KB // MIMECAST
EMAIL SECURITY OPERATIONS
13,241 ENDPOINTS KTC-DEMO-ORG
Mimecast Email Security Operations Center
Complete reference for configuring, operating, and integrating the Mimecast Email Security Operations Center across KTC-Demo-Org's 13,241-endpoint environment. Covers TTP protection, gateway configuration, quarantine management, API integration, and SIEM forwarding.

Mimecast is a cloud-native email security platform that sits in front of your mail flow — typically Microsoft 365 or Google Workspace — and inspects every inbound, outbound, and internal message before delivery. It combines anti-spam, anti-malware, targeted threat protection (TTP), impersonation defense, DLP, and awareness training into a single managed service.

In the KTC-Demo-Org environment, Mimecast is the primary email security gateway protecting all 13,241 endpoints. All mail is routed through Mimecast's infrastructure before reaching Microsoft 365 Exchange Online. The Mimecast Operations Center demo surface exposes the full Mimecast API 2.0 via a unified SOC-style interface.

Core Protection Layers
  • Gateway: Anti-spam, anti-virus, SPF/DKIM/DMARC enforcement, DLP
  • URL Protect: Real-time URL rewriting and on-click sandboxing
  • Attachment Protect: Pre-emptive sandboxing of all attachments
  • Impersonation Protect: BEC, CEO fraud, and typosquat detection
  • Internal Email Protect: Scans mail between internal users
Platform Integrations
  • Microsoft 365: Mail routing, Azure AD sync, Defender co-exist
  • Splunk / Sentinel: SIEM log forwarding via batch API
  • Azure AD: Directory group sync for policy targeting
  • Awareness Training: Built-in phishing simulation + SAFE scoring
  • API: REST API 2.0 for automation, reporting, and orchestration
Demo Environment Note: The Operations Center dashboard runs in demo mode. All API calls return realistic mock responses scoped to 13,241 endpoints. No live mail is processed. Connect a valid Client ID + Secret in API Explorer to switch to live production data.
Inbound Mail Flow

Inbound email to your domain is routed through Mimecast MX records before delivery to Microsoft 365. Mimecast inspects every message through multiple processing engines sequentially:

Flow: Internet Sender → Mimecast MX → Gateway Engine (SPF · DKIM · DMARC · AV · Spam) → TTP Layer (URL · Attachment · Impersonation) → M365 Delivery. At either inspection stage a message can instead be Blocked/Rejected or Quarantined/Held.
Processing Engines
| Engine | Function | Output | API Source |
|---|---|---|---|
| Anti-Spam | Bulk and opportunistic spam scoring | Block, Quarantine, Tag | /api/stats/gateway |
| Anti-Virus | Signature-based malware detection | Block | /api/stats/gateway |
| SPF/DKIM/DMARC | Sender authentication enforcement | Reject, Quarantine | /api/policy/antispoofing |
| URL Protect | Rewrites URLs; blocks on click | Block, Warn, Allow | /api/ttp/url/get-logs |
| Attachment Protect | Pre-emptive sandbox detonation | Block, Convert, Allow | /api/ttp/attachment/get-logs |
| Impersonation Protect | BEC, CEO fraud, typosquat detection | Block, Tag, Quarantine | /api/ttp/impersonation/get-logs |
| DLP | Outbound PII / PHI / CCN scanning | Hold, Encrypt, Block | /api/policy/content-examination |
Outbound Mail Flow

Outbound mail from Microsoft 365 is relayed through Mimecast for DLP scanning, archiving, and branding injection. Mimecast adds DKIM signatures, enforces SPF alignment, and scans for data loss policy violations before releasing to the internet.

M365 Connector Requirement: Microsoft 365 must be configured with an outbound connector pointing to Mimecast relay IPs. Misconfigured connectors bypass Mimecast DLP and lose DKIM signing. Validate connector configuration monthly via the Policy → Allow Microsoft 365 Relay toggle in the Operations Center.

KTC-Demo-Org operates 13,241 protected endpoints across all licensed users, servers, and managed devices. The numbers below represent daily throughput baselines at this scale and are used throughout the Operations Center dashboard to contextualize alert volumes.

  • Inbound Mail / Day: ~94,800 (across 13,241 endpoints)
  • Outbound Mail / Day: ~22,400 (DLP scanned + relay)
  • Threats Blocked / Day: ~240 (all threat categories)
  • Spam Rejected / Day: ~18,400 (99.2% catch rate)
  • URLs Scanned / Hour: ~148K (URL Protect rewrites)
  • Attachments Sandboxed: ~218 per day, pre-emptive
| Group | Users | Endpoints | Policy Tier | Sync Source |
|---|---|---|---|---|
| Executive Leadership | 52 | 52 | BEC High Risk | Azure AD |
| Finance Department | 128 | 128 | Wire Fraud Policy | Azure AD |
| IT Administrators | 34 | 204 | Bypass Ext Tag | Azure AD |
| All Staff | 8,241 | 8,241 | Standard TTP | LDAP |
| Infrastructure Servers | | 4,616 | Server TTP Policy | API Managed |
| Total | 8,455+ | 13,241 | | |

The Operations Center dashboard is the primary entry point. It displays the current threat posture across five KPI tiles, a live event feed, threat breakdown, recent high-priority alerts, hourly sparkline, and top threat origin domains.

KPI Tiles
  • Threats Blocked (24h): Total blocked events across all threat categories in the last 24 hours. Sourced from /api/threats/events. Drifts upward in live mode as new blocks occur.
  • Quarantined Today: Count of messages currently in the held/quarantine queue. Links to the Quarantine view. Reflects actions taken — releases and purges decrement this counter live.
  • URL Clicks Blocked: Users who clicked a Mimecast-rewritten URL that was blocked at click-time. Sourced from /api/ttp/url/get-logs.
  • Emails Processed: Total inbound + outbound messages processed by the gateway since midnight UTC. Drifts upward every 5 seconds in the live feed simulation.
  • Spam Rejected: Gateway-level spam rejections (pre-delivery, not quarantine). Sourced from /api/stats/gateway.
Live Feed Bar

The orange LIVE bar at the top of the dashboard scrolls recent high-signal events from the Mimecast event stream. Events rotate every ~3.8 seconds and represent actual event types scoped to 13,241 endpoints — BEC blocks, malware detonations, SIEM batch pulls, URL rewrites, and policy sync confirmations.

Alert Workflow

The Recent High-Priority Alerts panel shows the five most recent events requiring analyst attention. Clicking any row opens a detailed modal with full event context, API response snippet, and action buttons:

  • Investigate / View Hash: Opens event detail modal with sender data, TTP definition, API source, and code snippet.
  • Block Domain: Fires a mock PUT /api/policy/blockedsenders call to add the sender domain to the blocked list. Updates the blocked sender count.
  • Acknowledge: Marks the alert row as reviewed (visual dim), decrements the critical badge in the sidebar.
  • Export to SIEM: Fires a mock batch export to Splunk/Sentinel.
  • Ack All (panel header): Acknowledges all five current alerts simultaneously.

TTP is Mimecast's advanced threat suite for defending against targeted attacks that bypass standard anti-spam/AV. It consists of three dedicated modules, each with its own API endpoint and policy configuration.

URL Protect

URL Protect rewrites every URL in inbound emails to route clicks through Mimecast's proxy. At click time, the destination is evaluated against live threat intelligence. If the URL is flagged, the user sees a Mimecast block page instead of the malicious site.

  • REWRITE: All URLs transformed to https://url.us.m.mimecastprotect.com/... at ingest time. Happens before delivery.
  • ON-CLICK SCAN: URL checked at click time against live threat feeds. Provides protection even if a URL was clean at delivery but later compromised.
  • BLOCK: Click blocked. User redirected to Mimecast block page. Event logged to /api/ttp/url/get-logs.
  • WARN: Suspicious but not confirmed malicious. User sees a warning page and can choose to proceed.
User Confusion Risk: Rewritten URLs look unusual to end users. Train staff that URLs starting with url.us.m.mimecastprotect.com are Mimecast-wrapped links — not phishing. Hover-preview in Outlook will always show the Mimecast proxy address.
API · URL Protect Log Response
{
  "meta": {"status": 200, "totalCount": 241, "endpoints": 13241},
  "data": [{
    "id": "url001",
    "url": "hxxps://login-secure-bank[.]xyz/auth",
    "userEmailAddress": "j.smith@ktc-demo.com",
    "action": "Block",
    "reason": "Phishing",
    "ttpDefinition": "URL Protect - Default",
    "date": "2026-03-22T10:54:22+0000"
  }]
}
Attachment Protect

Attachment Protect intercepts all inbound attachments and submits them to Mimecast's sandbox for pre-emptive detonation before the message is delivered. Three operating modes are available:

| Mode | Behavior | Delivery Delay | Use Case |
|---|---|---|---|
| Sandbox | File detonated in cloud sandbox. Malicious = blocked. Clean = delivered original. | 2–10 min | All untrusted inbound |
| Convert & Deliver | Office docs converted to safe PDF. Original attached to separate email. | None | High-volume / low latency |
| Pre-emptive Block | Specific file types blocked regardless of content (.exe, .vbs, .ps1). | None | Executive / Finance groups |
SHA256 Hash Logging: Every sandboxed file generates a SHA256 hash stored in /api/ttp/attachment/get-logs. Submit hashes to VirusTotal, your SIEM, or threat intel feeds for cross-environment correlation. The Operations Center includes a "Submit to TI" button in the attachment detail modal.
Impersonation Protect

Impersonation Protect detects attacks that use social engineering instead of malware — specifically Business Email Compromise (BEC), CEO fraud, typosquat domains, and internal spoofing. It uses a combination of AI-based analysis, custom monitored domain lists, and header inspection.

  • BEC / CEO Fraud: High risk. Message purports to be from an executive or finance authority. Common identifiers: similar internal domain, display name match on a different address, DKIM misalignment.
  • CFO / Finance Fraud: High risk. Targets payroll, AR/AP, wire transfer approvers. Executive Leadership and Finance groups should have the BEC High Risk policy applied.
  • Typosquat Domain: Sender domain is a near-miss of a trusted domain (e.g. microsofft.com, acme-corp.co). Mimecast flags and optionally blocks.
  • Brand Abuse: Third-party brand (DocuSign, PayPal, Microsoft) impersonated from a non-registered domain. Tagged or blocked depending on policy definition.
  • Internal Spoof: From-header matches an internal domain but the message is arriving from an external source. Should be blocked outright — legitimate internal mail never arrives via the inbound MX path.
🔴 Finance & Exec Groups Must Have BEC Policy: Wire transfer fraud is the highest-cost email threat. Ensure the Finance Department (128 users) and Executive Leadership (52 users) have the "BEC High Risk" TTP definition applied. A single successful BEC can exceed an entire year's Mimecast licensing cost. Verify in Directory Groups.
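The checks behind three of the categories above (typosquat domain, display-name BEC, internal spoof) can be made concrete. The following is an added example, not Mimecast's detection code: the monitored domains, the executive display-name list, the internal domain and the sample senders are all constructed for the demo, and the confusable-character folding is a simple heuristic rather than Mimecast's algorithm.

```python
"""Near-miss domain and display-name checks of the kind Impersonation Protect
applies to inbound mail.

Added example, not Mimecast's code. MONITORED_DOMAINS, INTERNAL_DOMAINS and
MONITORED_NAMES are constructed stand-ins for the tenant's monitored lists.
"""
from dataclasses import dataclass

MONITORED_DOMAINS = ["ktc-demo.com", "acme-corp.com", "microsoft.com"]  # constructed
INTERNAL_DOMAINS = {"ktc-demo.com"}                                        # constructed
MONITORED_NAMES = {"Jane Doe": "j.doe@ktc-demo.com"}                       # constructed exec list


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute costing 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Fold sequences that render alike so 'rn' vs 'm' or '0' vs 'o' compare equal.
    Heuristic only: it can fold legitimate names too, hence the distance check beside it."""
    folded = domain.lower()
    for look_alike, canonical in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        folded = folded.replace(look_alike, canonical)
    return folded


def typosquat_match(sender_domain: str, max_distance: int = 2):
    """Return the monitored domain this sender resembles, or None if exact or unrelated."""
    d = sender_domain.lower()
    if d in MONITORED_DOMAINS:
        return None  # exact match is the real domain, not a look-alike
    for trusted in MONITORED_DOMAINS:
        if fold_confusables(d) == fold_confusables(trusted) or levenshtein(d, trusted) <= max_distance:
            return trusted
    return None


@dataclass
class Verdict:
    category: str  # "Internal Spoof", "BEC / CEO Fraud", "Typosquat Domain" or "Clean"
    detail: str


def assess(display_name: str, from_address: str, via_inbound_mx: bool) -> Verdict:
    """Classify one sender using the impersonation categories described above."""
    domain = from_address.rpartition("@")[2].lower()
    # Internal Spoof: From-header claims an internal domain but the message came over the inbound MX.
    if domain in INTERNAL_DOMAINS and via_inbound_mx:
        return Verdict("Internal Spoof", f"{from_address} arrived from an external source")
    # BEC / CEO fraud: a monitored executive display name on a different address.
    expected = MONITORED_NAMES.get(display_name)
    if expected and expected.lower() != from_address.lower():
        return Verdict("BEC / CEO Fraud", f"display name '{display_name}' expected {expected}")
    looked_like = typosquat_match(domain)
    if looked_like:
        return Verdict("Typosquat Domain", f"{domain} resembles {looked_like}")
    return Verdict("Clean", "")


if __name__ == "__main__":
    # Constructed senders exercising each category.
    for name, addr in [("Jane Doe", "jane.doe.ceo@example.net"), ("Accounts", "ap@acme-corp.co"),
                       ("Jane Doe", "j.doe@ktc-demo.com"), ("Vendor", "ap@acme-corp.com")]:
        print(name, addr, assess(name, addr, via_inbound_mx=True))
```

The order of the checks matters: an internal From-domain arriving over the inbound MX is flagged before any name or distance logic runs, because that condition alone is sufficient under the policy described above.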

Gateway Statistics provides aggregate mail flow metrics from /api/stats/gateway. This view is not for per-message investigation — it is for capacity planning, catch-rate reporting, and trend analysis.

Key Metrics
  • Inbound Processed: All messages accepted by Mimecast MX, regardless of final action. Use for mail volume trend tracking. ~94,822/day for 13,241 endpoints (~7.2 emails/endpoint/day).
  • Outbound Processed: All messages relayed from M365 through the Mimecast outbound connector. Should equal your Exchange Online send count — a discrepancy indicates a connector misconfiguration.
  • Malware Blocked: Anti-virus engine catches (signature-based, pre-sandbox). Separate from TTP sandbox detections.
  • Spam Rejected: Messages rejected at the gateway envelope stage (SMTP 5xx) before queuing. These do not appear in quarantine — they are never accepted.
  • Traffic Disposition: Donut chart: Delivered Clean (76%), Blocked/Rejected (18%), Quarantined (4%), Held/Review (2%). Use to justify Mimecast ROI in client QBRs.
99.2% Spam Catch Rate: KTC-Demo-Org maintains a 99.2% spam catch rate with under 0.1% false positives. Industry baseline is 99%. If your rate drops below 98%, open a Mimecast support case — sender reputation lists may need refreshing for your domain profile.

The Quarantine view surfaces held messages from /api/message/get-hold-message-list. At 13,241 endpoints, expect 150–250 held messages on a typical business day. The Operations Center pages 10 at a time and shows a running total.

Hold Reasons & Actions
| Hold Reason | Risk Level | Recommended Action | Notes |
|---|---|---|---|
| MALWARE | Critical | Purge immediately | Never release. Sandbox confirmed malicious. |
| BEC | Critical | Purge + block domain | BEC attempts should never reach the inbox. |
| SUSPICIOUS | High | Analyst review required | May be legitimate. Check sender, subject, and context. |
| SPAM | Low | Purge or release based on user request | Check for false positives with users weekly. |
| POLICY | Medium | Release if authorized by manager | Large file shares, unusual attachment types. |
| DLP | High | Block + incident log | PII/PHI exfiltration attempt. Must be documented. |
Operations Center Quarantine Actions
  • Checkbox + Release Selected: Select multiple rows and batch-release. Messages animate out and the total counter decrements.
  • Release (row): Delivers the held message to the recipient's inbox. Use for false positives confirmed by the user or analyst.
  • Purge (row): Permanently deletes the message. Use for confirmed threats, spam, or policy violations. Cannot be undone.
  • Purge All: Header button. Purges all visible held messages sequentially with staggered animation. Use during cleanup cycles.
  • Release Selected: Header button. Batch-releases all checked rows.
DLP Holds Require Documentation: Any message quarantined for DLP reasons (PHI, PII, CCN) must be documented in your ITSM before releasing or purging. This is required for HIPAA and PCI compliance. The DLP violation event should be forwarded to your SIEM via the Export to SIEM action.
API: Get Hold Message List
POST · /api/message/get-hold-message-list
// Request body
{
  "meta": {
    "pagination": {
      "pageSize": 10,
      "pageToken": ""
    }
  },
  "data": [{
    "admin": true,
    "holdType": "MTA"
  }]
}

// Response excerpt · 183 total held messages
{
  "meta": {"pagination": {"totalCount": 183}},
  "data": [{
    "id": "hold001",
    "fromEnv": "billing@invoices-pro.net",
    "holdReason": "Attachment: Malicious",
    "received": "2026-03-22T11:18:05+0000"
  }]
}
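Walking the full held-message queue means following the pagination token across pages and then applying the Hold Reasons table to each message. The block below is an added example, not Mimecast's code: the page fetcher is injected so it runs offline against constructed pages shaped like the response above, and the `meta.pagination.next` continuation key is an assumption about how the next page token is returned.

```python
"""Page through the held-message list and triage each message by hold reason.

Added example, not Mimecast's code. fetch_page is injected; the constructed
_PAGES below stand in for /api/message/get-hold-message-list responses, and
the meta.pagination.next key for the continuation token is assumed.
"""
from collections import Counter

# Recommended action per hold reason, taken from the Hold Reasons & Actions table.
TRIAGE = {
    "MALWARE": ("Critical", "Purge immediately"),
    "BEC": ("Critical", "Purge + block domain"),
    "SUSPICIOUS": ("High", "Analyst review required"),
    "SPAM": ("Low", "Purge or release based on user request"),
    "POLICY": ("Medium", "Release if authorized by manager"),
    "DLP": ("High", "Block + incident log"),
}


def classify_hold_reason(hold_reason: str) -> str:
    """Map a free-text holdReason such as 'Attachment: Malicious' to a triage bucket."""
    text = hold_reason.lower()
    if "malicious" in text or "malware" in text:
        return "MALWARE"
    if "impersonation" in text or "bec" in text:
        return "BEC"
    if "dlp" in text or "content examination" in text:
        return "DLP"
    if "spam" in text:
        return "SPAM"
    if "policy" in text:
        return "POLICY"
    return "SUSPICIOUS"  # anything unrecognised goes to an analyst


def build_request(page_token: str = "", page_size: int = 10) -> dict:
    """Request body in the shape shown above, carrying the continuation token."""
    return {"meta": {"pagination": {"pageSize": page_size, "pageToken": page_token}},
            "data": [{"admin": True, "holdType": "MTA"}]}


def iter_held_messages(fetch_page, page_size: int = 10):
    """Yield every held message, following the next-page token until it is absent."""
    token = ""
    while True:
        resp = fetch_page(build_request(token, page_size))
        for item in resp.get("data", []):
            yield item
        token = resp.get("meta", {}).get("pagination", {}).get("next", "")  # assumed key
        if not token:
            break


def triage_queue(fetch_page):
    """Return (Counter of buckets, list of (id, bucket, risk, action)) for the whole queue."""
    counts = Counter()
    plan = []
    for msg in iter_held_messages(fetch_page):
        bucket = classify_hold_reason(msg["holdReason"])
        risk, action = TRIAGE[bucket]
        counts[bucket] += 1
        plan.append((msg["id"], bucket, risk, action))
    return counts, plan


# Constructed two-page queue keyed by the pageToken the client sends.
_PAGES = {
    "": {"meta": {"pagination": {"totalCount": 3, "next": "tok2"}},
         "data": [
             {"id": "hold001", "fromEnv": "billing@invoices-pro.net", "holdReason": "Attachment: Malicious"},
             {"id": "hold002", "fromEnv": "ceo@ktc-dem0.com", "holdReason": "Impersonation: BEC High Risk"}]},
    "tok2": {"meta": {"pagination": {"totalCount": 3}},
             "data": [{"id": "hold003", "fromEnv": "hr@ktc-demo.com", "holdReason": "Content Examination: SSN"}]},
}


def demo_fetch_page(request: dict) -> dict:
    """Stand-in for the HTTP call: serve the constructed page for the requested token."""
    return _PAGES[request["meta"]["pagination"]["pageToken"]]


if __name__ == "__main__":
    counts, plan = triage_queue(demo_fetch_page)
    for row in plan:
        print(row)
    print(dict(counts))
```

In production the fetch function would POST `build_request(...)` with the Bearer token and return the parsed JSON; everything else stays the same, including the rule that unknown hold reasons fall into SUSPICIOUS rather than being auto-released.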

Mimecast's SIEM integration uses a batch pull model — your SIEM queries /api/siem/v1/batch/events on a schedule to retrieve compressed JSON event bundles. This is different from a real-time webhook model.

Batch Architecture

Each API call returns a pointer to a compressed file containing up to ~25,000 events per batch at KTC-Demo-Org scale. The SIEM connector fetches, decompresses, parses, and indexes the events. At 13,241 endpoints, expect 20,000–30,000 events per 5-minute pull cycle during business hours.

| Log Type | Event Content | SIEM Use Case |
|---|---|---|
| receipt | All inbound messages — sender, recipient, action, size, IP | Mail volume trending, sender reputation |
| delivery | Outbound delivery events with SMTP codes | Bounce analysis, relay health |
| ttp | URL clicks, attachment sandboxing, impersonation events | Threat correlation, IOC extraction |
| av | Anti-virus detections with file hash | Malware trending, endpoint correlation |
| impersonation | BEC, CEO fraud, typosquat events with identifiers | SOC alerting, executive risk |
| process | Message processing pipeline events, policy matches | Policy audit, compliance evidence |
| journal | Archive/journal copies (if archiving licensed) | eDiscovery, legal hold |
SIEM Integration Setup (Splunk)
1. Create Mimecast API Application: In Mimecast admin console: Administration → Services → API Applications → Add Application. Note the Client ID and Client Secret.
2. Install Mimecast Add-on for Splunk: Splunkbase: "Mimecast Add-On for Splunk." Install on Heavy Forwarder or Search Head. Requires Splunk 8.2+.
3. Configure Data Input: Splunk → Settings → Data Inputs → Mimecast SIEM. Enter Client ID, Secret, Account Code, and desired log types. Set pull interval to 300s (5 min).
4. Validate Index Population: Search index=mimecast sourcetype=mimecast:siem in Splunk. Should see receipt, delivery, and ttp events within one pull cycle.
5. Build Alert Rules: Create Splunk alerts for: BEC attempts (RejCode=TT0004), malicious attachments (sandboxResult=Malicious), DLP triggers (RejType=ContentExamination).
Sample SIEM Event · BEC Detection
{
  "datetime": "2026-03-22T11:42:18+0000",
  "acc": "KTC-Demo-Org",
  "endpoints": 13241,
  "Sender": "m.johnson@acme-corp.co",
  "Recipient": "finance@ktc-demo.com",
  "Dir": "Inbound",
  "Act": "Blk",
  "RejType": "Impersonation",
  "RejCode": "TT0004",
  "Definition": "BEC High Risk",
  "ThreatDictionary": "CEO Fraud",
  "Subtype": "BEC"
}
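The batch model means the SIEM side has to decompress a bundle, split it into events, and then apply the three alert rules from step 5. The following is an added example, not Mimecast's or Splunk's code: the batch bytes are constructed inline (gzip of one JSON object per line) to stand in for the file that the `/api/siem/v1/batch/events` pointer references, field names follow the sample BEC event above, and the `sandboxResult` field on attachment events is the one named in step 5.

```python
"""Decompress a SIEM batch and run the alert rules from the Splunk setup steps.

Added example, not Mimecast's or Splunk's code. make_demo_batch() builds a
constructed gzip bundle of newline-delimited JSON events; in production the
bytes come from the file the batch pointer references.
"""
import gzip
import json


def parse_batch(blob: bytes) -> list:
    """Decompress a batch and return its events (one JSON object per line)."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# (alert name, predicate) pairs mirroring the three rules in step 5.
ALERT_RULES = [
    ("BEC attempt", lambda e: e.get("RejCode") == "TT0004"),
    ("Malicious attachment", lambda e: e.get("sandboxResult") == "Malicious"),
    ("DLP trigger", lambda e: e.get("RejType") == "ContentExamination"),
]


def evaluate(events):
    """Return (alert name, event) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, matches in ALERT_RULES:
            if matches(event):
                hits.append((name, event))
    return hits


def summarize(hits) -> dict:
    """Count hits per alert name, the shape a dashboard tile or Splunk stats call would want."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


def make_demo_batch() -> bytes:
    """Constructed batch: one BEC block, one sandbox verdict, one DLP hold, one clean receipt."""
    events = [
        {"datetime": "2026-03-22T11:42:18+0000", "acc": "KTC-Demo-Org", "Sender": "m.johnson@acme-corp.co",
         "Recipient": "finance@ktc-demo.com", "Dir": "Inbound", "Act": "Blk", "RejType": "Impersonation",
         "RejCode": "TT0004", "Definition": "BEC High Risk", "Subtype": "BEC"},
        {"datetime": "2026-03-22T11:43:02+0000", "acc": "KTC-Demo-Org", "Sender": "billing@invoices-pro.net",
         "Recipient": "ap@ktc-demo.com", "Dir": "Inbound", "Act": "Hld", "RejCode": "TT0002",
         "sandboxResult": "Malicious"},
        {"datetime": "2026-03-22T11:44:10+0000", "acc": "KTC-Demo-Org", "Sender": "hr@ktc-demo.com",
         "Recipient": "payroll@example.net", "Dir": "Outbound", "Act": "Hld",
         "RejType": "ContentExamination", "Definition": "DLP - PII Outbound Scan"},
        {"datetime": "2026-03-22T11:45:00+0000", "acc": "KTC-Demo-Org", "Sender": "news@example.org",
         "Recipient": "j.smith@ktc-demo.com", "Dir": "Inbound", "Act": "Acc"},
    ]
    return gzip.compress("\n".join(json.dumps(e) for e in events).encode("utf-8"))


if __name__ == "__main__":
    hits = evaluate(parse_batch(make_demo_batch()))
    for name, event in hits:
        print(f"{name}: {event['Sender']} -> {event['Recipient']}")
    print(summarize(hits))
```

Each rule is a predicate over one event, so adding a fourth (for example on `RejCode=TT0003` for typosquats, per the RejCode glossary entry) is a one-line change; the clean receipt event in the sample batch shows that unmatched traffic is simply passed through for indexing.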

Mimecast policies define what happens to messages matching specific criteria. Policies are ordered and evaluated top-down — the first matching policy wins. The Operations Center exposes six active gateway policies and allows toggling and editing via the policy management panel.

| Policy Name | Action | Scope | Entries | Priority |
|---|---|---|---|---|
| Block — Known Malicious Senders | BLOCK | All inbound | 4,218 entries | 1 |
| Quarantine — Suspicious Attachments | QUARANTINE | Inbound · .xlsm .docm .exe .vbs .ps1 | | 2 |
| Anti-Spoofing SPF Strict | REJECT | All inbound · SPF fail | | 3 |
| Tag — External Sender Warning | TAG | All external inbound | | 4 |
| DLP — PII Outbound Scan | HOLD | Outbound · SSN / CC / PHI | | 5 |
| Allow — Microsoft 365 Relay | ALLOW | Outbound · IP whitelist (8 IPs) | 8 IPs | 6 |
Policy Toggle Behavior

The toggle switch on each policy row calls PUT /api/policy/{id}/enable or PUT /api/policy/{id}/disable and syncs the change across all 13,241 endpoints within ~60 seconds. In demo mode, toggling shows the state change and fires a toast confirmation. Note:

  • Disabling SPF Strict in production will immediately allow spoofed mail to reach inboxes. Never disable without a maintenance window and change record.
  • Disabling the M365 Relay Allow policy will block all outbound mail. Ensure this is your last resort during incident response.
  • The Blocked Senders list is managed via API. The Operations Center allows additions via the Block Domain buttons in URL Protect, Attachment Protect, and Impersonation views.
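To make the top-down, first-match evaluation and the effect of the toggles concrete, the following is an added example, not Mimecast's policy engine. It encodes the six policies from the table above as ordered predicates; the message shape, the blocked-sender entries, the relay IP addresses (RFC 5737 documentation range) and the PII markers are constructed for the demo, and a `disabled` set models the toggle switch.

```python
"""First-match evaluation over the six gateway policies listed above.

Added example, not Mimecast's policy engine. Policy names are written with a
plain hyphen; BLOCKED_SENDERS, M365_RELAY_IPS and PII_MARKERS are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    direction: str                 # "inbound" or "outbound"
    sender_domain: str
    sender_ip: str = ""
    spf_pass: bool = True
    attachments: list = field(default_factory=list)
    body: str = ""
    external: bool = True          # False for mail between internal users


BLOCKED_SENDERS = {"invoices-pro.net", "login-secure-bank.xyz"}   # constructed entries
M365_RELAY_IPS = {"203.0.113.10", "203.0.113.11"}                # constructed, RFC 5737 range
RISKY_EXTENSIONS = (".xlsm", ".docm", ".exe", ".vbs", ".ps1")
PII_MARKERS = ("ssn", "credit card", "phi")                       # constructed, crude stand-in for the DLP lexicon


def looks_like_pii(body: str) -> bool:
    text = body.lower()
    return any(marker in text for marker in PII_MARKERS)


# (priority, name, action, predicate), in the order the Policies table lists them.
POLICIES = [
    (1, "Block - Known Malicious Senders", "BLOCK",
     lambda m: m.direction == "inbound" and m.sender_domain.lower() in BLOCKED_SENDERS),
    (2, "Quarantine - Suspicious Attachments", "QUARANTINE",
     lambda m: m.direction == "inbound" and any(a.lower().endswith(RISKY_EXTENSIONS) for a in m.attachments)),
    (3, "Anti-Spoofing SPF Strict", "REJECT",
     lambda m: m.direction == "inbound" and not m.spf_pass),
    (4, "Tag - External Sender Warning", "TAG",
     lambda m: m.direction == "inbound" and m.external),
    (5, "DLP - PII Outbound Scan", "HOLD",
     lambda m: m.direction == "outbound" and looks_like_pii(m.body)),
    (6, "Allow - Microsoft 365 Relay", "ALLOW",
     lambda m: m.direction == "outbound" and m.sender_ip in M365_RELAY_IPS),
]


def evaluate(message: Message, policies=POLICIES, disabled=frozenset()):
    """Return (priority, name, action) of the first enabled matching policy, or None."""
    for priority, name, action, matches in policies:
        if name in disabled:
            continue          # a toggled-off policy is skipped, so later rows get a chance
        if matches(message):
            return priority, name, action
    return None


if __name__ == "__main__":
    spoofed = Message("inbound", "partner.example", spf_pass=False)
    print("SPF Strict on :", evaluate(spoofed))
    print("SPF Strict off:", evaluate(spoofed, disabled={"Anti-Spoofing SPF Strict"}))
    print("Relay mail    :", evaluate(Message("outbound", "ktc-demo.com", sender_ip="203.0.113.10")))
```

Two consequences of first-match ordering show up directly: a message from a blocked sender carrying a `.xlsm` attachment is blocked at priority 1 and never reaches the quarantine rule, and an SPF-failing message drops through to the external-sender tag (delivered) as soon as SPF Strict is disabled, which is the situation the first bullet above warns about.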
Adding a New Policy (Operations Center)
1. Click "+ New Policy" in the Policies view header: Opens the New Policy modal with fields for name, action, scope, and conditions.
2. Define the Policy Name and Action: Select Block, Quarantine, Tag, Allow, or Hold. Name should follow the convention: Action — Description.
3. Set the Scope and Conditions: Define whether the policy applies to All inbound, Outbound, specific directory groups, or specific file extensions.
4. Click "Create Policy": Fires POST /api/policy/blockedsenders or the relevant endpoint. Policy syncs to all 13,241 endpoints.

Mimecast directory groups allow policies to be applied to specific sets of users rather than the entire tenant. Groups are synchronized from Azure AD (primary) and LDAP. The sync runs at 06:00 UTC daily and can be forced via the Operations Center or API.

Sync Sources
  • Azure AD Sync: Uses the Mimecast Azure AD connector (service principal). Syncs user UPNs, group memberships, and manager relationships. Required for BEC policies targeting Executive and Finance groups.
  • LDAP Sync: On-premises Active Directory sync via LDAP over port 636 (LDAPS). Used for the All Staff group (8,241 users) where AD is the authoritative source.
  • API Managed: Groups like the Blocked Senders List are maintained entirely via API calls. No directory sync — entries are added programmatically on threat detection events.
Force Sync (Operations Center)

The "Force AD Sync" button in the Directory view calls POST /api/directory/find-groups followed by a sync trigger. At 13,241 endpoints, expect a 3–5 minute sync cycle. The last sync timestamp updates on completion.

Sync Lag Risk: When an employee is terminated, their Mimecast policies remain active until the next sync cycle (up to 24 hours). For immediate access removal, manually delete the user via Mimecast Admin Console or call DELETE /api/user/{id} directly. Do not rely on the scheduled sync for terminations.
POST · /api/directory/find-groups
{
  "meta": {"pagination": {"pageSize": 25}},
  "data": [{"source": "cloud"}]
}
// Response
{
  "data": [
    {"id": "grp_exec", "description": "Executive Leadership", "userCount": 52},
    {"id": "grp_finance", "description": "Finance Department", "userCount": 128},
    {"id": "grp_all", "description": "All Staff", "userCount": 8241}
  ]
}

Mimecast Awareness Training is a built-in phishing simulation and security education platform. It runs campaigns against your real user base, tracks click-through rates, and calculates a per-user SAFE Score (Security Awareness Fitness Evaluation).

SAFE Score

The SAFE Score is a 0–100 composite score per user based on phishing simulation behavior, training completion, and historical click rates. Lower scores = higher risk. The Operations Center displays the org-wide average (74 for KTC-Demo-Org) and surfaces the top 5 high-risk users out of 38.

  • Org-Wide SAFE Score: 74 / 100 (▲ +4 this month)
  • Training Pending: 842 users overdue · 8,241 total
  • High Risk Users: 38 (SAFE score < 40)
Phishing Campaigns

The Operations Center displays active and completed campaigns with sent/clicked/reported rates. Click rates tell the real story — not just whether users clicked, but whether they reported. A 5.8% click rate with 38% report rate (IT Help Desk Spoof) is significantly better than 11.5% click / 26% report (CEO Fraud Sim).

| Campaign | Sent | Clicked | Click Rate | Reported | Status |
|---|---|---|---|---|---|
| Q1 2026 — CEO Fraud Sim | 8,241 | 948 | 11.5% | 2,194 | ACTIVE |
| IT Help Desk Spoof | 8,241 | 478 | 5.8% | 3,181 | ACTIVE |
| PayPal Invoice Phish | 8,241 | 214 | 2.6% | 5,097 | COMPLETE |
Assign Training (Operations Center)

In the High Risk Users watchlist, clicking "Assign Training" fires POST /api/awareness-training/assign-module for that user and sends an email notification. The user's SAFE score recalculates within 24–48 hours of course completion.

Link Awareness Training to HR Policy: For CMMC and HIPAA compliance, awareness training completion must be tracked as a control. Set up a Mimecast API export to push SAFE scores and completion records to your GRC tool monthly. The Operations Center SIEM export covers training events in the awareness log type.

The Mimecast API 2.0 is a REST API hosted at https://us-api.services.mimecast.com (US region). It uses OAuth 2.0 Client Credentials flow. All requests require a short-lived Bearer token obtained by exchanging your Client ID and Secret.

Authentication Flow
1. Create an API Application: Mimecast Admin Console → Administration → Services → API and Platform Integrations → Add Application. Assign the required API permissions (read-only for monitoring, read-write for automation).
2. Obtain Client ID and Secret: After saving the application, copy the Client ID and Client Secret. The secret is shown once. Store it in Azure Key Vault or your secrets manager immediately.
3. Request an Access Token: POST to /oauth/token with your credentials. Returns a Bearer token valid for 30 minutes.
4. Authenticate API Requests: Include the token in all subsequent requests as Authorization: Bearer {token}.
OAuth 2.0 Token Request
# POST /oauth/token
curl -X POST https://us-api.services.mimecast.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "grant_type=client_credentials"

# Response
{
  "access_token": "eyJhbGciOiJSUzI1NiJ9...",
  "token_type": "Bearer",
  "expires_in": 1800
}
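An automation client should not request a new token on every call, nor keep using one until it fails with 401. The following is an added example, not Mimecast's SDK: it wraps the `/oauth/token` exchange shown above in a small cache that refreshes 5 minutes before `expires_in` elapses (the interval the troubleshooting notes recommend). The HTTP call and the clock are injected so the refresh logic can be exercised without a network; `real_token_request` is the only part that talks to the endpoint.

```python
"""Client-credentials token cache with early refresh for the Mimecast API 2.0.

Added example, not Mimecast's SDK. The token endpoint and form fields are the
ones shown in the curl request above; REFRESH_MARGIN is a design choice.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://us-api.services.mimecast.com/oauth/token"
REFRESH_MARGIN = 300   # seconds before expiry at which a new token is fetched


def real_token_request(client_id: str, client_secret: str) -> dict:
    """POST the client-credentials form and return the parsed JSON body.
    Never log the arguments or the response: both contain secrets."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode("utf-8")
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Hands out 'Bearer ...' values, re-fetching before the cached token expires."""

    def __init__(self, client_id, client_secret, request=real_token_request, clock=time.time):
        self._id = client_id
        self._secret = client_secret
        self._request = request       # injectable for tests
        self._clock = clock           # injectable for tests
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0          # how many times the endpoint was actually called

    def needs_refresh(self) -> bool:
        return self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN

    def bearer(self) -> str:
        if self.needs_refresh():
            resp = self._request(self._id, self._secret)
            self._token = resp["access_token"]
            self._expires_at = self._clock() + int(resp["expires_in"])
            self.fetch_count += 1
        return f"Bearer {self._token}"

    def auth_header(self) -> dict:
        """Header dict to merge into every API request."""
        return {"Authorization": self.bearer()}


if __name__ == "__main__":
    # Constructed stand-in for the endpoint so the demo runs offline.
    fake = lambda cid, sec: {"access_token": "demo-token", "token_type": "Bearer", "expires_in": 1800}
    cache = TokenCache("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", request=fake)
    print(cache.auth_header())
```

With the real request function, `cache.auth_header()` is all a SIEM puller or quarantine script needs to merge into each call; the credentials themselves should be read from the secrets manager named in step 2 rather than embedded in the script.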
API Regions
  • US (Primary): https://us-api.services.mimecast.com — Used by KTC-Demo-Org. All API calls in the Operations Center use this base URL.
  • EU: https://eu-api.services.mimecast.com — GDPR-resident tenants. Data does not leave the EU region.
  • DE: https://de-api.services.mimecast.com — Germany-resident (DSGVO). Required for certain German public sector customers.
  • AU / ZA / CA: Australia, South Africa, Canada regional endpoints. Same API surface; data residency varies.
| Method | Endpoint | Description | Dashboard View |
|---|---|---|---|
| GET | /api/ttp/url/get-logs | URL Protect click events and blocks | URL Protect |
| GET | /api/ttp/attachment/get-logs | Sandbox verdicts and file hashes | Attachment Protect |
| GET | /api/ttp/impersonation/get-logs | BEC, CEO fraud, typosquat events | Impersonation Protect |
| POST | /api/siem/v1/batch/events | SIEM log batch download pointer | SIEM Logs |
| POST | /api/message/get-hold-message-list | List quarantine / held messages | Quarantine |
| POST | /api/message/release-held-message | Release a quarantined message | Quarantine (Release) |
| POST | /api/message/reject-held-message | Purge / delete a held message | Quarantine (Purge) |
| GET | /api/stats/gateway | Gateway throughput and disposition stats | Gateway Stats |
| POST | /api/directory/find-groups | List directory groups | Directory Groups |
| POST | /api/directory/get-group-members | Members of a specific group | Directory Groups |
| GET | /api/policy/blockedsenders | List blocked sender policies | Policies |
| POST | /api/policy/blockedsenders/create | Add domain/sender to block list | Block Domain action |
| POST | /api/awareness-training/get-safe-score-summary | Org and per-user SAFE scores | Awareness Training |
| POST | /api/awareness-training/get-campaigns | Active and completed campaigns | Awareness Training |

Mimecast enforces per-endpoint rate limits on all API calls. At KTC-Demo-Org scale (13,241 endpoints), the SIEM batch and quarantine endpoints are the most frequently constrained. The API Status view shows current usage against limits in real time.

| Endpoint | Quota | Typical Usage | Status | Notes |
|---|---|---|---|---|
| /api/ttp/url/get-logs | 100/min | ~57/min | MODERATE | High during business hours |
| /api/ttp/impersonation/get-logs | 100/min | ~43/min | OK | Peaks during exec email cycles |
| /api/siem/v1/batch/events | 10/min | ~3/min | OK | Pull every 5 min max recommended |
| /api/message/get-hold-message-list | 50/min | ~38/min | MODERATE | Higher during spam wave events |
| /api/awareness-training/* | 20/min | ~4/min | OK | Low-frequency reporting calls |
| /api/stats/gateway | 60/min | ~12/min | OK | Dashboard refresh polling |
Rate Limit Error Handling: HTTP 429 responses include a Retry-After header. All automation scripts must implement exponential backoff. The Operations Center API Explorer displays 429 status in red and halts the demo call. In production integrations, never retry immediately on 429.
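The backoff requirement above is easy to state and easy to get wrong (retrying immediately, ignoring Retry-After, or retrying forever). The following is an added example, not Mimecast's SDK: a retry wrapper that waits the larger of Retry-After and an exponential delay, adds jitter, caps the wait, and gives up after a fixed number of attempts. The request function, the sleep function and the jitter source are injected so the policy can be tested without a network; `Response` and `make_scripted_sender` are constructed stand-ins for a real HTTP client.

```python
"""Exponential backoff honouring Retry-After for HTTP 429 responses.

Added example, not Mimecast's SDK. Response and make_scripted_sender are
constructed stand-ins for an HTTP client; only the header name Retry-After
comes from the rate-limit note above.
"""
import random
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class RateLimited(Exception):
    """Raised when every attempt came back 429."""


def call_with_backoff(send, *, max_attempts=5, base_delay=1.0, cap=60.0,
                      sleep=time.sleep, rng=random.random):
    """Call send() until it returns a non-429 response or attempts run out.

    The wait after attempt n is max(Retry-After, base_delay * 2**n), plus up to 25%
    jitter so parallel pullers do not wake in lock-step, capped at `cap` seconds.
    Returns (response, waits) so the caller can log the delays actually taken.
    """
    waits = []
    for attempt in range(max_attempts):
        resp = send()
        if resp.status != 429:
            return resp, waits
        try:
            retry_after = float(resp.headers.get("Retry-After", 0) or 0)
        except ValueError:
            retry_after = 0.0          # an HTTP-date Retry-After is treated as "no hint" here
        delay = min(cap, max(retry_after, base_delay * (2 ** attempt)))
        delay += delay * 0.25 * rng()
        waits.append(delay)
        sleep(delay)
    raise RateLimited(f"still 429 after {max_attempts} attempts; waits={waits}")


def make_scripted_sender(statuses, retry_after=None):
    """Constructed stand-in for an HTTP call: returns the scripted status codes in order."""
    it = iter(statuses)

    def send():
        status = next(it)
        if status == 429:
            headers = {"Retry-After": str(retry_after)} if retry_after is not None else {}
            return Response(429, headers)
        return Response(status, {}, "{}")

    return send


if __name__ == "__main__":
    sender = make_scripted_sender([429, 429, 200], retry_after=7)
    resp, waits = call_with_backoff(sender, sleep=lambda s: None)
    print(resp.status, [round(w, 2) for w in waits])
```

In a SIEM puller the `send` argument would be a closure that performs the real POST to `/api/siem/v1/batch/events` with the Bearer header; keeping the retry policy separate from the transport is what makes it testable and reusable across the quarantine and TTP endpoints listed above.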
  • BEC: Business Email Compromise. Attack type where an adversary impersonates an executive or trusted authority to initiate fraudulent wire transfers, payroll diversions, or data theft. Highest financial impact email threat type.
  • TTP: Targeted Threat Protection. Mimecast's premium module suite covering URL Protect, Attachment Protect, and Impersonation Protect. Requires the TTP license add-on.
  • SAFE Score: Security Awareness Fitness Evaluation. 0–100 score per user based on phishing simulation behavior and training completion. Below 40 = high risk. Used to target remediation training.
  • Sandbox Detonation: Attachment is opened and executed in an isolated cloud VM. Behavioral analysis determines malice. Pre-emptive detonation occurs before delivery.
  • URL Rewriting: All URLs in inbound messages are replaced with Mimecast proxy URLs (url.us.m.mimecastprotect.com). The proxy evaluates the click in real time.
  • Hold / Quarantine: Messages staged pending review. Accessible via /api/message/get-hold-message-list. Not yet delivered or deleted — can be released or purged.
  • SPF: Sender Policy Framework. DNS TXT record listing the IP addresses authorized to send mail on behalf of a domain. SPF fail = sender not authorized.
  • DKIM: DomainKeys Identified Mail. Cryptographic signature proving the message body and signed headers were not modified in transit.
  • DMARC: Domain-based Message Authentication, Reporting & Conformance. Policy layer built on SPF and DKIM. Specifies what to do with messages that fail authentication (none, quarantine, reject).
  • Typosquat: A domain that visually resembles a legitimate domain by substituting characters (e.g. microsofft.com, rn instead of m). Used to trick users into trusting malicious senders.
  • DLP: Data Loss Prevention. Policy engine scanning outbound mail for patterns matching sensitive data (SSN, credit card numbers, PHI). Matches trigger hold or encrypt actions.
  • SIEM: Security Information and Event Management. Platform (Splunk, Sentinel) that aggregates and correlates log data. Mimecast feeds events via the SIEM batch API.
  • RejCode: Mimecast internal rejection code in SIEM events. TT0001=URL, TT0002=Attachment, TT0003=Typosquat, TT0004=BEC/Impersonation.
Common Issues
  • Legitimate email going to quarantine: Check the hold reason. If SUSPICIOUS or POLICY, review the sender domain against the blocked list. If recurring, add to a permitted senders policy scoped to the affected recipient group. Do not disable the quarantine policy globally.
  • SIEM not receiving events: Verify the token is not expired (30-min TTL). Check the SIEM batch queue — a failed prior call may have advanced the cursor. Run a manual pull via API Explorer and inspect the response. Check network egress rules to us-api.services.mimecast.com:443.
  • Outbound mail not DKIM-signed: The M365 outbound connector is likely bypassing Mimecast. Verify the connector condition includes all mailboxes and that the connector is set to route through Mimecast relay IPs only.
  • URL rewriting breaking links: Some applications embed Mimecast-wrapped URLs in webhooks or API callbacks. Add these senders or domains to a URL bypass policy scoped to the specific application mailbox. Never disable URL Protect globally.
  • API returning 401 Unauthorized: Token expired. Tokens are valid for 1,800 seconds (30 min). Re-request from /oauth/token. In production, implement automatic token refresh 5 minutes before expiry.
  • Directory sync not updating groups: Verify the Azure AD connector service principal has Group.Read.All and User.Read.All permissions. Check Mimecast connector status in the admin console. Force a manual sync via the Operations Center and watch for error events in the SIEM awareness log.
Operations Center Demo Behavior
  • All Release and Purge actions animate the quarantine row out and decrement the sidebar badge — no API call is made in demo mode.
  • Block Domain buttons fire a toast notification and simulate adding to the blocked senders list. The blocked entry count is not persisted between sessions.
  • The API Explorer returns mock responses. Selecting a template + clicking RUN always returns 200 OK with realistic demo data scoped to 13,241 endpoints.
  • Live counters drift upward every 5 seconds to simulate real-world mail volume. Refresh All resets counters to new random baselines.
  • The auth token TTL counts down from 28 minutes and fires a warning toast at 0. In production, this represents a real OAuth token expiry — implement auto-refresh.

Mimecast contributes to multiple compliance frameworks through its gateway, archiving, and training capabilities. The Operations Center surfaces the evidence artifacts most relevant to common audit requirements.

| Framework | Control | Mimecast Evidence | Operations Center Source |
|---|---|---|---|
| CMMC L2 | SI.L2-3.14.1 — Flaw Remediation | Malware block logs, sandboxing records | Attachment Protect · SIEM batch |
| CMMC L2 | AT.L2-3.2.2 — Role-based Training | SAFE Score, campaign completion rates | Awareness Training |
| HIPAA | §164.312(a)(1) — Access Controls | DLP quarantine records for PHI | Quarantine · SIEM process logs |
| HIPAA | §164.308(a)(5) — Security Training | Phishing sim completion, SAFE Score | Awareness Training · API export |
| PCI DSS | Req 5.3 — Anti-Malware | Gateway AV stats, sandbox verdicts | Gateway Stats · Attachment Protect |
| PCI DSS | Req 6.3.3 — Phishing Protection | URL Protect blocks, impersonation logs | URL Protect · Impersonation |
| NIST CSF | DE.CM-3 — Personnel Monitoring | BEC alerts, DLP violations, click events | Threat Events · SIEM batch |
| NIST CSF | PR.AT-1 — User Awareness | Awareness training records | Awareness Training |
| SOC 2 | CC6.6 — Transmission of Data | DLP outbound controls, DKIM/DMARC enforcement | Policies · Gateway Stats |
Automate Evidence Collection: Use the SIEM batch API to export monthly evidence bundles directly to your GRC tool. Schedule POST /api/siem/v1/batch/events on the last day of each month with log_types: ["ttp","impersonation","av","process"]. This eliminates manual screenshot collection at audit time and is timestamped by Mimecast's infrastructure.