Cyware Orchestrate

Add Group Member

This action adds user email addresses or domains to a profile group.

Create Address Alteration Definition (Beta)

This action creates an address alteration definition within an address alteration set or at the root level.

Create Address Alteration Policy

This action creates a new address alteration policy that applies an alteration definition based on sender and recipient values.

Create Address Alteration Set

This action creates a new address alteration set.

Create Anti-Spoofing Policy

This action creates an anti-spoofing spf-based bypass policy. you can create a maximum of 50 policies simultaneously.

Create Blocked Sender Policy

This action creates new policies for blocked senders, enabling management of sender and recipient restrictions.

Create Group

This action creates new profile groups at the root level or as child groups. groups can be used to apply permissions and policies.

Create Managed URL

This action adds new URL entries in managed URLs for URL protection.

Create Policy with Targets (Beta)

This action creates a Web Security Block or Allow List policy for domains or URLs.

Create Remediation Incident (Beta)

This action creates a new remediation incident by messageid, file hash, or a URL contained in an email.

Decode URL

This action decodes a list of Mimecast-encoded URLs.

Delete Address Alteration Definition

This action removes an existing address alteration definition within an address alteration set.

Delete Address Alteration Policy

This action removes an existing address alteration policy.

Delete Anti-Spoofing Policy

This action deletes an existing Anti-Spoofing SPF-based Bypass policy.

Delete Policy with Targets (Beta)

This action deletes an existing Web Security Block or Allow List policy for domains or URLs.

Find Remediation Incidents

This action searches for existing remediation incidents.

Get Address Alteration Definition

This action retrieves an existing address alteration definition. to make a successful request, you must include at least one action parameter.

Get Address Alteration Policy

This action retrieves the details of an existing address alteration policy.

Get Address Alteration Set

This action retrieves an existing address alteration set.

Get Anti-Spoofing Policy

This action retrieves the details of existing Anti-Spoofing SPF-based Bypass policies.

Get Archive File (Beta)

This action retrieves the archived file or attachment for the given ID.

Get Blocked Sender Policies

This action retrieves blocked sender policies.

Get Current Account Details

This action retrieves the details of a configured Mimecast account.

Get Email Queues

This action retrieves the count of inbound and outbound email queues for the specified times.

Get File (Beta)

This action retrieves the file attachment based on the provided ID.

Get Group Members

This action retrieves group members from groups that exist on a tenant.

Get Held Message List

This action retrieves the count of currently held messages for each hold reason.

Get Hold Message List

This action retrieves information about held messages, including the reason, hold level, sender, and recipients.

Get Managed URLs

This action retrieves all the entries that are currently in an account's Managed URL list.

Get Message Details (Beta)

This action retrieves details about a specific message with the provided ID.

Get Message Info

This action retrieves detailed information about a specific message.

Get Policy with Targets (Beta)

This action retrieves the information about an existing Web Security Block or Allow List policy for domains or URLs.

Get Remediation Incident (Beta)

This action retrieves the information of an existing incident.

Get TTP Attachment Protection Logs

This action returns TTP attachment protection logs from Mimecast.

Get TTP Impersonation Protect Logs

This action retrieves messages containing information flagged by an impersonation protection configuration.

Get TTP URL Logs

This action retrieves TTP URL logs from Mimecast.

List Messages

This action lists archived messages. To perform this action, your user role must have archive, search, or read permission.

Nullify Blocked Sender Policy

This action nullifies a blocked sender policy based on the given ID by creating a new policy with the same items, setting the action to no_action, and marking it as an override.

Permit or Block Sender

This action permits or blocks emails between a provided sender and recipient.

Reject Held Message

This action rejects a currently held message.

Release Held Message

This action releases a currently held message.

Remove Group Member

This action removes members from mimecast profile groups.

Search

This action searches the Mimecast email environment for messages that match the provided criteria. you must provide either advanced track and trace options or a message ID.

Search File Hash

This action searches for the given file hashes within messages.

Search Groups

This action searches for groups in mimecast.

Update Address Alteration Policy

This action updates an existing address alteration policy.

Update Anti-Spoofing Policy

This action updates an existing Anti-Spoofing SPF-based Bypass policy.

Update Group

This action updates the description of mimecast profile groups. You can update a maximum of 10 groups simultaneously.

Update Policy with Targets (Beta)

This action updates an existing Web Security Block or Allow List policy for domains or URLs.

Generic Action

This is a generic action used to make requests to any Mimecast endpoint.

Base URL

Enter the base URL to access Mimecast API.

Text

Required

For more information on supported base URLs, see Mimecast API Documentation.

Client ID

Enter the client ID to authenticate with Mimecast API.

Text

Required

Client Secret

Enter the client secret to authenticate with Mimecast API.

Password

Required

Timeout

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Mimecast.

Integer

Optional

Allowed range:

15-120

Default value:

15

Verify

Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection.

Boolean

Optional

By default, verification is disabled.

Member Information

Enter the information of members to be added as a list.

List

Required

Allowed fields:

id, domain, emailAddress, notes

Address Type

Enter the type of the address to be altered.

Text

Required

Allowed values:

all, envelope_from, envelope_to, from, reply_to, to_cc_bcc, sender

New Address

Enter the new address structure. All domains must be internal.

Text

Required

Allowed formats:

localpart@domainpart, @domainpart, localpart@

Original Address

Enter the original address being considered to rewrite. All domains must be internal.

Text

Required

Allowed formats:

localpart@domainpart, @domainpart, localpart@

Routing

Enter the address alteration definition route.

Text

Required

Allowed values:

all, inbound, outbound

Folder ID

Enter the mimecast secure ID of an address alteration set. If you do not enter the ID, the definition will be created at the root level and will apply to messages without an associated policy.

Text

Optional

You can retrieve the Folder ID using the action Get Address Alteration Set.

Data

Enter the data to create an address alteration policy.

Example:

$JSON[[{"addressAlterationSetId" : "test", "policy" : {"comment":"test", "description" :"test", "to":{"type":"everyone"}, "from":{"type":"everyone"}}}]].

List

Required

Allowed keys:

addressAlterationSetId, policy

Allowed keys for policy:

bidirectional, comment, conditions, description, enabled, enforced, from, fromDate, fromEternal, fromPart, override, to, toDate, toEternal

Description

Enter the name of the Address Alteration Set (folder) to be created.

Text

Required

Parent ID

Enter the Mimecast secure ID of an existing alteration set to create the new set within it. If you do not enter the parent ID, the new set will be created at the root level.

Text

Optional

You can retrieve the Parent ID using the action Get Address Alteration Set.

Data

Enter the anti-spoofing policy data to create the policy.

Example:

$JSON[[{"option": "disable_bypass", "policy": {"comment":"test", "description":"test", "to":{"type":"everyone"},"from":{"type":"everyone"}, "conditions": { "spfdomains": ["test.com"]}}}]]

List

Required

Allowed keys:

option, policy

Allowed keys for policy:

bidirectional, comment, conditions, description, enabled, enforced, from, fromDate, fromEternal, fromPart, override, to, toDate, toEternal

Policy Action

Enter the policy action.

Text

Required

Allowed values:

no_action, block_sender

Policy Information

Enter the policy information.

Key Value

Required

Allowed keys:

bidirectional, comment, conditions, description, enabled, enforced, from, fromDate, fromEternal, fromPart, override, to, toDate, toEternal

Group Information

Enter the information of the new group as a list.

List

Required

Allowed fields:

description (mandatory), parentId

URL Information

Enter the information of the URL to be added as a $JSON[[{action}]].

List

Required

Allowed fields for each URL object:

action (mandatory): Allowed values are permit or block, disableLogClick, comment, disableRewrite, disableUserAwareness, matchType, url

Description

Enter a description of the policy.

Text

Required

Policies

Enter the policy scoping details to create the policy.

Key Value

Required

Allowed keys:

bidirectional, comment, conditions, description, enabled, enforced, from, to, fromDate, fromEternal, fromPart, override, toDate, toEternal

URLs

Enter the URLs along with the corresponding actions for each URL to be applied by this policy.

Key Value

Required

Allowed keys:

action (mandatory), id, type (mandatory), value (mandatory)

Reason

Specify the reason for creating the remediation incident.

Text

Required

Hash or Message ID

Enter the file hash value or the message ID based on the value specified in the search by field. You can leave this empty if you are searching by URL.

Text

Optional

Search by

Enter the message component to search by.

Text

Optional

Allowed values:

hash, messageId, url

Start Date

Enter the start date (in yyyy-mm-dd't'hh:mm:ssz format) of the earliest messages to remediate.

Text

Optional

By default, it starts from the last calendar month.

End Date

Enter the end date (in yyyy-mm-dd't'hh:mm:ssz format) of the most recent messages to remediate.

Text

Optional

By default, it ends at the time of the request.

URL Value

Enter the URL present in the email that requires remediation. This field is mandatory when Search by is set to 'url'. Ensure the URL is decoded and is not the Mimecast-rewritten version.

Text

Optional

Encoded URLs

Enter the list of Mimecast encoded URLs. You can enter a maximum of 25 URLs.

Example:

[{"url": "https://protect-xx.mimecast.com/"}]

List

Required

ID

Enter the Mimecast secure ID of the address alteration definition to delete.

Text

Required

You can retrieve the ID using the action Get Address Alteration Definition.

Policy ID

Enter one or more Mimecast secure IDs of the policies to delete. You can delete a maximum of 500 policies simultaneously.

Example:

{"id":"eNo1jk0LgjAAQP_LrgZumq6CDqYGMxGjFI0uNldq-ZG6mUT_PTt0f4_33qBjlLcsT8EKCOGrXH2dhsK0encTtUeL2vtqsEQcGoru6kHmhWc58Cxzsb1r2nOfSjaWSmdJsgif5ZsT7VSh6MM4wqTMVJ_TisAOL_0Y2o538JKQOEV84dekJ2swA039yOn4aysIYzQDlHd9XbKW1imbhszgsEEGgspcn2jB2i6vK7BCf_M4NoxM9kRA-PkCaGtApA"}

Key Value

Required

You can retrieve the Policy ID using the action Get Address Alteration Policy.

Policy ID

Enter one or more policy IDs to delete. You can delete a maximum of 500 anti-spoofing policies simultaneously.

Key Value

Required

You can retrieve the Policy ID using the action Get Anti-Spoofing Policy.

ID

Enter the ID of an existing policy to delete. You can delete a maximum of 10 policies simultaneously.

Key Value

Required

You can retrieve the ID using the action Get Policy with Targets.

Filter by

Enter the value to filter the response based on the incident type.

Key Value

Optional

Allowed keys:

fieldName, value

Search by

Enter the value to search the results.

Key Value

Optional

Allowed keys:

fieldName, value

Start Date

Enter the start date of the earliest incident to return in yyyy-mm-dd't'hh:mm:ssz format.

Text

Optional

End Date

Enter the end date of the latest incident to return in yyyy-mm-dd't'hh:mm:ssz format.

Text

Optional

Folder ID

Enter the folder ID that contains the address alteration definitions.

Text

Optional

You can retrieve the Folder ID using the action Get Address Alteration Set.

New Address

Enter the new address structure. All domains must be internal.

Example:

sample1@sample.com

Text

Optional

Allowed formats:

localpart@domainpart, @domainpart, localpart@

Original Address

Enter the original address to be rewritten. All domains must be internal.

Example:

sample@sample.com

Text

Optional

Allowed formats:

localpart@domainpart, @domainpart, localpart@

Routing

Enter the address alteration definition route.

Text

Optional

Allowed values:

all, inbound, outbound

Policy ID

Enter the policy ID to retrieve its details.

If you do not enter an ID, this action retrieves the details of all policies.

Key Value

Optional

You can retrieve the Policy ID using the action Get Address Alteration Policy.

Folder ID

Enter the mimecast secure ID of the alteration set (folder). If you do not enter an ID, this action retrieves all sets.

Text

Optional

You can retrieve the folder ID using the action Get Address Alteration Set.

Depth

Enter the depth for recursing the address alteration set.

Integer

Optional

Default value:

1

Policy IDs

Enter the ID of the policy to retrieve the details. If you do not enter the ID, this action retrieves details of all the policies.

Key Value

Optional

You can retrieve the policy ID using the action Get Anti-Spoofing Policy.

File or Attachment ID

Enter the Mimecast ID of the message attachment.

Text

Required

Policy IDs

Enter the list of IDs of blocked sender policies. If you do not enter any ID, all blocked sender policies will be returned.

Example:

$LIST["eNo1jk0LgjAAQP_LrgZtU6cGHcwKpmFFKRpdbC618iN1mkT_PTt0f4_33qDhTNQ8i8EM6GbveEQS8gkZ25cJIy1hVlL0yy70TUw2xEtd_zz13KWlr--q-tzH0kqTctugaaCdp4kdOHKHST8MMMpTeSdYQWGjGbsQrmz34EY-tW_hRVyjls7BBFTlI2PDr42RouIJYKJpy5zXrIz5OGR5hwUyEcQKGemO101WFmCG_uZxqDgdbQShAj9fpGo_lQ"]

List

Optional

You can retrieve the policy ID using the action Get Blocked Sender Policies.

End

Enter the most recent date for message queues in ISO 8601 format.

Example:

2015-11-16t14:49:18+0000

Text

Required

Start

Enter the earliest date for message queues in ISO 8601 format.

Example:

2015-11-16t14:49:18+0000

Text

Required

File or Attachment ID

Enter the Mimecast ID of the message attachment.

Text

Required

Group ID

Enter the Mimecast ID of the group.

Text

Required

Admin

Choose true to return results for all recipients. Id you choose false, it returns results only for the currently authenticated user.

Boolean

Optional

Default value:

false

Field Name

Enter the message fields to filter the response.

Text

Optional

Allowed values:

all, subject, sender, recipient, reasonCode, senderIP

Value

Enter the text to filter the results.

Text

Optional

Start Date

Enter the start time of the earliest message to return in yyyy-mm-dd't'hh:mm:ssz format.

Text

Optional

End Date

Enter the end time of the latest message to return in yyyy-mm-dd't'hh:mm:ssz format.

Text

Optional

Page Size

Enter the number of results to retrieve on each page.

Integer

Optional

Default value:

100

Number of Pages

Enter the number of result pages to retrieve.

Integer

Optional

Domain or Content

Enter the domain or content to search in managed URLs.

Text

Optional

Domain or URL

Enter the domain or URL to filter the results.

Text

Optional

Exact Match

Choose true to retrieve results that exactly match the value provided for the domain or URL parameter. If you choose false, this will return results that include partial matches as well.

Boolean

Optional

Default value:

false

Filter by

Enter the filters for the override type field.

List

Optional

Allowed values:

all, permitted, blocked

Sort by URL

Choose true to sort the response by URL.

Boolean

Optional

Default value:

false

Sort Order

Sort the response in either ascending or descending order. You can use this only when Sort by URL is used.

Text

Optional

Allowed values:

asc, desc

Default value:

asc

Message ID

Enter the ID of the message to retrieve details.

Text

Required

You can retrieve the message ID using the action List Messages.

Message ID

Enter the Mimecast ID of the message.

Text

Required

You can retrieve the message ID using the action List Messages.

ID

Enter the ID of an existing policy to retrieve the details.

Text

Required

Remediation Incident IDs

Enter the list of remediation incident IDs.

List

Required

You can retrieve the remediation incident ID using the action Find Remediation Incidents.

Result

Enter the result of the scan to filter logs.

Text

Optional

Allowed values:

safe, malicious, timeout, error, unsafe, all

Default value:

all

Oldest First

Choose true to retrieve results with the oldest logs first.

Boolean

Optional

Default value:

false

Route

Enter the value of the route to filter the response.

Text

Optional

Allowed values:

inbound, outbound, internal, all

Default value:

all

Start Date

Enter the start date in yyyy-mm-dd't'hh:mm:ssz format from which you want to retrieve the logs.

Text

Optional

By default, it starts from the beginning of the current day.

End Date

Enter the end date in yyyy-mm-dd't'hh:mm:ssz format up to which you want to retrieve the logs.

Text

Optional

By default, it ends at the time of the request.

Page Size

Enter the number of results to retrieve on each page.

Integer

Optional

Default value:

100

Number of Pages

Enter the number of result pages to retrieve.

Integer

Optional

Actions

Enter the actions to filter the response.

List

Optional

Allowed values:

hold, bounce, none

Identifiers

Enter the identifiers to filter the response.

List

Optional

Allowed values:

similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, targeted_threat_dictionary, custom_external_domain, mimecast_external_domain, advanced_similar_internal_domain, advanced_custom_external_domain, advanced_mimecast_external_domain, custom_name_list

Oldest First

Choose true to retrieve results with the oldest logs first.

Boolean

Optional

Default value:

false

Query

Enter the query to search.

This parameter is required if Search Field parameter is not null.

Text

Optional

Search Field

Enter the field to search for logs.

If a search string is provided, this defaults to all.

Text

Optional

Allowed values:

senderAddress, recipientAddress, subject, definition, all

Tagged Malicious

Choose true to filter for messages that are tagged malicious.

Boolean

Optional

Start Date

Enter the start date in yyyy-mm-dd't'hh:mm:ssz format from which you want to retrieve the logs.

Text

Optional

By default, it starts from the beginning of the current day.

End Date

Enter the end date in yyyy-mm-dd't'hh:mm:ssz format up to which you want to retrieve the logs.

Text

Optional

By default, it ends at the time of the request.

Page Size

Enter the number of results to retrieve on each page.

Integer

Optional

Default value:

100

Number of Pages

Enter the number of result pages to retrieve.

Integer

Optional

Scan Result

Enter the result of the scan to filter logs.

Text

Optional

Allowed values:

clean, malicious, suspicious, all

Default value:

all

Route

Enter the value of the route to filter the response.

Text

Optional

Allowed values:

inbound, outbound, internal, all

Default value:

all

Oldest First

Choose true to retrieve results with the oldest logs first.

Boolean

Optional

Default value:

false

Start Date

Enter the start date in yyyy-mm-dd't'hh:mm:ssz format from which you want to retrieve the logs.

Text

Optional

By default, it starts from the beginning of the current day.

End Date

Enter the end date in yyyy-mm-dd't'hh:mm:ssz format up to which you want to retrieve the logs.

Text

Optional

By default, it ends at the time of the request.

Page Size

Enter the number of results to retrieve on each page.

Integer

Optional

Default value:

100

Number of Pages

Enter the number of result pages to retrieve.

Integer

Optional

View

Enter the type of the message list.

Text

Required

Allowed values:

inbox, sent

Start

Enter the earliest date in ISO 8601 format from which to retrieve messages.

Example:

2015-11-16t14:49:18+0000

Text

Optional

By default, this is set to the last calendar month.

Mailbox

Enter the email address to retrieve the message lis.

Text

Optional

By default, messages for the logged-in user are returned.

Include Delegates

Choose true to include messages for addresses to which the mailbox has delegate permissions.

Boolean

Optional

Default value:

false

Include Aliases

Choose true to include messages sent to alias addresses of the mailbox.

Boolean

Optional

Default value:

true

End

Enter the latest date in ISO 8601 format to retrieve messages up to.

Example:

2015-11-16t14:49:18+0000

Text

Optional

By default, this is set to the end of the current day.

Policy ID

Enter the ID of the policy.

Text

Required

Permit Block Information

Enter the information to permit or block the sender or recipient.

List

Required

Allowed keys:

sender, to, action

IDs

Enter one or more ,imecast secure IDs of the messages to be rejected.

List

Required

You can retrieve the ID using the action List Messages.

Message

Enter the rejection message to be returned to the sender.

Text

Optional

Notify

Choose true to notify the sender about the rejection.

Boolean

Optional

Default value:

false

Reason Type

Enter the code of reason for rejecting the message.

Text

Optional

Allowed values:

MESSAGE CONTAINS UNDESIRABLE CONTENT, MESSAGE CONTAINS CONFIDENTIAL INFORMATION, REVIEWER DISAPPROVES OF CONTENT, INAPPROPRIATE COMMUNICATION, MESSAGE GOES AGAINST EMAIL POLICIES

ID

Enter one or more IDs of the messages to release.

Key Value

Required

You can retrieve the ID using the action List Messages.

Member Information

Enter the information of the members to be removed as a list.

List

Required

Allowed fields:

id, domain, emailAddress.

Advanced Track and Trace Options

Enter the advanced filters as key-value pairs to use in the tracking query.

Key Value

Optional

Allowed keys:

from, senderIp, subject, to, url

Message ID

Enter the internet message ID of the message to track.

Text

Optional

You can retrieve the message ID using the action List Messages.

Search Reason

Enter the reason for tracking an email. This information is used for activity-tracking purposes.

Text

Optional

Route

Enter the values of the route to filter the result.

List

Optional

Allowed values:

internal, inbound, outbound

Status

Enter the list of email statuses to filter the result.

List

Optional

Allowed values:

accepted, processing, bulk_processing, delivery, bulk_delivery, held, bounced, deferred, rejected, archived

Attachments

Choose true to search for emails with attachments.

Boolean

Optional

Start Date

Enter the start date of the earliest message to track in yyyy-mm-dd't'hh:mm:ssz format.

Text

Optional

End Date

Enter the end date of the latest message to track in yyyy-mm-dd't'hh:mm:ssz format.

Text

Optional

Hashes

Enter the list of file hashes to determine if they have been seen within an account.

List

Required

Query

Enter the query string to search for groups.

Text

Optional

Source

Enter the group source to filter the search.

Text

Optional

Allowed values:

cloud, ldap

ID

Enter the Mimecast secure ID of the address alteration policy to be modified.

Text

Required

You can retrieve the ID using the action Get Address Alteration Policy.

Policy

Enter the policy conditions that determine when to apply the alteration set.

Key Value

Required

Allowed keys:

bidirectional, comment, conditions, description, enabled, enforced, from, fromDate, fromEternal, fromPart, override, to, toDate, toEternal

Address Alteration Set ID

Enter the Mimecast secure ID of the address alteration set (folder) to apply this policy.

Text

Optional

You can retrieve the address alteration set ID using the action Get Address Alteration Set.

ID

Enter the ID of an existing policy.

Text

Required

You can retrieve the ID using the action Get Anti-Spoofing Policy.

Option

Enter the action to be performed on the policy.

Text

Required

Allowed values:

disable_bypass, enable_bypass

Policy

Enter the policy scoping details to update.

Key Value

Required

Allowed keys:

bidirectional, comment, conditions, description, enabled, enforced, from, fromDate, fromEternal, fromPart, override, to, toDate, toEternal

Data

Enter the data to update the group.

Example:

$JSON[[{"id" : "test"}]]

List

Required

Allowed keys:

description, id (mandatory), parentId

ID

Enter the ID of the policy to update.

Text

Required

Policies

Enter at least one policy scoping detail to update.

Key Value

Required

Allowed keys:

bidirectional, comment, conditions, description, enabled, enforced, from, fromDate, fromEternal, fromPart, override, to, toDate, toEternal

URLs

Enter the URLs along with the corresponding actions for each URL.

Key Value

Optional

Allowed keys:

action (mandatory), id, type (mandatory), value (mandatory)

Description

Enter the description of the policies for future reference.

Text

Optional

Method

Enter the HTTP method to make the request.

Text

Required

Allowed values:

GET, PUT, POST, DELETE

Endpoint

Enter the endpoint to make the request to.

Example:

api/directory/execute-sync

Text

Required

Query Params

Enter the query parameters to pass to the API.

Key Value

Optional

Payload

Enter the payload to pass to the API.

Any

Optional

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Allowed keys:

payload_json, download, files, filename, retry_wait, retry_count, custom_output, response_type