Mimecast

Integration version: 9.0

Use Cases

  1. Perform ingestion of the messages
  2. Perform triaging action (Reject/Release/Report message)

Configure Mimecast integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https:/<<api root>> Yes API root of the Mimecast instance.
Application ID String N/A Yes Application ID of the Mimecast instance.
Application Key Password N/A Yes Application Key of the Mimecast instance.
Access Key Password N/A Yes Access Key of the Mimecast instance.
Secret Key Password N/A Yes Secret Key of the Mimecast instance.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Mimecast server is valid.

Integration Configuration Nuances

  1. Google Security Operations SOAR server needs to be synced with the Mimecast server.
  2. Information about all of the needed parameters for the configuration are available in the following links: https://community.mimecast.com/s/article/Managing-API-Applications-505230018 and https://community.mimecast.com/s/article/Mimecast-Data-Centers-and-URLs-61190061

Actions

Ping

Description

Test connectivity to Mimecast with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if successful: "Successfully connected to the Mimecast server with the provided connection parameters!"

The action should fail and stop a playbook execution:
if not successful: "Failed to connect to the Mimecast server! Error is {0}".format(exception.stacktrace)

General

Description

Search archive emails using defined parameters in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Fields To Return CSV

attachmentcount,status,subject,
size,receiveddate,displayfrom,
displayfromaddress,id,displayto,
displaytoaddresslist,smash

Yes Specify a comma-separated list of fields that needs to be returned.
Mailboxes CSV N/A No Specify a comma-separated list of mailboxes that need to be searched.
From CSV N/A No Specify a comma-separated list of email addresses from which the emails were sent.
To CSV N/A No Specify a comma-separated list of email addresses to which the emails were sent.
Subject String N/A No Specify a subject that needs to be searched.
Time Frame DDL

Last Hour

Possible Values:

Last Hour

Last 6 Hours

Last 24 Hours

Last Week

Last Month

Custom

Yes Specify a time frame for the search. If "Custom" is selected, you also need to provide "Start Time".
Start Time String N/A No Specify the start time for the search. This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601
End Time String N/A No Specify the end time for the search. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter will use current time.
Max Emails To Return Integration 50 No Specify how many emails to return. Default: 50.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available(is_success = true): "Successfully found archive emails for the provided criteria in Mimecast".

If data is not available (is_success=true): "No archive emails were found for the provided criteria in Mimecast"



The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Simple Archive Search". Reason: {0}''.format(error.Stacktrace)

If Start Time is empty, when "Time Frame" is "Custom": "Error executing action "Simple Archive Search". Reason: "Start Time" should be provided, when "Custom" is selected in "Time Frame" parameter."

If fail/errors has values: Error executing action "Simple Archive Search". Reason: fail/errors/message".

General
Case Wall Table

Name: Results

Columns:

All keys from the response

General

Description

Search archive emails using a custom XML query in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
XML Query XML N/A Yes Specify an XML query that should be used when searching for archive emails. Please visit documentation for more details.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available(is_success = true): "Successfully found archive emails for the provided criteria in Mimecast".

If data is not available (is_success=true): "No archive emails were found for the provided criteria in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Advanced Archive Search". Reason: {0}''.format(error.Stacktrace)

If fail/errors has values: Error executing action "Advanced Archive Search". Reason: fail/errors/message".

General
Case Wall Table

Name: Results

Columns:

All keys from the response

General

Reject Message

Description

Reject message in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Message ID String N/A Yes Specify the ID of the message that needs to be rejected.
Note String N/A No Specify an additional note containing an explanation regarding why the message was rejected.
Reason DLL

Select One

Possible Values:

Select One

Inappropriate Communication

Confidential Information

Against Email Policy

Restricted Content

No Specify the reason for rejection.
Notify Sender Checkbox Unchecked No If enabled, action will notify the sender about rejection.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully rejected message with ID "{ID}" in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Reject Message". Reason: {0}''.format(error.Stacktrace)

If fail/errors has values: Error executing action "Reject Message". Reason: fail/errors/message".

General

Release Message

Description

Release message in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Message ID String N/A Yes Specify the ID of the message that needs to be released.
Release to Sandbox Checkbox N/A No If enabled, action will release the message to the sandbox.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully released message with ID "{ID}" in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Release Message". Reason: {0}''.format(error.Stacktrace)

If fail/errors has values: Error executing action "Release Message". Reason: fail/errors/message".

General

Report Message

Description

Report message in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Message IDs String N/A Yes Specify the ID of the message that needs to be reported.
Report as DDL

Spam

Possible Values:

Spam

Malware

Phishing

No Specify the report type for the message.
Comment String N/A No Specify the comment for the report.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available(is_success = true): "Successfully reported the following messages with ID "{ID}" in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Report Message". Reason: {0}''.format(error.Stacktrace)

If fail/errors has values: Error executing action "Report Message". Reason: fail/errors/message".

General

Block Sender

Description

Block sender in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Sender String N/A Yes Specify the email address of the sender to block.
Recipient String N/A Yes Specify the email address of the recipient to block.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully blocked sender {sender} for recipient {recipient} in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Block Sender". Reason: {0}''.format(error.Stacktrace)

If fail/errors has values: Error executing action "Block Sender". Reason: fail/errors/message".

General

Permit Sender

Description

Permit sender in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Sender String N/A Yes Specify the email address of the sender to permit.
Recipient String N/A Yes Specify the email address of the recipient to permit.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully permitted sender {sender} for recipient {recipient} in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Permit Sender". Reason: {0}''.format(error.Stacktrace)

If fail/errors has values: Error executing action "Permit Sender". Reason: fail/errors/message".

General

Connector

Mimecast - Message Tracking Connector

Description

Pull information about messages from the "Message Tracking" tab in Mimecast.

Configure Mimecast - Message Tracking Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String event_type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Int 180 Yes Timeout limit for the python process running the current script.
API Root String https:/<<api root>> Yes API root of the Mimecast instance.
Application ID String N/A Yes Application ID of the Mimecast instance.
Application Key Password N/A Yes Application Key of the Mimecast instance.
Access Key Password N/A Yes Access Key of the Mimecast instance.
Secret Key Password N/A Yes Secret Key of the Mimecast instance.
Domains CSV N/A Yes A comma-separated list of domains for which to query messages.
Lowest Risk To Fetch String N/A No

Lowest risk that will be used to fetch messages. Possible values:

Negligible, Low, Medium, High.

If nothing is provided, the connector will ingest all messages.

Status Filter CSV held

A comma-separated list of status filters for the messages. Possible values: delivery, held, accepted, bounced, deferred, rejected, archived.

If nothing is provided, the connector will ingest all messages.

Route Filter CSV N/A

A comma-separated route filters for the messages. Possible values: internal, outbound, inbound.

If nothing is provided, the connector will ingest all messages.

Ingest Messages Without Risk Checkbox If enabled, the connector will ingest messages even if there is no info about risk. Google Security Operations SOAR Alerts generated from those messages will have priority set to Informational.
Max Hours Backwards Integer 1 No Amount of hours from where to fetch messages. Default: 1 hour. Max: 30 days.
Max Messages To Return Integer 100 No How many messages to process per one connector iteration. Default: 100.
Use whitelist as a blacklist Checkbox Checked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Mimecast server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports proxy.