Explore and Analyze Mimecast Events
After Logpoint ingests Mimecast logs:
Use Search to access and examine events.
View events in real time through Dashboards.
Configure Alerts to get notified of critical or suspicious activity.
Search
Use the following queries to explore common Mimecast events:
All Mimecast logs
col_type = mimecast
All normalized Mimecast events
norm_id = "Mimecast"
Malicious file detections
norm_id = "Mimecast" label = "Detect" label = "Malicious" label = "File"
Phishing detections
norm_id = "Mimecast" label = "Phishing"
Malware detections
norm_id = "Mimecast" label = "Malware"
Rejected emails
norm_id = "Mimecast" action = "Reject"
Held emails
norm_id = "Mimecast" action = "Hold"
Failed deliveries
norm_id = "Mimecast" label = "Delivery" label = "Fail"
Internal user impersonation
norm_id = "Mimecast" label = "Internal" label = "User" label = "Name" label = "Detect"
Reply address mismatches
norm_id = "Mimecast" label = "Reply" label = "Address" label = "Mismatch"
Newly observed domains
norm_id = "Mimecast" label = "Newly" label = "Observed" label = "Domain"
Inbound email traffic
norm_id = "Mimecast" direction = "Inbound"
Outbound email traffic
norm_id = "Mimecast" direction = "Outbound"
Internal email traffic
norm_id = "Mimecast" direction = "Internal"
Dashboards
LP_Mimecast Threat Protection Dashboard
The LP_Mimecast Threat Protection dashboard provides real-time insights into email security threats across your environment, showing patterns in malicious domains, malware attachments, targeted attacks, and impersonation attempts. It helps you identify threat sources, monitor malicious communications, track newly observed domains, and investigate targeted threat dictionary matches.
Dashboard Widgets:
Top 10 Malicious Domain
The number of domains that attackers register for nefarious purposes, such as distributing malware or phishing attacks. It allows administrators to analyze emails for malware attachments and malicious URLs.
Top 10 Extensions of Malicious Files
File extensions, such as .exe, .scr, .doc or .jpeg, used in malware attacks and spam. It allows administrators to block email attachments containing malware such as ZBOT, CRILOCK and DUNIHI.
Top 10 Malware
Any program or file detected in the incoming emails with an intent to harm computers, networks or servers.
Threats Detected Over Time
An hourly count of detected threats such as spam, malware, data leaks and spear-phishing in the scanned email, attachments and URLs.
Top 10 Senders in Malicious Communication
The senders using malicious emails as a mode of communication to distribute malware, phishing attempts, fraudulent schemes or links to malicious websites. It ensures administrators reject an email, quarantine it for review, tag it with a warning, and send it to users.
Top 10 Receivers in Malicious Communication
Receivers of malicious links in emails and weaponized attachments.
Threat Detected By Country
The location of detected threats in an email.
Threat Details
Information about the specific threat types found in emails, based on log timestamp, event category, sender, source address, receiver and malicious content.
Internal User Name Detected
Shows events where the sender's display name matched one of the internal user display names. It enables administrators to detect attacks that impersonate an internal user.
Targeted Threat Dictionary Detected
Displays the dictionary attacks detected when the message content was checked against a Targeted Threat Dictionary (Mimecast or Custom). It helps administrators see suspicious characteristics in the email header, body or subject.
Reply Address Mismatch Detected
Identifies a mismatch between the sender's email address (Header only) and the email's reply address. For instance, newsletter emails can contain links that respond to a different email address than the one that sent the message.
Similar Internal Domain Detected
Displays sender domains that are similar to any of your internal domains. For example, if the sender's domain is Loggpoint.com and the internal domain is Logpoint.com, then Mimecast protects inbound messages.
Newly Observed Domain Detected
The sender's domain verified against a list of domains kept in Mimecast. It allows administrators to determine if there has been an increase in the sender's mailing quantity.
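The Reply Address Mismatch and Similar Internal Domain checks described above can be reproduced on raw messages when validating what these widgets report. This is an added example, not Mimecast's or Logpoint's own logic: the function names, the edit-distance threshold of 2, the internal domain list and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"logpoint.com"}  # assumption: replace with your own internal domains

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def similar_internal_domain(sender_domain, max_distance=2):
    """Return the internal domain the sender resembles, or None.
    An exact match is a genuine internal sender, not a lookalike."""
    if not sender_domain or sender_domain in INTERNAL_DOMAINS:
        return None
    for internal in sorted(INTERNAL_DOMAINS):
        if edit_distance(sender_domain, internal) <= max_distance:
            return internal
    return None

def check_message(raw):
    """Return the findings for one raw RFC 5322 message (header addresses only)."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = []
    if reply_addr and reply_addr != from_addr:
        findings.append("reply_address_mismatch")
    lookalike = similar_internal_domain(from_addr.rpartition("@")[2])
    if lookalike:
        findings.append("similar_internal_domain:" + lookalike)
    return findings

# Constructed sample messages, not real traffic.
SAMPLES = {
    "lookalike": "From: IT Support <helpdesk@loggpoint.com>\nSubject: Password reset\n\nbody\n",
    "newsletter": "From: News <news@example.org>\nReply-To: replies@example.net\nSubject: Weekly\n\nbody\n",
    "genuine": "From: Alice <alice@logpoint.com>\nSubject: Hi\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```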
LP_Mimecast Dashboard
The LP_Mimecast dashboard provides real-time insights into email traffic patterns and delivery status across your environment, showing patterns in message flows, rejection reasons, delivery failures, and geographic distribution. It helps you monitor email infrastructure health, identify delivery issues, track sender/receiver activity, and analyze cross-border email traffic.
Dashboard Widgets:
Email Activity
Provides an hourly comprehensive view of the message traffic for both incoming and outgoing messages.
Top 10 Reasons for Mail Rejection
Emails rejected by Mimecast for reasons such as emails containing a virus signature or being destined for a non-existent recipient.
Top 10 Reasons for Mail Held
Suspicious emails that are not delivered to your inbox but are held until you confirm they are safe, for reasons like content examination, spam scanning and attachment management.
Top 10 Reason for Failed Delivery
Outbound emails that were not delivered, for reasons like a failed or delayed delivery of the message or the recipient's mail server rejecting the email during the attempted connection.
Top 10 Senders
The email addresses and domains manually blocked, permitted or automatically added to the auto-allow list. Administrators can view, add, modify or delete the sender entries.
Top 10 Receivers
The email recipients who can block, release and permit the senders and their emails.
Outbound Messages By Destination Countries
The destination countries to which outbound messaging from your account is allowed.
Mail Accepted by Source Country
The recipient's server that accepted the email from a trusted location and further processed it for content filtering and authenticating to deliver the email.
Mail Rejected by Source Country
The recipient's server unable to verify the sender's email originated from a reliable source.
Top 10 Senders of Mail Rejected
The senders whose emails were not delivered and bounced back.
Adding Mimecast Dashboards
Navigate to Settings >> Knowledge Base >> Dashboards.
Select VENDOR DASHBOARD from the dropdown.
Click the Use icon under Actions of the dashboard.
Click Choose Repos.
Select the repository configured for Mimecast logs and click Done.
In Ask Repos, select the dashboard and click Ok.
The dashboard will appear under Dashboards. You can view details about each widget by clicking the Info icon.
Alerts
Email Security Alerts
LP_Mimecast Phishing Email Attachments Detection
Triggered when phishing email attachments are detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Attachment
ATT&CK ID: T1566, T1566.001
norm_id=Mimecast label=Detect label=Malicious label=File
Adding Mimecast Alerts
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Select Vendor Rules from the dropdown.
Click the Use icon under Actions of LP_Mimecast Phishing Email Attachments Detection.
After adding the alert rule, Mimecast redirects you to the Used Alert Rules page. When a Mimecast alert is triggered, Logpoint generates an incident in the Incidents page.