Mimecast 2.0 - Cloud Collector - Attachment Protect logs

Since setting up Mimecast 2.0 Cloud Collector, all Attachment Protect logs get grouped under ‘Virus Alerts’ under Log Sources and key information such as Scan result etc. isn’t included in the logs.

If the Virus Alert Detection Rule is set to Create Investigations, every Attachment Protect log triggers an Alert/investigation regardless of the Scan result.

Ideally, we only want an Investigation for where Scan Result is malicious, and the Action is none. Both these fields aren’t in the Attachment Protect log so we can’t configure exceptions or filter.

Is anyone else seeing the same?
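The filtering the post asks for, as an added example (not from the original thread or from Mimecast): a small triage function that creates an investigation only when the scan result is malicious and the action is none, and that sends events lacking those two fields to a separate review bucket instead of raising an alert for every Attachment Protect log. The field names `scanResult` and `actionTriggered` and the sample events are assumptions constructed for this example, not the connector's actual schema.

```python
"""Triage filter for Attachment Protect events (added example).

Only events with a malicious scan result AND an action of "none" (nothing
blocked or quarantined the attachment) should become investigations.
Events that lack the two fields, as described for the 2.0 Cloud
Collector, cannot be judged, so they go to a review bucket rather than
auto-creating an alert for every Attachment Protect log.

NOTE: the field names `scanResult` and `actionTriggered` are assumed
for this example; they are not confirmed Mimecast schema.
"""
from enum import Enum


class Triage(Enum):
    INVESTIGATE = "investigate"     # malicious and not actioned
    CLOSE = "close"                 # safe, or already quarantined/blocked
    NEEDS_REVIEW = "needs_review"   # result/action fields missing


def _normalise(value):
    """Lower-case and trim a field so 'Malicious' and 'malicious' match."""
    return None if value is None else str(value).strip().lower()


def triage_event(event: dict) -> Triage:
    """Decide what to do with one Attachment Protect event."""
    result = _normalise(event.get("scanResult"))      # assumed field name
    action = _normalise(event.get("actionTriggered")) # assumed field name
    if result is None or action is None:
        # Cannot tell whether this was malicious: do not auto-investigate,
        # but do not silently close it either.
        return Triage.NEEDS_REVIEW
    if result == "malicious" and action == "none":
        return Triage.INVESTIGATE
    return Triage.CLOSE


def triage_batch(events):
    """Group a batch of events by triage decision; returns {Triage: [messageId]}."""
    buckets = {t: [] for t in Triage}
    for ev in events:
        buckets[triage_event(ev)].append(ev.get("messageId", "<no-id>"))
    return buckets


# Constructed sample events (not real Mimecast output).
SAMPLE_EVENTS = [
    {"messageId": "msg-001", "scanResult": "malicious", "actionTriggered": "none"},
    {"messageId": "msg-002", "scanResult": "Malicious", "actionTriggered": "quarantined"},
    {"messageId": "msg-003", "scanResult": "safe", "actionTriggered": "none"},
    {"messageId": "msg-004"},  # 2.0 connector style: fields absent
]


if __name__ == "__main__":
    for decision, ids in triage_batch(SAMPLE_EVENTS).items():
        print(f"{decision.value:13s} {ids}")
```

Until the collector supplies the scan result and action fields, every event lands in the review bucket, which is exactly the situation the post describes; the function is written so that nothing is auto-closed on missing data.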

Same thing here as soon as we changed to the 2.0 connector. It’s a waste of time going through them individually, but there’s not much you can do other than bulk closing.

We are looking at how this works with a view to only creating investigations for malicious alerts.

If you have specific feedback on how to make it better in your environment, please reach out to your account team and they will connect you to the product manager.