Collect Mimecast Mail logs

Supported in:

This document explains how to ingest Mimecast Mail logs to Google Security Operations using API. This parser extracts key-value pairs from Mimecast email server logs, categorizes the log stage (RECEIPT, PROCESSING, or DELIVERY), and maps the extracted fields to the UDM. It also performs specific logic for handling security results, including determining the action, category, severity, and threat information based on various fields like Act, RejType, SpamScore, and Virus.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Mimecast Mail.

Configure Logging in Mimecast

  1. Sign in to the Mimecast Administration Console.
  2. Go to Administration > Account > Account Settings.
  3. Select Enhanced Logging.
  4. Enable the following log types:
    • Inbound
    • Outbound
    • Internal
  5. Click Save.

Configure API in Mimecast

  1. Go to Services > API and Platform Integrations.
  2. Locate Mimecast API 1.0 and click Generate Keys.
  3. Provide the following configuration details:
    • Application Name: (for example, Google SecOps).
    • Category: choose SIEM Integration.
    • Enable Extended Session on the Service Application.
    • Description: (for example, Google SecOps API integration).
    • Click Next.
  4. Provide the following Notification configuration details:
    • Developer: enter the name of the technical point of contact.
    • Email: enter an email address for the technical point of contact.
    • Click Next.
  5. Review the Summary information and click Add.
  6. Copy and save the Application ID and Application Key.

Configure User Access and Secret Keys in Mimecast

  1. Click the newly registered API Application from the application list.
  2. Click Create Keys.
  3. Provide the following configuration details:
    • Email Address: enter the email address of the dedicated administrator user account.
    • Click Next.
    • Authentication Type: select Cloud or Domain, depending on your configured authentication method.
    • Password: enter the password for the dedicated administrator user.
    • Click Next.
    • Copy both Access and Secret keys.
    • Click Next to exit the wizard.

Configure a feed in Google SecOps to ingest Mimecast Mail logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed; for example, Mimecast Mail Logs.
  4. Select Third party API as the Source type.
  5. Select Mimecast as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • Authentication HTTP Header Configuration: enter authentication details in the following format: secret_key:{Access Secret}
      access_key:{Access key}
      app_id:{Application ID}
      app_key:{application key}
    • API Hostname: fully qualified domain name of your Mimecast API endpoint. The typical format is xx-api.mimecast.com. If not provided, it will be region-specific in the US and Europe. This field cannot be empty for other regions.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field UDM Mapping Logic
acc metadata.product_log_id The value of acc from the raw log is mapped to metadata.product_log_id.
Act security_result.action If Act is Acc, the UDM field is set to ALLOW. If Act is Rej, the UDM field is set to BLOCK. If Act is Hld or Sdbx, the UDM field is set to QUARANTINE.
AttNames about.file.full_path The AttNames field is parsed, removing quotes and spaces, and split into individual filenames. Each filename is then mapped to a separate about.file.full_path field within an about object.
AttSize about.file.size The value of AttSize is converted to an unsigned integer and mapped to about.file.size.
Dir network.direction If Dir is Internal or Inbound, the UDM field is set to INBOUND. If Dir is External or Outbound, the UDM field is set to OUTBOUND. Also used to populate a detection_fields entry in security_result.
Err security_result.summary The value of Err is mapped to security_result.summary.
Error security_result.summary The value of Error is mapped to security_result.summary.
fileName principal.process.file.full_path The value of fileName is mapped to principal.process.file.full_path.
filename_for_malachite principal.resource.name The value of filename_for_malachite is mapped to principal.resource.name.
headerFrom network.email.from The value of headerFrom is mapped to network.email.from if Sender is not a valid email address. Also used to populate a detection_fields entry in security_result.
IP principal.ip or target.ip If stage is RECEIPT, the value of IP is mapped to principal.ip. If stage is DELIVERY, the value of IP is mapped to target.ip.
MsgId network.email.mail_id The value of MsgId is mapped to network.email.mail_id.
MsgSize network.received_bytes The value of MsgSize is converted to an unsigned integer and mapped to network.received_bytes.
Rcpt target.user.email_addresses, network.email.to The value of Rcpt is added to target.user.email_addresses. If Rcpt is a valid email address, it is also added to network.email.to.
Recipient network.email.to The value of Recipient is added to network.email.to if Rcpt is not a valid email address.
RejCode security_result.description Used as part of the security_result.description field.
RejInfo security_result.description Used as part of the security_result.description field.
RejType security_result.description, security_result.category_details Used as part of the security_result.description field. The value of RejType is also mapped to security_result.category_details. Used to determine security_result.category and security_result.severity.
Sender principal.user.email_addresses, network.email.from The value of Sender is added to principal.user.email_addresses. If Sender is a valid email address, it is also mapped to network.email.from. Also used to populate a detection_fields entry in security_result.
Snt network.sent_bytes The value of Snt is converted to an unsigned integer and mapped to network.sent_bytes.
SourceIP principal.ip If stage is RECEIPT and IP is empty, the value of SourceIP is mapped to principal.ip.
SpamInfo security_result.severity_details Used as part of the security_result.severity_details field.
SpamLimit security_result.severity_details Used as part of the security_result.severity_details field.
SpamScore security_result.severity_details Used as part of the security_result.severity_details field. Also used to determine security_result.severity if RejType is not set.
Subject network.email.subject The value of Subject is mapped to network.email.subject.
Virus security_result.threat_name The value of Virus is mapped to security_result.threat_name. Set to EMAIL_TRANSACTION by default, but changed to GENERIC_EVENT if neither Sender nor Recipient/Rcpt are valid email addresses. Always set to Mimecast. Always set to Mimecast MTA. Set to Email %{stage}, where stage is determined based on the presence and values of other log fields. Always set to MIMECAST_MAIL. Set based on RejType or SpamScore. Defaults to LOW if neither is available.
sha1 target.file.sha1 The value of sha1 is mapped to target.file.sha1.
sha256 target.file.sha256 The value of sha256 is mapped to target.file.sha256.
ScanResultInfo security_result.threat_name The value of ScanResultInfo is mapped to security_result.threat_name.
Definition security_result.summary The value of Definition is mapped to security_result.summary.

Changes

2025-02-06

Enhancement:

  • Changed mapping of filename_for_malachite from target.process.file.full_path to principal.resource.name.
  • Changed mapping of fileName from principal.process.file.full_path to target.process.file.full_path.

2025-01-23

Enhancement:

  • Mapped md5 to target.file.md5.
  • Changed mapping of filename_for_malachite from principal.resource.name to target.process.file.full_path.
  • Mapped urlCategory to principal.url_metadata.categories.
  • Mapped credentialTheft to security_result.detection_fields.
  • Mapped reason to security_result.summary.

2024-11-13

Enhancement:

  • Mapped URL to principal.url.

2024-08-05

Enhancement:

  • Mapped sourceIp to principal.ip and principal.asset.ip.
  • Mapped url to principal.url.
  • Mapped msgid to network.email.mail_id.
  • Mapped subject to network.email.subject.
  • Mapped senderDomain, AttNames, and AttCnt to security_result.detection_fields.

2023-03-31

Enhancement:

  • Mapped filename_for_malachite to principal.resource.name.
  • Mapped fileName to principal.process.file.full_path.
  • Mapped sha256 to target.file.sha256.
  • Mapped sha1 to target.file.sha1.
  • Added conditional check for aCode.

Need more help? Get answers from Community members and Google SecOps professionals.