Collect Mimecast Mail logs

Supported in:

This document describes how you can collect Mimecast Secure Email Gateway logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MIMECAST_MAIL ingestion label.

Configure Mimecast Secure Email Gateway

  1. Enable logging for the login account.
  2. Create the API application.
  3. Get the application ID and application key.

Enable logging for the login account

  1. Sign in to the Mimecast Administration console.
  2. In the Account menu, click Account Settings.
  3. Expand Enhanced Logging.
  4. Select the types of logs to enable:
    • Inbound: logs messages from external senders to internal recipients.
    • Outbound: logs messages from internal senders to external recipients.
    • Internal: logs messages within internal domains.
  5. Click Save to apply the changes.

Create the API application

  1. Sign in to the Mimecast Administration console.
  2. Click Add API Application.
  3. Enter the following details:
    1. Application name.
    2. Description for the application.
    3. Category: Enter one of the following categories:
      • SIEM Integration: provides real-time analysis of the security alerts generated by the application.
      • MSP Ordering and Provisioning: available for select partners to manage orders in the MSP Portal.
      • Email / Archiving: refers to messages and alerts stored in Mimecast.
      • Business Intelligence: enables application's infrastructure and tools to access and analyse information to improve and optimize decisions and performance.
      • Process Automation: allows for automation of business processes.
      • Other: in case the application doesn't fit within any other category.
  4. Click Next.
  5. Specify values for the following input parameters:
    • Authentication HTTP Header Configuration: enter authentication details in the following format: secret_key:{Access Secret}
      access_key:{Access key}
      app_id:{Application ID}
      app_key:{application key}
    • API Hostname: fully qualified domain name of your Mimecast API endpoint. The typical format is xx-api.mimecast.com. If not provided, it will be region-specific in the US and Europe. This field cannot be empty for other regions.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  6. Click Next.
  7. Review the information displayed on the Summary Page.
  8. To fix errors, follow these steps:
    • Click Edit buttons next to Details or Settings.
    • Click Next and go to the Summary page again.

Get the application ID and application key

  1. Click Application and then click Services.
  2. Click API Application.
  3. Select the created API application.
  4. View the application details.

Creating API access and secret key

For information about generating access and secret key, see Creating User Association Key.

Set up feeds

To configure this log type, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Click the Mimecast feed pack.

  4. Specify the values for the following fields:

    • Source Type: Third party API (recommended)
    • Authentication HTTP header: provide the providing the application ID, access key, secret ID, and application key.
    • API Hostname: specify the domain name of your Mimecast host.

    Advanced options

    • Feed Name: A prepopulated value that identifies the feed.
    • Asset Namespace: Namespace associated with the feed.
    • Ingestion Labels: Labels applied to all events from this feed.

  5. Click Create Feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

Field mapping reference

This parser extracts key-value pairs from Mimecast email server logs, categorizes the log entry stage (RECEIPT, PROCESSING, or DELIVERY), and maps the extracted fields to the UDM. It also performs specific logic to handle security-related fields, determining the security result action, category, severity, and related details based on values like Act, RejType, SpamScore, and Virus.

UDM mapping table

Log Field UDM Mapping Logic
acc metadata.product_log_id The value of acc from the raw log is mapped to metadata.product_log_id.
Act security_result.action If Act is Acc, the UDM field is set to ALLOW. If Act is Rej, the UDM field is set to BLOCK. If Act is Hld or Sdbx, the UDM field is set to QUARANTINE.
AttNames about.file.full_path The AttNames field is parsed, removing quotes and spaces, and split into individual filenames. Each filename is then mapped to a separate about.file.full_path field within an about object.
AttSize about.file.size The value of AttSize is converted to an unsigned integer and mapped to about.file.size.
Dir network.direction If Dir is Internal or Inbound, the UDM field is set to INBOUND. If Dir is External or Outbound, the UDM field is set to OUTBOUND. Also used to populate a detection_fields entry in security_result.
Err security_result.summary The value of Err is mapped to security_result.summary.
Error security_result.summary The value of Error is mapped to security_result.summary.
fileName principal.process.file.full_path The value of fileName is mapped to principal.process.file.full_path.
filename_for_malachite principal.resource.name The value of filename_for_malachite is mapped to principal.resource.name.
headerFrom network.email.from The value of headerFrom is mapped to network.email.from if Sender is not a valid email address. Also used to populate a detection_fields entry in security_result.
IP principal.ip or target.ip If stage is RECEIPT, the value of IP is mapped to principal.ip. If stage is DELIVERY, the value of IP is mapped to target.ip.
MsgId network.email.mail_id The value of MsgId is mapped to network.email.mail_id.
MsgSize network.received_bytes The value of MsgSize is converted to an unsigned integer and mapped to network.received_bytes.
Rcpt target.user.email_addresses, network.email.to The value of Rcpt is added to target.user.email_addresses. If Rcpt is a valid email address, it is also added to network.email.to.
Recipient network.email.to The value of Recipient is added to network.email.to if Rcpt is not a valid email address.
RejCode security_result.description Used as part of the security_result.description field.
RejInfo security_result.description Used as part of the security_result.description field.
RejType security_result.description, security_result.category_details Used as part of the security_result.description field. The value of RejType is also mapped to security_result.category_details. Used to determine security_result.category and security_result.severity.
Sender principal.user.email_addresses, network.email.from The value of Sender is added to principal.user.email_addresses. If Sender is a valid email address, it is also mapped to network.email.from. Also used to populate a detection_fields entry in security_result.
Snt network.sent_bytes The value of Snt is converted to an unsigned integer and mapped to network.sent_bytes.
SourceIP principal.ip If stage is RECEIPT and IP is empty, the value of SourceIP is mapped to principal.ip.
SpamInfo security_result.severity_details Used as part of the security_result.severity_details field.
SpamLimit security_result.severity_details Used as part of the security_result.severity_details field.
SpamScore security_result.severity_details Used as part of the security_result.severity_details field. Also used to determine security_result.severity if RejType is not set.
Subject network.email.subject The value of Subject is mapped to network.email.subject.
Virus security_result.threat_name The value of Virus is mapped to security_result.threat_name. Set to EMAIL_TRANSACTION by default, but changed to GENERIC_EVENT if neither Sender nor Recipient/Rcpt are valid email addresses. Always set to Mimecast. Always set to Mimecast MTA. Set to Email %{stage}, where stage is determined based on the presence and values of other log fields. Always set to MIMECAST_MAIL. Set based on RejType or SpamScore. Defaults to LOW if neither is available.
sha1 target.file.sha1 The value of sha1 is mapped to target.file.sha1.
sha256 target.file.sha256 The value of sha256 is mapped to target.file.sha256.
ScanResultInfo security_result.threat_name The value of ScanResultInfo is mapped to security_result.threat_name.
Definition security_result.summary The value of Definition is mapped to security_result.summary.

Need more help? Get answers from Community members and Google SecOps professionals.