
Mimecast collector

Overview

Mimecast is a cloud-based anti-spam and archive filtering service for securing business email accounts and communications. This collector protects an enterprise’s email infrastructure from viruses, malware, phishing, and the rise of deep-fake attacks. It also makes it possible to automate the recovery of archived and affected emails for continuous use. It can predict and anticipate attacks and deal with losses from ransomware attacks using data archiving. The Devo Mimecast Collector uses the Mimecast API to extract all the relevant information and send it as events to Devo.

Data sources

| Data Source | Description | API Endpoint | Devo Table |
|---|---|---|---|
| Audit | Audit Events | /api/audit/get-audit-events | mail.mimecast.audit.events |
| Attachments | Attachment Protection Logs | /api/ttp/attachment/get-logs | mail.mimecast.ttp.attachment |
| Impersonation | TTP Impersonation Protect Logs | /api/ttp/impersonation/get-logs | mail.mimecast.ttp.impersonation |
| Url | TTP URL Logs | /api/ttp/url/get-logs | mail.mimecast.ttp.url |
| Search | Search Logs | /api/archive/get-search-logs | mail.mimecast.archive.search |
| View | Archive Message View Logs | /api/archive/get-view-logs | mail.mimecast.archive.messageview |
| Threatfeed | Threat Intel Feed | /api/ttp/threat-intel/get-feed | mail.mimecast.threat.feed |
| Messageholdlist | Hold Message List | /api/gateway/get-hold-message-list | mail.mimecast.message.list |
| Messageholdsummary | Message Hold Summary List | /api/gateway/get-hold-summary-list | mail.mimecast.message.summary |
| Dashboard | Dashboard Notifications | /api/account/get-dashboard-notifications | mail.mimecast.account.dashboard |
| Siem | SIEM Logs | /api/audit/get-siem-logs | mail.mimecast.siem.receipt, mail.mimecast.siem.process, mail.mimecast.siem.delivery, mail.mimecast.siem.jrnl, mail.mimecast.siem.av, mail.mimecast.siem.iep, mail.mimecast.siem.impersonation, mail.mimecast.siem.spameventthread, mail.mimecast.siem.ttp |

For more information on how the events are parsed, visit our page.

Vendor setup

There are some requirements to configure the Mimecast collector:

  • Creating user API keys. Refer to the Mimecast official documentation for more information.

  • Accessing your API applications.

  1. Log in to the Administration Console.

  2. Click on the Administration toolbar button.

  3. Select the Services/API and Platform Integrations menu item.

Once your API applications are displayed, you can:

  • Add an application.

  • Edit an application.

  • Delete an application.

Refer to the Mimecast official documentation for more information.

Accepted authentication methods

The Mimecast Collector needs the four keys that the API uses:

  • API Application ID (app_id).

  • API Key (app_key).

  • Access Key (access_key).

  • Secret Key (secret_key).

API Application ID & API Key

  1. Click Add API Application.

  2. Fill in the Details section below and click Next.

  3. Fill in the Settings section as outlined below and click Next.

  4. Review the Summary page to ensure all details are correct. To fix any errors:

     • Click on the Edit link next to the Details or Settings to return to the relevant page.

     • Make your changes and click on the Next button to proceed to the Summary page again.

  5. Click on the Add button. The Add API Application panel will display.

  6. Copy the Application ID and the Application Key.

  7. Wait 30 minutes and click on the application. Click the X button to return to the list of API applications.

Access Key & Secret Key

  1. Click on API Application from the application list.

  2. Click Create Keys. A Create Keys wizard displays with the Account tab selected.

  3. Enter the Email Address of your service account.

  4. Click Next.

  5. Complete the Authentication dialog.

  6. Enter the Code within 15 minutes.

  7. Click Next. The keys tab is displayed with the generated keys hidden by default.

Permissions

Follow these steps if you want to create a custom administrative role for the API service account user:

  1. Navigate to Administration → Account → Roles.

  2. Click New Role.

  3. Enter a Role Name and Description.

  4. In the Application Permissions section select the boxes for each required role to be used by the service account. Click Save.

  5. Locate the newly created role and click on the role name.

  6. Click Add User to Role.

  7. Click on the email address of the API service user account.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).