Document toolboxDocument toolbox

Mimecast collector

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
7 min read
[ 1 Overview ] [ 2 Data sources ] [ 3 Vendor setup ] [ 4 Accepted authentication methods ] [ 5 Run the collector ]

Overview

Mimecast is a cloud-based, anti-spam, and archive filtering service for securing email accounts and communications for businesses. This collector protects an enterprise’s email infrastructure from viruses, malware, phishing, and the rise of deep-fake attacks. It also makes it possible to automate the recovery of archived and affected emails for continuous use. It can predict and anticipate attacks and deal with losses from ransomware attacks using data archiving. The Devo Mimecast Collector uses the Mimecast API to extract all the relevant information and send it as events to Devo.

Data sources

Data Source

Description

API Endpoint

Devo Table

Data Source

Description

API Endpoint

Devo Table

Audit

Audit Events

/api/audit/get-audit-events

mail.mimecast.audit.events

Attachments

Attachment Protection Logs

/api/ttp/attachment/get-logs

mail.mimecast.ttp.attachment

Impersonation

TTP Impersonation Protect Logs

/api/ttp/impersonation/get-logs

mail.mimecast.ttp.impersonation

Url

TTP URL Logs

/api/ttp/url/get-logs

mail.mimecast.ttp.url

Search

Search Logs

/api/archive/get-search-logs

mail.mimecast.archive.search

View

Archive Message View Logs

/api/archive/get-view-logs

mail.mimecast.archive.messageview

Threatfeed

Threat Intel Feed

/api/ttp/threat-intel/get-feed

mail.mimecast.threat.feed

Messageholdlist

Hold Message List

/api/gateway/get-hold-message-list

mail.mimecast.message.list

Messageholdsummary

Message Hold Summary List

/api/gateway/get-hold-summary-list

mail.mimecast.message.summary

Dashboard

Dashboard Notifications

/api/account/get-dashboard-notifications

mail.mimecast.account.dashboard

Siem

SIEM Logs

/api/audit/get-siem-logs

mail.mimecast.siem.receipt
mail.mimecast.siem.process
mail.mimecast.siem.delivery
mail.mimecast.siem.jrnl
mail.mimecast.siem.av
mail.mimecast.siem.iep
mail.mimecast.siem.impersonation
mail.mimecast.siem.spameventthread
mail.mimecast.siem.ttp

For more information on how the events are parsed, visit our page.

Vendor setup

There are some requirements to configure the Mimecast collector:

  • Creating user API keys. Refer to the Mimecast official documentation for more information.

  • Accessing your API applications.

  1. Log in to the Administration Console.

  2. Click on the Administration toolbar button.

  3. Select the Services/API and Platform Integrations menu item.

Once your API applications display you can:

  • Add an application.

  • Edit an application.

  • Delete an application.

Refer to the Mimecast official documentation for more information.

Accepted authentication methods

The Mimecast Collector needs four keys that the API uses, the four keys are:

  • API Application ID(app_id).

  • API Key(app_key).

  • Access Key(access_key).

  • Secret Key(secret_key).

API Application ID & API Key

  1. Click Add API Application.

2. Fill in the Details section below and click Next.

3. Fill in the Settings section as outlined below and click Next.

4. Review the Summary page to ensure all details are correct. To fix any errors:

  • Click on the Edit link next to the Details or Settings to return to the relevant page.

  • Make your changes and click on the Next button to proceed to the Summary page again.

5. Click on the Add button. The Add API Application panel will display.

6. Copy the Application ID and the Application Key.

7. Wait 30 minutes and click on the application. Click the X button to return to the list of API applications.

Access Key & Secret Key

  1. Click on API Application from the application list.

  2. Click Create Keys. A Create Keys wizard displays with the Account tab selected.

  3. Enter the Email Address of your service account.

  4. Click next.

  5. Complete the Authentication dialog.

  6. Enter the Code within 15 minutes.

  7. Click Next. The keys tab is displayed with the generated keys hidden by default.

Permissions

Follow these steps if you want to create a custom administrative role for the API service account user:

  1. Navigate to Administration → Account → Roles.

  2. Click New Role.

  3. Enter a Role Name and Description.

  4. In the Application Permissions section select the boxes for each required role to be used by the service account. Click Save.

  5. Locate the newly created role and click on the role name.

  6. Click Add User to Role.

  7. Click on the email address of the API service user account.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).