
Flat File - Mimecast Email V 2.0 : Email Logs

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0 : Email Logs | Base Rule | Email Handling Message | Information |
| V 2.0 : Anti-Spoofing Lockout Messages | Sub Rule | Failed Spoofing Activity | Failed Attack |
| V 2.0 : Connection Attempt Messages | Sub Rule | Connection Information | Information |
| V 2.0 : Envelope Rejected Messages | Sub Rule | Couldn't Get Envelope Of Message In Inbox Folder | Error |
| V 2.0 : Invalid Recipient Address Messages | Sub Rule | Blocked Message No Valid Recipients | Failed Activity |
| V 2.0 : IP Found In RBL Messages | Sub Rule | Blocked Message RBL Match | Failed Activity |
| V 2.0 : Manual Envelope Rejection Messages | Sub Rule | ReadFromMessage : Unable To Get Message Envelope | Error |
| V 2.0 : Message Loop Detected Messages | Sub Rule | Infinite Loop Detected | Warning |
| V 2.0 : Virus Signature Detection Messages | Sub Rule | Suspicious E-mail Activity | Suspicious |
| V 2.0 : DMARC Sender Invalid Messages | Sub Rule | Blocked Message Sender Address Rejected | Failed Activity |
| V 2.0 : Email Accepted | Sub Rule | Email Accepted | Information |
| V 2.0 : Email Rejected | Sub Rule | Email Session Disposed - Reject | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| datetime | N/A | N/A | The date and time that the email was received by the Mimecast MTA. |
| aCode | <vmid> | Text/String | The unique ID used to track the email through the different log types. |
| acc | N/A | N/A | The Mimecast account code for your account. |
| MimecastIP | N/A | N/A | The source IP is one of the Mimecast IPs, e.g. Mimecast Personal Portal. |
| reason | <reason> | Text/String | The reason that the click was blocked. |
| fileName | <objectname> | Text/String | N/A |
| Sender | <sender> | Text/String | The sender of the email. |
| SpamLimit | <quantity> | Number | The Spam limit defined for the given sender and recipient. |
| HLD | N/A | N/A | The reason the email was held for review (quarantined), if applicable. |
| Delivered | <status> | Text/String | Whether the email was delivered successfully or not. |
| URL | <url> | Text/String | The URL clicked. |
| SHA256 | <hash> | Text/String | SHA256 hash. |
| IP | <sip> | IP Address | The source IP of the sending mail server. |
| Source IP | <snatip> | IP Address | The source IP of the original message. |
| AttSize | <size> | Number | The total size of all attachments on the email. |
| UrlCategory | N/A | N/A | The category of the URL that was clicked. |
| Receipient | <recipient> | Text/String | The recipient of the original message. |
| Size | N/A | N/A | Size. |
| Act | <action> <tag1> | Text/String | N/A |
| DIR | N/A | N/A | The direction of the email based on the sending and receiving domains. |
| AttCnt | N/A | N/A | The number of attachments on the email. |
| ScanResultInfo | N/A | N/A | The reason that the click was blocked. |
| MsgId | <object> | Text/String | The internet message ID of the email. |
| IPNewDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a new domain. |
| SenderDomain | <domainorigin> | Text/String | The sender domain. |
| Subject | <subject> | Text/String | The subject of the email, limited to 150 characters. |
| IPReplyMismatch | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to have a mismatch in the reply-to address. |
| ReceiptAck | N/A | N/A | The receipt acknowledgment message received by Mimecast from the receiving mail server. |
| Definition | N/A | N/A | The definition |
| headerFrom | <login> | Text/String | The sender address found in the From header of the email. |
| Hits | N/A | N/A | Number of items flagged for the message. |
| fileExt | <objecttype> | Text/String | The file extension. |
| IPInternalName | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from an internal user name. |
| Route | <policy> | Text/String | The Mimecast delivery route used. |
| Action | N/A | N/A | The action taken for this message. |
| sha1 | N/A | N/A | SHA1 hash. |
| Rcpt | <recipient> | Text/String | The recipient of the email. |
| AttNames | N/A | N/A | The filenames of all attachments on the email. |
| Latency | <amount> | Number | The time in milliseconds that the delivery attempt took. |
| TaggedExternal | N/A | N/A | The message has been tagged as originating from an external source. |
| SpamInfo | N/A | N/A | Information from Mimecast Spam scanners for messages found to be Spam. |
| MsgSize | N/A | N/A | The total size of the email. |
| TaggedMalicious | N/A | N/A | The message has been tagged as malicious. |
| fileMime | N/A | N/A | The file MIME type. |
| TlsVer | <protname> | Text/String | The TLS version used if the email was received using TLS. |
| IPThreadDict | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. |
| Virus | <threatname> | Text/String | The name of the virus found on the email, if applicable. |
| InternalName | N/A | N/A | The email was detected to be from an internal user name. |
| md5 | N/A | N/A | MD5 hash. |
| Cphr | N/A | N/A | The TLS cipher used if the email was received using TLS. |
| IPSimilarDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a similar domain to any domain you have registered as an Internal Domain. |
| Attempt | N/A | N/A | The count of attempts that the Mimecast MTA has made to deliver the email. |
| CustomName | N/A | N/A | The message has matched a custom name. |
| SpamProcessingDetail | N/A | N/A | The Spam processing details for DKIM, SPF, DMARC. |
| SenderDomainInternal | N/A | N/A | The sender domain is a registered internal domain. |
| NewDomain | N/A | N/A | The email was detected to be from a new domain. |
| SpamScore | N/A | N/A | The Spam score the email was given. |
| SimilarInternalDomain | N/A | N/A | The sender's domain is similar to a registered internal domain. |
| Error | N/A | N/A | Information about any errors that occurred during receipt. |
| Snt | <bytesout> | Number | The amount of data in bytes that was delivered. |
| CustomerIP | N/A | N/A | The source IP is one of the account's authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account. |
| SimilarCustomExternalDomain | N/A | N/A | The sender's domain is similar to a custom external domain list. |
| RejCode | <responsecode> | Number | The rejection code, for messages rejected by the receiving mail server. |
| UseTls | N/A | N/A | N/A |
| SimilarMimecastExternalDomain | N/A | N/A | The sender's domain is similar to a Mimecast managed list of domains. |
| RejInfo | N/A | N/A | The rejection information if the email was rejected at the receipt stage. |
| ReplyMismatch | N/A | N/A | The reply address does not correspond to the sender's address. |
| RejType | <result> <tag2> | Text/String | The rejection type if the email was rejected at the receipt stage. |
| Err | N/A | N/A | Information about any errors that occurred during receipt. |
| ThreatDictionary | N/A | N/A | The content of the email was detected to contain words in the Mimecast threat dictionary. |
| CustomThreatDictionary | N/A | N/A | The content of the email was detected to contain words in a custom threat dictionary. |
