InsightConnect Marketplace

Mimecast

v4.1.1

Services for email security, archiving and continuity. Protect, manage and archive without compromise

Tags: mimecast, email


Actions
  • Add Group Member
  • Create Blocked Sender Policy
  • Create Managed URL
  • Decode URL
  • Delete Group Member
  • Delete Managed URL
  • Find Groups
  • Get Managed URL
  • Get TTP URL Logs
  • Permit or Block Sender

Description

Mimecast is a set of cloud services designed to provide next generation protection against advanced email-borne threats such as malicious URLs, malware, impersonation attacks, as well as internally generated threats, with a focus on email security. This plugin utilizes the Mimecast API.

Key Features

  • Email security
  • Malicious URL and attachment detection

Requirements

  • Access API Key
  • Secret Key
  • Mimecast server
  • API Username and Password

Documentation

Setup

The connection configuration accepts the following parameters:

| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| access_key | credential_secret_key | None | True | The application access key | None | eWtOL3XZCOwG96BOiFTZRiC5rdvDmP4FFdwU2Y1DC1Us-gh7KyL5trUrZ9aEuzQMV7pPWWxTnPVtsJ6x3fajAh3cRskP0w8hNjaFFVkZB6G9dOytLM2ssQ7HY-p7gJoi |
| app_id | string | None | True | Application ID | None | 78d2e4b1-8cc2-4806-nt79-6ef332a47374 |
| app_key | credential_secret_key | None | True | The application key | None | 475x54c6-4f61-4fab-8be7-a0710f3859e3 |
| secret_key | credential_secret_key | None | True | The application secret key | None | FgHrtydiP4TynI+rTZF42Qu0FtGuhJtuNM5bDh82goJQHed9kJZ5t/ORwGnI5r2hkl/bzCosZ+KVapJFeaf3Yw== |
| url | string | None | True | The URL for the Mimecast server | None | https://api.mimecast.com |

Example input:

{
  "access_key": "eWtOL3XZCOwG96BOiFTZRiC5rdvDmP4FFdwU2Y1DC1Us-gh7KyL5trUrZ9aEuzQMV7pPWWxTnPVtsJ6x3fajAh3cRskP0w8hNjaFFVkZB6G9dOytLM2ssQ7HY-p7gJoi",
  "app_id": "78d2e4b1-8cc2-4806-nt79-6ef332a47374",
  "app_key": "475x54c6-4f61-4fab-8be7-a0710f3859e3",
  "secret_key": "FgHrtydiP4TynI+rTZF42Qu0FtGuhJtuNM5bDh82goJQHed9kJZ5t/ORwGnI5r2hkl/bzCosZ+KVapJFeaf3Yw==",
  "url": "https://api.mimecast.com"
}

Technical Details

Actions

Create Managed URL

This action is used to create a managed URL.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| action | string | block | True | Set to 'block' to blacklist the URL, 'permit' to whitelist it | ['block', 'permit'] | block |
| comment | string | None | False | A comment about why the URL is managed; for tracking purposes | None | i'm blocking this because virustotal said it was malicious |
| disable_log_click | boolean | None | True | Disable logging of user clicks on the URL | None | False |
| disable_rewrite | boolean | None | True | Disable rewriting of this URL in emails. Applies only if action = 'permit' | None | True |
| disable_user_awareness | boolean | None | True | Disable User Awareness challenges for this URL. Applies only if action = 'permit' | None | False |
| match_type | string | explicit | True | Set to 'explicit' to block or permit only instances of the full URL. Set to 'domain' to block or permit any URL with the same domain | ['explicit', 'domain'] | explicit |
| url | string | None | True | The URL to block or permit. Do not include a fragment | None | https://rapid7.com |

Example input:

{
  "action": "block",
  "comment": "Deemed malicious by VirusTotal",
  "disable_log_click": false,
  "disable_rewrite": true,
  "disable_user_awareness": false,
  "match_type": "explicit",
  "url": "https://rapid7.com"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| response | []managed_url | False | Managed URL that was created |

Example output:

{
  "response": [
    {
      "id": "wOi3MCwjYFYhZfkYlp2RMAhvN30QSmqOT7D-I9Abwlmy7ZH7eCwvY3ImP7QVjTLhQT4SWBA3wB_E-UNk-s0gc6iZeMRZzgizv28dIpyFWXw",
      "scheme": "http",
      "domain": "youtube.com",
      "port": -1,
      "matchType": "explicit",
      "action": "block",
      "comment": "test",
      "disableUserAwareness": false,
      "disableRewrite": false,
      "disableLogClick": false
    }
  ]
}

Get Managed URL

This action is used to get information on a managed URL.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| action | string | none | False | Filter on whether or not the action is 'block' or 'permit' | ['none', 'block', 'permit'] | block |
| disable_log_click | string | none | False | Filter on whether or not clicks are logged for this URL | ['none', 'false', 'true'] | True |
| disable_rewrite | string | none | False | Filter on whether or not rewriting of this URL in emails is enabled | ['none', 'false', 'true'] | False |
| disable_user_awareness | string | none | False | Filter on whether or not User Awareness challenges are disabled for this URL | ['none', 'false', 'true'] | False |
| domain | string | None | False | The managed domain | None | rapid7.com |
| id | string | None | False | Filter on the Mimecast secure ID of the managed URL | None | None |
| match_type | string | none | False | Filter on whether or not the match type is 'explicit' or 'domain' | ['none', 'explicit', 'domain'] | domain |
| scheme | string | None | False | Filter on whether or not the protocol is HTTP or HTTPS | None | http |

Example input:

{
  "action": "block",
  "disable_log_click": true,
  "disable_rewrite": false,
  "disable_user_awareness": false,
  "domain": "rapid7.com",
  "match_type": "domain",
  "scheme": "http"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| response | []managed_url | False | Managed URLs matching |

Example output:

{
  "response": [
    {
      "id": "wOi3MCwjYFYhZfkYlp2RMAhvN30QSmqOT7D-I9Abwlmy7ZH7eCwvY3ImP7QVjTLho3KMtTMfYm2C21vDPXvKC5vmEJWDAcvTHtH4L4Kw20c",
      "scheme": "https",
      "domain": "steam.com",
      "port": -1,
      "matchType": "explicit",
      "action": "block",
      "comment": "ui test",
      "disableUserAwareness": true,
      "disableRewrite": true,
      "disableLogClick": false
    }
  ]
}

Delete Managed URL

This action is used to remove a Managed URL from the blocked list.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| id | string | None | True | The Mimecast secure ID of the managed URL | None | wOi3MCwjYFYhZfkYlp2RMAhvN30QSmqOT7D-I9Abwlmy7ZH7eCwvY3ImP7QVjTLhHMy6V8J3VOvTNMW2G-txx3o4zL0YXqWxuCVlGQ-1viE |

Example input:

{
  "id": "wOi3MCwjYFYhZfkYlp2RMAhvN30QSmqOT7D-I9Abwlmy7ZH7eCwvY3ImP7QVjTLhHMy6V8J3VOvTNMW2G-txx3o4zL0YXqWxuCVlGQ-1viE"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| success | boolean | False | Success status of delete request |

Example output:

{
  "response": [
    {
      "success": true
    }
  ]
}

Permit or Block Sender

This action is used to permit or block a sender.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| action | string | block | True | Either 'permit' (to bypass spam checks) or 'block' (to reject the email) | ['block', 'permit'] | block |
| sender | string | None | True | The email address of the external sender | None | user@example.com |
| to | string | None | True | The email address of the internal recipient | None | user@example.com |

Example input:

{
  "action": "block",
  "sender": "user@example.com",
  "to": "user@example.com"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| response | []managed_sender | False | The Managed Sender that was created |

Example output:

{
  "response": [
    {
      "id": "MTOKEN:eNoVzbEOgjAUQNF_eTMDGArK1oC2GARFjTpi-zQQ28ZWDGr8d3G-ybkfcCh6i62EBM4MB5Z2hpIiWlM_n0tecYv8nkXLBVH8WOvVTb_Kfcze-ZWefDUUzWHXVeYS1jHdgAeidw-j0AojcRTTbZkFNJ6RcGxPtK41GpLAA9Voh1r-t5OATL8_1zIraQ",
      "sender": "user@example.com",
      "to": "user@example.com",
      "type": "Block"
    }
  ]
}

Create Blocked Sender Policy

This action is used to create a blocked sender policy.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| description | string | None | True | A description for the policy which is kept with the email in the archive for future reference | None | A description |
| from_part | string | envelope_from | True | Must be: envelope_from, header_from or both | ['envelope_from', 'header_from', 'both'] | envelope_from |
| from_type | string | everyone | True | Can be one of: everyone, internal_addresses, external_addresses, email_domain, profile_group or individual_email_address | ['everyone', 'internal_addresses', 'external_addresses', 'email_domain', 'profile_group', 'individual_email_address'] | internal_addresses |
| from_value | string | None | False | Required if From Type is one of email_domain, profile_group, individual_email_address. Expected values: If From Type is email_domain, a domain name without the @ symbol. If From Type is profile_group, the ID of the profile group. If From Type is individual_email_address, an email address | None | user@example.com |
| option | string | block_sender | True | The block option; must be no_action or block_sender | ['block_sender', 'no_action'] | block_sender |
| source_ips | string | None | False | A comma separated list of IP addresses using CIDR notation (X.X.X.X/XX). When set the policy only applies for connections from matching addresses | None | 198.51.100.0/24 |
| to_type | string | everyone | True | Can be one of: everyone, internal_addresses, external_addresses, email_domain, profile_group or individual_email_address | ['everyone', 'internal_addresses', 'external_addresses', 'email_domain', 'profile_group', 'individual_email_address'] | everyone |
| to_value | string | None | False | Required if To Type is one of email_domain, profile_group, individual_email_address. Expected values: If To Type is email_domain, a domain name without the @ symbol. If To Type is profile_group, the ID of the profile group. If To Type is individual_email_address, an email address | None | user@example.com |

Example input:

{
  "description": "A description",
  "from_part": "envelope_from",
  "from_type": "internal_addresses",
  "from_value": "user@example.com",
  "option": "block_sender",
  "source_ips": "198.51.100.0/24",
  "to_type": "everyone",
  "to_value": "user@example.com"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sender_policy | []sender_policy | False | The policy that was created |

Example output:

{
  "response": [
    {
      "option": "block_sender",
      "id": "eNo1jU0LgjAYgP_LrgpusZl2EzWwUoaKJHibb7W-pk4tif57euj-fHyQBjF0IGu0QW0c20cSFkXgKt_Z2Zz6nNN8wjqU5aqyEuOcRmP6arfgGXl_Si_X_UE0-p0pGFhl6RsyUaPuUkxLjzDiONREYtC9ekAnVA3zxc-SgHhrl9GZHqHTUj1n-G_mUwPRYmNM8fcHIHEysg",
      "policy": {
        "description": "komand test",
        "fromPart": "envelope_from",
        "from": {
          "type": "email_domain",
          "emailDomain": "example.com"
        },
        "to": {
          "type": "everyone"
        },
        "fromType": "email_domain",
        "fromValue": "example.com",
        "toType": "everyone",
        "fromEternal": true,
        "toEternal": true,
        "fromDate": "1900-01-01T00:00:00+0000",
        "toDate": "2100-01-01T23:59:59+0000",
        "override": false,
        "bidirectional": false,
        "conditions": {},
        "createTime": "2019-01-28T17:09:01+0000",
        "lastUpdated": "2019-01-28T17:09:01+0000"
      }
    }
  ]
}
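
The conditional rules in the Create Blocked Sender Policy input table (a value is required for some From/To types, a domain carries no @, source_ips is comma-separated CIDR) can be checked before the action is called. The following is an added Python example, not code from the plugin; the function names and the returned dictionary are hypothetical, and the unscoped-policy warning is an added review aid.

```python
import ipaddress

FROM_PARTS = ("envelope_from", "header_from", "both")
OPTIONS = ("block_sender", "no_action")
ADDRESS_TYPES = ("everyone", "internal_addresses", "external_addresses",
                 "email_domain", "profile_group", "individual_email_address")
NEEDS_VALUE = ("email_domain", "profile_group", "individual_email_address")


def check_side(params, side, errors):
    """Validate <side>_type / <side>_value, where side is 'from' or 'to'."""
    kind = params.get(side + "_type", "everyone")  # documented default
    value = (params.get(side + "_value") or "").strip()
    if kind not in ADDRESS_TYPES:
        errors.append(f"{side}_type: unknown value {kind!r}")
    elif kind in NEEDS_VALUE and not value:
        errors.append(f"{side}_value is required when {side}_type is {kind}")
    elif kind == "email_domain" and "@" in value:
        errors.append(f"{side}_value: give the domain name without the @ symbol")
    elif kind == "individual_email_address" and (
            value.count("@") != 1 or value[0] == "@" or value[-1] == "@"):
        errors.append(f"{side}_value: {value!r} is not an email address")
    return kind


def parse_source_ips(source_ips, errors):
    """Split the comma-separated list and normalise each X.X.X.X/XX entry."""
    networks = []
    for item in (p.strip() for p in (source_ips or "").split(",")):
        if not item:
            continue
        if "/" not in item:
            errors.append(f"source_ips: {item!r} lacks a /XX prefix length")
            continue
        try:
            # strict=False accepts host bits and reports the containing network
            networks.append(str(ipaddress.IPv4Network(item, strict=False)))
        except ValueError as exc:
            errors.append(f"source_ips: {item!r} is not valid CIDR ({exc})")
    return networks


def check_blocked_sender_policy(params):
    errors, warnings = [], []
    if not (params.get("description") or "").strip():
        errors.append("description is required")
    if params.get("from_part", "envelope_from") not in FROM_PARTS:
        errors.append("from_part must be envelope_from, header_from or both")
    option = params.get("option", "block_sender")
    if option not in OPTIONS:
        errors.append("option must be no_action or block_sender")
    from_kind = check_side(params, "from", errors)
    to_kind = check_side(params, "to", errors)
    networks = parse_source_ips(params.get("source_ips"), errors)
    # Added review aid: nothing narrows this policy, so it matches all mail.
    if option == "block_sender" and from_kind == to_kind == "everyone" and not networks:
        warnings.append("block_sender from everyone to everyone with no source_ips is unscoped")
    return {"errors": errors, "warnings": warnings, "source_networks": networks}


# The example input shown on this page
PAGE_EXAMPLE = {
    "description": "A description",
    "from_part": "envelope_from",
    "from_type": "internal_addresses",
    "from_value": "user@example.com",
    "option": "block_sender",
    "source_ips": "198.51.100.0/24",
    "to_type": "everyone",
    "to_value": "user@example.com",
}

if __name__ == "__main__":
    print(check_blocked_sender_policy(PAGE_EXAMPLE))
```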

Add Group Member

This action is used to add an email address or domain to a group.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| domain | string | None | False | A domain to add to a group. Use either email address or domain | None | rapid7.com |
| email_address | string | None | False | The email address of a user to add to a group. Use either email address or domain | None | user@example.com |
| id | string | None | True | The Mimecast ID of the group to add to | None | eNoVzssKgkAUgOF3OWuhvDHlTjMqgjIilWgzN0UdHZnjBBK9e7b_-fg_gJJbIxsBEdB2Dl-r1HDCMLeHuufXTZyt8_Gou3l_i21JWeK3TOgJizrBvFM0ez5EaDwcytO5AAeUoCNEFVUoHeAWJ91Lw7WQi7-7X1I3JtswWMK3NNjoASLXgUorIc3_ISA-8b4_Gl8xjA |

Example input:

{
  "domain": "rapid7.com",
  "email_address": "user@example.com",
  "id": "eNoVzssKgkAUgOF3OWuhvDHlTjMqgjIilWgzN0UdHZnjBBK9e7b_-fg_gJJbIxsBEdB2Dl-r1HDCMLeHuufXTZyt8_Gou3l_i21JWeK3TOgJizrBvFM0ez5EaDwcytO5AAeUoCNEFVUoHeAWJ91Lw7WQi7-7X1I3JtswWMK3NNjoASLXgUorIc3_ISA-8b4_Gl8xjA"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| email_address | string | False | The email address of the user that was added to the group |
| folder_id | string | False | The Mimecast ID of the group that the user / domain was added to |
| id | string | False | The Mimecast ID of the user / domain that was added to the group |
| internal | boolean | False | Whether or not the user or domain is internal |

Example output:

{
  "id": "eNqrVipOTS4tSs1MUbJSctdOd43RNy3K9klKdA038M4xq8otcfIMqTQods2MNIrR99NOD_IsCyovdEt11A4pSQvKyPL2SS4orgjOTy01jdEvzlbSUUouLS7Jz00tSs5PSQUa6hzs52LoaG5pagKUK0stKs7Mz1OyMtRRSsvPSUktysnMywZZbmxgYmFRCwBatS7G",
  "folder_id": "eNoVzrkOgkAUQNF_eTWFIIjQEdk0OEaUgCUyD8HMojNiROO_i_3Nyf2AxmZQ2FPwgUgRxWbnzZOxKwsyiCjP-BnTe7jYxA5Pq1xsmRhJ4Sbv9SU4zfgrq8vjdSdbO3eDPRjAaH0Dv62ZRgOaQT8kR9VIihO_OpDQDFzPsafwiUr3UoBvGtBKRlH9F-ylZXnfH3hjMBs",
  "email_address": "user@example.com",
  "internal": true
}

Delete Group Member

This action is used to remove an email address or domain from a group. Deleting an email address or domain that does not exist results in no operation being performed.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| domain | string | None | False | A domain to remove from group. Use either email address or domain | None | rapid7.com |
| email_address | string | None | False | The email address to remove from group. Use either email address or domain | None | user@example.com |
| id | string | None | True | The Mimecast ID of the group to remove from | None | eNoVzssKgkAUgOF3OWuhvDHlTjMqgjIilWgzN0UdHZnjBBK9e7b_-fg_gJJbIxsBEdB2Dl-r1HDCMLeHuufXTZyt8_Gou3l_i21JWeK3TOgJizrBvFM0ez5EaDwcytO5AAeUoCNEFVUoHeAWJ91Lw7WQi7-7X1I3JtswWMK3NNjoASLXgUorIc3_ISA-8b4_Gl8xjA |

Example input:

{
  "domain": "rapid7.com",
  "email_address": "user@example.com",
  "id": "eNoVzssKgkAUgOF3OWuhvDHlTjMqgjIilWgzN0UdHZnjBBK9e7b_-fg_gJJbIxsBEdB2Dl-r1HDCMLeHuufXTZyt8_Gou3l_i21JWeK3TOgJizrBvFM0ez5EaDwcytO5AAeUoCNEFVUoHeAWJ91Lw7WQi7-7X1I3JtswWMK3NNjoASLXgUorIc3_ISA-8b4_Gl8xjA"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| success | boolean | False | Status of success of the delete operation |

Example output:

{
  "success": true
}

Decode URL

This action is used to decode a Mimecast encoded URL.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| encoded_url | string | None | True | The Mimecast encoded URL | None | https://protect-xx.mimecast.com/TXH7fhe |

Example input:

{
  "encoded_url": "https://protect-xx.mimecast.com/TXH7fhe"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| decoded_url | string | True | Original decoded URL |

Example output:

{
  "decoded_url": "https://example.com"
}

Find Groups

This action is used to find groups that match a given query.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| query | string | None | False | A string to query for | None | mygroup |
| source | string | cloud | True | A group source to filter on, either "cloud" or "ldap" | ['cloud', 'ldap'] | cloud |

Example input:

{
  "query": "mygroup",
  "source": "cloud"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| groups | []group | False | A list of groups that match the query |

Example output:

{
  "groups": [
    {
      "id": "eNoVzrEOgjAUQNF_eTMDaLGBDSUCBjAWjDqS9qGYlmorRjH-u7jfnNwPWOSDwU5ACJkbXJLZklWJ5nlBajWyFaeY3uPFZu2r9Mj6Qvbvck-TMTtHJ1e98uZQX7e6JYxGO3BAiuYGYdtIiw7wwT60QsO1wIlfVWXsRTTwyRQ-0dhO9xB6DrRaCjT_BULn1Pv-ACT0L3A",
      "description": "Relay",
      "source": "cloud",
      "parentId": "eNoVzr0OgjAUQOF3uasMkFAq3RqJ4h8E1IAjaS8EU6i2oqLx3cX95Mv5gEUxGGwlMHgWzUgCvk2t0HbI5iFXM0kxvkXBZkm6uMz7verH5ERX73XDz2732lXF8ZLq2s8pz8ABJasrsLpSFh0Qg73rDo3QEid-cUgij9OQ-FP4QGNb3QPzHKi1kmj-C-73B7L7LyY",
      "userCount": 0,
      "folderCount": 0
    },
    {
      "id": "eNoVzssOgjAQQNF_mTWJoGAjOwIqGkVFQUnc1HYgaKHaCvER_x3c35zcL2hkjcKSgwsqbWlmJmx6Hmz9NNAXJymam8LwEYyXM6cKT3G9FvU7Ssj8syi8zKxeK3o8XDcyt2Pi7cAAwekd3JwKjQawRj9lhYpJjr3v76PA8sjEsfuwRaVLWYNrGZBLwVH9H2wyIsNfB8G2MJw",
      "description": "Permitted senders",
      "source": "cloud",
      "parentId": "eNoVzr0OgjAUQOF3uasMkFAq3RqJ4h8E1IAjaS8EU6i2oqLx3cX95Mv5gEUxGGwlMHgWzUgCvk2t0HbI5iFXM0kxvkXBZkm6uMz7verH5ERX73XDz2732lXF8ZLq2s8pz8ABJasrsLpSFh0Qg73rDo3QEid-cUgij9OQ-FP4QGNb3QPzHKi1kmj-C-73B7L7LyY",
      "userCount": 0,
      "folderCount": 0
    }
  ]
}

Get TTP URL Logs

This action is used to get TTP URL logs.

Input
| Name | Type | Default | Required | Description | Enum | Example |
| --- | --- | --- | --- | --- | --- | --- |
| from | string | None | False | Start date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is the start of the current day | None | 2018-11-22T14:49:18+0000 |
| max_pages | integer | 100 | False | Max pages returned, default 100 | None | 10 |
| page_size | integer | 10 | False | The number of logs returned per page, default value is 10 | None | 10 |
| route | string | all | True | Filters logs by route, must be one of inbound, outbound, internal, or all | ['all', 'inbound', 'outbound', 'internal'] | inbound |
| scan_result | string | all | True | Filters logs by scan result, must be one of clean, malicious, or all | ['clean', 'malicious', 'all'] | malicious |
| to | string | None | False | End date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is time of request | None | 2018-11-22T14:49:18+0000 |
| url_to_filter | string | None | False | Regular expression to filter on. e.g. examp will return only URLs with the letters examp in them | None | exam.* |

Example input:

{
  "from": "2018-11-22T14:49:18+0000",
  "max_pages": 10,
  "page_size": 10,
  "route": "inbound",
  "scan_result": "malicious",
  "to": "2018-11-22T14:49:18+0000",
  "url_to_filter": "exam.*"
}
Output
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| click_logs | []click_logs | False | Click Logs |

Example output:

{
  "click_logs": [
    {
       "userEmailAddress": "user@example.com",
       "url": "https://www.dummy-mimecast-blacklist.com",
       "ttpDefinition": "Default URL Protection Definition",
       "action": "warn",
       "adminOverride": "N/A",
       "userOverride": "None",
       "scanResult": "malicious",
       "category": "Compromised",
       "userAwarenessAction": "N/A",
       "date": "2019-04-23T19:50:28+0000",
       "route": "inbound"
    }
  ]
}
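
Once Get TTP URL Logs returns click_logs, the usual next step is to see which malicious URLs were clicked, by whom, and when. The following is an added Python example, not code from the plugin: the function names are hypothetical, the sample records are constructed using the field names shown above, and treating any action other than "block" as needing follow-up is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Timestamp format documented for 'from'/'to', e.g. 2018-11-22T14:49:18+0000
MIMECAST_TS = "%Y-%m-%dT%H:%M:%S%z"


def to_mimecast_ts(dt):
    """Render an aware datetime in the format the 'from'/'to' inputs expect."""
    return dt.astimezone(timezone.utc).strftime(MIMECAST_TS)


def malicious_click_summary(click_logs):
    """Group malicious clicks by URL; most widely clicked URL first."""
    by_url = defaultdict(lambda: {"users": set(), "clicks": 0,
                                  "not_blocked": 0, "first": None, "last": None})
    for entry in click_logs:
        if entry.get("scanResult") != "malicious":
            continue
        when = datetime.strptime(entry["date"], MIMECAST_TS)
        row = by_url[entry["url"]]
        row["users"].add(entry["userEmailAddress"].lower())
        row["clicks"] += 1
        # Assumption: only action == "block" means the click was stopped.
        if entry.get("action") != "block":
            row["not_blocked"] += 1
        row["first"] = when if row["first"] is None else min(row["first"], when)
        row["last"] = when if row["last"] is None else max(row["last"], when)

    summary = [{
        "url": url,
        "users": sorted(row["users"]),
        "clicks": row["clicks"],
        "not_blocked": row["not_blocked"],
        "first_seen": to_mimecast_ts(row["first"]),
        "last_seen": to_mimecast_ts(row["last"]),
    } for url, row in by_url.items()]
    summary.sort(key=lambda r: (-len(r["users"]), r["url"]))
    return summary


def click(user, url, action, scan_result, date):
    """Build one constructed click_logs record with the fields used here."""
    return {"userEmailAddress": user, "url": url, "action": action,
            "scanResult": scan_result, "date": date, "route": "inbound"}


# Constructed sample data, not real log output
SAMPLE_CLICK_LOGS = [
    click("alice@example.com", "https://www.dummy-mimecast-blacklist.com",
          "warn", "malicious", "2019-04-23T19:50:28+0000"),
    click("bob@example.com", "https://www.dummy-mimecast-blacklist.com",
          "block", "malicious", "2019-04-23T20:05:00+0000"),
    click("Alice@example.com", "https://www.dummy-mimecast-blacklist.com",
          "warn", "malicious", "2019-04-23T19:52:10+0000"),
    click("carol@example.com", "https://example.com/login",
          "allow", "clean", "2019-04-23T21:00:00+0000"),
    click("carol@example.com", "https://example.org/invoice",
          "block", "malicious", "2019-04-24T08:00:00+0000"),
]

if __name__ == "__main__":
    for row in malicious_click_summary(SAMPLE_CLICK_LOGS):
        print(row)
```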

Triggers

This plugin does not contain any triggers.

Troubleshooting

For the Create Managed URL action, the URL must include http:// or https://, e.g. http://google.com

Most common cloud URLs
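
The requirement above, together with the Create Managed URL input rules (no fragment, the two enums, real booleans, and flags that apply only if action = 'permit'), can be checked before the action runs. The following is an added Python example, not code from the plugin; check_managed_url_input and its return shape are hypothetical, and the warnings are added review aids.

```python
from urllib.parse import urlsplit

ACTIONS = ("block", "permit")
MATCH_TYPES = ("explicit", "domain")
PERMIT_ONLY_FLAGS = ("disable_rewrite", "disable_user_awareness")
BOOL_FLAGS = ("disable_log_click",) + PERMIT_ONLY_FLAGS


def check_managed_url_input(params):
    """Return {'errors': [...], 'warnings': [...]} for a Create Managed URL input."""
    errors, warnings = [], []

    action = params.get("action", "block")              # documented default
    match_type = params.get("match_type", "explicit")   # documented default
    if action not in ACTIONS:
        errors.append("action must be 'block' or 'permit'")
    if match_type not in MATCH_TYPES:
        errors.append("match_type must be 'explicit' or 'domain'")

    # The three flags are required booleans; a string such as "true" is rejected.
    for name in BOOL_FLAGS:
        if name not in params:
            errors.append(f"{name} is required")
        elif not isinstance(params[name], bool):
            errors.append(f"{name} must be a JSON boolean, got {params[name]!r}")

    url = params.get("url")
    if not isinstance(url, str) or not url:
        errors.append("url is required")
    else:
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:
            parts, host = None, None
        if parts is None or parts.scheme not in ("http", "https") or not host:
            errors.append("url must include http:// or https:// and a host")
        if "#" in url:
            errors.append("url must not include a fragment")

    # Added review aids: settings that are valid but deserve a second look.
    if action == "block":
        for name in PERMIT_ONLY_FLAGS:
            if params.get(name) is True:
                warnings.append(f"{name} applies only if action = 'permit'")
    if action == "permit" and match_type == "domain":
        warnings.append("permit with match_type 'domain' covers any URL with the same domain")
    if params.get("disable_log_click") is True:
        warnings.append("disable_log_click turns off click logging for this URL")
    return {"errors": errors, "warnings": warnings}


# The Create Managed URL example input from this page, with real booleans
PAGE_EXAMPLE = {
    "action": "block",
    "comment": "Deemed malicious by VirusTotal",
    "disable_log_click": False,
    "disable_rewrite": True,
    "disable_user_awareness": False,
    "match_type": "explicit",
    "url": "https://rapid7.com",
}

if __name__ == "__main__":
    print(check_managed_url_input(PAGE_EXAMPLE))
```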

Custom Output Types

click_logs

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Action | string | False | The action that was taken for the click |
| Admin Override | string | False | The action defined by the administrator for the URL |
| Category | string | False | The category of the URL clicked |
| Date | string | False | The date that the URL was clicked |
| Route | string | False | The route of the email that contained the link |
| Scan Result | string | False | The result of the URL scan |
| TTP Definition | string | False | The description of the definition that triggered the URL to be rewritten by Mimecast |
| URL | string | False | The URL clicked |
| User Awareness Action | string | False | The action taken by the user if user awareness was applied |
| User Email Address | string | False | The email address of the user who clicked the link |
| User Override | string | False | The action requested by the user |

group

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Description | string | False | The name of the group |
| Folder Count | integer | False | None |
| Id | string | False | None |
| Parent Id | string | False | None |
| Source | string | False | None |
| User Count | integer | False | None |

managed_sender

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ID | string | False | The Mimecast secure ID of the managed sender object |
| Sender | string | False | The email address of the external sender |
| To | string | False | The email address of the internal recipient |
| Type | string | False | Either 'permit' (to bypass spam checks) or 'block' (to reject the email) |

managed_url

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Action | string | False | Either block or permit |
| Comment | string | False | The comment that was posted in the request |
| Click Logging | boolean | False | If logging of user clicks on the URL is disabled |
| URL Rewriting | boolean | False | If rewriting of this URL in emails is disabled |
| User Awareness | boolean | False | If User Awareness challenges for this URL are disabled |
| Domain | string | False | The managed domain |
| ID | string | False | The Mimecast secure ID of the managed URL |
| Match Type | string | False | Either 'explicit' or 'domain' |
| Port | integer | False | Port |
| Scheme | string | False | The protocol to apply for the managed URL. Either HTTP or HTTPS |

policy

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Bidirectional | boolean | False | If the policy is also applied in the reverse of the email flow, i.e. where the specified recipient in the policy becomes the sender, and the specified sender in the policy becomes the recipient |
| Conditions | object | False | An object with fields describing additional conditions that should affect when the policy is applied |
| Description | string | False | The description for the policy which is kept with the email in the archive for future reference |
| From | object | False | An object containing type and value fields defining which sender addresses the policy applies to |
| From Date | string | False | The date that the policy will apply from |
| From Eternal | boolean | False | If the policy is always applied or if there is a specific start date |
| From Part | string | False | Which from address is used in the policy. Can be any of envelope_from, header_from, both |
| From Type | string | False | Which sender addresses the policy applies to. Can be one of everyone, internal_addresses, external_addresses, email_domain, profile_group, address_attribute_value, individual_email_address, free_mail_domains, header_display_name |
| From Value | string | False | A value defining which senders the policy applies to |
| Override | boolean | False | If true, this option overrides the order in which the policy is applied, and forces it to be applied first if there are multiple applicable policies, unless more specific policies of the same type have been configured with an override as well |
| To | object | False | An object containing type and value fields defining which recipient addresses the policy applies to |
| To Date | string | False | The date that the policy will apply until |
| To Eternal | boolean | False | If the policy should always be applied or if there is an end date |
| To Type | string | False | Which recipient addresses the policy applies to. Can be one of everyone, internal_addresses, external_addresses, email_domain, profile_group, address_attribute_value, individual_email_address, free_mail_domains, header_display_name |

sender_policy

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ID | string | False | The Mimecast ID of the policy. Used when updating the policy |
| Option | string | False | The option set for the policy. Will be one of no_action, block_sender |
| Policy | policy | False | The policy that was created |

Version History

  • 4.1.1 - Fix bug where the connection test would sometimes pass even with invalid credentials
  • 4.1.0 - Update Get TTP URL Logs action to use pagination
  • 4.0.1 - Add example inputs
  • 4.0.0 - Update Get TTP URL Logs to allow for better URL filtering
  • 3.1.0 - New action Delete Managed URL and Delete Group Member
  • 3.0.1 - New spec and help.md format for the Extension Library
  • 3.0.0 - Add URL in Get TTP URL Logs action to filter output | Update connection settings to the proper authentication supported by the Mimecast API
  • 2.5.0 - New action Decode URL
  • 2.4.0 - New action Get TTP URL Logs
  • 2.3.0 - New actions Add Group Member and Find Group
  • 2.2.0 - New action Create Blocked Sender Policy
  • 2.1.0 - New action Permit or Block Sender
  • 2.0.0 - Add Get Managed URL Action | Update descriptions and output titles
  • 1.0.0 - Initial plugin

Links

References

plugin_spec_version: v2
extension: plugin
products: [insightconnect]
name: mimecast
title: Mimecast
description: Services for email security, archiving and continuity. Protect, manage
  and archive without compromise
version: 4.1.1
vendor: rapid7
support: rapid7
status: []
resources:
  source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/mimecast
  license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
  vendor_url: http://mimecast.com
tags:
- mimecast
- email
hub_tags:
  use_cases: [threat_detection_and_response]
  keywords: [mimecast, email]
  features: []
types:
  managed_url:
    comment:
      title: Comment
      description: The comment that was posted in the request
      type: string
      required: false
    domain:
      title: Domain
      description: The managed domain
      type: string
      required: false
    disableUserAwareness:
      title: User Awareness
      description: If User Awareness challenges for this URL are disabled
      type: boolean
      required: false
    disableLogClick:
      title: Click Logging
      description: If logging of user clicks on the URL is disabled
      type: boolean
      required: false
    action:
      title: Action
      description: Either block or permit
      type: string
      required: false
    matchType:
      title: Match Type
      description: Either 'explicit' or 'domain'
      type: string
      required: false
    scheme:
      title: Scheme
      description: The protocol to apply for the managed URL. Either HTTP or HTTPS
      type: string
      required: false
    disableRewrite:
      title: URL Rewriting
      description: If rewriting of this URL in emails is disabled
      type: boolean
      required: false
    id:
      title: ID
      description: The Mimecast secure ID of the managed URL
      type: string
      required: false
    port:
      title: Port
      description: Port
      type: integer
      required: false
  managed_sender:
    type:
      title: Type
      description: Either 'permit' (to bypass spam checks) or 'block' (to reject the
        email)
      type: string
      required: false
    to:
      title: To
      description: The email address of the internal recipient
      type: string
      required: false
    sender:
      title: Sender
      description: The email address of the external sender
      type: string
      required: false
    id:
      title: ID
      description: The Mimecast secure ID of the managed sender object
      type: string
      required: false
  policy:
    fromEternal:
      title: From Eternal
      description: If the policy is always applied or if there is a specific start
        date
      type: boolean
      required: false
    toDate:
      title: To Date
      description: The date that the policy will apply until
      type: string
      required: false
    fromValue:
      title: From Value
      description: A value defining which senders the policy applies to
      type: string
      required: false
    from:
      title: From
      description: An object containing type and value fields defining which sender
        addresses the policy applies to
      type: object
      required: false
    description:
      title: Description
      description: The description for the policy which is kept with the email in
        the archive for future reference
      type: string
      required: false
    bidirectional:
      title: Bidirectional
      description: If the policy is also applied in the reverse of the email flow,
        i.e. where the specified recipient in the policy becomes the sender, and the
        specified sender in the policy becomes the recipient
      type: boolean
      required: false
    fromType:
      title: From Type
      description: Which sender addresses the policy applies to. Can be one of everyone,
        internal_addresses, external_addresses, email_domain, profile_group, address_attribute_value,
        individual_email_address, free_mail_domains, header_display_name
      type: string
      required: false
    to:
      title: To
      description: An object containing type and value fields defining which recipient
        addresses the policy applies to
      type: object
      required: false
    fromDate:
      title: From Date
      description: The date that the policy will apply from
      type: string
      required: false
    override:
      title: Override
      description: If true, this option overrides the order in which the policy is
        applied, and forces it to be applied first if there are multiple applicable
        policies, unless more specific policies of the same type have been configured
        with an override as well
      type: boolean
      required: false
    toEternal:
      title: To Eternal
      description: If the policy should always be applied or if there is an end date
      type: boolean
      required: false
    conditions:
      title: Conditions
      description: An object with fields describing additional conditions that should
        affect when the policy is applied
      type: object
      required: false
    toType:
      title: To Type
      description: Which recipient addresses the policy applies to. Can be one of
        everyone, internal_addresses, external_addresses, email_domain, profile_group,
        address_attribute_value, individual_email_address, free_mail_domains, header_display_name
      type: string
      required: false
    fromPart:
      title: From Part
      description: Which from address is used in the policy. Can be any of envelope_from,
        header_from, both
      type: string
      required: false
  sender_policy:
    id:
      title: ID
      description: The Mimecast ID of the policy. Used when updating the policy
      type: string
      required: false
    option:
      title: Option
      description: The option set for the policy. Will be one of no_action, block_sender
      type: string
      required: false
    policy:
      title: Policy
      description: The policy that was created
      type: policy
      required: false
  group:
    description:
      title: Description
      description: The name of the group
      type: string
      required: false
    source:
      title:
      description:
      type: string
      required: false
    folder_count:
      title:
      description:
      type: integer
      required: false
    parent_id:
      title:
      description:
      type: string
      required: false
    id:
      title:
      description:
      type: string
      required: false
    user_count:
      title:
      description:
      type: integer
      required: false
  click_logs:
    category:
      title: Category
      description: The category of the URL clicked
      type: string
      required: false
    userEmailAddress:
      title: User Email Address
      description: The email address of the user who clicked the link
      type: string
      required: false
    url:
      title: URL
      description: The URL clicked
      type: string
      required: false
    userAwarenessAction:
      title: User Awareness Action
      description: The action taken by the user if user awareness was applied
      type: string
      required: false
    route:
      title: Route
      description: The route of the email that contained the link
      type: string
      required: false
    adminOverride:
      title: Admin Override
      description: The action defined by the administrator for the URL
      type: string
      required: false
    date:
      title: Date
      description: The date that the URL was clicked
      type: string
      required: false
    scanResult:
      title: Scan Result
      description: The result of the URL scan
      type: string
      required: false
    action:
      title: Action
      description: The action that was taken for the click
      type: string
      required: false
    ttpDefinition:
      title: TTP Definition
      description: The description of the definition that triggered the URL to be rewritten by Mimecast
      type: string
      required: false
    userOverride:
      title: User Override
      description: The action requested by the user
      type: string
      required: false

connection:
  url:
    title: URL
    description: The URL for the Mimecast server
    type: string
    example: https://api.mimecast.com
    required: true
  app_id:
    title: App ID
    description: Application ID
    type: string
    example: 78d2e4b1-8cc2-4806-nt79-6ef332a47374
    required: true
  app_key:
    title: Application Key
    description: The application key
    type: credential_secret_key
    example: 475x54c6-4f61-4fab-8be7-a0710f3859e3
    required: true
  secret_key:
    title: Application Secret Key
    description: The application secret key
    type: credential_secret_key
    example: FgHrtydiP4TynI+rTZF42Qu0FtGuhJtuNM5bDh82goJQHed9kJZ5t/ORwGnI5r2hkl/bzCosZ+KVapJFeaf3Yw==
    required: true
  access_key:
    title: Application Access Key
    description: The application access key
    type: credential_secret_key
    example: eWtOL3XZCOwG96BOiFTZRiC5rdvDmP4FFdwU2Y1DC1Us-gh7KyL5trUrZ9aEuzQMV7pPWWxTnPVtsJ6x3fajAh3cRskP0w8hNjaFFVkZB6G9dOytLM2ssQ7HY-p7gJoi
    required: true

actions:
  create_managed_url:
    title: Create Managed URL
    description: Create a managed URL
    input:
      url:
        title: URL
        description: The URL to block or permit. Do not include a fragment
        type: string
        example: https://rapid7.com
        required: true
      comment:
        title: Comment
        description: A comment about why the URL is managed; for tracking purposes
        type: string
        example: i'm blocking this because virustotal said it was malicious
        required: false
      disable_rewrite:
        title: Disable Rewrite
        description: Disable rewriting of this URL in emails. Applies only if action
          = 'permit'
        type: boolean
        example: True
        required: true
      disable_user_awareness:
        title: Disable User Awareness
        description: Disable User Awareness challenges for this URL. Applies only
          if action = 'permit'
        type: boolean
        example: False
        required: true
      disable_log_click:
        title: Disable Log Click
        description: Disable logging of user clicks on the URL
        type: boolean
        example: False
        required: true
      action:
        title: Action
        description: Set to 'block' to blacklist the URL, 'permit' to whitelist it
        type: string
        example: block
        required: true
        default: block
        enum:
        - block
        - permit
      match_type:
        title: Match Type
        description: Set to 'explicit' to block or permit only instances of the full
          URL. Set to 'domain' to block or permit any URL with the same domain
        type: string
        example: explicit
        required: true
        default: explicit
        enum:
        - explicit
        - domain
    output:
      response:
        title: Managed URL
        description: Managed URL that was created
        type: '[]managed_url'
        required: false
  delete_managed_url:
    title: Delete Managed URL
    description: Delete a managed URL
    input:
      id:
        title: ID
        description: The Mimecast secure ID of the managed URL
        type: string
        example: wOi3MCwjYFYhZfkYlp2RMAhvN30QSmqOT7D-I9Abwlmy7ZH7eCwvY3ImP7QVjTLhHMy6V8J3VOvTNMW2G-txx3o4zL0YXqWxuCVlGQ-1viE
        required: true
    output:
      success:
        title: Success
        description: Success status of delete request
        type: boolean
        required: false
  get_managed_url:
    title: Get Managed URL
    description: Get information on a managed URL
    input:
      domain:
        title: Domain
        description: The managed domain
        type: string
        example: rapid7.com
        required: false
      disable_user_awareness:
        title: 'Filter: User Awareness'
        description: Filter on whether or not User Awareness challenges are disabled for this URL
        type: string
        example: false
        required: false
        default: none
        enum:
        - none
        - 'false'
        - 'true'
      disable_log_click:
        title: 'Filter: Log Click'
        description: Filter on whether or not clicks are logged for this URL
        type: string
        required: false
        example: true
        default: none
        enum:
        - none
        - 'false'
        - 'true'
      action:
        title: 'Filter: Action'
        description: Filter on whether or not the action is 'block' or 'permit'
        type: string
        required: false
        example: block
        default: none
        enum:
        - none
        - block
        - permit
      match_type:
        title: 'Filter: Match Type'
        description: Filter on whether or not the match type is 'explicit' or 'domain'
        type: string
        example: domain
        required: false
        default: none
        enum:
        - none
        - explicit
        - domain
      scheme:
        title: 'Filter: Scheme'
        description: Filter on whether or not the protocol is HTTP or HTTPS
        type: string
        example: http
        required: false
      disable_rewrite:
        title: 'Filter: URL Rewrite'
        description: Filter on whether or not rewriting of this URL in emails is enabled
        type: string
        example: false
        required: false
        default: none
        enum:
        - none
        - 'false'
        - 'true'
      id:
        title: 'Filter: ID'
        description: Filter on the Mimecast secure ID of the managed URL
        type: string
        required: false
    output:
      response:
        title: Managed URL
        description: 'Managed URLs matching '
        type: '[]managed_url'
        required: false
  permit_or_block_sender:
    title: Permit or Block Sender
    description: Permits or blocks a sender
    input:
      action:
        title: Action
        description: Either 'permit' (to bypass spam checks) or 'block' (to reject
          the email)
        type: string
        example: block
        required: true
        default: block
        enum:
        - block
        - permit
      to:
        title: To
        description: The email address of the internal recipient
        type: string
        example: user@example.com
        required: true
      sender:
        title: Sender
        description: The email address of the external sender
        example: user@example.com
        type: string
        required: true
    output:
      response:
        title: Managed Sender
        description: The Managed Sender that was created
        type: '[]managed_sender'
        required: false
  create_blocked_sender_policy:
    title: Create Blocked Sender Policy
    description: Creates a blocked sender policy
    input:
      option:
        title: Option
        description: 'The block option. Must be: no_action or block_sender'
        type: string
        required: true
        example: block_sender
        default: block_sender
        enum:
        - block_sender
        - no_action
      description:
        title: Description
        description: A description for the policy which is kept with the email in
          the archive for future reference
        type: string
        example: A description
        required: true
      from_part:
        title: From Part
        description: 'Must be: envelope_from, header_from or both'
        type: string
        example: envelope_from
        required: true
        default: envelope_from
        enum:
        - envelope_from
        - header_from
        - both
      from_type:
        title: From Type
        description: 'Can be one of: everyone, internal_addresses, external_addresses,
          email_domain, profile_group or individual_email_address'
        type: string
        example: internal_addresses
        required: true
        default: everyone
        enum:
        - everyone
        - internal_addresses
        - external_addresses
        - email_domain
        - profile_group
        - individual_email_address
      from_value:
        title: From Value
        description: 'Required if `From Type` is one of email_domain, profile_group,
          individual_email_address. Expected values: If `From Type` is email_domain,
          a domain name without the @ symbol. If `From Type` is profile_group, the
          ID of the profile group. If `From Type` is individual_email_address, an
          email address'
        type: string
        example: user@example.com
        required: false
      to_type:
        title: To Type
        description: 'Can be one of: everyone, internal_addresses, external_addresses,
          email_domain, profile_group or individual_email_address'
        type: string
        example: everyone
        required: true
        default: everyone
        enum:
        - everyone
        - internal_addresses
        - external_addresses
        - email_domain
        - profile_group
        - individual_email_address
      to_value:
        title: To Value
        description: 'Required if `To Type` is one of email_domain, profile_group,
          individual_email_address. Expected values: If `To Type` is email_domain,
          a domain name without the @ symbol. If `To Type` is profile_group, the ID
          of the profile group. If `To Type` is individual_email_address, an email
          address'
        type: string
        example: user@example.com
        required: false
      source_ips:
        title: Source IPs
        description: A comma separated list of IP addresses using CIDR notation (X.X.X.X/XX).
          When set the policy only applies for connections from matching addresses
        type: string
        example: 198.51.100.0/24
        required: false
    output:
      sender_policy:
        title: Policy
        description: The policy that was created
        type: '[]sender_policy'
        required: false
  add_group_member:
    title: Add Group Member
    description: Add an email address or domain to a group
    input:
      id:
        title: ID
        description: The Mimecast ID of the group to add to
        example: eNoVzssKgkAUgOF3OWuhvDHlTjMqgjIilWgzN0UdHZnjBBK9e7b_-fg_gJJbIxsBEdB2Dl-r1HDCMLeHuufXTZyt8_Gou3l_i21JWeK3TOgJizrBvFM0ez5EaDwcytO5AAeUoCNEFVUoHeAWJ91Lw7WQi7-7X1I3JtswWMK3NNjoASLXgUorIc3_ISA-8b4_Gl8xjA
        type: string
        required: true
      email_address:
        title: Email Address
        description: The email address of a user to add to a group. Use either email address or domain
        example: user@example.com
        type: string
        required: false
      domain:
        title: Domain
        description: A domain to add to a group. Use either email address or domain
        type: string
        example: rapid7.com
        required: false
    output:
      folder_id:
        title: Folder ID
        description: The Mimecast ID of the group that the user / domain was added to
        type: string
        required: false
      email_address:
        title: Email Address
        description: The email address of the user that was added to the group
        type: string
        required: false
      id:
        title: ID
        description: The Mimecast ID of the user / domain that was added to the group
        type: string
        required: false
      internal:
        title: Internal
        description: Whether or not the user or domain is internal
        type: boolean
        required: false
  delete_group_member:
    title: Delete Group Member
    description: Delete an email address or domain from a group
    input:
      id:
        title: ID
        description: The Mimecast ID of the group to remove from
        example: eNoVzssKgkAUgOF3OWuhvDHlTjMqgjIilWgzN0UdHZnjBBK9e7b_-fg_gJJbIxsBEdB2Dl-r1HDCMLeHuufXTZyt8_Gou3l_i21JWeK3TOgJizrBvFM0ez5EaDwcytO5AAeUoCNEFVUoHeAWJ91Lw7WQi7-7X1I3JtswWMK3NNjoASLXgUorIc3_ISA-8b4_Gl8xjA
        type: string
        required: true
      email_address:
        title: Email Address
        description: The email address to remove from group. Use either email address or domain
        type: string
        example: user@example.com
        required: false
      domain:
        title: Domain
        description: A domain to remove from group. Use either email address or domain
        example: rapid7.com
        type: string
        required: false
    output:
      success:
        title: Success
        description: Status of success of the delete operation
        type: boolean
        required: false
  find_groups:
    title: Find Groups
    description: Find groups that match a given query
    input:
      query:
        title: Query
        description: A string to query for
        example: mygroup
        type: string
        required: false
      source:
        title: Source
        description: A group source to filter on, either "cloud" or "ldap"
        type: string
        example: cloud
        required: true
        default: cloud
        enum:
        - cloud
        - ldap
    output:
      groups:
        title: Groups
        description: A list of groups that match the query
        type: "[]group"
        required: false
  get_ttp_url_logs:
    title: Get TTP URL Logs
    description: Get TTP URL logs
    input:
      from:
        title: From
        description: Start date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is the start of the current day
        example: 2018-11-22T14:49:18+0000
        type: string
        required: false
      to:
        title: To
        description: End date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is time of request
        example: 2018-11-22T14:49:18+0000
        type: string
        required: false
      route:
        title: Route
        description: Filters logs by route, must be one of inbound, outbound, internal, or all
        type: string
        example: inbound
        required: true
        default: all
        enum:
        - all
        - inbound
        - outbound
        - internal
      scan_result:
        title: Scan Result
        description: Filters logs by scan result, must be one of clean, malicious, or all
        type: string
        example: malicious
        required: true
        default: all
        enum:
        - clean
        - malicious
        - all
      url_to_filter:
        title: URL Regular Expression Filter
        description: Regular expression to filter on. e.g. `examp` will return only URLs with the letters examp in them
        example: exam.*
        type: string
        required: false
      max_pages:
        title: Max Pages
        description: Max pages returned, default 100
        type: integer
        required: false
        default: 100
        example: 10
      page_size:
        title: Page Size
        type: integer
        description: "The number of logs returned per page, default value is 10"
        required: false
        default: 10
        example: 10
    output:
      click_logs:
        title: Click Logs
        description: Click Logs
        type: "[]click_logs"
        required: false
  decode_url:
    title: Decode URL
    description: Decode a Mimecast encoded URL
    input:
      encoded_url:
        title: Encoded URL
        description: The Mimecast encoded URL
        example: https://protect-xx.mimecast.com/TXH7fhe
        type: string
        required: true
    output:
      decoded_url:
        title: Decoded URL
        description: Original decoded URL
        type: string
        required: true
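
The create_blocked_sender_policy inputs above carry conditional rules (from_value and to_value are required only for certain types, and source_ips is a comma separated CIDR list) that the spec states only in description text. The following is an added example, not code from the plugin: a pre-flight check a workflow could run before calling the action. The function names are hypothetical, and treating source_ips as IPv4 with host bits tolerated is an assumption.

```python
import ipaddress

# Enum values copied from the create_blocked_sender_policy spec above.
OPTIONS = {"block_sender", "no_action"}
FROM_PARTS = {"envelope_from", "header_from", "both"}
NEEDS_VALUE = {"email_domain", "profile_group", "individual_email_address"}
ADDRESS_TYPES = NEEDS_VALUE | {"everyone", "internal_addresses", "external_addresses"}


def _check_side(side, params, errors):
    """Validate the <side>_type / <side>_value pair (side is 'from' or 'to')."""
    kind = params.get(f"{side}_type")
    value = (params.get(f"{side}_value") or "").strip()
    if kind not in ADDRESS_TYPES:
        errors.append(f"{side}_type: not an allowed value")
    elif kind in NEEDS_VALUE and not value:
        errors.append(f"{side}_value: required when {side}_type is {kind}")
    elif kind == "email_domain" and "@" in value:
        errors.append(f"{side}_value: domain must not contain '@'")
    elif kind == "individual_email_address" and value.count("@") != 1:
        errors.append(f"{side}_value: expected a single email address")


def validate_blocked_sender_policy(params):
    """Return a list of problems; an empty list means the input fits the spec."""
    errors = []
    if params.get("option") not in OPTIONS:
        errors.append("option: must be block_sender or no_action")
    if not params.get("description"):
        errors.append("description: required")
    if params.get("from_part") not in FROM_PARTS:
        errors.append("from_part: must be envelope_from, header_from or both")
    for side in ("from", "to"):
        _check_side(side, params, errors)
    # source_ips is optional; every entry must be X.X.X.X/XX.
    for raw in (params.get("source_ips") or "").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if "/" not in entry:
                raise ValueError("missing prefix length")
            # Assumption: host bits set (e.g. 198.51.100.7/24) are tolerated.
            ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            errors.append(f"source_ips: {entry!r} is not valid CIDR")
    return errors
```

Rejecting the input before the API call keeps a malformed scope, such as an email_domain policy with no domain, from reaching the tenant as a failed or unintended policy.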