Mimecast Threat Intelligence
Overview
Mimecast's Targeted Threat Protection (TTP) is an advanced security layer that inspects URLs and attachments in real time and detects impersonation attempts. When TTP events occur — a user clicking a suspicious URL, a malicious attachment being sandboxed, or an impersonation attempt being identified — Mimecast logs these as TTP events that feed into threat remediation incidents. This skill covers reading TTP logs, reviewing threat remediation incidents, and using audit events to investigate security events.
Key Concepts
Targeted Threat Protection (TTP)
TTP has three components:
- URL Protection — Rewrites URLs in emails and checks them at click time against reputation databases. Tracks every URL click attempt, whether blocked or permitted.
- Attachment Protection — Sandboxes email attachments before delivery. Detects malware, zero-day exploits, and suspicious macros.
- Impersonation Protection — Detects emails that spoof trusted senders — executives, trusted domains, or known contacts.
Threat Remediation Incidents
When TTP identifies a confirmed threat (e.g. a URL classified as malicious after delivery, or a sandboxed attachment containing malware), Mimecast can create a threat remediation incident — a structured record of the threat and recommended remediation actions, such as removing emails from user mailboxes.
Audit Events
The Mimecast audit log records all administrative actions and significant security events — policy changes, user login events, held message releases, and API operations. Useful for compliance investigations and detecting unauthorized admin activity.
API Patterns
Get TTP Logs
mimecast_get_ttp_logs
Retrieves TTP event logs across URL protection, attachment protection, and impersonation protection.
Parameters:
type— Log type:url,attachment, orimpersonationstart— Start datetime (ISO 8601)end— End datetime (ISO 8601)pageToken— Pagination cursor
Example — URL click logs:
{
"type": "url",
"start": "2026-03-01T00:00:00Z",
"end": "2026-03-02T23:59:59Z"
}
Example URL TTP response:
{
"meta": {
"status": 200,
"pagination": {
"pageSize": 25,
"totalCount": 18,
"next": null
}
},
"data": [
{
"date": "2026-03-01T14:35:22Z",
"url": "https://malicious-site.com/payload",
"action": "block",
"userEmail": "user@client.com",
"from": "phishing@external-domain.com",
"subject": "Your account needs attention",
"messageId": "<abc123@external-domain.com>",
"scanResult": "malicious",
"category": "phishing"
},
{
"date": "2026-03-01T09:12:05Z",
"url": "https://legitimate-site.com/page",
"action": "allow",
"userEmail": "another@client.com",
"from": "newsletter@legitimate-site.com",
"subject": "Monthly Update",
"messageId": "<def456@legitimate-site.com>",
"scanResult": "clean",
"category": null
}
]
}
Key fields:
action—block(URL blocked) orallow(URL permitted)scanResult—malicious,suspicious, orcleancategory— Threat category (phishing, malware, spam, etc.)
Example — Attachment TTP response:
{
"meta": { "status": 200 },
"data": [
{
"date": "2026-03-01T11:20:00Z",
"filename": "invoice_march.xlsm",
"result": "malicious",
"definition": "Macro dropper — Emotet variant",
"from": "billing@fake-vendor.net",
"to": "accountspayable@client.com",
"messageId": "<ghi789@fake-vendor.net>",
"action": "block"
}
]
}
Example — Impersonation TTP response:
{
"meta": { "status": 200 },
"data": [
{
"date": "2026-03-01T16:44:00Z",
"from": "ceo@c1ient.com",
"to": "cfo@client.com",
"subject": "Urgent Wire Transfer",
"action": "hold",
"definition": "Domain lookalike — executive impersonation",
"similarDomain": "client.com"
}
]
}
Get Threat Remediation Incidents
mimecast_get_threat_incidents
Returns threat remediation incidents — confirmed threats requiring mailbox remediation.
Parameters:
start— Start datetime (ISO 8601)end— End datetime (ISO 8601)pageToken— Pagination cursor
Example response:
{
"meta": { "status": 200 },
"data": [
{
"id": "TRI-20260301-001",
"created": "2026-03-01T15:00:00Z",
"type": "url",
"status": "open",
"severity": "high",
"reason": "URL reclassified as malicious post-delivery",
"url": "https://malicious-site.com/payload",
"affectedUsers": [
"user@client.com",
"manager@client.com"
],
"affectedMessages": 4,
"remediationAction": "remove_from_mailbox",
"remediationStatus": "pending"
}
]
}
Get Audit Events
mimecast_get_audit_events
Retrieves the Mimecast audit log for administrative and security events.
Parameters:
start— Start datetime (ISO 8601)end— End datetime (ISO 8601)category— Event category filter (optional):authentication,policy,message,userpageToken— Pagination cursor
Example response:
{
"meta": { "status": 200 },
"data": [
{
"id": "audit-001",
"timestamp": "2026-03-01T08:00:00Z",
"category": "authentication",
"action": "admin_login",
"user": "admin@client.com",
"ip": "203.0.113.10",
"result": "success"
},
{
"id": "audit-002",
"timestamp": "2026-03-01T08:45:00Z",
"category": "message",
"action": "held_message_release",
"user": "admin@client.com",
"messageId": "<abc123@external-domain.com>",
"result": "success"
}
]
}
Common Workflows
Daily Threat Review
- Call
mimecast_get_ttp_logswithtype=urlfor the past 24 hours - Filter for
action=blockandscanResult=malicious— these are confirmed threats - Identify users who clicked blocked URLs — they attempted to access malicious content
- Call
mimecast_get_ttp_logswithtype=attachmentfor same period - Check for
result=malicious— these are blocked malware attachments - Call
mimecast_get_threat_incidentsto see any new post-delivery reclassifications - Create PSA tickets for affected users requiring security awareness follow-up
Investigate a Specific Phishing Campaign
- Identify the phishing domain or URL from a user report
- Call
mimecast_get_ttp_logswithtype=urland a broad time range - Filter results for the phishing domain across all users
- Identify all recipients who received the phishing URL
- Check
actionfield —allowmeans the URL was not blocked at click time (user may have visited) - If users accessed the URL, escalate to credential compromise investigation
- Call
mimecast_find_messageto trace all emails containing that domain to understand campaign scope
Detect BEC / Executive Impersonation
- Call
mimecast_get_ttp_logswithtype=impersonationfor the past 7 days - Look for
action=allowentries — impersonation attempts that were not blocked - Identify sender domains in
similarDomainfield — these are lookalike domains - Cross-reference with
mimecast_find_messageto confirm if those emails reached inboxes - Alert affected executives and implement additional impersonation policy rules
Post-Delivery Threat Remediation
- Call
mimecast_get_threat_incidentsto identify open incidents - For each incident, note
affectedUsersandaffectedMessages - Review
remediationAction— typicallyremove_from_mailbox - Confirm
remediationStatus— ifpending, Mimecast may require administrator approval in the console - Notify affected users that suspicious emails have been or will be removed from their mailboxes
Compliance Audit Investigation
- Call `mimecast_get_audit_events