...
Mimecast is a cloud-based anti-spam and archive filtering service that secures business email accounts and communications. Mimecast protects an enterprise's email infrastructure from viruses, malware, phishing and the growing number of deep-fake attacks, and it makes it possible to automate the recovery of archived and affected emails for continuous use. It can predict and anticipate attacks and, through data archiving, deal with losses from ransomware attacks.
The Devo Mimecast Collector uses the Mimecast API to extract all the relevant information and send it as events to Devo.
...
There are some requirements to configure the Mimecast collector:
Accessing your API applications.
Creating user API keys. Refer to the Mimecast official documentation for more information.
Accessing your API applications
Once your API applications display you can:
Scroll to the middle of API Concepts for detailed instructions.
Authentication
The Mimecast Collector API 2.0 needs two keys that the API uses:
Client ID (client_id)
Client secret (client_secret)
The steps below still refer to the earlier four-key set: API Application ID, API Key (app_key), Access Key (access_key) and Secret Key (secret_key).
API Application ID & API Key
2. Fill in the Details section below and click Next.
3. Fill in the Settings section as outlined below and click Next.
4. Review the Summary page to ensure all details are correct. To fix any errors:
5. Click on the Add button. The Add API Application panel will display.
6. Copy the Application ID and the Application Key.
7. Wait 30 minutes and click on the application. Click the X button to return to the list of API applications.
Access Key & Secret Key
Permissions
Follow these steps if you want to create a custom administrative role for the API service account user:
Steps and information to generate these keys can be found in this article.
Each API call has a prerequisite section that tells you what permissions are needed for the call. Usually, a basic administrator role will be enough, which should allow you to use the same API keys generated for multiple API calls under the application. If you want to create a custom administrative role for this API service account user, follow these steps:
If you want to add the service account user to an existing role:
Find more details in the Customer Community.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
On-premise collector
This data collector can be run on any machine that has the Docker service available, because it is executed as a Docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for use when running the collector:
Devo credentials
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config.yaml file
Replace the placeholders with your required values following the description table below:
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
Cloud collector
We use a piece of software called Collector Server to host and manage all our available collectors. To enable the collector for a customer:
Editing the JSON configuration
Please replace the placeholders with real-world values following the description table below:
```json
{
  "id": "<short_unique_identifier>",
  "enabled": true,
  "requests_per_second": "requests_per_second_value",
  "base_url": "your_base_url",
  "auth_url": "your_auth_url",
  "pageSize": "page_size_value",
  "autoconfig": {
    "refresh_interval_in_seconds": "refresh_interval_value",
    "creation_timeout_in_second": "creation_timeout_value"
  },
  "credentials": {
    "client_id": "your_client_id",
    "client_secret": "your_client_secret"
  },
  "services": {
    "service_mimecast_siem_client_api": {
      "last_configuration_timestamp": "last_configuration_timestamp_value",
      "endpoints": {
        "siem": {
          "initial_lookback_period": "1d"
        }
      }
    }
  }
}
```
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the
Please replace the placeholders with real-world values following the description table below:

| Parameter | Data Type | Type | Value Range/ Format | Details |
|---|---|---|---|---|
| id | | Mandatory | Minimum length: 1 | Alphanumeric identifier. |
| enabled | | Mandatory | | Enables or disables the input. |
| base_url | | Mandatory | The region related to the API credentials; the string value has to be one of the valid URLs listed in https://integrations.mimecast.com/documentation/api-overview/global-base-urls/. | |
| credentials | | Mandatory | | Credentials to use the API. |
| endpoints | list | Mandatory | Minimum length: 1. Possible values: | An array with at least one endpoint; the collector will pull from the selected endpoints. |
| last_configuration_timestamp | | Mandatory | Date following the next format: | Change this value to a date after the initial configuration to reset the state of the collector. |
| initial_lookback_period | | Mandatory | Number of days, Example: | This value will be subtracted from the current date to execute all queries in that range if no state is detected (Initial execution for example). This value only has an effect for |
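The constraints in the table above can be checked before the configuration is deployed, which catches placeholders left in the file (a secret that still reads `your_client_secret`, a timestamp never set). This is an added example, not Devo's or Mimecast's own code: the sample input is constructed, the region URL in it is assumed, and the rule that a valid base URL is an https host under mimecast.com is an assumption, since the page only links to the list of global base URLs.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the page's JSON with only some placeholders replaced,
# so the validator has something to flag.
SAMPLE_INPUT = {
    "id": "mimecast01",
    "enabled": True,
    "base_url": "https://eu-api.mimecast.com",  # assumed region URL, not from the page
    "credentials": {"client_id": "abc123", "client_secret": "your_client_secret"},
    "services": {
        "service_mimecast_siem_client_api": {
            "last_configuration_timestamp": "last_configuration_timestamp_value",
            "endpoints": {"siem": {"initial_lookback_period": "1d"}},
        }
    },
}

PLACEHOLDER = re.compile(r"^(your_|<.*>$|.*_value$)")  # unreplaced template values
LOOKBACK = re.compile(r"^\d+d$")                        # "number of days", e.g. 1d


def validate_input(cfg: dict) -> list[str]:
    """Return the list of problems found; an empty list means the input looks deployable."""
    problems = []
    ident = cfg.get("id", "")
    if not (isinstance(ident, str) and ident.isalnum()):  # min length 1, alphanumeric
        problems.append("id must be a non-empty alphanumeric identifier")
    if not isinstance(cfg.get("enabled"), bool):
        problems.append("enabled must be true or false")
    url = urlparse(cfg.get("base_url", ""))
    # Assumption: the valid global base URLs are https hosts under mimecast.com
    if url.scheme != "https" or not url.hostname or not url.hostname.endswith(".mimecast.com"):
        problems.append("base_url must be one of the https Mimecast global base URLs")
    creds = cfg.get("credentials", {})
    for key in ("client_id", "client_secret"):
        val = creds.get(key, "")
        if not val or PLACEHOLDER.match(val):
            problems.append(f"credentials.{key} is missing or still a placeholder")
    services = cfg.get("services", {})
    if not services:
        problems.append("at least one service entity must be defined")
    for name, svc in services.items():
        ts = svc.get("last_configuration_timestamp", "")
        if not ts or PLACEHOLDER.match(ts):
            problems.append(f"{name}: last_configuration_timestamp is still a placeholder")
        endpoints = svc.get("endpoints", {})
        if not endpoints:
            problems.append(f"{name}: endpoints must list at least one endpoint")
        for ep, opts in endpoints.items():
            if not LOOKBACK.match(str(opts.get("initial_lookback_period", ""))):
                problems.append(f"{name}.{ep}: initial_lookback_period must be days like '1d'")
    return problems
```

Running `validate_input(SAMPLE_INPUT)` reports the unreplaced client secret and timestamp; a copy with those two values filled in returns an empty list.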
We recommend leaving parameters not in the list at their default values.
Keep in mind that the Mimecast collector has two different inputs:
mimecast_input
mimecast_siem_input
The collector can use both inputs or just one. Each input uses different endpoints and feeds different tables in Devo. Make sure to check the credentials given to determine the inputs and endpoints to use. Using Postman is a great way to check the credentials to each input. Read more here.
| Input | Endpoint | Tables |
|---|---|---|