Mimecast offers an Enhanced Logging feature allowing log file data to be programmatically downloaded from the Mimecast service.
The following data types are available:
- Inbound - logs for messages from external senders to internal recipients
- Outbound - logs for messages from internal senders to external recipients
- Internal - logs for messages between internal domains
Data Types
- MIMECAST_MAIL
Configuration
The Mimecast integration requires the following authentication information to pull data via Mimecast's API endpoint.
- App ID
- App Key
- Account Email Address
- Account Access Key
- Account Secret Key
Create a New User
- Log in to the Mimecast Administrator Console
- Navigate to the Administration --> Directories --> Internal Directories menu item to display a list of internal domains
- Select the internal domain where the new user will be created
- Select the New Address from the menu bar
- Complete the new address form and select Save and Exit to create the new user
- Keep note of the password.
Add the User to an Administrative Role
- While logged into the Mimecast Administrator Console, navigate to the Administration --> Account --> Roles menu item to display the Roles page
- Right click the Basic Administrator role and select Add users to the role
- Browse or search to find the new user created previously
- Select the tick box to the left of the user
- Select the Add selected users button to add the user to the role
Create a New Group and Add New User
- While logged into the Mimecast Administration Console, navigate to Administration --> Directories --> Profile Groups menu item to display the Profile groups page.
- Create a new group by selecting the plus icon on the parent folder. This creates a new group with the name "New Folder".
- To rename the group, select the "New Folder" group. Then, in the Edit group text box, type the name of the folder. For example, the folder could be named EXAMPLE ADMIN. Press the Enter key to apply the changes.
- With the group selected, select the Build drop down button and select Add Email Addresses
- Type the name of the new user created in the previous set of steps.
- Select Save and Exit to add the new user to the group.
Create a New Authentication Profile
- While logged into the Mimecast Administration Console, navigate to the Administration | Services | Applications menu item to display the Application Settings page.
- Select the Authentication Profiles button.
- Select the New Authentication Profile button.
- Type a Description for the new profile.
- Set the Authentication TTL settings to Never Expire. This will make sure that the Authentication Token will not expire and impact the data collection of the app. Because the access and secret keys issued under this profile never expire, treat them as long-lived credentials: store them only in the Chronicle feed configuration or a secrets manager, and rotate them if they are ever exposed.
- Leave all other settings at their defaults.
- Select Save and Exit to create the profile.
Create a New Application Setting
- While logged into the Mimecast Administration Console, navigate to Administration | Services | Applications menu item to display the Application Settings page.
- Select the New Application Settings button.
- Type a Description
- Use the Group Lookup button to select the Group that was created in the previous steps.
- Use the Authentication Profile Lookup button to select the Authentication Profile created in the previous steps.
- Leave all other settings as their defaults.
- Select Save and Exit to create and apply the Application Settings to the new user and group.
Enable Logging
- While logged into the Mimecast Administration Console, navigate to Administration | Account | Account Settings menu item to display the Account Settings page.
- Select the Enhanced Logging section.
- Enable all three types of logs available: Inbound, Outbound, Internal
- Select Save to apply the changes.
NOTE: Once these settings have been saved, the Mimecast MTA will start logging data for the account. Logs should become available for download up to thirty minutes later.
Obtain Authentication Token
Windows (PowerShell)
- Copy/paste the below script into a PowerShell window.
- When prompted, enter the Application ID value received when the application was registered
- Enter the email address and password of the user created for API access
- Copy and paste the accessKey and secretKey values printed to the bottom of the PowerShell window.
# Prompt for the registered application ID and the API user's credentials.
$appId = Read-Host -Prompt 'Input your registered application id'
$creds = Get-Credential

# Step 1: discover the regional API base URL for this account.
$discoverPostBody = @{"data" = ,@{"emailAddress" = $creds.UserName}}
$discoverPostBodyJson = ConvertTo-Json $discoverPostBody
$discoverRequestId = [GUID]::NewGuid().Guid
$discoverRequestHeaders = @{"x-mc-app-id" = $appId;
"x-mc-req-id" = $discoverRequestId; "Content-Type" = "application/json"}
$discoveryData = Invoke-RestMethod -Method Post -Headers $discoverRequestHeaders -Body $discoverPostBodyJson -Uri "https://api.mimecast.com/api/login/discover-authentication"
$baseUrl = $discoveryData.data.region.api

# Step 2: log in against the regional base URL using Basic-Cloud authentication
# (base64 of "email:password") to obtain the access key and secret key.
$uri = $baseUrl + "/api/login/login"
$requestId = [GUID]::NewGuid().Guid
$netCred = $creds.GetNetworkCredential()
$PlainPassword = $netCred.Password
$credsBytes = [System.Text.Encoding]::ASCII.GetBytes($creds.UserName + ":" + $PlainPassword)
$creds64 = [System.Convert]::ToBase64String($credsBytes)
$headers = @{"Authorization" = "Basic-Cloud " + $creds64; "x-mc-app-id" = $appId;
"x-mc-req-id" = $requestId; "Content-Type" = "application/json"}
$postBody = @{"data" = ,@{"username" = $creds.UserName}}
$postBodyJson = ConvertTo-Json $postBody
$data = Invoke-RestMethod -Method Post -Headers $headers -Body $postBodyJson -Uri $uri

# Print the result; copy the accessKey and secretKey values into the Chronicle feed.
"Meta: " + $data.meta.status
"Access key: " + $data.data.accessKey
"Secret key: " + $data.data.secretKey
"Fail: " + $data.fail.errors
macOS/Linux (Bash)
Open the terminal application and type the following command to generate a base64 encoded string from the administrator account's email address and password (created in the previous steps above). Replace email_address and password in the below command. Be sure to include the colon (:) between the email_address and password values, as authentication will fail in a later step without this character.
echo -n 'email_address:password' | openssl base64
Type the following command to use curl to log into the Mimecast API and generate an authentication token:
curl -i -H 'Authorization: Basic-Cloud base64_encoded_username_password' -H 'x-mc-app-id: app_id' -H 'Content-Type: application/json' --data-binary '{"data":[{"username": "email_address"}]}' https://xx-api.mimecast.com/api/login/login
The above command needs the following values replaced:
a. base64_encoded_username_password: the value generated in the previous step
b. app_id: the application ID value received when the application was registered in a previous step
c. xx-api: base URL for the region where the Mimecast account is hosted, as documented in the Systems Requirement section
d. email_address: email address of the administrator user account created previously
An example response to the last step follows:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-control: no-store
Pragma: no-cache
Content-Length: 375
Content-MD5: 124911b164dbd3b9e823610a2eb4996a
Date: Mon, 25 Jul 2016 16:19:37 +0100
Connection: Keep-Alive
{"meta":{"status":200},"data":[{"accessKey":"LOWgx__TRUNCATED__Ect2nN",
"secretKey":"jD9DVicE2__TRUNCATED__EJdC4e/Q\u003d\u003d","duration":3153600000000,
"bindingType":"one_step","extendOnValidate":false}],"fail":[]}
Copy and paste the accessKey and secretKey values from the response.
IMPORTANT!!!
Make sure to replace the \u003d\u003d characters at the end of the secretKey with the characters ==. \u003d is the JSON Unicode escape sequence for the equal sign, =, which the API emits in place of the literal character; a JSON parser decodes it automatically, but a value copied from raw output will not. The actual string is a base64-encoded string and should end with the == padding.
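The following Python is an added example, not taken from this page or from Mimecast's own tooling. It carries the login flow above through offline against a constructed response so the two pitfalls the text calls out can be checked before the keys are pasted into Chronicle: the colon in the Basic-Cloud value, and the \u003d escapes at the end of secretKey, which must decode to valid base64 because the key is base64-decoded before it is used to sign requests. The last function shows that signing step, which follows Mimecast's API 1.0 scheme (Authorization: MC accessKey:signature) and is not described on this page. The email address, password, app ID, app key, endpoint path, request ID and response contents are placeholders.

```python
"""Added example, not taken from the page or from Mimecast's own tooling: the
login flow above carried out offline against a constructed response, so the two
pitfalls the text calls out (the ':' in the Basic-Cloud value and the \\u003d
escapes at the end of secretKey) can be checked before the keys are pasted into
Chronicle. Email, password, app ID, app key, endpoint path and request ID below
are placeholders."""
import base64
import binascii
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


def basic_cloud_header(email: str, password: str) -> str:
    """Same value as `echo -n 'email:password' | openssl base64`. The ':' is the
    separator the service splits on; without it the login call fails."""
    token = base64.b64encode(f"{email}:{password}".encode("ascii")).decode("ascii")
    return f"Basic-Cloud {token}"


# Constructed responses in the shape shown above (keys are placeholders, not real).
SAMPLE_LOGIN_RESPONSE = (
    '{"meta":{"status":200},"data":[{"accessKey":"LOWgxAccessKey",'
    '"secretKey":"c2VjcmV0IQ\\u003d\\u003d","duration":3153600000000,'
    '"bindingType":"one_step","extendOnValidate":false}],"fail":[]}'
)
FAILED_LOGIN_RESPONSE = (
    '{"meta":{"status":401},"data":[],'
    '"fail":[{"errors":[{"message":"constructed failure"}]}]}'
)


def extract_keys(raw_response: str) -> Tuple[str, str]:
    """Read accessKey/secretKey from the login response. A JSON parser decodes
    \\u003d to '=' for you, so secretKey comes back with its '==' padding intact."""
    body = json.loads(raw_response)
    if body["meta"]["status"] != 200 or body["fail"] or not body["data"]:
        raise RuntimeError(f"login failed: {body['fail']}")
    entry = body["data"][0]
    return entry["accessKey"], entry["secretKey"]


def secret_key_is_valid(secret_key: str) -> bool:
    """secretKey must be strict base64, because it is base64-decoded before use as
    an HMAC key. Text still containing the literal characters '\\u003d' fails here."""
    try:
        base64.b64decode(secret_key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def mc_authorization(access_key: str, secret_key: str, app_id: str, app_key: str,
                     uri: str, req_id: Optional[str] = None,
                     date: Optional[str] = None) -> Dict[str, str]:
    """Headers for an authenticated Mimecast API 1.0 request (the step Chronicle
    performs with the collected values; not described on this page):
      Authorization: MC <accessKey>:base64(HMAC-SHA1(b64decode(secretKey),
                     "<x-mc-date>:<x-mc-req-id>:<uri>:<appKey>"))"""
    if not secret_key_is_valid(secret_key):
        raise ValueError("secretKey is not valid base64; replace \\u003d\\u003d with ==")
    req_id = req_id or str(uuid.uuid4())
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    data_to_sign = f"{date}:{req_id}:{uri}:{app_key}".encode("utf-8")
    digest = hmac.new(base64.b64decode(secret_key), data_to_sign, hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode("ascii")
    return {
        "Authorization": f"MC {access_key}:{signature}",
        "x-mc-app-id": app_id,
        "x-mc-date": date,
        "x-mc-req-id": req_id,
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    print(basic_cloud_header("email_address", "password"))
    ak, sk = extract_keys(SAMPLE_LOGIN_RESPONSE)
    print("parsed secretKey:", sk, "valid base64:", secret_key_is_valid(sk))
    # Pasting the raw text with the escapes left in is the failure the note warns about.
    print("raw text valid base64:", secret_key_is_valid("c2VjcmV0IQ\\u003d\\u003d"))
    print(mc_authorization(ak, sk, "app_id_placeholder", "app_key_placeholder",
                           "/api/example-endpoint"))
```

Running it prints a valid signature for the parsed key and `False` for the key with the escapes left in, which is the condition the IMPORTANT note is guarding against: a pasted `\u003d\u003d` is not base64 and every signed request made with it would be rejected.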
Configure a feed in Chronicle
Complete the following steps to configure a feed in Chronicle to ingest the Mimecast logs:
- Go to Chronicle Settings and click Feeds.
- Click Add New.
- Select Third Party API for Source Type.
- Select Mimecast for Log Type.
- Click Next.
- Under Authentication HTTP Header Configuration, paste the values collected by the above process (App ID, App Key, account email address, access key and secret key).
- Click Next and Finish.
Sample Logs
The following is a sample of the logs that Mimecast sends to Chronicle (a single pipe-delimited record, wrapped here for display).
filename_for_malachite=receipt_tse_us01_71_141_00_1c5e8_f69652d4-9c1b-01e4-8c66-75f5afa474d2_20230724.siem|
datetime=2023-07-17T04:00:13-0400|aCode=rMrLeTYxOlyRzB8tAEeeZg|acc=CONT103A400|SpamLimit=28|IP=0.0.0.0|Dir=Outbound|
Subject=RE: Contoso - P61, A95, P01, P02 Project - HW - DN File Jul WK3|
MsgId=<DM8RR02NB7976F23B5E3F216FBC7021DDAF2BA@1M8PR02MB7976.conprd02.prod.outlook.com>|
headerFrom=test@Contosoworldwide.com|Sender=test@Contosoworldwide.com|Rcpt=euser1@contoso.io|
SpamInfo=[]|Act=Acc|TlsVer=TLSv1.2|Cphr=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|SpamScore=0
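As an added example (not part of the original page), the Python below parses the pipe-delimited key=value format of the record above and runs the checks an analyst would typically apply to it: whether the message was accepted (Act), whether transport encryption was weak or absent (TlsVer), and whether the SpamScore reached the account's SpamLimit. The first log line is the sample from the page; the second is constructed to trigger all three checks. The `filename_for_malachite` prefix is Chronicle's own wrapper field and parses like any other key.

```python
"""Added example, not from the original page: a parser for the Mimecast receipt
log format shown above plus a few triage checks. The first line below is the
page's sample; the second is constructed so that every check fires."""
from typing import Dict, List

# Constructed sample lines in the format shown above (values are placeholders).
SAMPLE_LOGS = [
    "filename_for_malachite=receipt_tse_us01_71_141_00_1c5e8_f69652d4-9c1b-01e4-8c66-75f5afa474d2_20230724.siem|"
    "datetime=2023-07-17T04:00:13-0400|aCode=rMrLeTYxOlyRzB8tAEeeZg|acc=CONT103A400|SpamLimit=28|IP=0.0.0.0|Dir=Outbound|"
    "Subject=RE: Contoso - P61, A95, P01, P02 Project - HW - DN File Jul WK3|"
    "MsgId=<DM8RR02NB7976F23B5E3F216FBC7021DDAF2BA@1M8PR02MB7976.conprd02.prod.outlook.com>|"
    "headerFrom=test@Contosoworldwide.com|Sender=test@Contosoworldwide.com|Rcpt=euser1@contoso.io|"
    "SpamInfo=[]|Act=Acc|TlsVer=TLSv1.2|Cphr=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|SpamScore=0",
    # Constructed inbound record: rejected, weak TLS, spam score over the limit.
    "datetime=2023-07-17T04:05:42-0400|aCode=constructedCode0001|acc=CONT103A400|SpamLimit=28|IP=203.0.113.10|Dir=Inbound|"
    "Subject=Invoice attached|MsgId=<constructed-1@mail.example.net>|headerFrom=billing@example.net|"
    "Sender=bounce@example.net|Rcpt=euser1@contoso.io|SpamInfo=[]|Act=Rej|TlsVer=TLSv1.0|"
    "Cphr=TLS_RSA_WITH_AES_128_CBC_SHA|SpamScore=35",
]

# Versions that offer no or obsolete transport protection for the SMTP hop.
WEAK_TLS = {"", "SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_mimecast_line(line: str) -> Dict[str, str]:
    """Split on '|' and then on the first '=' only, so values such as Subject
    ('RE: Contoso - P61, ...') and MsgId ('<...@...>') are kept intact.
    Caveat: a literal '|' inside a Subject would split; the sample carries none."""
    fields: Dict[str, str] = {}
    for segment in line.split("|"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def check_line(fields: Dict[str, str]) -> List[str]:
    """Return a list of findings for one parsed record; empty means nothing notable."""
    findings: List[str] = []
    if fields.get("Act") != "Acc":
        findings.append(f"message not accepted (Act={fields.get('Act')})")
    tls = fields.get("TlsVer", "")
    if tls in WEAK_TLS:
        findings.append(f"weak or missing transport encryption (TlsVer={tls or 'none'})")
    try:
        if int(fields["SpamScore"]) >= int(fields["SpamLimit"]):
            findings.append(
                f"spam score {fields['SpamScore']} at or over limit {fields['SpamLimit']}"
            )
    except (KeyError, ValueError):
        findings.append("SpamScore or SpamLimit missing or non-numeric")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each record's aCode (Mimecast's per-message identifier) to its findings."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        fields = parse_mimecast_line(line)
        results[fields.get("aCode", "<no aCode>")] = check_line(fields)
    return results


if __name__ == "__main__":
    for acode, findings in triage(SAMPLE_LOGS).items():
        print(acode, "->", findings or "no findings")
```

The page's own record comes back clean (accepted, TLSv1.2, score 0 against a limit of 28); the constructed one yields three findings. In practice the same parser runs over the files fetched from the Enhanced Logging feed, and `aCode` is the field to pivot on when correlating a record with the rest of the message's history.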