Overview

Mimecast is a cloud-based, anti-spam, and archive filtering service for securing email accounts and communications for businesses.

Mimecast protects an enterprise’s email infrastructure from viruses, malware, phishing, and the rise of deep-fake attacks. It does this by deploying a layered cyber resilience solution that prevents email-borne infections and reduces data loss by archiving emails. This cloud-based cybersecurity solution also makes it possible to automate the recovery of archived and affected emails for continuous use.

The Mimecast approach to protecting email structures means it can predict or anticipate attacks in order to handle real-time threats. It also deals with data loss from ransomware attacks using data archiving, which eliminates the need to meet ransom demands, as well as struggle with downtime. Mimecast can also be deployed to tackle those annoyingly ‘spammy’ messages that keep cluttering inboxes.

For those who already use any of the popular email management brands such as Microsoft Office 365, Outlook, or Google’s Gsuite, Mimecast’s cloud-based nature makes it compatible with them. It can be deployed to tackle spam, ransomware, or other cybersecurity challenges.

The Devo Mimecast Collector uses the Mimecast API to extract all the relevant information an send it as events to Devo.

Data sources

Data source	Description	API endpoint	Devo table
Attachments	Attachment Protection Logs	`/api/ttp/attachment/get-logs`	`mail.mimecast.ttp.attachment`
Audit	Audit Events	`/api/audit/get-audit-events`	`mail.mimecast.audit.events`
Dashboard	Dashboard Notifications	`/api/account/get-dashboard-notifications`	`mail.mimecast.account.dashboard`
Impersonation	TTP Impersonation Protect Logs	`/api/ttp/impersonation/get-logs`	`mail.mimecast.ttp.impersonation`
Messageholdlist	Hold Message List	`/api/gateway/get-hold-message-list`	`mail.mimecast.message.list`
Messageholdsummary	Message Hold Summary List	`/api/gateway/get-hold-summary-list`	`mail.mimecast.message.summary`
Search	Search Logs	`/api/archive/get-search-logs`	`mail.mimecast.archive.search`
Siem	SIEM Logs	`/api/audit/get-siem-logs`	`mail.mimecast.siem.receipt` `mail.mimecast.siem.process` `mail.mimecast.siem.delivery` `mail.mimecast.siem.jrnl` `mail.mimecast.siem.av` `mail.mimecast.siem.iep` `mail.mimecast.siem.impersonation` `mail.mimecast.siem.spameventthread` `mail.mimecast.siem.ttp`
Siem (API v2)	SIEM Batch Logs	`/siem/v1/batch/events/cg`	`mail.mimecast.siem.av_v2` `mail.mimecast.siem.delivery_v2` `mail.mimecast.siem.ieo_v2` `mail.mimecast.siem.impersonation_v2` `mail.mimecast.siem.jrnl_v2` `mail.mimecast.siem.process_v2` `mail.mimecast.siem.receipt_v2` `mail.mimecast.siem.attachment_v2` `mail.mimecast.siem.spam_v2` `mail.mimecast.siem.url_v2`
Threatfeed	Threat Intel Feed	`/api/ttp/threat-intel/get-feed`	`mail.mimecast.threat.feed`
Url	TTP URL Logs	`/api/ttp/url/get-logs`	`mail.mimecast.ttp.url`
View	Archive Message View Logs	`/api/archive/get-view-logs`	`mail.mimecast.archive.messageview`

For more information on how the events are parsed, visit our page.

Vendor setup

Version 2 of the API

Overview

Mimecast API 2.0 uses OAuth 2.0 to authenticate with the new Mimecast API Gateway using a dedicated Application (created and configured by the customer). To register and configure an Application:

For Email Security Cloud Gateway customers:
- From Mimecast Administration Console navigate to: Administration | Services | API and Platform Integrations | Available Integrations, locate the Mimecast API 2.0 tile and select Generate Keys. Please see the following KB article for further information on Managing API 2.0 Applications: https://community.mimecast.com/s/article/api-integrations-managing-mimecast-api-2-0-applications
- To successfully create and manage Mimecast API 2.0 applications, the Security Permissions setting for a logged in administrators' role, must be able to Manage Application Roles. Please see the following KB article for further information on managing roles: Customer Community
For Email Security Cloud Integrated customers
- Navigate to Configuration | API 2.0 Applications
- Select New Application

Authentication

After this process, the two keys that the Mimecast Collector API 2.0 needs are created, the keys are:

Client ID(client_id).
Client Secret ( client_secret)

Version 1 of the API

Overview

Following steps are necessary for setup at the Mimecast side.

Log in from https://www.mimecast.com/tech-connect/documentation/api-overview/api-concepts/

Accessing your API applications:

Log on to the Administration Console.
Click on the Administration toolbar button.
Select the Services | API and Platform Integrations menu item.

With your API applications displayed you can:

Add an application
Edit an application
Delete an application

Further information may be found here: https://community.mimecast.com/s/article/Managing-API-Applications-505230018

Creating user API keys:

Scroll to middle of: https://www.mimecast.com/tech-connect/documentation/api-overview/api-concepts/ for detailed instructions.

Authentication

The Mimecast Collector needs four keys that the API uses, the four keys are:

API Application ID(app_id).
API Key(app_key).
Access Key(access_key).
Secret Key(secret_key).

Credentials

API Application ID & API Key

	Steps
1	Click Add API Application.
2	Fill in the Details section as outlined below:
3	Click Next.
4	Fill in the Settings section as outlined below:
5	Click Next.
6	Review the Summary page to ensure all details are correct. To fix any errors: Click on the Edit link next to the Details or Settings to return to the relevant page. Make your changes and click on the Next button to proceed to the Summary page again.
7	Click on the Add button. The application's details display in a slide-in panel.
8	Copy and paste the Application ID and Application Key to a safe place for use later in the process.
9	Wait 30 minutes and click on the application in your list. A panel opens. While waiting for the application to become live, you may go through the Prerequisites section of Creating User Association Keys.
10	Click on the X to return to the list of API applications.

More details https://community.mimecast.com/s/article/Managing-API-Applications-505230018#Creating-an-API-user-Authentication-Profile .

Access Key & Secret Key

1	Click on API Application from the application list.
2	Click Create Keys. A "Create Keys" wizard is displayed with the Account tab selected.
3	Enter the Email Address of your service account
4	Click Next.
5	Complete the Authentication dialog:
6	Click Next. The Verification tab is displayed.
7	If you are using a 2-step authentication mechanism, a verification code is sent to you by SMS or email.
8	Enter the Code within 15 minutes.
9	Click Next. The Keys tab is displayed with the generated keys hidden by default. Click on the icon to display a key. Click on the icon to copy the key to your clipboard.
10	Click on the Finish button to exit the wizard and return to the application list.

More details https://community.mimecast.com/s/article/Managing-API-Applications-505230018#Creating-an-API-user-Authentication-Profile .

Permissions (both API 1 and 2)

Each API call has a prerequisite section that tells you what permissions are needed for the call. Usually, a Basic Administrator role will suffice, which should allow you to use the same API keys generated for multiple API calls under the application.

Service	Permissions
SIEM Audit	Gateway \| Tracking \| Read
Audit	Account \| Logs \| Read
TTP attachment	Monitoring \| Attachment Protection \| Read
TTP impersonation	Monitoring \| Impersonation Protection \| Read
TTP URL	Monitoring \| URL Protection \| Read
Archive search	Archive \| Search Logs \| Read
Archive view	Archive \| View Logs \| Read
TTP Thread intel	Services \| Gateway \| Tracking \| Read
Message Hold List	Account \| Dashboard \| Read
Message Hold Summary	Account \| Monitoring \| Held Summary \| Read
Dashboard	Account \| Dashboard \| Read

If you want to create a custom administrative role for this API service account user:

Navigate to Administration | Account | Roles.
Click New Role.
Enter a Role Name and Description.
In the Application Permissions section, select the boxes for each required role to be used by the service user account.
Click Save and Exit.
Locate the newly created role and click on the role name.
Click Add User to Role.
Click on the email address of the API service user account.

If you want to add the service account user to an existing role:

Navigate to Administration | Account | Roles.
Click on the administrator role the user will be added to.
Click Add User to Role.
Click on the email address of the API service user account.

More details https://community.mimecast.com/s/article/Managing-API-Applications-505230018#Creating-an-API-user-Authentication-Profile .

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

API limits and duplicates

The Mimecast API has some call rate limits. When a limit is reached, the collector shows a 429 error. More details about MImecast limits can be found here and here

The Mimecast API sometimes sends duplicate events (it is not common). The collector tries to filter out the duplicates, but it is not possible to guarantee that all duplicates are deleted.

Change log

Release	Released on	Release type	Recommendations
`v2.1.1`	24 Sep 2024	BUG FIXING	`Recommended version`
`v2.1.1`	Details Bug fixes Solved CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 updating base image.
`v2.1.0`	20 Sep 2024	NEW FEATURES IMPROVEMENTS
`v2.1.0`	Details New features Integrated Mimecast API v2 for SIEM events, using Batch download New tables for new event formats mail.mimecast.siem.av_v2 mail.mimecast.siem.delivery_v2 mail.mimecast.siem.ieo_v2 mail.mimecast.siem.impersonation_v2 mail.mimecast.siem.jrnl_v2 mail.mimecast.siem.process_v2 mail.mimecast.siem.receipt_v2 mail.mimecast.siem.attachment_v2 mail.mimecast.siem.spam_v2 mail.mimecast.siem.url_v2 Improvements Changed default cycle value to 300 seconds for SIEM service, to avoid 429 from the API Migrated to DCSDK version 1.12.4 Fixed error related a ValueError exception not well controlled. Fixed error related with loss of some values in internal messages (collector_name, collector_id and job_id) Improve Controlled stop when InputProcess is killed Change internal queue management for protecting against OOMK Extracted ModuleThread structure from PullerAbstract Improve Controlled stop when both processes fails to instatiate
`v2.0.1`	05 Aug 2024	NEW FEATURES IMPROVEMENTS	`-`
`v2.0.1`	Details New features Integrated both Mimecast API v2 and API v1 Deleted duplited SIEM events New parameter for SIEM service inicialization Improvements Some small fixes and changes for robustness Migrated to DCSDK version 1.12.2 Added new sender for relay in house + TLS Added persistence functionality for gzip sending buffer Added Automatic activation of gzip sending Improved behaviour when persistence fails Upgraded DevoSDK dependency to v5.4.0 Fixed console log encoding Restructured python classes Improved behaviour with non-utf8 characters Decreased defaut size value for internal queues (Redis limitation, from 1GiB to 256MiB) New persistence format/structure (compression in some cases) Removed dmesg execution (It was invalid for docker execution)
`v1.2.0`	10 May 2024	IMPROVEMENTS	`-`
`v1.2.0`	Details Improvements Upgraded the mimecast api from v1 to v2. Updated DCSDK from 1.10.2 to 1.11.1

Mimecast collector

Overview

Data sources

Vendor setup

Overview

Authentication

Overview

Authentication

Credentials

Permissions (both API 1 and 2)

Run the collector

API limits and duplicates

Change log