableName": "",
"emailAddress": ""
},
"smash": "",
"read": "",
"attachmentCount": "",
"ccm": "",
"to": {
"displayableName": "",
"emailAddress": ""
},
"recalled": "",
"subject": "",
"expired": "",
"id": "",
"size": ""
}
]
}

operation: Blacklist URL

Input parameters

Parameter Description
URL Specify the URL that you want to blacklist on the Mimecast server.
Note: Do not include a fragment (#)
Disable Log Click (Optional) Select to disable logging of user clicks on the specified URL.
By default, this is set to False.
Match Type (Optional) Select from the following options to Explicit to explicitly blacklist only the specified URL or Domain to blacklist any URL on the same domain.
Comment (Optional) Specify a comment about why you want to blacklist the specified URL on the Mimecast server. Comments are used for tracking purposes.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"comment": "",
"disableRewrite": "",
"scheme": "",
"disableUserAwareness": "",
"matchType": "",
"port": "",
"action": "",
"id": "",
"domain": "",
"disableLogClick": ""
}
],
"fail": []
}

operation: Whitelist URL

Input parameters

Parameter Description
URL Specify the URL that you want to include in the targeted threat protection whitelist on the Mimecast server.
Note: Do not include a fragment (#)
Disable Rewrite (Optional) Select this option to disable rewriting of the specified URL in emails.
Disable User Awareness (Optional) Select this option to disable user awareness of the specified URL.
Disable Log Click (Optional) Select to disable logging of user clicks on the specified URL.
By default, this is set to False.
Match Type (Optional) Select Explicit to explicitly whitelist only the specified URL or Domain to whitelist any URL on the same domain.
Comment (Optional) Specify a comment about why you want to whitelist the specified URL on the Mimecast server. Comments are used for tracking purposes.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"comment": "",
"disableRewrite": "",
"scheme": "",
"disableUserAwareness": "",
"matchType": "",
"port": "",
"action": "",
"id": "",
"domain": "",
"disableLogClick": ""
}
],
"fail": []
}

operation: Get Message List

Input parameters

Parameter Description
Mailbox Specify the email address for which you want to retrieve the message list from Mimecast.
Note: If you do not specify any email address, then the message list for the logged-in user is retrieved from Mimecast.
Source Specify the type of message that you want to retrieve from Mimecast. Choose from the following options: INBOX or SENT.
By default, this is set as INBOX.
Start Time Specify a start date from when you want to retrieve messages from Mimecast.
By default, this is set as the last calendar month.
End Time Specify an end date till when you want to retrieve messages from Mimecast.
By default, this is set as the current day.
Include Delegates Select this checkbox, i.e., set it to True to include messages for addresses for which the mailbox has delegate permissions.
By default, this is set as False.
Include Alias Select this checkbox, i.e., set it to True to include messages for alias addresses of the mailbox.
By default, this is set as True.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"meta": {
"pagination": {
"pageSize": "",
"next": "",
"recordStart": ""
},
"status": ""
},
"data": [
{
"received": "",
"attachmentCount": "",
"subject": "",
"from": {
"emailAddress": "",
"displayableName": ""
},
"recalled": "",
"status": "",
"id": "",
"read": "",
"ccm": "",
"smash": "",
"expired": "",
"to": {
"emailAddress": "",
"displayableName": ""
},
"size": ""
}
],
"fail": []
}

operation: Get Archive Search Message Details

Input parameters

Parameter Description
Mimecast ID Specify the Mimecast ID of the message whose metadata information you want to retrieve from the Mimecast archives.
Use the Archive Search operation to retrieve the message IDs for existing messages in the Mimecast archives.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"received": "",
"headerDate": "",
"mimeMessageId": "",
"from": {
"emailAddress": "",
"displayableName": ""
},
"id": "",
"status": "",
"hasHtmlBody": "",
"hasTextBody": "",
"isPassthrough": "",
"cc": [
{
"emailAddress": "",
"displayableName": ""
}
],
"messageBodyPreview": "",
"subject": "",
"attachments": [
{
"contentType": "",
"extension": "",
"filename": "",
"contentId": "",
"sha256": "",
"id": "",
"bodyType": "",
"size": ""
}
],
"envelopeFrom": {
"emailAddress": "",
"displayableName": ""
},
"smash": "",
"headers": [
{
"values": [],
"name": ""
}
],
"processed": "",
"to": [
{
"emailAddress": "",
"displayableName": ""
}
],
"size": "",
"replyTo": {
"emailAddress": "",
"displayableName": ""
}
}
],
"fail": []
}

operation: Get Message Info

Input parameters

Parameter Description
Mimecast ID Specify the Mimecast ID of the message whose information you want to retrieve from Mimecast.
Use the Message Search operation to retrieve the message IDs for tracked messages.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"deliveredMessage": {
"user@domain.com": {
"messageInfo": {
"htmlBody": "",
"fromHeader": "",
"subject": "",
"sent": "",
"cc": [],
"fromEnvelope": "",
"attachments": [],
"route": "",
"processed": "",
"transmissionInfo": "",
"to": [],
"textBody": ""
},
"policyInfo": [
{
"policyType": "",
"policyName": "",
"inherited": ""
}
],
"deliveryMetaInfo": {
"components": [
{
"extension": "",
"type": "",
"mimeType": "",
"name": "",
"size": ""
}
],
"transmissionEnd": "",
"transmissionStart": "",
"encryptionInfo": "",
"transmissionSize": "",
"remoteHost": "",
"emailAddress": "",
"remoteServerGreeting": "",
"deliveryEvent": "",
"processingServer": "",
"remoteIp": "",
"messageExpiresIn": "",
"receiptAcknowledgement": ""
}
}
},
"status": "",
"id": "",
"retentionInfo": {
"litigationHoldInfo": [],
"smartTags": [],
"fbrStamps": [],
"purgeBasedOn": "",
"fbrExpireCheck": [],
"currentPurgeDate": "",
"audits": [],
"originalPurgeDate": "",
"retentionAdjustmentDays": ""
},
"recipientInfo": {
"recipientMetaInfo": {
"components": [
{
"extension": "",
"type": "",
"mimeType": "",
"name": "",
"size": ""
}
],
"receiptEvent": "",
"receiptAcknowledgement": "",
"remoteServerGreeting": "",
"encryptionInfo": "",
"transmissionSize": "",
"remoteHost": "",
"spamEvent": "",
"transmissionEnd": "",
"transmissionStart": "",
"processingServer": "",
"messageExpiresIn": "",
"binaryEmailSize": "",
"remoteIp": ""
},
"messageInfo": {
"cc": [],
"htmlBody": "",
"fromEnvelope": "",
"attachments": [],
"subject": "",
"fromHeader": "",
"processed": "",
"transmissionInfo": "",
"to": [],
"textBody": "",
"sent": ""
}
}
}
],
"fail": []
}

operation: Archive Search

Input parameters

Parameter Description
Email ID Specify the email address that is configured in Mimecast whose messages you want to search on Mimecast.
Search Text Specify the text to filter the search for messages on Mimecast.
Admin Select this option, i.e., set it to True if this search is an administrative search.
By default, this is set as False, i.e., the search is an end-user search.
Time Period (Optional) Specify the time period for which you want to query messages received in the specified email address. You can choose from the following options: Today, Yesterday, Last Week, Last Month, Last Year, or Between.
If you choose Between, then in the From field, you should specify the start date and time from when you want to query for messages received in the specified email address, and in the To field, you should specify the end date and time till when you want to query for messages received in the specified email address.
Document Type (Optional) Select the type of document (attachment) for which you want to query for messages received in the specified email address. Some of the options you can choose from are Spreadsheets, Documents, Text, Media, etc.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"meta": {
"pagination": {
"pageSize": "",
"next": "",
"recordStart": ""
},
"status": ""
},
"data": [
{
"subject": "",
"smash": "",
"size": "",
"receiveddate": "",
"attachmentcount": "",
"status": "",
"id": "",
"displayto": "",
"displayfrom": ""
}
],
"fail": []
}

operation: Message Search

Input parameters

Parameter Description
Sender Email ID Specify the email address or domain of the sender of the messages that you want to track on Mimecast.
Recipient Email ID Specify the email address or domain of the recipient of the messages that you want to track on Mimecast.
Subject Specify the subject of the messages that you want to track on Mimecast.
Message ID Specify the Internet message ID of the message whose message details you want to track on Mimecast.
For example, <CALEwL_b_JJ_OfLw5S9vH34cnvAUowaQ24PhOePtkGUa6WV3QFw@mail.gmail.com>
Sender IP Specify the source IP address of the sender of the messages that you want to track on Mimecast.
Search Reason Specify the reason for tracking the messages on Mimecast.
Start Time Specify the date and time from when you want to search messages on Mimecast.
End Time Specify the date and time till when you want to search messages on Mimecast.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"trackedEmails": [
{
"received": "",
"attachments": "",
"fromHdr": {
"emailAddress": "",
"displayableName": ""
},
"fromEnv": {
"emailAddress": "",
"displayableName": ""
},
"route": "",
"id": "",
"status": "",
"senderIP": "",
"to": [
{
"emailAddress": "",
"displayableName": ""
}
],
"sent": "",
"subject": ""
}
]
}
],
"fail": []
}

operation: Get Aliases

Input parameters

Parameter Description
Email ID Specify the primary email address of the user whose alias email addresses you want to retrieve from Mimecast

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"emailAddress": "",
"aliases": [
{
"domain": "",
"type": "",
"emailAddress": "",
"displayName": "",
"isInternal": ""
}
]
}
],
"fail": []
}

operation: Decode URL

Input parameters

Parameter Description
Encoded URL Specify the Mimecast-encoded URL, for example, https://protect-xx.mimecast.com/... you want to decode.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"url": "",
"success": ""
}
],
"meta": {
"status": ""
}
}

operation: Get Search URL Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all Search URL Logs are fetched from Mimecast.

Parameter Description
Query Specify the query string using which you want to search for URL Logs on the Mimecast server.
Note: If you do not provide any query string then details of all existing Search URLs Logs are retrieved from the Mimecast server.
Start Time Specify the date and time from when you want to search URL logs on Mimecast. Defaults to the start of the current day.
End Time Specify the date and time till when you want to search URL logs on Mimecast. Defaults to the end of the current day.
Page Size Specify the number of results that are requested by this operation.
Page Token Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"logs": [
{
"searchText": "",
"description": "",
"searchReason": "",
"museQuery": "",
"emailAddr": "",
"source": "",
"isAdmin": "",
"searchPath": "",
"createTime": ""
}
]
}
],
"meta": {
"status": "",
"pagination": {
"pageSize": "",
"next": ""
}
}
}

operation: Get TTP URL Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all TTP URL Logs are fetched from Mimecast.

Parameter Description
Oldest First Select this option to order results with the most recent first. By default, this is set to False.
Route Select the route by which you want to filter the TTP URL logs. You can choose from the following options: inbound, outbound, internal, or all. Defaults to 'all'.
Start Time Specify the date and time from when you want to search TTP URL logs on Mimecast. Defaults to the start of the current day.
End Time Specify the date and time till when you want to search TTP URL logs on Mimecast. Defaults to the time of the request.
Scan Result Select the scan result by which you want to filter the TTP URL logs. You can choose from the following options: clean, malicious, or all. Defaults to 'all'.
Page Size Specify the number of results that are requested by this operation.
Page Token Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"source": "",
"folders": [
{
"folderCount": "",
"parentId": "",
"userCount": "",
"source": "",
"description": "",
"id": ""
}
],
"query": ""
}
],
"meta": {
"status": "",
"pagination": {
"previous": "",
"pageSize": ""
}
}
}

Included playbooks

The Sample - Mimecast - 2.0.0 playbook collection comes bundled with the Mimecast connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Mimecast connector.

  • Add Group Member
  • Archive Search
  • Blacklist URL
  • Block Sender
  • Create Blocked Sender Policy
  • Create Group
  • Decode URL
  • Delete Blocked Sender Policy
  • Delete Group
  • Find Groups
  • Get Aliases
  • Get Archive Search Message Details
  • Get Blocked Sender Policy
  • Get Group Member
  • Get Managed URL
  • Get Message Info
  • Get Message List
  • Get Search URL Logs
  • Get TTP URL Logs
  • Message Search
  • Remove Group Member
  • Unblock Sender
  • Update Blocked Sender Policy
  • Update Group
  • Whitelist URL

NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Previous
Next

About the connector

Mimecast specializes in cloud-based email management for Microsoft Exchange and Microsoft Office 365, and offers security, archiving, and continuity services to protect business mail.

This document provides information about the Mimecast connector, which facilitates automated interactions, with a Mimecast server using FortiSOAR™ playbooks. Add the Mimecast connector as a step in FortiSOAR™ playbooks and perform automated operations, such as adding a sender to the blocked sender list on Mimecast or retrieving information about a tracked message from Mimecast.

Version information

Connector Version: 2.0.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.0.0

Following enhancements have been made to the Mimecast connector in version 2.0.0:

Getting Access Tokens

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-mimecast

Prerequisites to configuring the connector

Minimum Permissions Required

Following table illustrates permissions required for each action in this connector:

Action Application Permissions
Create Blocked Sender Policy Gateway | Policies | Edit
Get Blocked Sender Policy Gateway | Policies | Read
Update Blocked Sender Policy Gateway | Policies | Edit
Delete Blocked Sender Policy Gateway | Policies | Edit
Create Group Directories | Groups | Edit
Find Groups Directories | Groups | Edit
Update Group Directories | Groups | Edit
Delete Group Directories | Groups | Edit
Add Group Member Directories | Groups | Edit
Get Group Member Directories | Groups | Read
Remove Group Member Directories | Groups | Edit
Block Sender Gateway | Managed Senders | Edit
Unblock Sender Gateway | Managed Senders | Edit
Get Managed URL Services | Targeted Threat Protection - URL Protect | Edit
Blacklist URL Services | Targeted Threat Protection - URL Protect | Edit
Whitelist URL Services | Targeted Threat Protection - URL Protect | Edit
Decode URL Account | Dashboard | Read
Get Search URL Logs Archive | Search Logs | Read
Get TTP URL Logs Monitoring | URL Protection | Read
Get Message List Archive | Search | Read
Archive Search Archive | Search | Read
Message Search Gateway | Tracking | Read
Get Archive Search Message Details Archive | Search Content View
Get Message Info Gateway | Tracking | Read
Get Aliases Directories | Internal | Read

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Mimecast connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL The URL of the Mimecast server to which you will connect and perform automated operations.
Application ID The Mimecast API application has a unique API Application ID that is used to create an authentication token that you can use to access the API.
Application Key The Mimecast API application has a unique API Application Key that is used to create an authentication token that you can use to access the API.
Access Key Specify an access key to access the API
Secret Key Specify a secret key to access the API
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Create Blocked Sender Policy Creates a policy for blocking senders on the Mimecast server. create_policy
Containment
Get Blocked Sender Policy Retrieves a list and details of all blocked sender policies for a Mimecast account from the Mimecast server, or retrieves the details of a specific policy based on the policy ID you have specified. get_policy
Investigation
Update Blocked Sender Policy Updates an existing blocked sender policy from a Mimecast account on the Mimecast server, based on the policy id, action, and other input parameters you have specified. update_policy
Miscellaneous
Delete Blocked Sender Policy Deletes an existing blocked sender policy from a Mimecast account on the Mimecast server, based on the policy id you have specified. delete_policy
Miscellaneous
Create Group Creates a new group on the Mimecast server. create_group
Containment
Delete Group Deletes an existing group from the Mimecast server. delete_group
Miscellaneous
Find Groups Retrieves details of existing Mimecast groups from the Mimecast server, based on the input parameters (filter criteria) you have specified.
If you do not specify any filter criteria, then details of all existing groups are retrieved from the Mimecast server.		 get_groups
Investigation
Update Group Updates a group on the Mimecast server, based on the input parameters you have specified. update_group
Investigation
Add Group Member Adds members (users) to the specified group on the Mimecast server, based on the CSV list of email addresses or domains of the users you have specified. add_group_member
Investigation
Get Group Member Retrieves details of the members of a specific group on the Mimecast server, based on the group ID you have specified. get_group_member
Investigation
Remove Group Member Removes a member from the specified group on the Mimecast server, based on the email address or the domain of the user you have specified. remove_group_member
Remediation
Block Sender Adds a sender to the blocked sender list on the Mimecast server. block_sender
Containment
Unblock Sender Adds a sender to the permitted sender list on the Mimecast server. unblock_sender
Remediation
Blacklist URL Adds a URL to be blacklisted on the Mimecast server. block_url
Containment
Whitelist URL Adds a URL to the targeted threat protection whitelist on the Mimecast server. unblock_url
Remediation
Decode URL Decodes a Mimecast-encoded URL that you have specified. decode_url
Investigation
Get Search URL Logs Retrieves all the search URL Logs or specific search URL logs from Mimecast based on filtration query and other parameters you have specified. get_search_url_logs
Investigation
Get TTP URL Logs Retrieves all the TTP URL Logs or specific TTP URL logs from Mimecast based on the input parameters you have specified. get_ttp_url_logs
Investigation
Get Managed URL Retrieves a list and details of managed URLs from the targeted threat protection blacklist or whitelist on the Mimecast server. get_managed_url
Investigation
Get Message List Retrieves a list of messages for a specified user or the logged-in user from Mimecast. get_message_list
Investigation
Get Archive Search Message Details Retrieves metadata for a message from the Mimecast archives, based on the message ID you have specified. get_archive_search_message_detail
Investigation
Get Message Info Retrieves information for a tracked message from Mimecast, based on the Mimecast ID you have specified. get_tracked_message_info
Investigation
Archive Search Retrieves a list of messages from Mimecast that match the search criteria that you have specified. archive_search
Investigation
Message Search Tracks messages across the Mimecast platform, based on the input parameters you have specified message_search
Investigation
Get Aliases Retrieves the alias address(es) associated with a user from Mimecast, based on the email address you have specified. get_aliases
Investigation

operation: Create Blocked Sender Policy

Input parameters

Parameter Description
Action Specify the action to take. You can choose from the following options:
  • Blocked Sender: Select this option to add the specified email addresses to blocked sender policy on Mimecast.
  • No Action: Select this option to take no action on the specified email addresses.
Description Specify a description of the blocked sender policy that you want to create on the Mimecast server. This description is kept with the email in the Archive for future reference.
Sender Type Specify the sender type being blocked using this blocked sender policy. Select from the following options:
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Sender Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Sender Type, then you must specify a value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Addresses Based on Specify the addresses based on which you will block the sender using this blocked sender policy. Choose one of the following options:
  • Envelope From
  • Header From
  • Both
Receiver Type Specify the receiver type included in this blocked sender policy. Select from the following options:
  • Everyone
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Receiver Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Receiver Type, then you must specify the value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Source IP (Optional) Specify a list of IP addresses that use the CIDR notation (X.X.X.X/XX), as comma-separated values. When you specify the source IP, then this blocked sender policy applies only to connections from matching IP addresses.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"option": "",
"policy": {
"fromType": "",
"fromValue": "",
"fromEternal": "",
"from": {
"emailDomain": "",
"type": "",
"groupId": "",
"emailAddress": ""
},
"fromPart": "",
"conditions": {
"sourceIPs": []
},
"toDate": "",
"fromDate": "",
"toType": "",
"override": "",
"bidirectional": "",
"toEternal": "",
"description": "",
"to": {
"emailDomain": "",
"type": "",
"groupId": "",
"emailAddress": ""
}
},
"id": ""
}
],
"meta": {
"status": ""
}
}

operation: Get Blocked Sender Policy

Input parameters

Parameter Description
Policy ID (Optional) Specify the ID of the policy whose blocked sender details you want to retrieve from the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"option": "",
"policy": {
"fromType": "",
"from": {
"type": ""
},
"fromPart": "",
"conditions": {},
"toDate": "",
"fromDate": "",
"toType": "",
"override": "",
"bidirectional": "",
"toEternal": "",
"description": "",
"to": {
"type": ""
}
},
"id": ""
}
],
"fail": []
}

operation: Update Blocked Sender Policy

Input parameters

Parameter Description
Policy ID Specify the ID of the existing blocked sender policy that you want to update on Mimecast.
Action Specify the block option or action to update on Mimecast. Choose from one of the following: Blocked Sender or No Action.
Description Specify a description of the blocked sender policy that you want to update on the Mimecast server. This description is kept with the email in the Archive for future reference.
Sender Type Specify the sender type being blocked using this blocked sender policy. Select from the following options:
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Sender Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Sender Type, then you must specify a value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Addresses Based on Specify the addresses based on which you will block the sender using this blocked sender policy. Choose one of the following options:
  • Envelope From
  • Header From
  • Both
Receiver Type Specify the receiver type included in this blocked sender policy. Select from the following options:
  • Everyone
  • Internal Addresses
  • External Addresses
  • Email Domain
  • Profile Group
  • Individual Email Address
Receiver Value (Optional) If you have selected Email Domain, Profile Group, or Individual Email Address as Receiver Type, then you must specify the value in this field.
  • Email Domain: Specify a domain name without the @ symbol.
  • Profile Group: Specify the ID of the profile group in this field.
  • Individual Email Address: Specify an email address in this field.
Source IP (Optional) Specify a list of IP addresses that use the CIDR notation (X.X.X.X/XX), as comma-separated values. When you specify the source IP, then this blocked sender policy applies only to connections from matching IP addresses.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"option": "",
"policy": {
"fromType": "",
"fromValue": "",
"fromEternal": "",
"from": {
"type": "",
"emailAddress": ""
},
"description": "",
"conditions": {},
"toDate": "",
"toEternal": "",
"toType": "",
"override": "",
"bidirectional": "",
"fromDate": "",
"fromPart": "",
"to": {
"type": ""
}
},
"id": ""
}
],
"meta": {
"status": ""
}
}

operation: Delete Blocked Sender Policy

Input parameters

Parameter Description
Policy ID Specify the ID of the existing blocked sender policy that you want to delete from Mimecast.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"id": "",
"deleted": ""
}
],
"meta": {
"status": ""
}
}

operation: Create Group

Input parameters

Parameter Description
Description Specify a description of the new group that you want to create on the Mimecast server.
Parent ID (Optional) Specify the ID of the parent group under which you want to create the new group on the Mimecast server.
If you do not specify a parent ID, then the new group will be created at the root level on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"parentId": "",
"source": "",
"userCount": "",
"folderCount": "",
"description": "",
"id": ""
}
],
"fail": []
}

operation: Find Groups

Input parameters

Parameter Description
Query Specify the query string using which you want to search for groups on the Mimecast server.
Note: If you do not provide any query string then details of all existing groups are retrieved from the Mimecast server.
Source Specify the source of the group based on which you want to search for groups on the Mimecast server. Choose from one of the following: Cloud or LDAP.
Page Size (Optional) Specify the number of results that are requested by this operation.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"meta": {
"pagination": {
"pageSize": "",
"previous": ""
},
"status": ""
},
"data": [
{
"folders": [
{
"parentId": "",
"source": "",
"userCount": "",
"folderCount": "",
"description": "",
"id": ""
}
],
"query": "",
"source": ""
}
],
"fail": []
}

operation: Update Group

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group that you want to update on the Mimecast server.
Use the Find Groups operation to retrieve the Group IDs for existing groups on the Mimecast server.
Description (Optional) Specify the description to update the group specified in this operation.
Parent ID (Optional) Specify the ID to update as the parent of the group specified in this operation.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"folderCount": "",
"parentId": "",
"source": "",
"userCount": "",
"description": "",
"id": ""
}
],
"meta": {
"status": ""
}
}

operation: Delete Group

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group that you want to delete from the Mimecast server.
Use the Find Groups operation to retrieve the Group IDs for existing groups on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"status": "",
"id": ""
}
],
"fail": []
}

operation: Add Group Member

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group in which you want to add the user.
Email Address Specify a comma-separated list of email addresses that you want to add to the specified group.

NOTE: To add members to a group, you can specify a CSV list of email addresses of users or domains of users, or both. However, in one go, you can add a maximum of 100 members to a group.
Domain Specify a comma-separated list of domains of users that you want to add to the specified group.

Output

The output contains the following populated JSON schema if you have specified the CSV list of domains of users:
{
"meta": {
"status": ""
},
"data": [
{
"id": "",
"folderId": "",
"domain": ""
}
],
"fail": [
{
"key": {
"domain": "",
"id": ""
},
"errors": [
{
"code": "",
"message": "",
"retryable": ""
}
]
}
],
"major_fail": [
{
"key": {
"domain": "",
"id": ""
},
"errors": [
{
"message": "",
"code": "",
"field": "",
"retryable": ""
}
]
}
]
}

operation: Get Group Member

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group whose member details you want to retrieve from the Mimecast server.
Page Size (Optional) Specify the number of results that are requested by this operation.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"groupMembers": [
{
"internal": "",
"domain": "",
"type": "",
"name": "",
"emailAddress": ""
}
]
}
],
"meta": {
"pagination": {
"pageSize": ""
},
"status": ""
}
}

operation: Remove Group Member

Input parameters

Parameter Description
Group ID Specify the Mimecast ID of the group from which you want to remove a member (user).
Email Address Specify the email address of the user that you want to remove from the specified group.

NOTE: You must specify either the email address or the domain of the user that you want to remove from the specified group.
Domain Specify the domain of the user that you want to remove from the specified group.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"domain": "",
"id": "",
"folderId": ""
}
],
"meta": {
"status": ""
}
}

operation: Block Sender

Input parameters

Parameter Description
Sender Email ID Specify the email address of the sender that you want to block on the Mimecast server.
Recipient Email ID Specify the email address of the recipient that you want to block on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"sender": "",
"type": "",
"id": "",
"to": ""
}
],
"fail": []
}

operation: Unblock Sender

Input parameters

Parameter Description
Sender Email ID Specify the email address of the sender that you want to unblock on the Mimecast server.
Recipient Email ID Specify the email address of the recipient that you want to unblock on the Mimecast server.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"sender": "",
"type": "",
"id": "",
"to": ""
}
],
"fail": []
}

operation: Get Managed URL

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"meta": {
"status": "",
"pagination": {
"pageSize": "",
"recordStart": "",
"next": ""
}
},
"data": [
{
"status": "",
"received": "",
"from": {
"displayableName": "",
"emailAddress": ""
},
"smash": "",
"read": "",
"attachmentCount": "",
"ccm": "",
"to": {
"displayableName": "",
"emailAddress": ""
},
"recalled": "",
"subject": "",
"expired": "",
"id": "",
"size": ""
}
]
}

operation: Blacklist URL

Input parameters

Parameter Description
URL Specify the URL that you want to blacklist on the Mimecast server.
Note: Do not include a fragment (#)
Disable Log Click (Optional) Select to disable logging of user clicks on the specified URL.
By default, this is set to False.
Match Type (Optional) Select from the following options to Explicit to explicitly blacklist only the specified URL or Domain to blacklist any URL on the same domain.
Comment (Optional) Specify a comment about why you want to blacklist the specified URL on the Mimecast server. Comments are used for tracking purposes.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"comment": "",
"disableRewrite": "",
"scheme": "",
"disableUserAwareness": "",
"matchType": "",
"port": "",
"action": "",
"id": "",
"domain": "",
"disableLogClick": ""
}
],
"fail": []
}

operation: Whitelist URL

Input parameters

Parameter Description
URL Specify the URL that you want to include in the targeted threat protection whitelist on the Mimecast server.
Note: Do not include a fragment (#)
Disable Rewrite (Optional) Select this option to disable rewriting of the specified URL in emails.
Disable User Awareness (Optional) Select this option to disable user awareness of the specified URL.
Disable Log Click (Optional) Select to disable logging of user clicks on the specified URL.
By default, this is set to False.
Match Type (Optional) Select Explicit to explicitly whitelist only the specified URL or Domain to whitelist any URL on the same domain.
Comment (Optional) Specify a comment about why you want to whitelist the specified URL on the Mimecast server. Comments are used for tracking purposes.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"comment": "",
"disableRewrite": "",
"scheme": "",
"disableUserAwareness": "",
"matchType": "",
"port": "",
"action": "",
"id": "",
"domain": "",
"disableLogClick": ""
}
],
"fail": []
}

operation: Get Message List

Input parameters

Parameter Description
Mailbox Specify the email address for which you want to retrieve the message list from Mimecast.
Note: If you do not specify any email address, then the message list for the logged-in user is retrieved from Mimecast.
Source Specify the type of message that you want to retrieve from Mimecast. Choose from the following options: INBOX or SENT.
By default, this is set as INBOX.
Start Time Specify a start date from when you want to retrieve messages from Mimecast.
By default, this is set as the last calendar month.
End Time Specify an end date till when you want to retrieve messages from Mimecast.
By default, this is set as the current day.
Include Delegates Select this checkbox, i.e., set it to True to include messages for addresses for which the mailbox has delegate permissions.
By default, this is set as False.
Include Alias Select this checkbox, i.e., set it to True to include messages for alias addresses of the mailbox.
By default, this is set as True.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"meta": {
"pagination": {
"pageSize": "",
"next": "",
"recordStart": ""
},
"status": ""
},
"data": [
{
"received": "",
"attachmentCount": "",
"subject": "",
"from": {
"emailAddress": "",
"displayableName": ""
},
"recalled": "",
"status": "",
"id": "",
"read": "",
"ccm": "",
"smash": "",
"expired": "",
"to": {
"emailAddress": "",
"displayableName": ""
},
"size": ""
}
],
"fail": []
}

operation: Get Archive Search Message Details

Input parameters

Parameter Description
Mimecast ID Specify the Mimecast ID of the message whose metadata information you want to retrieve from the Mimecast archives.
Use the Archive Search operation to retrieve the message IDs for existing messages in the Mimecast archives.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"received": "",
"headerDate": "",
"mimeMessageId": "",
"from": {
"emailAddress": "",
"displayableName": ""
},
"id": "",
"status": "",
"hasHtmlBody": "",
"hasTextBody": "",
"isPassthrough": "",
"cc": [
{
"emailAddress": "",
"displayableName": ""
}
],
"messageBodyPreview": "",
"subject": "",
"attachments": [
{
"contentType": "",
"extension": "",
"filename": "",
"contentId": "",
"sha256": "",
"id": "",
"bodyType": "",
"size": ""
}
],
"envelopeFrom": {
"emailAddress": "",
"displayableName": ""
},
"smash": "",
"headers": [
{
"values": [],
"name": ""
}
],
"processed": "",
"to": [
{
"emailAddress": "",
"displayableName": ""
}
],
"size": "",
"replyTo": {
"emailAddress": "",
"displayableName": ""
}
}
],
"fail": []
}

operation: Get Message Info

Input parameters

Parameter Description
Mimecast ID Specify the Mimecast ID of the message whose information you want to retrieve from Mimecast.
Use the Message Search operation to retrieve the message IDs for tracked messages.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"deliveredMessage": {
"user@domain.com": {
"messageInfo": {
"htmlBody": "",
"fromHeader": "",
"subject": "",
"sent": "",
"cc": [],
"fromEnvelope": "",
"attachments": [],
"route": "",
"processed": "",
"transmissionInfo": "",
"to": [],
"textBody": ""
},
"policyInfo": [
{
"policyType": "",
"policyName": "",
"inherited": ""
}
],
"deliveryMetaInfo": {
"components": [
{
"extension": "",
"type": "",
"mimeType": "",
"name": "",
"size": ""
}
],
"transmissionEnd": "",
"transmissionStart": "",
"encryptionInfo": "",
"transmissionSize": "",
"remoteHost": "",
"emailAddress": "",
"remoteServerGreeting": "",
"deliveryEvent": "",
"processingServer": "",
"remoteIp": "",
"messageExpiresIn": "",
"receiptAcknowledgement": ""
}
}
},
"status": "",
"id": "",
"retentionInfo": {
"litigationHoldInfo": [],
"smartTags": [],
"fbrStamps": [],
"purgeBasedOn": "",
"fbrExpireCheck": [],
"currentPurgeDate": "",
"audits": [],
"originalPurgeDate": "",
"retentionAdjustmentDays": ""
},
"recipientInfo": {
"recipientMetaInfo": {
"components": [
{
"extension": "",
"type": "",
"mimeType": "",
"name": "",
"size": ""
}
],
"receiptEvent": "",
"receiptAcknowledgement": "",
"remoteServerGreeting": "",
"encryptionInfo": "",
"transmissionSize": "",
"remoteHost": "",
"spamEvent": "",
"transmissionEnd": "",
"transmissionStart": "",
"processingServer": "",
"messageExpiresIn": "",
"binaryEmailSize": "",
"remoteIp": ""
},
"messageInfo": {
"cc": [],
"htmlBody": "",
"fromEnvelope": "",
"attachments": [],
"subject": "",
"fromHeader": "",
"processed": "",
"transmissionInfo": "",
"to": [],
"textBody": "",
"sent": ""
}
}
}
],
"fail": []
}

operation: Archive Search

Input parameters

Parameter Description
Email ID Specify the email address that is configured in Mimecast whose messages you want to search on Mimecast.
Search Text Specify the text to filter the search for messages on Mimecast.
Admin Select this option, i.e., set it to True if this search is an administrative search.
By default, this is set as False, i.e., the search is an end-user search.
Time Period (Optional) Specify the time period for which you want to query messages received in the specified email address. You can choose from the following options: Today, Yesterday, Last Week, Last Month, Last Year, or Between.
If you choose Between, then in the From field, you should specify the start date and time from when you want to query for messages received in the specified email address, and in the To field, you should specify the end date and time till when you want to query for messages received in the specified email address.
Document Type (Optional) Select the type of document (attachment) for which you want to query for messages received in the specified email address. Some of the options you can choose from are Spreadsheets, Documents, Text, Media, etc.
Page Token (Optional) Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"meta": {
"pagination": {
"pageSize": "",
"next": "",
"recordStart": ""
},
"status": ""
},
"data": [
{
"subject": "",
"smash": "",
"size": "",
"receiveddate": "",
"attachmentcount": "",
"status": "",
"id": "",
"displayto": "",
"displayfrom": ""
}
],
"fail": []
}

operation: Message Search

Input parameters

Parameter Description
Sender Email ID Specify the email address or domain of the sender of the messages that you want to track on Mimecast.
Recipient Email ID Specify the email address or domain of the recipient of the messages that you want to track on Mimecast.
Subject Specify the subject of the messages that you want to track on Mimecast.
Message ID Specify the Internet message ID of the message whose message details you want to track on Mimecast.
For example, <CALEwL_b_JJ_OfLw5S9vH34cnvAUowaQ24PhOePtkGUa6WV3QFw@mail.gmail.com>
Sender IP Specify the source IP address of the sender of the messages that you want to track on Mimecast.
Search Reason Specify the reason for tracking the messages on Mimecast.
Start Time Specify the date and time from when you want to search messages on Mimecast.
End Time Specify the date and time till when you want to search messages on Mimecast.

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"trackedEmails": [
{
"received": "",
"attachments": "",
"fromHdr": {
"emailAddress": "",
"displayableName": ""
},
"fromEnv": {
"emailAddress": "",
"displayableName": ""
},
"route": "",
"id": "",
"status": "",
"senderIP": "",
"to": [
{
"emailAddress": "",
"displayableName": ""
}
],
"sent": "",
"subject": ""
}
]
}
],
"fail": []
}

operation: Get Aliases

Input parameters

Parameter Description
Email ID Specify the primary email address of the user whose alias email addresses you want to retrieve from Mimecast

Output

The output contains the following populated JSON schema:
{
"meta": {
"status": ""
},
"data": [
{
"emailAddress": "",
"aliases": [
{
"domain": "",
"type": "",
"emailAddress": "",
"displayName": "",
"isInternal": ""
}
]
}
],
"fail": []
}

operation: Decode URL

Input parameters

Parameter Description
Encoded URL Specify the Mimecast-encoded URL, for example, https://protect-xx.mimecast.com/... you want to decode.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"url": "",
"success": ""
}
],
"meta": {
"status": ""
}
}

operation: Get Search URL Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all Search URL Logs are fetched from Mimecast.

Parameter Description
Query Specify the query string using which you want to search for URL Logs on the Mimecast server.
Note: If you do not provide any query string then details of all existing Search URLs Logs are retrieved from the Mimecast server.
Start Time Specify the date and time from when you want to search URL logs on Mimecast. Defaults to the start of the current day.
End Time Specify the date and time till when you want to search URL logs on Mimecast. Defaults to the end of the current day.
Page Size Specify the number of results that are requested by this operation.
Page Token Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"logs": [
{
"searchText": "",
"description": "",
"searchReason": "",
"museQuery": "",
"emailAddr": "",
"source": "",
"isAdmin": "",
"searchPath": "",
"createTime": ""
}
]
}
],
"meta": {
"status": "",
"pagination": {
"pageSize": "",
"next": ""
}
}
}

operation: Get TTP URL Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all TTP URL Logs are fetched from Mimecast.

Parameter Description
Oldest First Select this option to order results with the most recent first. By default, this is set to False.
Route Select the route by which you want to filter the TTP URL logs. You can choose from the following options: inbound, outbound, internal, or all. Defaults to 'all'.
Start Time Specify the date and time from when you want to search TTP URL logs on Mimecast. Defaults to the start of the current day.
End Time Specify the date and time till when you want to search TTP URL logs on Mimecast. Defaults to the time of the request.
Scan Result Select the scan result by which you want to filter the TTP URL logs. You can choose from the following options: clean, malicious, or all. Defaults to 'all'.
Page Size Specify the number of results that are requested by this operation.
Page Token Specify the value of the Next or Previous fields from an earlier request.

Output

The output contains the following populated JSON schema:
{
"fail": [],
"data": [
{
"source": "",
"folders": [
{
"folderCount": "",
"parentId": "",
"userCount": "",
"source": "",
"description": "",
"id": ""
}
],
"query": ""
}
],
"meta": {
"status": "",
"pagination": {
"previous": "",
"pageSize": ""
}
}
}

Included playbooks

The Sample - Mimecast - 2.0.0 playbook collection comes bundled with the Mimecast connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Mimecast connector.

NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Previous
Next