Since setting up the Mimecast 2.0 Cloud Collector, all Attachment Protect logs get grouped under ‘Virus Alerts’ under Log Sources, and key information such as the Scan result isn’t included in the logs.
If the Virus Alert Detection Rule is set to Create Investigations, every Attachment Protect log triggers an Alert/investigation regardless of the Scan result.
Ideally, we only want an Investigation where the Scan Result is malicious and the Action is none. Neither of these fields is in the Attachment Protect log, so we can’t configure exceptions or filter on them.
Is anyone else seeing the same?
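As an added illustration (not part of the original post, and not Mimecast or collector code), here is the filter the post is asking for, run over a handful of constructed Attachment Protect events. The field names `result` and `actionTriggered` are assumed to match the Mimecast Attachment Protect log schema; if your collector emits different keys, adjust them. Events that arrive without either field are put in a separate bucket instead of being treated as either clean or malicious, which is the situation described above.

```python
import json

# Constructed sample events, not real Mimecast output. The field names
# "result" and "actionTriggered" are assumptions about the Attachment
# Protect log schema; change them to whatever your collector actually emits.
SAMPLE_LINES = [
    '{"fileName": "report.pdf", "senderAddress": "alice@example.com", "result": "safe", "actionTriggered": "none"}',
    '{"fileName": "invoice.docm", "senderAddress": "billing@example.net", "result": "malicious", "actionTriggered": "none"}',
    '{"fileName": "payload.exe", "senderAddress": "mallory@example.org", "result": "malicious", "actionTriggered": "block"}',
    '{"fileName": "quote.xlsx", "senderAddress": "bob@example.com", "result": "unsafe", "actionTriggered": "none"}',
    # Mirrors the problem in the post: a "Virus Alert" event with no scan fields at all.
    '{"fileName": "photo.jpg", "senderAddress": "carol@example.com"}',
]


def parse_event(line):
    """Each log line is one JSON object."""
    return json.loads(line)


def scan_fields(event):
    """Return (result, action) lower-cased, or None if either field is missing."""
    result = event.get("result")
    action = event.get("actionTriggered")
    if result is None or action is None:
        return None
    return result.strip().lower(), action.strip().lower()


def needs_investigation(event):
    """Only a malicious verdict that Mimecast did NOT act on should open an investigation."""
    fields = scan_fields(event)
    if fields is None:
        return False
    result, action = fields
    return result == "malicious" and action == "none"


def triage(lines):
    """Split events into: open an investigation / safe to ignore / cannot decide."""
    buckets = {"investigate": [], "ignore": [], "missing_fields": []}
    for line in lines:
        event = parse_event(line)
        if scan_fields(event) is None:
            # Don't silently alert or silently drop; surface the schema gap.
            buckets["missing_fields"].append(event)
        elif needs_investigation(event):
            buckets["investigate"].append(event)
        else:
            buckets["ignore"].append(event)
    return buckets


if __name__ == "__main__":
    for name, events in triage(SAMPLE_LINES).items():
        print(f"{name}: {[e['fileName'] for e in events]}")
```

Of the five constructed events only `invoice.docm` (malicious, no action taken) lands in `investigate`; the blocked malicious file is noise, and the event with no scan fields is reported separately so the missing data is visible rather than producing an alert per event.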