Collect Mimecast Mail logs
This document describes how you can collect Mimecast Secure Email Gateway logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser with the MIMECAST_MAIL
ingestion label.
Configure Mimecast Secure Email Gateway
- Enable logging for the login account.
- Create the API application.
- Get the application ID and application key.
Enable logging for the login account
- Sign in to the Mimecast Administration console.
- In the Account menu, click Account Settings.
- Expand Enhanced Logging.
- Select the types of logs to enable:
- Inbound: logs messages from external senders to internal recipients.
- Outbound: logs messages from internal senders to external recipients.
- Internal: logs messages within internal domains.
- Click Save to apply the changes.
Create the API application
- Sign in to the Mimecast Administration console.
- Click Add API Application.
- Enter the following details:
- Application name.
- Description for the application.
- Category: Enter one of the following categories:
- SIEM Integration: provides real-time analysis of the security alerts generated by the application.
- MSP Ordering and Provisioning: available for select partners to manage orders in the MSP Portal.
- Email / Archiving: refers to messages and alerts stored in Mimecast.
- Business Intelligence: enables application's infrastructure and tools to access and analyse information to improve and optimize decisions and performance.
- Process Automation: allows for automation of business processes.
- Other: in case the application doesn't fit within any other category.
- Click Next.
- Specify values for the following input parameters:
- Authentication HTTP Header Configuration: enter authentication details in the following format:
secret_key:{Access Secret}
access_key:{Access key}
app_id:{Application ID}
app_key:{application key}
- API Hostname: fully qualified domain name of your Mimecast API endpoint. The typical format is
xx-api.mimecast.com
. If not provided, it will be region-specific in the US and Europe. This field cannot be empty for other regions. - Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
- Authentication HTTP Header Configuration: enter authentication details in the following format:
- Click Next.
- Review the information displayed on the Summary Page.
- To fix errors, follow these steps:
- Click Edit buttons next to Details or Settings.
- Click Next and go to the Summary page again.
Get the application ID and application key
- Click Application and then click Services.
- Click API Application.
- Select the created API application.
- View the application details.
Creating API access and secret key
For information about generating access and secret key, see Creating User Association Key.
## Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds
- Content Hub > Content Packs
Set up feeds from SIEM Settings > Feeds
To configure multiple feeds for different log types within this product family, see Configure feeds by product.
To configure a single feed, follow these steps:
- Click SIEM Settings > Feeds.
- Click Add New.
- Enter the Feed Name.
- Select Third Party API as the Source Type.
- Select Mimecast as the Log Type to create a feed for Mimecast Secure Email Gateway.
- Click Next.
- Configure the Authentication HTTP header by providing the application ID, access key, secret ID, and application key.
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.
Set up feeds from the Content Hub
Specify values for the following fields:
- Authentication HTTP header: provide the application ID, access key, secret ID, and application key.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Source Type: Method used to collect logs into Google SecOps.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels: Labels applied to all events from this feed.
Field mapping reference
This parser extracts key-value pairs from Mimecast email server logs, categorizes the log entry stage (RECEIPT, PROCESSING, or DELIVERY), and maps the extracted fields to the UDM. It also performs specific logic to handle security-related fields, determining the security result action, category, severity, and related details based on values like Act
, RejType
, SpamScore
, and Virus
.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
acc |
metadata.product_log_id |
The value of acc from the raw log is mapped to metadata.product_log_id . |
Act |
security_result.action |
If Act is Acc , the UDM field is set to ALLOW . If Act is Rej , the UDM field is set to BLOCK . If Act is Hld or Sdbx , the UDM field is set to QUARANTINE . |
AttNames |
about.file.full_path |
The AttNames field is parsed, removing quotes and spaces, and split into individual filenames. Each filename is then mapped to a separate about.file.full_path field within an about object. |
AttSize |
about.file.size |
The value of AttSize is converted to an unsigned integer and mapped to about.file.size . |
Dir |
network.direction |
If Dir is Internal or Inbound , the UDM field is set to INBOUND . If Dir is External or Outbound , the UDM field is set to OUTBOUND . Also used to populate a detection_fields entry in security_result . |
Err |
security_result.summary |
The value of Err is mapped to security_result.summary . |
Error |
security_result.summary |
The value of Error is mapped to security_result.summary . |
fileName |
principal.process.file.full_path |
The value of fileName is mapped to principal.process.file.full_path . |
filename_for_malachite |
principal.resource.name |
The value of filename_for_malachite is mapped to principal.resource.name . |
headerFrom |
network.email.from |
The value of headerFrom is mapped to network.email.from if Sender is not a valid email address. Also used to populate a detection_fields entry in security_result . |
IP |
principal.ip or target.ip |
If stage is RECEIPT , the value of IP is mapped to principal.ip . If stage is DELIVERY , the value of IP is mapped to target.ip . |
MsgId |
network.email.mail_id |
The value of MsgId is mapped to network.email.mail_id . |
MsgSize |
network.received_bytes |
The value of MsgSize is converted to an unsigned integer and mapped to network.received_bytes . |
Rcpt |
target.user.email_addresses , network.email.to |
The value of Rcpt is added to target.user.email_addresses . If Rcpt is a valid email address, it is also added to network.email.to . |
Recipient |
network.email.to |
The value of Recipient is added to network.email.to if Rcpt is not a valid email address. |
RejCode |
security_result.description |
Used as part of the security_result.description field. |
RejInfo |
security_result.description |
Used as part of the security_result.description field. |
RejType |
security_result.description , security_result.category_details |
Used as part of the security_result.description field. The value of RejType is also mapped to security_result.category_details . Used to determine security_result.category and security_result.severity . |
Sender |
principal.user.email_addresses , network.email.from |
The value of Sender is added to principal.user.email_addresses . If Sender is a valid email address, it is also mapped to network.email.from . Also used to populate a detection_fields entry in security_result . |
Snt |
network.sent_bytes |
The value of Snt is converted to an unsigned integer and mapped to network.sent_bytes . |
SourceIP |
principal.ip |
If stage is RECEIPT and IP is empty, the value of SourceIP is mapped to principal.ip . |
SpamInfo |
security_result.severity_details |
Used as part of the security_result.severity_details field. |
SpamLimit |
security_result.severity_details |
Used as part of the security_result.severity_details field. |
SpamScore |
security_result.severity_details |
Used as part of the security_result.severity_details field. Also used to determine security_result.severity if RejType is not set. |
Subject |
network.email.subject |
The value of Subject is mapped to network.email.subject . |
Virus |
security_result.threat_name |
The value of Virus is mapped to security_result.threat_name . Set to EMAIL_TRANSACTION by default, but changed to GENERIC_EVENT if neither Sender nor Recipient /Rcpt are valid email addresses. Always set to Mimecast . Always set to Mimecast MTA . Set to Email %{stage} , where stage is determined based on the presence and values of other log fields. Always set to MIMECAST_MAIL . Set based on RejType or SpamScore . Defaults to LOW if neither is available. |
sha1 |
target.file.sha1 |
The value of sha1 is mapped to target.file.sha1 . |
sha256 |
target.file.sha256 |
The value of sha256 is mapped to target.file.sha256 . |
ScanResultInfo |
security_result.threat_name |
The value of ScanResultInfo is mapped to security_result.threat_name . |
Definition |
security_result.summary |
The value of Definition is mapped to security_result.summary . |
Changes
2025-02-06
Enhancement:
- Changed mapping of
filename_for_malachite
fromtarget.process.file.full_path
toprincipal.resource.name
. - Changed mapping of
fileName
fromprincipal.process.file.full_path
totarget.process.file.full_path
.
2025-01-23
Enhancement:
- Mapped
md5
totarget.file.md5
. - Changed mapping of
filename_for_malachite
fromprincipal.resource.name
totarget.process.file.full_path
. - Mapped
urlCategory
toprincipal.url_metadata.categories
. - Mapped
credentialTheft
tosecurity_result.detection_fields
. - Mapped
reason
tosecurity_result.summary
.
2024-11-13
Enhancement:
- Mapped
URL
toprincipal.url
.
2024-08-05
Enhancement:
- Mapped
sourceIp
toprincipal.ip
andprincipal.asset.ip
. - Mapped
url
toprincipal.url
. - Mapped
msgid
tonetwork.email.mail_id
. - Mapped
subject
tonetwork.email.subject
. - Mapped
senderDomain
,AttNames
, andAttCnt
tosecurity_result.detection_fields
.
2023-03-31
Enhancement:
- Mapped
filename_for_malachite
toprincipal.resource.name
. - Mapped
fileName
toprincipal.process.file.full_path
. - Mapped
sha256
totarget.file.sha256
. - Mapped
sha1
totarget.file.sha1
. - Added conditional check for
aCode
.
Need more help? Get answers from Community members and Google SecOps professionals.