Skip to main content
Skip table of contents

Mimecast

LAST UPDATED: 05/30/2024

Overview

Mimecast Limited is a Jersey-domiciled, UK-headquartered company specializing in cloud-based email management for Microsoft Exchange and Microsoft Office 365, including security, archiving, and continuity services to protect business mail.

D3 SOAR is providing REST operations to function with Mimecast.

Mimecast is available for use in:

D3 SOAR

V14.0.145.0+

Category

Email Security

Deployment Options

Option I, Option II, Option III, Option IV

Known Limitations

The Mimecast API enforces call rate limiting among other protective measures to ensure fair usage. These include max entry counts, historical date restrictions, and max request item counts per call, all detailed under respective endpoint descriptions.

If an API endpoint starts impacting the platform negatively, additional limits may be set.

Upon sending a request to the API, users are given a call quota to monitor subsequent requests. Once the quota is exceeded, requests fail until the quota drops below the max count. A reset mechanism replenishes the call quota at defined intervals. HTTP headers in each response indicate rate limiting status, showing the user's call quota, remaining calls, and the reset time in milliseconds.

Normally, the API returns a 200 response code, but a 429 code is returned if the rate limit is breached, suggesting a pause before sending further requests as indicated by the X-RateLimit-Reset header.

Please refer to API Call Restrictions | Mimecast for more information.

Connection

To connect to Mimecast from D3 SOAR, please follow this part to collect the required information below:

Parameter

Description

Example

Region

The global region of your Mimecast environment.

US

Application ID

The application ID to authenticate the API connection.

*****

Application Key

The application key to authenticate the API connection.

*****

Access Key

The access key to authenticate the API connection.

*****

Secret Key

The secret key to authenticate the API connection.

*****

Permission Requirements

Each endpoint in the Mimecast API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Permission

API Reference

Add Group Member

Mimecast Admin: Directories | Groups | Edit

Add Group Member | Mimecast

Create Group

Mimecast Admin: Directories | Groups | Edit

Create Group | Mimecast

Create Managed URL

Mimecast Admin: Services | URL Protection | Edit

Create Managed URL | Mimecast

Create Policy

Mimecast Admin: Gateway | Policies | Edit

Create Policy | Mimecast

Create Remediation Incident

Mimecast Admin: Services | Threat Remediation | Edit +Archive | Search Content View

Create Remediation Incident | Mimecast

Get Message Detail | Mimecast

Decode URL

Mimecast Admin: Account | Dashboard | Read

Decode URL | Mimecast

Fetch Event

Mimecast Admin: Archive | Search | Read + Gateway | Tracking | Read + Archive | Search Content View

Get Message List | Mimecast

Search | Mimecast

Get Message Info | Mimecast

Fetch Related Events

Mimecast Admin: Archive | Search | Read + Gateway | Tracking | Read + Archive | Search Content View

Get Message List | Mimecast

Search | Mimecast

Get Message Info | Mimecast

Get Files

Mimecast Admin: Gateway | Tracking | Read

Get File | Mimecast

Get Group Members

Mimecast Admin: Directories | Groups | Read

Get Group Members | Mimecast

Get Groups

Mimecast Admin: Directories | Groups | Edit

Find Groups | Mimecast

Get Hold Message List

Mimecast Admin: Account | Dashboard | Read

Get Hold Message List | Mimecast

Get Managed URL

Mimecast Admin: Services | URL Protection | Edit

Get Managed URL | Mimecast

Get Message Attachment

Mimecast Admin: Archive | Search Content View.

Note: No admin permissions required for user's own messages or if they have delegate permission.

Get File Attachment | Mimecast

Get Message Detail | Mimecast

Get Message Detail

Mimecast Admin: Archive | Search Content View.

Note: No admin permissions required for user's own messages or if they have delegate permission.

Get Message Detail | Mimecast

Get Message List

Mimecast Admin: Archive | Search | Read.

Note: No admin permissions required for user's own messages or if they have delegate permission.

Get Message List | Mimecast

Get Policy

Mimecast Admin: Gateway | Policies | Read

Get Message Detail | Mimecast

Get Remediation Incident

Mimecast Admin: Archive | Services | Threat Remediation | Edit | Search Content View

Get Remediation Incident | Mimecast

Get TTP Attachment Log

Mimecast Admin: Monitoring | Attachment Protection | Read

Get TTP Attachment Protection Logs | Mimecast

Get URL Logs

Mimecast Admin: Monitoring | URL Protection | Read

Get TTP URL Logs | Mimecast

Permit Or Block Sender

Mimecast Admin: Gateway | Managed Senders | Edit

Permit or Block Sender | Mimecast

Release Message

Mimecast Admin: Account | Monitoring | Held | Edit

Release Message | Mimecast

Remove Group Member

Mimecast Admin: Directories | Groups | Edit

Remove Group Member | Mimecast

Search File Hash

Mimecast Admin: Services | Threat Remediation | Read

Search File Hash | Mimecast

Test Connection

Mimecast Admin: Monitoring | Attachment Protection | Read

Get TTP Attachment Protection Logs | Mimecast

Update Group

Mimecast Admin: Directories | Groups | Edit

Update Group | Mimecast

Configuring Mimecast to Work with D3 SOAR

Setting Up an API Application in Mimecast

  1. Log in to the Mimecast Administration Console (https://login-<region code>.mimecast.com/admin#/administration-dashboard).

  2. From the side menu, navigate to Services > API and Platform Integrations.

  1. From the Available Integrations tab, locate the Mimecast API 1.0 tile. Click Generate Keys.

  1. Complete the Application Details section. Select SOAR Integration for the category. It is also recommended to select the Enable Extended Session checkbox. This ensures the access key used to interface with D3 SOAR will not expire. When you are done, click Next.

  1. Complete the Notification Settings section. When you are done, click Next.

  1. Review the Summary page to ensure all details are correct. To fix any errors:

a. Click the Edit link next to the Details or Settings to return to the relevant page.

b. Make changes and click the Next button to proceed to the Summary page again.

  1. Click Add. The application's details are displayed in a slide-in panel. Copy and save the Application ID and Key in a secure location. It will be required for creating the integration connection in D3 SOAR.

Creating a Custom Role and Assigning it to a User

  1. Log in to the Mimecast Administration Console (https://login-<region code>.mimecast.com/admin#/administration-dashboard).

  2. From the side menu, navigate to Account > Roles.

  1. Click New Role.

  1. Input a Role Name and Description. Select the appropriate Security Permissions for the role. Under Application Permissions, check boxes for required roles. Refer to Permission Requirements for a list of required permissions for each command. Once you are done, click Save and Exit.

  1. To add an account to the role, select the created role from the list of roles.

  1. Click Add User to Role. You will see a list of current users. Select the user(s) you wish to assign the new role to and then click Add Selected Users. For more information on user management, refer to Email Security Cloud Gateway - Creating or Editing Users.

Generating Access and Secret Keys

  1. Log in to the Mimecast Administration Console (https://login-<region code>.mimecast.com/admin#/administration-dashboard).

  2. From the side menu, navigate to Services > API and Platform Integrations > Your API 1.0 Applications. Select your created API application. Click Create Keys.

  1. Input an existing user account's email address. The access and secret keys will inherit the role permissions of the user account.

READER NOTE

Be prepared with the service account's domain or cloud password for upcoming steps.

  1. In the Authentication dialog, provide the following details:

  • Email Address: This should display the email of the service account you entered earlier.

  • Type: Choose the password type of the service account (e.g., domain or cloud).

  • Password: Input the service account's password.

  1. Click Next. This will bring you to the Verification stage. Copy and save the Access and Secret Keys in a secure location. It will be required for creating the integration connection in D3 SOAR.

READER NOTE

If you have configured a 2-step authentication method, an authentication code will be sent to you either via SMS or email. Ensure you enter this code within 15 minutes.

  1. Click Close to complete the process.

Configuring D3 SOAR to Work with Mimecast

  1. Log in to D3 SOAR.

  2. Find the Mimecast integration.

a. Navigate to Configuration on the top header menu.

b. Click on the Integration icon on the left sidebar.

c. Type Mimecast in the search box to find the integration, then click it to select it.

d. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  1. Configure the following fields to create a connection to Mimecast.

a. Connection Name: The desired name for the connection.

b. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

c. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

d. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

e. Description (Optional): Add your desired description for the connection.

f. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

g. Configure User Permissions: Defines which users have access to the connection.

h. Active: Check the tick box to ensure the connection is available for use.

i. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

1. Select the region of your Mimecast region. To identify your Mimecast region, log into your Mimecast account using your credentials. Upon successful login, look at the address bar of your web browser to view the URL. This URL will typically follow a pattern like https://login-xx.mimecast.com/..., where "xx" stands for the region code.

2. Input your Application ID. Refer to step 7 of Setting Up an API Application in Mimecast for more information.

3. Input your Application Key. Refer to step 7 of Setting Up an API Application in Mimecast for more information.

4. Input your Access Key. Refer to step 5 of Generating Access and Secret Keys for more information.

5. Input your Secret Key. Refer to step 5 of Generating Access and Secret Keys for more information.

j. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

k. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.

To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  1. Test the connection.

a. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

b. Click OK to close the alert window.

c. Click + Add to create and add the configured connection.

Commands

Mimecast includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Mimecast API, please refer to the Mimecast API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Mimecast to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  1. Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Add Group Member

Adds user email addresses to a profile group.

READER NOTE

  • Group ID is a required parameter to run this command.

    • Run the Get Groups command to obtain Group ID. Group IDs can be found in the returned raw data at the path $.data[*].folders[*].id.

  • The same user cannot be added to the same group.

Input

Input Parameter

Required/Optional

Description

Example

Email Address

Required

The email addresses of users to add to a group.

["***@*****.***"]

Group ID

Required

The Mimecast ID of the group to add to. Group IDs can be obtained using the Get Groups command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "meta": {
            "status": 200
        },
        "data": [
            {
                "id": "*****-*****",
                "folderId": "*****",
                "emailAddress": "*****@*****.com",
                "internal": true
            }
        ],
        "fail": []
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path the $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****-*****",
        "folderId": "*****",
        "emailAddress": "*****@*****.com",
        "internal": true
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Id": ["*****-*****"],
    "FolderId": ["*****"],
    "EmailAddress": ["*****@*****.com"]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

folderId

emailAddress

internal

*****-*****

*****

*****@*****.com

True

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Group Member failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: err_folder_group_member_already_exists.

Error Sample Data

Add Group Member failed.

Status Code: 400.

Message: err_folder_group_member_already_exists.

Create Group

Creates new profile groups at the root level, or as a child-group. Groups can be used to apply permissions and policies.

READER NOTE

Parent ID is an optional parameter to run this command.

  • Run the Get Groups command to obtain a Parent ID. Parent IDs can be found in the returned raw data at the path $.data[*].folders[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Group Name

Required

The name of the new group.

*****

Parent ID

Optional

The Mimecast ID of the new group's parent group. If excluded, the new group will be created at the root level. Parent ID can be found from the Get Groups command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200
    },
    "data": [
        {
            "id": "*****",
            "description": "*****",
            "source": "cloud",
            "parentId": "*****",
            "userCount": 0,
            "folderCount": 0
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "description": "*****",
        "source": "cloud",
        "parentId": "*****",
        "userCount": 0,
        "folderCount": 0
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "GroupName": ["*****"],
    "GroupSource": ["cloud"],
    "GroupId": ["*****"],
    "UserCount": [0],
    "ParentId": ["*****"],
    "FolderCount": [0]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

description

source

parentId

userCount

folderCount

*****

*****

cloud

*****

0

0

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Error occurred during group creation.

Error Sample Data

Create Group failed.

Status Code: 400.

Message: Error occurred during group creation.

Create Managed URL

Adds new managed URL entries for URL protection. The common actions are to manually block or permit a URL, however additional options include the ability to disable URL rewriting and bypassing user awareness.

Input

Input Parameter

Required/Optional

Description

Example

URL

Required

The URL to block or permit.

http://www.*****.com

Action

Required

The requested action to be taken. The action can be set to either “block” or “permit”.

permit

Match Type

Required

The match type of the action. The match type can be set to “explicit” to block or permit the specific URL or “domain” to block or permit the entire domain.

domain

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200
    },
    "data": [
        {
            "id": "*****",
            "scheme": "http",
            "domain": "www.*****.com",
            "port": -1,
            "path": "",
            "queryString": "",
            "matchType": "domain",
            "action": "permit",
            "comment": "",
            "disableUserAwareness": false,
            "disableRewrite": false,
            "disableLogClick": false
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "scheme": "http",
        "domain": "www.*****.com",
        "port": -1,
        "path": "",
        "queryString": "",
        "matchType": "domain",
        "action": "permit",
        "comment": "",
        "disableUserAwareness": false,
        "disableRewrite": false,
        "disableLogClick": false
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLid": ["*****"],
    "Domain": ["www.*****.com"],
    "Action": ["permit"],
    "DisableLogClick": [false],
    "MatchType": ["domain"],
    "DisableRewrite": [false]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

scheme

domain

port

path

queryString

matchType

action

comment

disableUserAwareness

disableRewrite

disableLogClick

*****

http

www.*****.com

-1

domain

permit

False

False

False

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Managed URL failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The URL is invalid.

Error Sample Data

Create Managed URL failed.

Status Code: 400.

Message: The URL is invalid.

Create Policy

Creates new blocked sender policies, which can be used to manage a combination of sender and recipient restrictions.

Input

Input Parameter

Required/Optional

Description

Example

Option

Required

The policy action. The available options are no_action and blcok_sender.

no_action

Description

Required

The description for the new policy.

Test Policy 1404

From Type

Required

The from type for the new policy. The available options are internal_addresses, external_addresses, email_domain, profile_group, individual_email_address, address_attribute_value, free_mail_domains, and header_display_name.

individual_email_address

From Value

Optional

A value defining which senders the policy applies to corresponds to the selected From Type. When this type is set as "individual_email_address", the policy is applied to individual email addresses. If the type is "email_domain", the policy targets the email domain. For "profile_group", the policy is relevant to group users. When set to "header_display_name", the policy impacts the display names in email headers. Lastly, if the type is "address_attribute_value", the policy pertains to the address attribute.

*****@*****.***

To Type

Required

The to type of the new policy.

individual_email_address

To Value

Optional

The to value which the policy will be applied to. Policy is applied on email address when type is set to individual_email_address. Policy is applied on email domain when type is set to email_domain Policy is applied on group users when type is set to profile_group. Policy is applied on email headers display name when type is set to header_display_name. Policy is applied on address attribute when type is set to address_attribute_value.

*****@*****.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200
    },
    "data": [
        {
            "option": "no_action",
            "id": "*****",
            "policy": {
                "description": "Test Policy 1404",
                "fromPart": "envelope_from",
                "from": {
                    "type": "everyone"
                },
                "to": {
                    "type": "everyone"
                },
                "fromType": "everyone",
                "toType": "everyone",
                "fromEternal": true,
                "toEternal": true,
                "fromDate": "1899-12-31T16:00:00-08:00",
                "toDate": "2100-01-01T15:59:59-08:00",
                "override": false,
                "bidirectional": false,
                "conditions": {},
                "enabled": true,
                "enforced": false,
                "createTime": "2021-05-26T15:50:58-07:00",
                "lastUpdated": "2021-05-26T15:50:58-07:00"
            }
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "option": "no_action",
        "id": "*****",
        "policy": {
            "description": "Test Policy 1404",
            "fromPart": "envelope_from",
            "from": {
                "type": "everyone"
            },
            "to": {
                "type": "everyone"
            },
            "fromType": "everyone",
            "toType": "everyone",
            "fromEternal": true,
            "toEternal": true,
            "fromDate": "1899-12-31T16:00:00-08:00",
            "toDate": "2100-01-01T15:59:59-08:00",
            "override": false,
            "bidirectional": false,
            "conditions": {},
            "enabled": true,
            "enforced": false,
            "createTime": "2021-05-26T15:50:58-07:00",
            "lastUpdated": "2021-05-26T15:50:58-07:00"
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PolicyId": ["*****"]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

option

id

policy

no_action

*****

{
"description": "Test Policy 1404",
"fromPart": "envelope_from",
"from": {
"type": "everyone"
},
"to": {
"type": "everyone"
},
"fromType": "everyone",
"toType": "everyone",
"fromEternal": true,
"toEternal": true,
"fromDate": "1899-12-31T16:00:00-08:00",
"toDate": "2100-01-01T15:59:59-08:00",
"override": false,
"bidirectional": false,
"conditions": {},
"enabled": true,
"enforced": false,
"createTime": "2021-05-26T15:50:58-07:00",
"lastUpdated": "2021-05-26T15:50:58-07:00"
}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Option and Description and FromType and ToType is required.

Error Sample Data

Create Policy failed.

Status Code: 400.

Message: Option and Description and FromType and ToType is required.

Create Remediation Incident

This endpoint can be used to create a remediation incident, by messageId or file hash.

READER NOTE

Message ID is a required parameter to run this command.

  • Run the Get Message List command to obtain Message ID. Message IDs can be found in the returned raw data at the path $.data[*].id.

At least one of the following parameters: Subject, Sender, Mime Message ID, File Hash, URL and Parent Incident Code, is required to run this command.

  • Run the Fetch Event command to obtain Mime Message ID. Mime Message ID can be found in the returned raw data at the path $.MessageDetail.mimeMessageId.

  • Run the Fetch Event or Search Messages command to obtain File Hash.

Input

Input Parameter

Required/Optional

Description

Example

Message ID

Required

The message ID for creating the remediation incident. Message IDs can be obtained using the Get Message List command.

["*****]

Reason

Required

The reason for creating the remediation incident.

tim1

Start Time

Required

The earliest date of the messages to remediate.

2021-04-07 00:00

End Time

Required

The latest end date of the messages to remediate.

2021-05-07 00:00

Subject

Optional

The case-insensitive string to filter incidents by subject. This string must be at least 3 characters in length. Additionally, at least one of the following parameters: Subject, Sender, Mime Message ID, File Hash, URL, and Parent Incident Code, cannot be empty at the same time.

Account

Sender

Optional

The case-insensitive string to filter incident by sender email address. This string must be at least 3 characters in length. Additionally, at least one of the following parameters: Subject, Sender, Mime Message ID, File Hash, and URL, cannot be empty at the same time.

mimecast.com

Mime Message ID

Optional

The Mime message ID to filter results. This string must be at least 3 characters in length. Additionally, at least one of the following parameters: Subject, Sender, Mime Message ID, File Hash, URL, and Parent Incident Code cannot be empty at the same time. Mime message IDs can be obtained using the Fetch Event command, where the MIME message includes a MessageDetail field.

<Mimecast.**.***@*****.mimecast.***>

File Hash

Optional

The file hash to filter results. This value should be at least 32 characters long. The parameter Subject, Sender, Mime Message ID, File Hash, URL, or Parent Incident Code cannot be empty at the same time. Mime message IDs can be obtained using the Fetch Event or Search Messages commands.

*****

URL

Optional

The URL to filter results. This value should be at least 3 characters long. The parameter Subject, Sender, Mime Message ID, File Hash, URL, or Parent Incident Code cannot be empty at the same time.

www.d3security.com

Parent Incident Code

Optional

The case-insensitive string to filter incidents by parent incident code This string must be at least 3 characters in length. Additionally, at least one of the following parameters: Subject, Sender, Mime Message ID, File Hash, URL, and Parent Incident Code, cannot be empty at the same time. The created incident will fail when the specified incident does not have at least one identified message.

TR-*****-00162-M

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200
    },
    "data": [
        {
            "code": "*****",
            "type": "manual",
            "reason": "tim1",
            "searchCriteria": {
                "start": "2021-04-06T17:00:00-07:00",
                "end": "2021-05-06T17:00:00-07:00"
            },
            "create": "2021-05-26T15:58:18-07:00",
            "modified": "2021-05-26T15:58:18-07:00",
            "remediatedBy": "*****@*****.***",
            "identified": 2,
            "successful": 0,
            "failed": 0,
            "restored": 0,
            "id": "*****"
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "code": "*****",
        "type": "manual",
        "reason": "tim1",
        "searchCriteria": {
            "start": "2021-04-06T17:00:00-07:00",
            "end": "2021-05-06T17:00:00-07:00"
        },
        "create": "2021-05-26T15:58:18-07:00",
        "modified": "2021-05-26T15:58:18-07:00",
        "remediatedBy": "*****@*****.***",
        "identified": 2,
        "successful": 0,
        "failed": 0,
        "restored": 0,
        "id": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IncidentId": ["*****"],
    "IncidentCode": ["*****"],
    "IncidentType": ["manual"],
    "IncidentReason": ["tim1"],
    "IdentifiedMessages": [2],
    "SuccessfullyRemediatedMessages": [0],
    "FailedRemediatedMessages": [0],
    "MessagesRestored": [0]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

code

type

reason

searchCriteria

create

modified

remediatedBy

identified

successful

failed

restored

id

*****

manual

tim1

{
"start": "2021-04-06T17:00:00-07:00",
"end": "2021-05-06T17:00:00-07:00"
}

5/26/2021 3:58:18 PM

5/26/2021 3:58:18 PM

*****@*****.***

2

0

0

0

*****

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Remediation Incident failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: At least one of [fileHash, messageId, messageIds, subject, parentIncidentCode, from, url] must be not null.

Error Sample Data

Create Remediation Incident failed.

Status Code: 400.

Message: At least one of [fileHash, messageId, messageIds, subject, parentIncidentCode, from, url] must be not null.

Decode URL

Decodes URLs.

Input

Input Parameter

Required/Optional

Description

Example

URL

Required

The URLs to decode.

["http://www.*****.com"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "meta": {
            "status": 200
        },
        "data": [
            {
                "url": "http://www.*****.com",
                "success": true
            }
        ],
        "fail": []
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "url": "http://www.*****.com",
        "success": true
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "DecodedUrl": ["http://www.*****.com"],
    "Success": [true]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

url

success

http://www.*****.com

True

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Decode URL failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Decode URL failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Fetch Event

Retrieve events from Mimecast.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time of the time range to fetch events, in UTC time.

2021-04-27 00:00

End Time

Required

The end time of the time range to fetch events, in UTC time.

2021-04-30 00:00

Number of Event(s) Fetched

Required

The maximum number of events to retrieve.

1

Search Archive

Optional

The option to search either archive or message tracking. The selection in this parameter will impact the query syntax that is used in the Search Condition parameter.

True

Search Conditions

Required

The search condition for querying results varies based on the state of the "Search Archive" parameter. When set to True, it allows for querying within the archive using specific parameters: view (such as INBOX), mailbox (like test1@example.com), from (for instance, test2@example.com), to (mirroring the from value), subject (targeting a specific subject line), and filename (for attachments, e.g., test.pdf). An example query in this case would be view=INBOX, mailbox=test1@example.com, from=test2@example.com, filename=test.pdf.

If "Search Archive" is set to False, the query format changes to focus on the current mailbox, using parameters like to (e.g., test1@example.com), from (e.g., test2@example.com), subject (a specific subject line), and senderIP (such as ***.***.***.***). An example query here would be to=test1@example.com, from=test2@example.com, subject=test, senderip=***.***.***.***.

view=INBOX, mailbox=*****@*****.***

Tolerance Scope

Optional

The tolerance scope (in minutes) for the query to fetch events between the specified start and end time to avoid event loss or fetch failure. The events will be fetched between {Start Time - Tolerance Scope, End Time}. The default value is 0.

0

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": "*****",
        "from": {
            "emailAddress": "Admin account",
            "displayableName": "Admin account"
        },
        "to": {
            "emailAddress": "Eddie and 1 other(s)",
            "displayableName": "Eddie and 1 other(s)"
        },
        "received": "2021-04-28T15:14:00-07:00",
        "subject": "Test_Subject",
        "size": 1067,
        "attachmentCount": 0,
        "status": "Archived",
        "smash": "*****",
        "read": false,
        "expired": false,
        "recalled": false,
        "ccm": false,
        "MessageDetail": {
            "id": "*****
            "mimeMessageId": "<Mimecast.***@***.mimecast.***>",
            "smash": "*****",
            "subject": "Test_Subject",
            "size": 1063,
            "received": "2021-04-28T15:14:26-07:00",
            "processed": "2021-04-28T15:14:26-07:00",
            "status": "Archived",
            "hasHtmlBody": true,
            "hasTextBody": true,
            "isPassthrough": false,
            "envelopeFrom": {
                "emailAddress": "****@*****.com",
                "displayableName": "Sysint_Eddie"
            },
            "from": {
                "emailAddress": "****@*****.com",
                "displayableName": "Sysint_Eddie"
            },
            "to": [
                {
                    "displayableName": "Eddie",
                    "emailAddress": "****@*****.com"
                }
            ],
            "cc": [],
            "headerDate": "Wed, 28 Apr 2021 18:14:25 -0400",
            "headers": [
                {
                    "name": "X-Mimecast-Spam-Score",
                    "values": [
                        "0"
                    ]
                },
                {
                    "name": "Received",
                    "values": [
                        "from null (us-sl-41.us.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n *****.*****.*** with ESMTP id\r\n *****; Wed, 28 Apr 2021\r\n 18:14:26 -0400"
                    ]
                },
                {
                    "name": "Authentication-Results",
                    "values": [
                        "*****.*****.***;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=****@*****.com"
                    ]
                },
                {
                    "name": "Message-Id",
                    "values": [
                        "<Mimecast.***@***.mimecast.***>"
                    ]
                },
                {
                    "name": "From",
                    "values": [
                        "\"Sysint_Eddie\" <****@*****.com>"
                    ]
                },
                {
                    "name": "To",
                    "values": [
                        "\"Eddie\" <****@*****.com>"
                    ]
                },
                {
                    "name": "String",
                    "values": [
                        "String"
                    ]
                },
                {
                    "name": "Mime-Version",
                    "values": [
                        "1.0"
                    ]
                },
                {
                    "name": "X-MC-Unique",
                    "values": [
                        "*****"
                    ]
                },
                {
                    "name": "Subject",
                    "values": [
                        "Test_Subject"
                    ]
                },
                {
                    "name": "Date",
                    "values": [
                        "Wed, 28 Apr 2021 18:14:25 -0400"
                    ]
                }
            ],
            "attachments": [],
            "messageBodyPreview": "String",
            "isCcm": false
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "from": {
            "emailAddress": "Admin account",
            "displayableName": "Admin account"
        },
        "to": {
            "emailAddress": "Eddie and 1 other(s)",
            "displayableName": "Eddie and 1 other(s)"
        },
        "received": "2021-04-28T15:14:00-07:00",
        "subject": "Test_Subject",
        "size": 1067,
        "attachmentCount": 0,
        "status": "Archived",
        "smash": "*****",
        "read": false,
        "expired": false,
        "recalled": false,
        "ccm": false,
        "MessageDetail": {
            "id": "*****
            "mimeMessageId": "&lt;Mimecast.***@***.mimecast.***&gt;",
            "smash": "*****",
            "subject": "Test_Subject",
            "size": 1063,
            "received": "2021-04-28T15:14:26-07:00",
            "processed": "2021-04-28T15:14:26-07:00",
            "status": "Archived",
            "hasHtmlBody": true,
            "hasTextBody": true,
            "isPassthrough": false,
            "envelopeFrom": {
                "emailAddress": "****@*****.com",
                "displayableName": "Sysint_Eddie"
            },
            "from": {
                "emailAddress": "****@*****.com",
                "displayableName": "Sysint_Eddie"
            },
            "to": [
                {
                    "displayableName": "Eddie",
                    "emailAddress": "****@*****.com"
                }
            ],
            "cc": [],
            "headerDate": "Wed, 28 Apr 2021 18:14:25 -0400",
            "headers": [
                {
                    "name": "X-Mimecast-Spam-Score",
                    "values": [
                        "0"
                    ]
                },
                {
                    "name": "Received",
                    "values": [
                        "from null (us-sl-41.us.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n *****.*****.*** with ESMTP id\r\n *****; Wed, 28 Apr 2021\r\n 18:14:26 -0400"
                    ]
                },
                {
                    "name": "Authentication-Results",
                    "values": [
                        "*****.*****.***;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=****@*****.com"
                    ]
                },
                {
                    "name": "Message-Id",
                    "values": [
                        "&lt;Mimecast.***@***.mimecast.***&gt;"
                    ]
                },
                {
                    "name": "From",
                    "values": [
                        "\"Sysint_Eddie\" &lt;****@*****.com&gt;"
                    ]
                },
                {
                    "name": "To",
                    "values": [
                        "\"Eddie\" &lt;****@*****.com&gt;"
                    ]
                },
                {
                    "name": "String",
                    "values": [
                        "String"
                    ]
                },
                {
                    "name": "Mime-Version",
                    "values": [
                        "1.0"
                    ]
                },
                {
                    "name": "X-MC-Unique",
                    "values": [
                        "*****"
                    ]
                },
                {
                    "name": "Subject",
                    "values": [
                        "Test_Subject"
                    ]
                },
                {
                    "name": "Date",
                    "values": [
                        "Wed, 28 Apr 2021 18:14:25 -0400"
                    ]
                }
            ],
            "attachments": [],
            "messageBodyPreview": "String",
            "isCcm": false
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageIDs": ["*****"]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

from

to

received

subject

size

attachmentCount

status

smash

read

expired

recalled

ccm

MessageDetail

*****

{
"emailAddress": "Admin account",
"displayableName": "Admin account"
}

{
"emailAddress": "Eddie and 1 other(s)",
"displayableName": "Eddie and 1 other(s)"
}

4/28/2021 3:14:00 PM

Test_Subject

1067

0

Archived

*****

False

False

False

False

{
"id": "*****
"mimeMessageId": "<Mimecast.***@***.mimecast.***>",
"smash": "*****",
"subject": "Test_Subject",
"size": 1063,
"received": "2021-04-28T15:14:26-07:00",
"processed": "2021-04-28T15:14:26-07:00",
"status": "Archived",
"hasHtmlBody": true,
"hasTextBody": true,
"isPassthrough": false,
"envelopeFrom": {
"emailAddress": "****@*****.com",
"displayableName": "Sysint_Eddie"
},
"from": {
"emailAddress": "****@*****.com",
"displayableName": "Sysint_Eddie"
},
"to": [
{
"displayableName": "Eddie",
"emailAddress": "****@*****.com"
}
],
"cc": [],
"headerDate": "Wed, 28 Apr 2021 18:14:25 -0400",
"headers": [
{
"name": "X-Mimecast-Spam-Score",
"values": [
"0"
]
},
{
"name": "Received",
"values": [
"from null (us-sl-41.us.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n *****.*****.*** with ESMTP id\r\n *****; Wed, 28 Apr 2021\r\n 18:14:26 -0400"
]
},
{
"name": "Authentication-Results",
"values": [
"*****.*****.***;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=****@*****.com"
]
},
{
"name": "Message-Id",
"values": [
"<Mimecast.***@***.mimecast.***>"
]
},
{
"name": "From",
"values": [
"\"Sysint_Eddie\" <****@*****.com>"
]
},
{
"name": "To",
"values": [
"\"Eddie\" <****@*****.com>"
]
},
{
"name": "String",
"values": [
"String"
]
},
{
"name": "Mime-Version",
"values": [
"1.0"
]
},
{
"name": "X-MC-Unique",
"values": [
"*****"
]
},
{
"name": "Subject",
"values": [
"Test_Subject"
]
},
{
"name": "Date",
"values": [
"Wed, 28 Apr 2021 18:14:25 -0400"
]
}
],
"attachments": [],
"messageBodyPreview": "String",
"isCcm": false

Fetch Event Field Mapping

Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.

To customize field mapping, click + Add Field and add the custom field of your choice. You can also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the Mimecast integration has some pre-configured field mappings for default field mapping.

  • Default Event Source The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events. The default event source has a “Main Event JSON Path” (i.e., $) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.

    • Main Event JSON Path: $
      The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.

      For example, the root node of a JSON Path is value. The child node denoting the Unique Event Key field would be id. Putting it together, the JSON Path expression to extract the Unique Event Key is $.id.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Email subject

.subject

Source IP address

.senderIP

Recipient

.to.emailAddress

Sender

.fromEnv.emailAddress

Receipt time

.received

Unique Event Key

.id

Start Time

.sent

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Fetch Related Events

Retrieve related events from Mimecast.

Input

Input Parameter

Required/Optional

Description

Example

Last Hours

Optional

The number of hours before the current time to fetch related events.

240

Top Recent Event Number

Required

The maximum number of the most recent events to retrieve.

1

Search Archive

Optional

The option to search either archive or message tracking. The selection in this parameter will impact the query syntax that is used in the Search Condition parameter.

FALSE

Search Condition

Required

The search condition for querying results varies based on the state of the "Search Archive" parameter. When set to True, it allows for querying within the archive using specific parameters: view (such as INBOX), mailbox (like *****@*****.***), from (for instance, *****@*****.***), to (mirroring the from value), subject (targeting a specific subject line), and filename (for attachments, e.g., test.pdf). An example query in this case would be view=INBOX, mailbox=*****@*****.***, from=*****@*****.***, filename=test.pdf.

If "Search Archive" is set to False, the query format changes to focus on the current mailbox, using parameters like to (e.g., *****@*****.com), from (e.g., *****@*****.***), subject (a specific subject line), and senderIP (such as ***.***.***.***). An example query here would be to=*****@*****.com, from=*****@*****.***, subject=test, senderip=***.***.***.***.

to=*****@*****.com, from=*****@*****.***, subject=test

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "info": "Indexed and archived",
        "id": "*****",
        "status": "archived",
        "fromEnv": {
            "emailAddress": "*****@*****.***"
        },
        "fromHdr": {
            "displayableName": "Admin account",
            "emailAddress": "*****@*****.***"
        },
        "to": [
            {
                "displayableName": "",
                "emailAddress": "*****@*****.***"
            }
        ],
        "received": "2021-05-25T12:34:00-07:00",
        "subject": "test 1233",
        "senderIP": "***.***.***.***",
        "attachments": true,
        "route": "outbound",
        "sent": "2021-05-25T12:34:00-07:00",
        "MessageDetail": {
            "recipientInfo": {
                "messageInfo": {
                    "fromHeader": "*****@*****.***",
                    "fromEnvelope": "*****@*****.***",
                    "to": [
                        "*****@*****.***"
                    ],
                    "cc": [],
                    "subject": "test 1233",
                    "sent": "2021-05-25T12:34:29-07:00",
                    "processed": "2021-05-25T12:34:29-07:00",
                    "transmissionInfo": "<pre>\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &lt;Mimecast.fdd.*****@*****.***.mimecast.lan&gt;\r\nFrom: &quot;Admin account&quot; &lt;*****@*****.***&gt;\r\nTo: &lt;*****@*****.***&gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&quot;MCBoundary=_12105251534290011&quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=&quot;UTF-8&quot;\r\nx-mimecast-att: mailfile=&quot;12105251534330041&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;\r\nContent-Disposition: attachment;\r\n filename=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&quot;12105251534330761&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n</pre>"
                },
                "recipientMetaInfo": {
                    "receiptEvent": "Email Received via WebMail",
                    "spamEvent": "na",
                    "messageExpiresIn": 28,
                    "processingServer": "us-***.**.***.***",
                    "transmissionSize": 592473,
                    "binaryEmailSize": 592533,
                    "remoteIp": "***.***.***.***",
                    "remoteHost": "***.***.***.***",
                    "remoteServerGreeting": "MCEHLO WEBMAIL ***** ***.***.***.*** uid:673a20ee-2845-4dbe-8b37-ca9569b6624a ccm:0",
                    "receiptAcknowledgement": "250 SmtpInternalThread-15673107-1621971273400@us-***.**.***.*** Received OK",
                    "transmissionStart": "2021-05-25T12:34:29-07:00",
                    "transmissionEnd": "2021-05-25T12:34:33-07:00",
                    "encryptionInfo": "TLS",
                    "components": [
                        {
                            "type": "Email Primary Body HTML",
                            "name": "body.htm",
                            "extension": "txt",
                            "mimeType": "text/plain",
                            "size": 16,
                            "hash": "*****"
                        },
                        {
                            "type": "Email Attachment",
                            "name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
                            "extension": "pdf",
                            "mimeType": "application/pdf",
                            "size": 591260,
                            "hash": "*****"
                        },
                        {
                            "type": "Email Transmission File",
                            "name": "transmission.eml",
                            "extension": "eml",
                            "mimeType": "message/rfc822-stubbed",
                            "size": 1257,
                            "hash": "*****"
                        }
                    ]
                }
            },
            "deliveredMessage": {
                "*****@*****.***": {
                    "messageInfo": {
                        "fromHeader": "*****@*****.***",
                        "fromEnvelope": "*****@*****.***",
                        "to": [
                            "*****@*****.***"
                        ],
                        "cc": [],
                        "subject": "test 1233",
                        "sent": "2021-05-25T12:34:29-07:00",
                        "processed": "2021-05-25T12:34:29-07:00",
                        "transmissionInfo": "<pre>\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &lt;Mimecast.fdd.*****@*****.***.mimecast.lan&gt;\r\nFrom: &quot;Admin account&quot; &lt;*****@*****.***&gt;\r\nTo: &lt;*****@*****.***&gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&quot;MCBoundary=_12105251534290011&quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=UTF-8\r\nx-mimecast-att: mailfile=&quot;12105251534350111&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;\r\nContent-Disposition: attachment;\r\n filename=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&quot;12105251534330761&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n</pre>",
                        "route": "outbound"
                    },
                    "policyInfo": [
                        {
                            "policyType": "AV Scan On Release",
                            "policyName": "Enable AV scan on release",
                            "inherited": false
                        },
                        {
                            "policyType": "Greylisting",
                            "policyName": "Apply Greylisting",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Receipt",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Auto Allow",
                            "policyName": "Apply Auto Allow",
                            "inherited": false
                        },
                        {
                            "policyType": "Message Actions",
                            "policyName": "Enable Message Actions",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Delivery",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Suspected Malware",
                            "policyName": "Default Suspected Malware Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Protection",
                            "policyName": "Default Inbound Attachment Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "URL Protection",
                            "policyName": "Default Inbound URL Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Management",
                            "policyName": "Default Attachment Management Definition - Block Dangerous File Types",
                            "inherited": false
                        },
                        {
                            "policyType": "Stationary Assignment",
                            "policyName": "Default Stationery Layout",
                            "inherited": false
                        }
                    ],
                    "deliveryMetaInfo": {
                        "deliveryEvent": "Email Delivered via MX resolution",
                        "emailAddress": "*****@*****.***",
                        "messageExpiresIn": 28,
                        "processingServer": "us-***.**.***.***",
                        "transmissionSize": 593639,
                        "remoteIp": "***.***.***.***",
                        "remoteHost": "***.***.***.***",
                        "remoteServerGreeting": "220 mx.google.com ESMTP l15si1321967edv.507 - gsmtp",
                        "receiptAcknowledgement": "250 2.0.0 OK 1621971277 l15si1321967edv.507 - gsmtp",
                        "transmissionStart": "2021-05-25T12:34:35-07:00",
                        "transmissionEnd": "2021-05-25T12:34:37-07:00",
                        "encryptionInfo": "TLS",
                        "components": [
                            {
                                "type": "Email Primary Body HTML",
                                "name": "body.htm",
                                "extension": "htm",
                                "mimeType": "text/html",
                                "size": 1184,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Attachment",
                                "name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
                                "extension": "pdf",
                                "mimeType": "application/pdf",
                                "size": 591260,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Transmission File",
                                "name": "transmission.eml",
                                "extension": "eml",
                                "mimeType": "message/rfc822-stubbed",
                                "size": 1255,
                                "hash": "*****"
                            }
                        ]
                    }
                },
                "*****@*****.***": {
                    "messageInfo": {
                        "fromHeader": "*****@*****.***",
                        "fromEnvelope": "*****@*****.***",
                        "to": [
                            "*****@*****.***"
                        ],
                        "cc": [],
                        "subject": "test 1233",
                        "sent": "2021-05-25T12:34:29-07:00",
                        "processed": "2021-05-25T12:34:29-07:00",
                        "transmissionInfo": "<pre>\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &lt;Mimecast.fdd.*****@*****.***.mimecast.lan&gt;\r\nFrom: &quot;Admin account&quot; &lt;*****@*****.***&gt;\r\nTo: &lt;*****@*****.***&gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&quot;MCBoundary=_12105251534290011&quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=UTF-8\r\nx-mimecast-att: mailfile=&quot;12105251534330041&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;\r\nContent-Disposition: attachment;\r\n filename=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&quot;12105251534330761&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n</pre>",
                        "route": "internal"
                    },
                    "policyInfo": [
                        {
                            "policyType": "AV Scan On Release",
                            "policyName": "Enable AV scan on release",
                            "inherited": false
                        },
                        {
                            "policyType": "Greylisting",
                            "policyName": "Apply Greylisting",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Receipt",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Auto Allow",
                            "policyName": "Apply Auto Allow",
                            "inherited": false
                        },
                        {
                            "policyType": "Message Actions",
                            "policyName": "Enable Message Actions",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Delivery",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Anti-Spoofing",
                            "policyName": "Apply Anti-Spoofing (Exclude Mimecast IPs)",
                            "inherited": false
                        },
                        {
                            "policyType": "Suspected Malware",
                            "policyName": "Default Suspected Malware Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Protection",
                            "policyName": "Default Inbound Attachment Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "URL Protection",
                            "policyName": "Default Inbound URL Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Management",
                            "policyName": "Default Attachment Management Definition - Block Dangerous File Types",
                            "inherited": false
                        },
                        {
                            "policyType": "Spam Scanning",
                            "policyName": "Relaxed Spam Detection",
                            "inherited": false
                        }
                    ],
                    "deliveryMetaInfo": {
                        "deliveryEvent": "Email Delivered via MX resolution",
                        "emailAddress": "*****@*****.***",
                        "messageExpiresIn": 28,
                        "processingServer": "us-***.**.***.***",
                        "transmissionSize": 592471,
                        "remoteIp": "***.***.***.***",
                        "remoteHost": "***.***.***.***",
                        "remoteServerGreeting": "220 mx.google.com ESMTP da21si15823601edb.214 - gsmtp",
                        "receiptAcknowledgement": "250 2.0.0 OK 1621971277 da21si15823601edb.214 - gsmtp",
                        "transmissionStart": "2021-05-25T12:34:35-07:00",
                        "transmissionEnd": "2021-05-25T12:34:37-07:00",
                        "encryptionInfo": "TLS",
                        "components": [
                            {
                                "type": "Email Primary Body HTML",
                                "name": "body.htm",
                                "extension": "txt",
                                "mimeType": "text/plain",
                                "size": 16,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Attachment",
                                "name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
                                "extension": "pdf",
                                "mimeType": "application/pdf",
                                "size": 591260,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Transmission File",
                                "name": "transmission.eml",
                                "extension": "eml",
                                "mimeType": "message/rfc822-stubbed",
                                "size": 1255,
                                "hash": "*****"
                            }
                        ]
                    }
                }
            },
            "retentionInfo": {
                "currentPurgeDate": "2021-06-24T12:34:29-07:00",
                "purgeBasedOn": "original",
                "originalPurgeDate": "2021-06-24T12:34:29-07:00",
                "retentionAdjustmentDays": -1,
                "litigationHoldInfo": [],
                "fbrStamps": [],
                "smartTags": [],
                "fbrExpireCheck": [],
                "audits": []
            },
            "status": "archived",
            "id": "*****"
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "info": "Indexed and archived",
        "id": "*****",
        "status": "archived",
        "fromEnv": {
            "emailAddress": "*****@*****.***"
        },
        "fromHdr": {
            "displayableName": "Admin account",
            "emailAddress": "*****@*****.***"
        },
        "to": [
            {
                "displayableName": "",
                "emailAddress": "*****@*****.***"
            }
        ],
        "received": "2021-05-25T12:34:00-07:00",
        "subject": "test 1233",
        "senderIP": "***.***.***.***",
        "attachments": true,
        "route": "outbound",
        "sent": "2021-05-25T12:34:00-07:00",
        "MessageDetail": {
            "recipientInfo": {
                "messageInfo": {
                    "fromHeader": "*****@*****.***",
                    "fromEnvelope": "*****@*****.***",
                    "to": [
                        "*****@*****.***"
                    ],
                    "cc": [],
                    "subject": "test 1233",
                    "sent": "2021-05-25T12:34:29-07:00",
                    "processed": "2021-05-25T12:34:29-07:00",
                    "transmissionInfo": "&lt;pre&gt;\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &amp;lt;Mimecast.fdd.*****@*****.***.mimecast.lan&amp;gt;\r\nFrom: &amp;quot;Admin account&amp;quot; &amp;lt;*****@*****.***&amp;gt;\r\nTo: &amp;lt;*****@*****.***&amp;gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&amp;quot;MCBoundary=_12105251534290011&amp;quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=&amp;quot;UTF-8&amp;quot;\r\nx-mimecast-att: mailfile=&amp;quot;12105251534330041&amp;quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&amp;quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&amp;quot;\r\nContent-Disposition: attachment;\r\n filename=&amp;quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&amp;quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&amp;quot;12105251534330761&amp;quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n&lt;/pre&gt;"
                },
                "recipientMetaInfo": {
                    "receiptEvent": "Email Received via WebMail",
                    "spamEvent": "na",
                    "messageExpiresIn": 28,
                    "processingServer": "us-***.**.***.***",
                    "transmissionSize": 592473,
                    "binaryEmailSize": 592533,
                    "remoteIp": "***.***.***.***",
                    "remoteHost": "***.***.***.***",
                    "remoteServerGreeting": "MCEHLO WEBMAIL ***** ***.***.***.*** uid:673a20ee-2845-4dbe-8b37-ca9569b6624a ccm:0",
                    "receiptAcknowledgement": "250 SmtpInternalThread-15673107-1621971273400@us-***.**.***.*** Received OK",
                    "transmissionStart": "2021-05-25T12:34:29-07:00",
                    "transmissionEnd": "2021-05-25T12:34:33-07:00",
                    "encryptionInfo": "TLS",
                    "components": [
                        {
                            "type": "Email Primary Body HTML",
                            "name": "body.htm",
                            "extension": "txt",
                            "mimeType": "text/plain",
                            "size": 16,
                            "hash": "*****"
                        },
                        {
                            "type": "Email Attachment",
                            "name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
                            "extension": "pdf",
                            "mimeType": "application/pdf",
                            "size": 591260,
                            "hash": "*****"
                        },
                        {
                            "type": "Email Transmission File",
                            "name": "transmission.eml",
                            "extension": "eml",
                            "mimeType": "message/rfc822-stubbed",
                            "size": 1257,
                            "hash": "*****"
                        }
                    ]
                }
            },
            "deliveredMessage": {
                "*****@*****.***": {
                    "messageInfo": {
                        "fromHeader": "*****@*****.***",
                        "fromEnvelope": "*****@*****.***",
                        "to": [
                            "*****@*****.***"
                        ],
                        "cc": [],
                        "subject": "test 1233",
                        "sent": "2021-05-25T12:34:29-07:00",
                        "processed": "2021-05-25T12:34:29-07:00",
                        "transmissionInfo": "&lt;pre&gt;\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &amp;lt;Mimecast.fdd.*****@*****.***.mimecast.lan&amp;gt;\r\nFrom: &amp;quot;Admin account&amp;quot; &amp;lt;*****@*****.***&amp;gt;\r\nTo: &amp;lt;*****@*****.***&amp;gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&amp;quot;MCBoundary=_12105251534290011&amp;quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=UTF-8\r\nx-mimecast-att: mailfile=&amp;quot;12105251534350111&amp;quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&amp;quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&amp;quot;\r\nContent-Disposition: attachment;\r\n filename=&amp;quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&amp;quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&amp;quot;12105251534330761&amp;quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n&lt;/pre&gt;",
                        "route": "outbound"
                    },
                    "policyInfo": [
                        {
                            "policyType": "AV Scan On Release",
                            "policyName": "Enable AV scan on release",
                            "inherited": false
                        },
                        {
                            "policyType": "Greylisting",
                            "policyName": "Apply Greylisting",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Receipt",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Auto Allow",
                            "policyName": "Apply Auto Allow",
                            "inherited": false
                        },
                        {
                            "policyType": "Message Actions",
                            "policyName": "Enable Message Actions",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Delivery",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Suspected Malware",
                            "policyName": "Default Suspected Malware Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Protection",
                            "policyName": "Default Inbound Attachment Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "URL Protection",
                            "policyName": "Default Inbound URL Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Management",
                            "policyName": "Default Attachment Management Definition - Block Dangerous File Types",
                            "inherited": false
                        },
                        {
                            "policyType": "Stationary Assignment",
                            "policyName": "Default Stationery Layout",
                            "inherited": false
                        }
                    ],
                    "deliveryMetaInfo": {
                        "deliveryEvent": "Email Delivered via MX resolution",
                        "emailAddress": "*****@*****.***",
                        "messageExpiresIn": 28,
                        "processingServer": "us-***.**.***.***",
                        "transmissionSize": 593639,
                        "remoteIp": "***.***.***.***",
                        "remoteHost": "***.***.***.***",
                        "remoteServerGreeting": "220 mx.google.com ESMTP l15si1321967edv.507 - gsmtp",
                        "receiptAcknowledgement": "250 2.0.0 OK 1621971277 l15si1321967edv.507 - gsmtp",
                        "transmissionStart": "2021-05-25T12:34:35-07:00",
                        "transmissionEnd": "2021-05-25T12:34:37-07:00",
                        "encryptionInfo": "TLS",
                        "components": [
                            {
                                "type": "Email Primary Body HTML",
                                "name": "body.htm",
                                "extension": "htm",
                                "mimeType": "text/html",
                                "size": 1184,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Attachment",
                                "name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
                                "extension": "pdf",
                                "mimeType": "application/pdf",
                                "size": 591260,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Transmission File",
                                "name": "transmission.eml",
                                "extension": "eml",
                                "mimeType": "message/rfc822-stubbed",
                                "size": 1255,
                                "hash": "*****"
                            }
                        ]
                    }
                },
                "*****@*****.***": {
                    "messageInfo": {
                        "fromHeader": "*****@*****.***",
                        "fromEnvelope": "*****@*****.***",
                        "to": [
                            "*****@*****.***"
                        ],
                        "cc": [],
                        "subject": "test 1233",
                        "sent": "2021-05-25T12:34:29-07:00",
                        "processed": "2021-05-25T12:34:29-07:00",
                        "transmissionInfo": "&lt;pre&gt;\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &amp;lt;Mimecast.fdd.*****@*****.***.mimecast.lan&amp;gt;\r\nFrom: &amp;quot;Admin account&amp;quot; &amp;lt;*****@*****.***&amp;gt;\r\nTo: &amp;lt;*****@*****.***&amp;gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&amp;quot;MCBoundary=_12105251534290011&amp;quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=UTF-8\r\nx-mimecast-att: mailfile=&amp;quot;12105251534330041&amp;quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&amp;quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&amp;quot;\r\nContent-Disposition: attachment;\r\n filename=&amp;quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&amp;quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&amp;quot;12105251534330761&amp;quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n&lt;/pre&gt;",
                        "route": "internal"
                    },
                    "policyInfo": [
                        {
                            "policyType": "AV Scan On Release",
                            "policyName": "Enable AV scan on release",
                            "inherited": false
                        },
                        {
                            "policyType": "Greylisting",
                            "policyName": "Apply Greylisting",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Receipt",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Auto Allow",
                            "policyName": "Apply Auto Allow",
                            "inherited": false
                        },
                        {
                            "policyType": "Message Actions",
                            "policyName": "Enable Message Actions",
                            "inherited": false
                        },
                        {
                            "policyType": "Secure Delivery",
                            "policyName": "Opportunistic TLS",
                            "inherited": false
                        },
                        {
                            "policyType": "Anti-Spoofing",
                            "policyName": "Apply Anti-Spoofing (Exclude Mimecast IPs)",
                            "inherited": false
                        },
                        {
                            "policyType": "Suspected Malware",
                            "policyName": "Default Suspected Malware Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Protection",
                            "policyName": "Default Inbound Attachment Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "URL Protection",
                            "policyName": "Default Inbound URL Protect Definition",
                            "inherited": false
                        },
                        {
                            "policyType": "Attachment Management",
                            "policyName": "Default Attachment Management Definition - Block Dangerous File Types",
                            "inherited": false
                        },
                        {
                            "policyType": "Spam Scanning",
                            "policyName": "Relaxed Spam Detection",
                            "inherited": false
                        }
                    ],
                    "deliveryMetaInfo": {
                        "deliveryEvent": "Email Delivered via MX resolution",
                        "emailAddress": "*****@*****.***",
                        "messageExpiresIn": 28,
                        "processingServer": "us-***.**.***.***",
                        "transmissionSize": 592471,
                        "remoteIp": "***.***.***.***",
                        "remoteHost": "***.***.***.***",
                        "remoteServerGreeting": "220 mx.google.com ESMTP da21si15823601edb.214 - gsmtp",
                        "receiptAcknowledgement": "250 2.0.0 OK 1621971277 da21si15823601edb.214 - gsmtp",
                        "transmissionStart": "2021-05-25T12:34:35-07:00",
                        "transmissionEnd": "2021-05-25T12:34:37-07:00",
                        "encryptionInfo": "TLS",
                        "components": [
                            {
                                "type": "Email Primary Body HTML",
                                "name": "body.htm",
                                "extension": "txt",
                                "mimeType": "text/plain",
                                "size": 16,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Attachment",
                                "name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
                                "extension": "pdf",
                                "mimeType": "application/pdf",
                                "size": 591260,
                                "hash": "*****"
                            },
                            {
                                "type": "Email Transmission File",
                                "name": "transmission.eml",
                                "extension": "eml",
                                "mimeType": "message/rfc822-stubbed",
                                "size": 1255,
                                "hash": "*****"
                            }
                        ]
                    }
                }
            },
            "retentionInfo": {
                "currentPurgeDate": "2021-06-24T12:34:29-07:00",
                "purgeBasedOn": "original",
                "originalPurgeDate": "2021-06-24T12:34:29-07:00",
                "retentionAdjustmentDays": -1,
                "litigationHoldInfo": [],
                "fbrStamps": [],
                "smartTags": [],
                "fbrExpireCheck": [],
                "audits": []
            },
            "status": "archived",
            "id": "*****"
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageIDs": ["*****"] 
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

info

id

status

fromEnv

fromHdr

to

received

subject

senderIP

attachments

route

sent

MessageDetail

Indexed and archived

*****

archived

{
"emailAddress": "*****@*****.***"
}

{
"displayableName": "Admin account",
"emailAddress": "*****@*****.***"
}

[
{
"displayableName": "",
"emailAddress": "*****@*****.***"
}
]

5/25/2021 12:34:00 PM

test 1233

***.***.***.***

True

outbound

5/25/2021 12:34:00 PM

{
"recipientInfo": {
"messageInfo": {
"fromHeader": "*****@*****.***",
"fromEnvelope": "*****@*****.***",
"to": [
"*****@*****.***"
],
"cc": [],
"subject": "test 1233",
"sent": "2021-05-25T12:34:29-07:00",
"processed": "2021-05-25T12:34:29-07:00",
"transmissionInfo": "<pre>\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &lt;Mimecast.fdd.*****@*****.***.mimecast.lan&gt;\r\nFrom: &quot;Admin account&quot; &lt;*****@*****.***&gt;\r\nTo: &lt;*****@*****.***&gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&quot;MCBoundary=_12105251534290011&quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=&quot;UTF-8&quot;\r\nx-mimecast-att: mailfile=&quot;12105251534330041&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;\r\nContent-Disposition: attachment;\r\n filename=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&quot;12105251534330761&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n</pre>"
},
"recipientMetaInfo": {
"receiptEvent": "Email Received via WebMail",
"spamEvent": "na",
"messageExpiresIn": 28,
"processingServer": "us-***.**.***.***",
"transmissionSize": 592473,
"binaryEmailSize": 592533,
"remoteIp": "***.***.***.***",
"remoteHost": "***.***.***.***",
"remoteServerGreeting": "MCEHLO WEBMAIL ***** ***.***.***.*** uid:673a20ee-2845-4dbe-8b37-ca9569b6624a ccm:0",
"receiptAcknowledgement": "250 SmtpInternalThread-15673107-1621971273400@us-***.**.***.*** Received OK",
"transmissionStart": "2021-05-25T12:34:29-07:00",
"transmissionEnd": "2021-05-25T12:34:33-07:00",
"encryptionInfo": "TLS",
"components": [
{
"type": "Email Primary Body HTML",
"name": "body.htm",
"extension": "txt",
"mimeType": "text/plain",
"size": 16,
"hash": "*****"
},
{
"type": "Email Attachment",
"name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
"extension": "pdf",
"mimeType": "application/pdf",
"size": 591260,
"hash": "*****"
},
{
"type": "Email Transmission File",
"name": "transmission.eml",
"extension": "eml",
"mimeType": "message/rfc822-stubbed",
"size": 1257,
"hash": "*****"
}
]
}
},
"deliveredMessage": {
"*****@*****.***": {
"messageInfo": {
"fromHeader": "*****@*****.***",
"fromEnvelope": "*****@*****.***",
"to": [
"*****@*****.***"
],
"cc": [],
"subject": "test 1233",
"sent": "2021-05-25T12:34:29-07:00",
"processed": "2021-05-25T12:34:29-07:00",
"transmissionInfo": "<pre>\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &lt;Mimecast.fdd.*****@*****.***.mimecast.lan&gt;\r\nFrom: &quot;Admin account&quot; &lt;*****@*****.***&gt;\r\nTo: &lt;*****@*****.***&gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&quot;MCBoundary=_12105251534290011&quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=UTF-8\r\nx-mimecast-att: mailfile=&quot;12105251534350111&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;\r\nContent-Disposition: attachment;\r\n filename=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&quot;12105251534330761&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n</pre>",
"route": "outbound"
},
"policyInfo": [
{
"policyType": "AV Scan On Release",
"policyName": "Enable AV scan on release",
"inherited": false
},
{
"policyType": "Greylisting",
"policyName": "Apply Greylisting",
"inherited": false
},
{
"policyType": "Secure Receipt",
"policyName": "Opportunistic TLS",
"inherited": false
},
{
"policyType": "Auto Allow",
"policyName": "Apply Auto Allow",
"inherited": false
},
{
"policyType": "Message Actions",
"policyName": "Enable Message Actions",
"inherited": false
},
{
"policyType": "Secure Delivery",
"policyName": "Opportunistic TLS",
"inherited": false
},
{
"policyType": "Suspected Malware",
"policyName": "Default Suspected Malware Definition",
"inherited": false
},
{
"policyType": "Attachment Protection",
"policyName": "Default Inbound Attachment Protect Definition",
"inherited": false
},
{
"policyType": "URL Protection",
"policyName": "Default Inbound URL Protect Definition",
"inherited": false
},
{
"policyType": "Attachment Management",
"policyName": "Default Attachment Management Definition - Block Dangerous File Types",
"inherited": false
},
{
"policyType": "Stationary Assignment",
"policyName": "Default Stationery Layout",
"inherited": false
}
],
"deliveryMetaInfo": {
"deliveryEvent": "Email Delivered via MX resolution",
"emailAddress": "*****@*****.***",
"messageExpiresIn": 28,
"processingServer": "us-***.**.***.***",
"transmissionSize": 593639,
"remoteIp": "***.***.***.***",
"remoteHost": "***.***.***.***",
"remoteServerGreeting": "220 mx.google.com ESMTP l15si1321967edv.507 - gsmtp",
"receiptAcknowledgement": "250 2.0.0 OK 1621971277 l15si1321967edv.507 - gsmtp",
"transmissionStart": "2021-05-25T12:34:35-07:00",
"transmissionEnd": "2021-05-25T12:34:37-07:00",
"encryptionInfo": "TLS",
"components": [
{
"type": "Email Primary Body HTML",
"name": "body.htm",
"extension": "htm",
"mimeType": "text/html",
"size": 1184,
"hash": "*****"
},
{
"type": "Email Attachment",
"name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
"extension": "pdf",
"mimeType": "application/pdf",
"size": 591260,
"hash": "*****"
},
{
"type": "Email Transmission File",
"name": "transmission.eml",
"extension": "eml",
"mimeType": "message/rfc822-stubbed",
"size": 1255,
"hash": "*****"
}
]
}
},
"*****@*****.***": {
"messageInfo": {
"fromHeader": "*****@*****.***",
"fromEnvelope": "*****@*****.***",
"to": [
"*****@*****.***"
],
"cc": [],
"subject": "test 1233",
"sent": "2021-05-25T12:34:29-07:00",
"processed": "2021-05-25T12:34:29-07:00",
"transmissionInfo": "<pre>\nReceived: from null (*****.***.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n ***.mimecast.***; with ESMTP id\r\n us-*****; Tue, 25 May 2021\r\n 15:34:29 -0400\r\nX-MC-Unique: *****\r\nSubject: test 1233\r\nMessage-Id: &lt;Mimecast.fdd.*****@*****.***.mimecast.lan&gt;\r\nFrom: &quot;Admin account&quot; &lt;*****@*****.***&gt;\r\nTo: &lt;*****@*****.***&gt;\r\nDate: Tue, 25 May 2021 15:34:29 -0400\r\nMime-Version: 1.0\r\nAuthentication-Results: ***.mimecast.***;;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***\r\nX-Mimecast-Spam-Score: 0\r\nContent-Type: multipart/mixed;\r\n\tboundary=&quot;MCBoundary=_12105251534290011&quot;\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=UTF-8\r\nx-mimecast-att: mailfile=&quot;12105251534330041&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011\r\nContent-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream;\r\n name=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;\r\nContent-Disposition: attachment;\r\n filename=&quot;Mimecast_AccountAssessment_*****_Monthly_20210430.pdf&quot;;\r\n size=591260\r\nx-mimecast-att: mailfile=&quot;12105251534330761&quot;\r\n\r\n\r\n--MCBoundary=_12105251534290011--\r\n\n</pre>",
"route": "internal"
},
"policyInfo": [
{
"policyType": "AV Scan On Release",
"policyName": "Enable AV scan on release",
"inherited": false
},
{
"policyType": "Greylisting",
"policyName": "Apply Greylisting",
"inherited": false
},
{
"policyType": "Secure Receipt",
"policyName": "Opportunistic TLS",
"inherited": false
},
{
"policyType": "Auto Allow",
"policyName": "Apply Auto Allow",
"inherited": false
},
{
"policyType": "Message Actions",
"policyName": "Enable Message Actions",
"inherited": false
},
{
"policyType": "Secure Delivery",
"policyName": "Opportunistic TLS",
"inherited": false
},
{
"policyType": "Anti-Spoofing",
"policyName": "Apply Anti-Spoofing (Exclude Mimecast IPs)",
"inherited": false
},
{
"policyType": "Suspected Malware",
"policyName": "Default Suspected Malware Definition",
"inherited": false
},
{
"policyType": "Attachment Protection",
"policyName": "Default Inbound Attachment Protect Definition",
"inherited": false
},
{
"policyType": "URL Protection",
"policyName": "Default Inbound URL Protect Definition",
"inherited": false
},
{
"policyType": "Attachment Management",
"policyName": "Default Attachment Management Definition - Block Dangerous File Types",
"inherited": false
},
{
"policyType": "Spam Scanning",
"policyName": "Relaxed Spam Detection",
"inherited": false
}
],
"deliveryMetaInfo": {
"deliveryEvent": "Email Delivered via MX resolution",
"emailAddress": "*****@*****.***",
"messageExpiresIn": 28,
"processingServer": "us-***.**.***.***",
"transmissionSize": 592471,
"remoteIp": "***.***.***.***",
"remoteHost": "***.***.***.***",
"remoteServerGreeting": "220 mx.google.com ESMTP da21si15823601edb.214 - gsmtp",
"receiptAcknowledgement": "250 2.0.0 OK 1621971277 da21si15823601edb.214 - gsmtp",
"transmissionStart": "2021-05-25T12:34:35-07:00",
"transmissionEnd": "2021-05-25T12:34:37-07:00",
"encryptionInfo": "TLS",
"components": [
{
"type": "Email Primary Body HTML",
"name": "body.htm",
"extension": "txt",
"mimeType": "text/plain",
"size": 16,
"hash": "*****"
},
{
"type": "Email Attachment",
"name": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
"extension": "pdf",
"mimeType": "application/pdf",
"size": 591260,
"hash": "*****"
},
{
"type": "Email Transmission File",
"name": "transmission.eml",
"extension": "eml",
"mimeType": "message/rfc822-stubbed",
"size": 1255,
"hash": "*****"
}
]
}
}
},
"retentionInfo": {
"currentPurgeDate": "2021-06-24T12:34:29-07:00",
"purgeBasedOn": "original",
"originalPurgeDate": "2021-06-24T12:34:29-07:00",
"retentionAdjustmentDays": -1,
"litigationHoldInfo": [],
"fbrStamps": [],
"smartTags": [],
"fbrExpireCheck": [],
"audits": []
},
"status": "archived",
"id": "*****"
}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Related Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Fetch Related Events failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Get Files

Retrieves attachments from the currently stored messages.

READER NOTE

Attachment IDs is a required parameter to run this command.

  • Run the Get Message Detail command to obtain Attachment IDs. Attachment IDs can be found in the returned raw data at the path $.data[*].attachments[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Attachment IDs

Required

The ID of attachment to retrieve files. Attachment IDs can be obtained using the Get Message Detail command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "fileId": "***",
            "fileName": "forgetpassword.jpg",
            "md5": "*****",
            "sha1": "*****",
            "sha256": "*****"
        }
    ],
    "D3Errors": []
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

fileId

fileName

md5

sha1

sha256

*****

forgetpassword.jpg

*****

*****

*****

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Files failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Get Files failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Get Group Members

Retrieves members from the specified group.

READER NOTE

Group ID are required parameters to run this command.

  • Run the Get Groups command to obtain Group ID. Group IDs can be found in the returned data at the path $.data[*].folder[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Group ID

Required

The ID of the group to retrieve members. Group ID can be obtained using the Get Groups command.

*****

Page Size

Optional

The size of the page. This can be used for the pagination and it can specify the number of items to return in one page. The default value is 10, the maximum value 500.

10

Page Token

Optional

The page token serves as the index for pagination. This value can be sourced from the "NextPageToken" or "PreviousPageToken" fields in the response of a prior request.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200,
        "pagination": {
            "pageSize": 9,
            "totalCount": 9
        }
    },
    "data": [
        {
            "groupMembers": [
                {
                    "emailAddress": "*****@*****.***",
                    "name": "***",
                    "internal": true,
                    "domain": "*****.***",
                    "type": "created_manually"
                },
                {
                    "emailAddress": "*****@*****.***",
                    "name": "",
                    "internal": true,
                    "domain": "*****.***",
                    "type": "created_manually"
                },
                {
                    "emailAddress": "*****@*****.***",
                    "name": "",
                    "internal": true,
                    "domain": "*****.***",
                    "type": "created_manually"
                }
            ]
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data[*].groupMembers in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "emailAddress": "*****@*****.***",
        "name": "***",
        "internal": true,
        "domain": "*****.***",
        "type": "created_manually"
    },
    {
        "emailAddress": "*****@*****.***",
        "name": "***",
        "internal": true,
        "domain": "*****.***",
        "type": "created_manually"
    },
    {
        "emailAddress": "*****@*****.***",
        "name": "***",
        "internal": true,
        "domain": "*****.***",
        "type": "created_manually"
    
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EmailAddress": [
    "*****@*****.***",
    "*****@*****.***",
    "*****@*****.***"
    ],
    "Name": ["***","***","***"],
    "Domain": [true,true,true],
    "Type": ["created_manually","created_manually","created_manually"],
    "Internal": [true,true,true],
    "NextPageToken": "*****"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

emailAddress

name

internal

domain

type

*****@*****.***

***

True

*****.***

created_manually

*****@*****.***

****

True

*****.***

created_manually

*****@*****.***

***

True

*****.***

created_manually

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Group Members failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Page Size) is invalid.

Error Sample Data

Get Group Members failed.

Status Code: 400.

Message: The value for parameter (Page Size) is invalid.

Get Groups

Retrieves groups.

READER NOTE

If no groups are found, the command will successfully return without any result.

Input

Input Parameter

Required/Optional

Description

Example

Query

Optional

The query string to retrieve groups.

test

Source

Optional

The source (i.e., cloud or ldap) of the group to filter returned results.

cloud

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200,
        "pagination": {
            "pageSize": 31,
            "totalCount": 31
        }
    },
    "data": [
        {
            "source": "cloud",
            "query": "test",
            "folders": [
                {
                    "id": "*****",
                    "description": "testGroup33",
                    "source": "cloud",
                    "parentId": "*****
                    "userCount": 0,
                    "folderCount": 0
                },
                {
                    "id": "*****
                    "description": "testGroup34",
                    "source": "cloud",
                    "parentId": "*****
                    "userCount": 3,
                    "folderCount": 0
                },
                {
                    "id": "*****",
                    "description": "*****",
                    "source": "cloud",
                    "parentId": "*****
                    "userCount": 0,
                    "folderCount": 0
                }
            ]
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data[*].folders in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "description": "testGroup33",
        "source": "cloud",
        "parentId": "*****
        "userCount": 0,
        "folderCount": 0
    },
    {
        "id": "*****
        "description": "testGroup34",
        "source": "cloud",
        "parentId": "*****
        "userCount": 3,
        "folderCount": 0
    },
    {
        "id": "*****",
        "description": "*****",
        "source": "cloud",
        "parentId": "*****
        "userCount": 0,
        "folderCount": 0
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "GroupId": ["*****","*****","*****"],
    "GroupName": ["testGroup33","testGroup34","testGroup355"],
    "ParentId": ["*****","*****","*****"],
    "UserCount": [0,3,0],
    "FolderCount": [0,0,0]    
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

description

source

parentId

userCount

folderCount

*****

testGroup33

cloud

*****

0

0

*****

testGroup34

cloud

*****

3

0

*****

*****

cloud

*****

0

0

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Get Groups failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Get Hold Message List

Retrieves information about the held messages based on the given search conditions.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The start time of the time range to retrieve the hold message list, in UTC time.

2021-06-01 00:00

End Time

Optional

The end time of the time range to retrieve the hold message list, in UTC time.

2021-06-15 00:00

Field Name

Optional

The field to filter results. The available options are: all, subject, sender, recipient, reasonCode.

subject

Field Value

Optional

The value of the field to filter results as selected in the Field Name parameter.

test

Admin

Optional

The level of results to return. If false, only results for the currently authenticated user will be returned. If true, held messages for all recipients will be returned.

True

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200,
        "pagination": {
            "pageSize": 9,
            "totalCount": 9
        }
    },
    "data": [
        {
            "id": "*****
            "reason": "Message Hold Applied - Attachment type policy",
            "reasonId": "ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY",
            "reasonCode": "admin_message_hold_applied_attachment_type_policy",
            "from": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "fromHeader": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "subject": "test 1735 20210611",
            "route": "INTERNAL",
            "hasAttachments": true,
            "size": 592551,
            "dateReceived": "2021-06-11T17:36:47-07:00",
            "policyInfo": "Attachment Hold on Size"
        },
        {
            "id": "*****",
            "reason": "Message Hold Applied - Attachment type policy",
            "reasonId": "ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY",
            "reasonCode": "admin_message_hold_applied_attachment_type_policy",
            "from": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "fromHeader": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "subject": "test 1557 20210611",
            "route": "INTERNAL",
            "hasAttachments": true,
            "size": 592550,
            "dateReceived": "2021-06-11T15:58:43-07:00",
            "policyInfo": "Attachment Hold on Size"
        },
        {
            "id": "*****",
            "reason": "Message Hold Applied - Attachment type policy",
            "reasonId": "ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY",
            "reasonCode": "admin_message_hold_applied_attachment_type_policy",
            "from": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "fromHeader": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "*****@*****.***",
                "displayableName": ""
            },
            "subject": "test 1557 20210611",
            "route": "OUTBOUND",
            "hasAttachments": true,
            "size": 593718,
            "dateReceived": "2021-06-11T15:58:43-07:00",
            "policyInfo": "Attachment Hold on Size"
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "meta": {
        "status": 200,
        "pagination": {
            "pageSize": 9,
            "totalCount": 9
        }
    },
    "data": [
        {
            "id": "*****
            "reason": "Message Hold Applied - Attachment type policy",
            "reasonId": "ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY",
            "reasonCode": "admin_message_hold_applied_attachment_type_policy",
            "from": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "fromHeader": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "subject": "test 1735 20210611",
            "route": "INTERNAL",
            "hasAttachments": true,
            "size": 592551,
            "dateReceived": "2021-06-11T17:36:47-07:00",
            "policyInfo": "Attachment Hold on Size"
        },
        {
            "id": "*****",
            "reason": "Message Hold Applied - Attachment type policy",
            "reasonId": "ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY",
            "reasonCode": "admin_message_hold_applied_attachment_type_policy",
            "from": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "fromHeader": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "subject": "test 1557 20210611",
            "route": "INTERNAL",
            "hasAttachments": true,
            "size": 592550,
            "dateReceived": "2021-06-11T15:58:43-07:00",
            "policyInfo": "Attachment Hold on Size"
        },
        {
            "id": "*****",
            "reason": "Message Hold Applied - Attachment type policy",
            "reasonId": "ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY",
            "reasonCode": "admin_message_hold_applied_attachment_type_policy",
            "from": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "fromHeader": {
                "emailAddress": "*****@*****.***",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "*****@*****.***",
                "displayableName": ""
            },
            "subject": "test 1557 20210611",
            "route": "OUTBOUND",
            "hasAttachments": true,
            "size": 593718,
            "dateReceived": "2021-06-11T15:58:43-07:00",
            "policyInfo": "Attachment Hold on Size"
        }
    ],
    "fail": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageIds": [
      "*****",
      "*****",
      "*****"
     ],
     "FromEmailAddresses": [
        "*****@*****.***",
        "*****@*****.***",
        "*****@*****.***",
      ],
      "ToEmailAddresses": [
        "*****@*****.***",
        "*****@*****.***",
        "*****@*****.***",
      ],
      "Subjects": [
        "test 1735 20210611",
        "test 1557 20210611",
        "test 1557 20210611"
      ],
      "DateReceived": [
        "2021-06-11T17:36:47-07:00",
        "2021-06-11T15:58:43-07:00",
        "2021-06-11T15:58:43-07:00"
      ],
      "Reasons": [
        "Message Hold Applied - Attachment type policy",
        "Message Hold Applied - Attachment type policy",
        "Message Hold Applied - Attachment type policy"
      ],
      "Routes": [
          "INTERNAL",
          "INTERNAL",
          "OUTBOUND"
      ]
 }
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

{

"status": 200,

"pagination": {

"pageSize": 9,

"totalCount": 9

}

}

data

  • {

    &quot;id&quot;: &quot;*****&quot;,

    &quot;reason&quot;: &quot;Message Hold Applied - Attachment type policy&quot;,

    &quot;reasonId&quot;: &quot;ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY&quot;,

    &quot;reasonCode&quot;: &quot;admin_message_hold_applied_attachment_type_policy&quot;,

    &quot;from&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;fromHeader&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;to&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;subject&quot;: &quot;test 1735 20210611&quot;,

    &quot;route&quot;: &quot;INTERNAL&quot;,

    &quot;hasAttachments&quot;: true,

    &quot;size&quot;: 592551,

    &quot;dateReceived&quot;: &quot;2021-06-11T17:36:47-07:00&quot;,

    &quot;policyInfo&quot;: &quot;Attachment Hold on Size&quot;

    }

  • {

    &quot;id&quot;: &quot;*****&quot;,

    &quot;reason&quot;: &quot;Message Hold Applied - Attachment type policy&quot;,

    &quot;reasonId&quot;: &quot;ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY&quot;,

    &quot;reasonCode&quot;: &quot;admin_message_hold_applied_attachment_type_policy&quot;,

    &quot;from&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;fromHeader&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;to&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;subject&quot;: &quot;test 1557 20210611&quot;,

    &quot;route&quot;: &quot;INTERNAL&quot;,

    &quot;hasAttachments&quot;: true,

    &quot;size&quot;: 592550,

    &quot;dateReceived&quot;: &quot;2021-06-11T15:58:43-07:00&quot;,

    &quot;policyInfo&quot;: &quot;Attachment Hold on Size&quot;

    }

  • {

    &quot;id&quot;: &quot;*****&quot;,

    &quot;reason&quot;: &quot;Message Hold Applied - Attachment type policy&quot;,

    &quot;reasonId&quot;: &quot;ADMIN_MESSAGE_HOLD_APPLIED_ATTACHMENT_TYPE_POLICY&quot;,

    &quot;reasonCode&quot;: &quot;admin_message_hold_applied_attachment_type_policy&quot;,

    &quot;from&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;fromHeader&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;Admin account&quot;

    },

    &quot;to&quot;: {

    &quot;emailAddress&quot;: &quot;*****@*****.***&quot;,

    &quot;displayableName&quot;: &quot;&quot;

    },

    &quot;subject&quot;: &quot;test 1557 20210611&quot;,

    &quot;route&quot;: &quot;OUTBOUND&quot;,

    &quot;hasAttachments&quot;: true,

    &quot;size&quot;: 593718,

    &quot;dateReceived&quot;: &quot;2021-06-11T15:58:43-07:00&quot;,

    &quot;policyInfo&quot;: &quot;Attachment Hold on Size&quot;

    }

fail

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Hold Message List failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid payload.

Error Sample Data

Get Hold Message List failed.

Status Code: 400.

Message: Invalid payload.

Get Managed URL

Retrieves a managed URL which can be used to return all entries currently in an accounts Managed URL list.

Input

Input Parameter

Required/Optional

Description

Example

Url

Required

The domain or URL to filter results.

["www.*****.com"]

Action

Required

The action to take when the URL is clicked. The available options are block or permit.

permit

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": "*****",
        "scheme": "http",
        "domain": "www.*****.com",
        "port": -1,
        "path": "",
        "queryString": "",
        "matchType": "domain",
        "action": "permit",
        "comment": "",
        "disableUserAwareness": false,
        "disableRewrite": false,
        "disableLogClick": false
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "scheme": "http",
        "domain": "www.*****.com",
        "port": -1,
        "path": "",
        "queryString": "",
        "matchType": "domain",
        "action": "permit",
        "comment": "",
        "disableUserAwareness": false,
        "disableRewrite": false,
        "disableLogClick": false
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLid": ["*****"],
    "Domain": ["www.*****.com"],
    "Action": ["permit"],
    "Path": [""],
    "MatchType": ["domain"],
    "DisableRewrite": [false],
    "DisableLogClick": [false]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

scheme

domain

port

path

queryString

matchType

action

comment

disableUserAwareness

disableRewrite

disableLogClick

*****

http

http://www.*****.***

-1

domain

permit

False

False

False

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Managed URL failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Get Managed URL failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Get Message Attachment

Retrieves the attachment of the specified message.

READER NOTE

Message ID is a required parameter to run this command.

  • Run the Get Message List command to obtain Message ID. Message IDs can be found in the returned raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Message ID

Optional

The ID of the message to retrieve its attachment. Message IDs can be obtained using the Get Message List command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "fileId": "*****",
    "fileName": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
    "md5": "*****",
    "sha1": "*****",
    "sha256": "*****"
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "fileId": "*****",
        "fileName": "Mimecast_AccountAssessment_*****_Monthly_20210430.pdf",
        "md5": "*****",
        "sha1": "*****",
        "sha256": "*****"
    }
] 
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "FileId": ["*****"],
    "AttachmentID": ["*****"]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

File Id

File Name

MD5 Hash

SHA1 Hash

SHA256 Hash

89

Mimecast_AccountAssessment_*****_Monthly_20210430.pdf

*****

*****

*****

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Message Attachment failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to the Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid token.

Error Sample Data

Get Message Attachment failed.

Status Code: 400.

Message: Invalid token.

Get Message Detail

Retrieves details on the specified message.

READER NOTE

Message ID is a required parameter to run this command.

  • Run the Get Message List command to obtain Message ID. Message IDs can be found in the returned raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Message ID

Required

The ID of the message to retrieve details. Message IDs can be obtained using the Get Message List command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200
    },
    "data": [
        {
            "id": "*****",
            "mimeMessageId": "*****",
            "smash": "*****",
            "subject": "test email jon_test",
            "size": 2896,
            "received": "2021-04-30T22:33:07-07:00",
            "processed": "2021-04-30T22:33:07-07:00",
            "status": "Archived",
            "hasHtmlBody": true,
            "hasTextBody": true,
            "isPassthrough": false,
            "envelopeFrom": {
                "emailAddress": "*****@*****.***",
                "displayableName": "sysint sender"
            },
            "from": {
                "emailAddress": "*****@*****.***",
                "displayableName": "sysint sender"
            },
            "to": [
                {
                    "displayableName": "*****@*****.*****.***",
                    "emailAddress": "*****@*****.*****.***"
                }
            ],
            "cc": [],
            "headerDate": "Sat, 01 May 2021 01:33:07 -0400",
            "headers": [
                {
                    "name": "X-Mimecast-Spam-Score",
                    "values": [
                        "0"
                    ]
                },
                {
                    "name": "Received",
                    "values": [
                        "from null (us-sl-61.us.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n *****.*****.*** with ESMTP id\r\n us-*****; Sat, 01 May 2021\r\n 01:33:07 -0400"
                    ]
                },
                {
                    "name": "Authentication-Results",
                    "values": [
                        "*****.*****.***;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***"
                    ]
                },
                {
                    "name": "Message-Id",
                    "values": [
                        "*****"
                    ]
                },
                {
                    "name": "From",
                    "values": [
                        "\"sysint sender\" <*****@*****.***>"
                    ]
                },
                {
                    "name": "To",
                    "values": [
                        "\"*****@*****.*****.***\" <*****@*****.*****.***>"
                    ]
                },
                {
                    "name": "Mime-Version",
                    "values": [
                        "1.0"
                    ]
                },
                {
                    "name": "X-MC-Unique",
                    "values": [
                        "*****"
                    ]
                },
                {
                    "name": "Subject",
                    "values": [
                        "test email jon_test"
                    ]
                },
                {
                    "name": "Date",
                    "values": [
                        "Sat, 01 May 2021 01:33:07 -0400"
                    ]
                }
            ],
            "attachments": [
                {
                    "id": "*****",
                    "filename": "bodypart.txt",
                    "size": 1453,
                    "extension": "txt",
                    "contentType": "text/plain",
                    "contentId": "",
                    "sha256": "*****",
                    "bodyType": 5
                }
            ],
            "messageBodyPreview": "Hello world",
            "isCcm": false
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "mimeMessageId": "*****",
        "smash": "*****",
        "subject": "test email jon_test",
        "size": 2896,
        "received": "2021-04-30T22:33:07-07:00",
        "processed": "2021-04-30T22:33:07-07:00",
        "status": "Archived",
        "hasHtmlBody": true,
        "hasTextBody": true,
        "isPassthrough": false,
        "envelopeFrom": {
            "emailAddress": "*****@*****.***",
            "displayableName": "sysint sender"
        },
        "from": {
            "emailAddress": "*****@*****.***",
            "displayableName": "sysint sender"
        },
        "to": [
            {
                "displayableName": "*****@*****.*****.***",
                "emailAddress": "*****@*****.*****.***"
            }
        ],
        "cc": [],
        "headerDate": "Sat, 01 May 2021 01:33:07 -0400",
        "headers": [
            {
                "name": "X-Mimecast-Spam-Score",
                "values": [
                    "0"
                ]
            },
            {
                "name": "Received",
                "values": [
                    "from null (us-sl-61.us.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n *****.*****.*** with ESMTP id\r\n us-*****; Sat, 01 May 2021\r\n 01:33:07 -0400"
                ]
            },
            {
                "name": "Authentication-Results",
                "values": [
                    "*****.*****.***;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***"
                ]
            },
            {
                "name": "Message-Id",
                "values": [
                    "*****"
                ]
            },
            {
                "name": "From",
                "values": [
                    "\"sysint sender\" &lt;*****@*****.***&gt;"
                ]
            },
            {
                "name": "To",
                "values": [
                    "\"*****@*****.*****.***\" &lt;*****@*****.*****.***&gt;"
                ]
            },
            {
                "name": "Mime-Version",
                "values": [
                    "1.0"
                ]
            },
            {
                "name": "X-MC-Unique",
                "values": [
                    "*****"
                ]
            },
            {
                "name": "Subject",
                "values": [
                    "test email jon_test"
                ]
            },
            {
                "name": "Date",
                "values": [
                    "Sat, 01 May 2021 01:33:07 -0400"
                ]
            }
        ],
        "attachments": [
            {
                "id": "*****",
                "filename": "bodypart.txt",
                "size": 1453,
                "extension": "txt",
                "contentType": "text/plain",
                "contentId": "",
                "sha256": "*****",
                "bodyType": 5
            }
        ],
        "messageBodyPreview": "Hello world",
        "isCcm": false
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageID": ["*****"],
    "Subject": [ "test email jon_test" ],
    "MessageSize": [2896],
    "From": [ { "emailAddress": "*****@*****.***", "displayableName": "sysint sender" } ],
    "To": [
      {
        "displayableName": "*****@*****.*****.***",
        "emailAddress": "*****@*****.*****.***"
      }
    ],
    "CC": [],
    "AttachmentsFileName": ["bodypart.txt"],
    "AttachmentsSHA256": ["*****"],
    "AttachmentsID": ["*****"],
    "AttachmentsSize": [1453],
    "MessageProcessedDate": ["2021-04-30T22:33:07-07:00"],
    "MessageHasHtmlBody": [true]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

mimeMessageId

smash

subject

size

received

processed

status

hasHtmlBody

hasTextBody

isPassthrough

envelopeFrom

from

to

cc

headerDate

headers

attachments

messageBodyPreview

isCcm

*****

*****

*****

test email jon_test

2896

4/30/2021 10:33:07 PM

4/30/2021 10:33:07 PM

Archived

True

True

False

{
"emailAddress": "*****@*****.***",
"displayableName": "sysint sender"
}

{
"emailAddress": "*****@*****.***",
"displayableName": "sysint sender"
}

[
{
"displayableName": "*****@*****.*****.***",
"emailAddress": "*****@*****.*****.***"
}
]

[]

Sat, 01 May 2021 01:33:07 -0400

[
{
"name": "X-Mimecast-Spam-Score",
"values": [
"0"
]
},
{
"name": "Received",
"values": [
"from null (us-sl-61.us.mimecast.lan [**.**.**.**]) (Using TLS) by\r\n *****.*****.*** with ESMTP id\r\n us-*****; Sat, 01 May 2021\r\n 01:33:07 -0400"
]
},
{
"name": "Authentication-Results",
"values": [
"*****.*****.***;\r\n\tauth=pass smtp.auth=***** smtp.mailfrom=*****@*****.***"
]
},
{
"name": "Message-Id",
"values": [
"*****"
]
},
{
"name": "From",
"values": [
"\"sysint sender\" <*****@*****.***>"
]
},
{
"name": "To",
"values": [
"\"*****@*****.*****.***\" <*****@*****.*****.***>"
]
},
{
"name": "Mime-Version",
"values": [
"1.0"
]
},
{
"name": "X-MC-Unique",
"values": [
"*****"
]
},
{
"name": "Subject",
"values": [
"test email jon_test"
]
},
{
"name": "Date",
"values": [
"Sat, 01 May 2021 01:33:07 -0400"
]
}
]

[
{
"id": "*****",
"filename": "bodypart.txt",
"size": 1453,
"extension": "txt",
"contentType": "text/plain",
"contentId": "",
"sha256": "*****",
"bodyType": 5
}
]

Hello world

Fal

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Message Detail failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid token.

Error Sample Data

Get Message Detail failed.

Status Code: 400.

Message: Invalid token.

Get Message List

Request message lists for any user

Input

Input Parameter

Required/Optional

Description

Example

View

Required

The message list type. Must be one of: INBOX or SENT

INBOX

MailBox

Required

The mailbox of the message list

*****@*****.***

Start Time

Optional

The start date of messages to return in UTC time

2023-07-01 00:00

End Time

Optional

The end date of messages to return in UTC time.

2023-07-11 00:00

Limit

Optional

The number of messages to get. If the value is 0, a negative number, or not specified, the command will use the default value number to get the messages. The default value is 25

10

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200,
        "pagination": {
            "recordStart": 0,
            "pageSize": 25,
            "next": "*****"
        }
    },
    "data": [
        {
            "id": "*****",
            "from": {
                "emailAddress": "Admin account",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "Eddie and 1 other(s)",
                "displayableName": "Eddie and 1 other(s)"
            },
            "received": "2021-04-28T15:14:00-07:00",
            "subject": "Test_Subject",
            "size": 1067,
            "attachmentCount": 0,
            "status": "Archived",
            "smash": "*****",
            "read": false,
            "expired": false,
            "recalled": false,
            "ccm": false
        },
        {
            "id": "*****
            "from": {
                "emailAddress": "Admin account",
                "displayableName": "Admin account"
            },
            "to": {
                "emailAddress": "Eddie and 1 other(s)",
                "displayableName": "Eddie and 1 other(s)"
            },
            "received": "2021-04-28T15:13:00-07:00",
            "subject": "String",
            "size": 1060,
            "attachmentCount": 0,
            "status": "Archived",
            "smash": "*****",
            "read": false,
            "expired": false,
            "recalled": false,
            "ccm": false
        },
        {
            "id": "*****
            "from": {
                "emailAddress": "Domain postMaster address",
                "displayableName": "Domain postMaster address"
            },
            "to": {
                "emailAddress": "Admin account",
                "displayableName": "Admin account"
            },
            "received": "2021-04-28T12:04:00-07:00",
            "subject": "Here's your authentication code",
            "size": 36175,
            "attachmentCount": 0,
            "status": "Archived",
            "smash": "*****",
            "read": false,
            "expired": false,
            "recalled": false,
            "ccm": false
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "from": {
            "emailAddress": "Admin account",
            "displayableName": "Admin account"
        },
        "to": {
            "emailAddress": "Eddie and 1 other(s)",
            "displayableName": "Eddie and 1 other(s)"
        },
        "received": "2021-04-28T15:14:00-07:00",
        "subject": "Test_Subject",
        "size": 1067,
        "attachmentCount": 0,
        "status": "Archived",
        "smash": "*****",
        "read": false,
        "expired": false,
        "recalled": false,
        "ccm": false
    },
    {
        "id": "*****
        "from": {
            "emailAddress": "Admin account",
            "displayableName": "Admin account"
        },
        "to": {
            "emailAddress": "Eddie and 1 other(s)",
            "displayableName": "Eddie and 1 other(s)"
        },
        "received": "2021-04-28T15:13:00-07:00",
        "subject": "String",
        "size": 1060,
        "attachmentCount": 0,
        "status": "Archived",
        "smash": "*****",
        "read": false,
        "expired": false,
        "recalled": false,
        "ccm": false
    },
    {
        "id": "*****
        "from": {
            "emailAddress": "Domain postMaster address",
            "displayableName": "Domain postMaster address"
        },
        "to": {
            "emailAddress": "Admin account",
            "displayableName": "Admin account"
        },
        "received": "2021-04-28T12:04:00-07:00",
        "subject": "Here's your authentication code",
        "size": 36175,
        "attachmentCount": 0,
        "status": "Archived",
        "smash": "*****",
        "read": false,
        "expired": false,
        "recalled": false,
        "ccm": false
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MessageIDs": ["*****","*****","*****"],
    "FromEmailAddress": ["*****","*****","*****"],
    "ToEmailAddress": [
        "Eddie and 1 other(s)",
        "Eddie and 1 other(s)",
        "Admin account"
    ],
    "ReceivedTime": ["2021-04-28T15:14:00-07:00","2021-04-28T15:13:00-07:00","2021-04-28T12:04:00-07:00"],
    "ReceivedTimeUTC": ["2021-04-28T22:14:00+00:00","2021-04-28T22:13:00+00:00","2021-04-28T19:04:00+00:00"],
    "Subject": [ "Test_Subject", "String", "Here's your authentication code"],
    "AttachmentAccount": [0,0,0]    
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

from

to

received

subject

size

attachmentCount

status

smash

read

expired

recalled

ccm

*****

{
"emailAddress": "Admin account",
"displayableName": "Admin account"
}

{
"emailAddress": "Eddie and 1 other(s)",
"displayableName": "Eddie and 1 other(s)"
}

4/28/2021 3:14:00 PM

Test_Subject

1067

0

Archived

*****

False

False

False

False

*****

{
"emailAddress": "Admin account",
"displayableName": "Admin account"
}

{
"emailAddress": "Eddie and 1 other(s)",
"displayableName": "Eddie and 1 other(s)"
}

4/28/2021 3:13:00 PM

String

1060

0

Archived

*****

False

False

False

False

*****

{
"emailAddress": "Domain postMaster address",
"displayableName": "Domain postMaster address"
}

{
"emailAddress": "Admin account",
"displayableName": "Admin account"
}

4/28/2021 12:04:00 PM

Here's your authentication code

36175

0

Archived

*****

False

False

False

False

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Message List failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Get Message List failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Get Policy

Retrieves a blocked sender policy.

Input

Input Parameter

Required/Optional

Description

Example

Policy ID

Optional

The ID of the blocked sender policy to return. If this parameter is not defined, all blocked sender policies will be returned.

["*****"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "meta": {
            "status": 200
        },
        "data": [
            {
                "option": "no_action",
                "id": "*****
                "policy": {
                    "description": "Test Policy 1404",
                    "fromPart": "envelope_from",
                    "from": {
                        "type": "external_addresses"
                    },
                    "to": {
                        "type": "everyone"
                    },
                    "fromType": "external_addresses",
                    "toType": "everyone",
                    "fromEternal": true,
                    "toEternal": true,
                    "fromDate": "1899-12-31T16:00:00-08:00",
                    "toDate": "2100-01-01T15:59:59-08:00",
                    "override": false,
                    "bidirectional": false,
                    "conditions": {},
                    "enabled": true,
                    "enforced": false,
                    "createTime": "2021-05-17T10:57:00-07:00",
                    "lastUpdated": "2021-05-17T10:57:00-07:00"
                }
            }
        ],
        "fail": []
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "option": "no_action",
        "id": "*****
        "policy": {
            "description": "Test Policy 1404",
            "fromPart": "envelope_from",
            "from": {
                "type": "external_addresses"
            },
            "to": {
                "type": "everyone"
            },
            "fromType": "external_addresses",
            "toType": "everyone",
            "fromEternal": true,
            "toEternal": true,
            "fromDate": "1899-12-31T16:00:00-08:00",
            "toDate": "2100-01-01T15:59:59-08:00",
            "override": false,
            "bidirectional": false,
            "conditions": {},
            "enabled": true,
            "enforced": false,
            "createTime": "2021-05-17T10:57:00-07:00",
            "lastUpdated": "2021-05-17T10:57:00-07:00"
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PolicyId": ["*****"],
    "Description": [ "Test Policy 1404" ],
    "FromType": ["external_addresses"],
    "PolicyBidirectional": [false],
    "ToType": ["everyone"],
    "FromDate": ["1899-12-31T16:00:00-08:00"],
    "ToDate": ["2100-01-01T15:59:59-08:00"]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

option

id

policy

no_action

*****

{
"description": "Test Policy 1404",
"fromPart": "envelope_from",
"from": {
"type": "external_addresses"
},
"to": {
"type": "everyone"
},
"fromType": "external_addresses",
"toType": "everyone",
"fromEternal": true,
"toEternal": true,
"fromDate": "1899-12-31T16:00:00-08:00",
"toDate": "2100-01-01T15:59:59-08:00",
"override": false,
"bidirectional": false,
"conditions": {},
"enabled": true,
"enforced": false,
"createTime": "2021-05-17T10:57:00-07:00",
"lastUpdated": "2021-05-17T10:57:00-07:00"
}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid policy ID.

Error Sample Data

Get Policy failed.

Status Code: 400.

Message:Invalid policy ID.

Get Remediation Incident

Retrieves information about an existing incident.

Input

Input Parameter

Required/Optional

Description

Example

Incident ID

Required

The ID of the incident from the remediation incident list to retrieve information.

["*****"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "meta": {
            "status": 200
        },
        "data": [
            {
                "code": "*****",
                "type": "manual",
                "reason": "test remove 17:33",
                "searchCriteria": {
                    "from": "*****@*****.***",
                    "start": "2021-04-06T16:51:46-07:00",
                    "end": "2021-05-06T16:51:46-07:00"
                },
                "create": "2021-05-06T16:52:40-07:00",
                "modified": "2021-05-06T16:56:21-07:00",
                "remediatedBy": "*****@*****.***",
                "identified": 2,
                "successful": 0,
                "failed": 2,
                "restored": 0,
                "id": "*****"
            }
        ],
        "fail": []
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "code": "*****",
        "type": "manual",
        "reason": "test remove 17:33",
        "searchCriteria": {
            "from": "*****@*****.***",
            "start": "2021-04-06T16:51:46-07:00",
            "end": "2021-05-06T16:51:46-07:00"
        },
        "create": "2021-05-06T16:52:40-07:00",
        "modified": "2021-05-06T16:56:21-07:00",
        "remediatedBy": "*****@*****.***",
        "identified": 2,
        "successful": 0,
        "failed": 2,
        "restored": 0,
        "id": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IncidentId":["*****"],
    "IncidentCode": ["*****"],
    "IncidentType": ["manual"],
    "IncidentReason": [ "test remove 17:33" ],
    "IdentifiedMessages": [2],
    "SuccessfullyRemediatedMessages": [0],
    "FailedRemediatedMessages": [2],
    "MessagesRestored": [0] 
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

code

type

reason

searchCriteria

create

modified

remediatedBy

identified

successful

failed

restored

id

*****

manual

test remove 17:33

{
"from": "*****@*****.***",
"start": "2021-04-06T16:51:46-07:00",
"end": "2021-05-06T16:51:46-07:00"
}

5/6/2021 4:52:40 PM

5/6/2021 4:56:21 PM

*****@*****.***

2

0

2

0

*****

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Remediation Incident failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Get Remediation Incident failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Get TTP Attachment Log

Retrieves TTP attachment logs.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time of the time range to retrieve TTP attachment logs, in UTC time.

2021-03-01 00:00

End Time

Required

The end time of the time range to retrieve TTP attachment logs, in UTC time.

2021-04-27 00:00

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200,
        "pagination": {
            "pageSize": 1,
            "totalCount": 1
        }
    },
    "data": [
        {
            "attachmentLogs": [
                {
                    "senderAddress": "*****@*****.***",
                    "recipientAddress": "*****@*****.***",
                    "fileName": "Mimecast_AccountAssessment_CUSA73A507_Monthly_20210331.pdf",
                    "fileType": "application/pdf",
                    "result": "safe",
                    "actionTriggered": "",
                    "date": "2021-04-01T11:40:51-07:00",
                    "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec",
                    "route": "inbound",
                    "messageId": "*****",
                    "subject": "Mimecast Account Assessment for March 2021",
                    "fileHash": "*****",
                    "definition": "Default Inbound Attachment Protect Definition"
                }
            ]
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data[*].attachmentLogs in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "senderAddress": "*****@*****.***",
        "recipientAddress": "*****@*****.***",
        "fileName": "Mimecast_AccountAssessment_CUSA73A507_Monthly_20210331.pdf",
        "fileType": "application/pdf",
        "result": "safe",
        "actionTriggered": "",
        "date": "2021-04-01T11:40:51-07:00",
        "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec",
        "route": "inbound",
        "messageId": "*****",
        "subject": "Mimecast Account Assessment for March 2021",
        "fileHash": "*****",
        "definition": "Default Inbound Attachment Protect Definition"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "SenderAddresses": ["*****@*****.***"],
    "RecipientAddresses": ["*****@*****.***"],
    "Subjects": [ "Mimecast Account Assessment for March 2021" ],
    "FileNames": ["Mimecast_AccountAssessment_CUSA73A507_Monthly_20210331.pdf"],
    "FileTypes": ["application/pdf"],
    "Result": ["safe"],
    "ActionTriggered": [""],
    "Details": [ "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec" ],
    "MessageIDs": [""],
    "FileHash": ["*****"]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

senderAddress

recipientAddress

fileName

fileType

result

actionTriggered

date

details

route

messageId

subject

fileHash

definition

*****@*****.***

*****@*****.***

Mimecast_AccountAssessment_CUSA73A507_Monthly_20210331.pdf

application/pdf

safe

4/1/2021 11:40:51 AM

Safe
Time taken: 0 hrs, 0 min, 4 sec

inbound

*****

Mimecast Account Assessment for March 2021

*****

Default Inbound Attachment Protect Definition

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get TTP Attachment Log failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Get TTP Attachment Log failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Get URL Logs

Retrieves URL logs.

Input

Input Parameter

Required/Optional

Description

Example

From Date

Optional

The start date of the date range to retrieve URL logs.

2021-05-01 00:00

To Date

Optional

The end date of the date range to retrieve URL logs.

2021-05-26 00:00

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200,
        "pagination": {
            "pageSize": 0
        }
    },
    "data": [
        {
            "clickLogs": []
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Urls": [],
    "DatesActions ": [],
    "Actions": [] 
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get URL Logs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Get URL Logs failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Permit Or Block Sender

Permits or blocks a sender.

Input

Input Parameter

Required/Optional

Description

Example

Action

Required

The action to take against the specified sender. Select "permit" to bypass spam checks, or choose "block" to reject the email.

permit

Recipient

Required

The recipient email to perform the action on.

["*****@*****.***"]

Sender

Required

The sender email to perform the action on.

["*****@*****.***"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "meta": {
            "status": 200
        },
        "data": [
            {
                "id": "MTOKEN:*****
                "sender": "*****@*****.***",
                "to": "*****@*****.***",
                "type": "Permit"
            }
        ],
        "fail": []
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "meta": {
            "status": 200
        },
        "data": [
            {
                "id": "MTOKEN:*****
                "sender": "*****@*****.***",
                "to": "*****@*****.***",
                "type": "Permit"
            }
        ],
        "fail": []
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ID": ["MTOKEN:*****@*****.***"]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

meta

data

fail

{
"status": 200
}

[
{
"id": "MTOKEN:*****
"sender": "*****@*****.***",
"to": "*****@*****.***",
"type": "Permit"
}
]

[]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Permit Or Block Sender failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: To address is not a valid internal address.

Error Sample Data

Permit Or Block Sender failed.

Status Code: 400.

Message: To address is not a valid internal address.

Release Message

Release a currently held message.

READER NOTE

Message ID is a required parameter to run this command.

  • Run the Get Message List command to obtain Message ID. Message IDs can be found in the returned raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Message ID

Optional

The ID of the message to release. Message IDs can be obtained using the Get Message List command.

*****

Output

Raw Data

SAMPLE DATA

JSON
No Sample Data
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
No Sample Data
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

SAMPLE DATA

JSON
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Release Message failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Release Message failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Remove Group Member

Removes the specified group member.

READER NOTE

Group ID are required parameters to run this command.

  • Run the Get Groups command to obtain Group ID. Group IDs can be found in the returned data at the path $.data[*].folder[*].id.

  • Ensure the input email address is already part of the group. If you are unsure, run the Get Group command to retrieve the relevant group ID. Once you have the group ID, you can then use the Get Group Members command to accurately identify and select the member you intend to remove.

Input

Input Parameter

Required/Optional

Description

Example

Email Address

Required

The email address of the group member to remove.

["*****@*****.***"]

Group ID

Required

The ID of the group to remove the group member from. Group ID can be obtained using the Get Groups command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "meta": {
            "status": 200
        },
        "data": [
            {
                "id": "*****",
                "folderId": "*****
                "emailAddress": "*****@*****.***",
                "internal": true
            }
        ],
        "fail": []
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "*****",
        "folderId": "*****
        "emailAddress": "*****@*****.***",
        "internal": true
    }
]
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

folderId

emailAddress

internal

*****

*****

*****@*****.***

True

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remove Group Member failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Error email address not found.

Error Sample Data

Remove Group Member failed.

Status Code: 404.

Message: Error email address not found.

Search File Hash

Identifies if an account has seen a specific file hash within messages over the last year. A maximum of 100 hashes can be submitted in a single call. Note: The command does not currently support image file hashes.

Input

Input Parameter

Required/Optional

Description

Example

Hash

Required

The file hashes to search.

["eNo*****Fzw"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200
    },
    "data": [
        {
            "hashStatus": [
                {
                    "hash": "*****",
                    "detected": false
                }
            ],
            "failedHashes": []
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data[*].hashStatus in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "hash": "*****",
        "detected": false
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "HashStatusDetected":  [false]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

hash

detected

*****

False

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search File Hash failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Search File Hash failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Update Group

Updates the specified group.

READER NOTE

Group ID are required parameters to run this command.

  • Run the Get Groups command to obtain Group ID. Group IDs can be found in the returned data at the path $.data[*].folder[*].id.

Parent ID is an optional parameter to run this command.

  • Run the Get Groups command to obtain a Parent ID. Parent IDs can be found in the returned raw data at the path $.data[*].folders[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Group ID

Required

The ID of the group to update. Parent ID can be found from the Get Groups command.

*****

Group Name

Required

The name of the group to update.

testgroup34

Parent ID

Optional

The ID of the group's parent group. Parent ID can be found from the Get Groups command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "meta": {
        "status": 200
    },
    "data": [
        {
            "hashStatus": [
                {
                    "hash": "*****",
                    "detected": false
                }
            ],
            "failedHashes": []
        }
    ],
    "fail": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from the path $.data in the API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": "******
        "description": "testgroup34",
        "source": "cloud",
        "parentId": "******
        "userCount": 0,
        "folderCount": 0
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "GroupId": ["*****"],
    "GroupName": ["testgroup34"],
    "ParentId": ["*****"]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

description

source

parentId

userCount

folderCount

*****

testgroup34

cloud

*****

0

0

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Update Group failed.

Status Code: 400.

Message: App ID is invalid: xxx.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 404 means that the request URL does not exist. Refer to Response Codes | Mimecast for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: App ID is invalid: xxx.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: App ID is invalid: xxx.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.