Collect Mimecast Mail logs

This document describes how you can collect Mimecast Secure Email Gateway logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations .

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MIMECAST_MAIL ingestion label.

Configure Mimecast Secure Email Gateway

1. Enable logging for the login account .
2. Create the API application .
3. Get the application ID and application key .

Enable logging for the login account

1. Sign in to the Mimecast Administration console.
2. In the Accountmenu, click Account Settings.
3. Expand Enhanced Logging.
4. Select the types of logs to enable:
   • Inbound: logs messages from external senders to internal recipients.
   • Outbound: logs messages from internal senders to external recipients.
   • Internal: logs messages within internal domains.
5. Click Saveto apply the changes.

Create the API application

1. Sign in to the Mimecast Administration console.
2. Click Add API Application.
3. Enter the following details:
   1. Application name.
   2. Description for the application.
   3. Category: Enter one of the following categories:
   • SIEM Integration: provides real-time analysis of the security alerts generated by the application.
   • MSP Ordering and Provisioning: available for select partners to manage orders in the MSP Portal.
   • Email / Archiving: refers to messages and alerts stored in Mimecast.
   • Business Intelligence: enables application's infrastructure and tools to access and analyse information to improve and optimize decisions and performance.
   • Process Automation: allows for automation of business processes.
   • Other: in case the application doesn't fit within any other category.
4. Click Next.
5. Specify values for the following input parameters:
   • Authentication HTTP Header Configuration:enter authentication details in the following format: secret_key:{Access Secret}
access_key:{Access key}
app_id:{Application ID}
app_key:{application key}
   • API Hostname:fully qualified domain name of your Mimecast API endpoint. The typical format is xx-api.mimecast.com . If not provided, it will be region-specific in the US and Europe. This field cannot be empty for other regions.
   • Asset namespace: the asset namespace .
   • Ingestion labels: the label applied to the events from this feed.
6. Click Next.
7. Review the information displayed on the Summary Page.
8. To fix errors, follow these steps:
   • Click Editbuttons next to Detailsor Settings.
   • Click Nextand go to the Summarypage again.

Get the application ID and application key

1. Click Applicationand then click Services.
2. Click API Application.
3. Select the created API application.
4. View the application details.

Creating API access and secret key

For information about generating access and secret key, see Creating User Association Key .

Set up feeds

To configure this log type, follow these steps:

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. Click the Mimecastfeed pack.

4. Specify the values for the following fields:

   • Source Type: Third party API (recommended)
   • Authentication HTTP header: provide the providing the application ID, access key, secret ID, and application key.
   • API Hostname: specify the domain name of your Mimecast host.

   Advanced options

   • Feed Name: A prepopulated value that identifies the feed.
   • Asset Namespace: Namespace associated with the feed .
   • Ingestion Labels: Labels applied to all events from this feed.

5. Click Create Feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

Field mapping reference

This parser extracts key-value pairs from Mimecast email server logs, categorizes the log entry stage (RECEIPT, PROCESSING, or DELIVERY), and maps the extracted fields to the UDM. It also performs specific logic to handle security-related fields, determining the security result action, category, severity, and related details based on values like Act , RejType , SpamScore , and Virus .

UDM mapping table

Log Field	UDM Mapping	Logic
acc	metadata.product_log_id	The value of acc from the raw log is mapped to metadata.product_log_id .
Act	security_result.action	If Act is Acc , the UDM field is set to ALLOW . If Act is Rej , the UDM field is set to BLOCK . If Act is Hld or Sdbx , the UDM field is set to QUARANTINE .
AttNames	about.file.full_path	The AttNames field is parsed, removing quotes and spaces, and split into individual filenames. Each filename is then mapped to a separate about.file.full_path field within an about object.
AttSize	about.file.size	The value of AttSize is converted to an unsigned integer and mapped to about.file.size .
Dir	network.direction	If Dir is Internal or Inbound , the UDM field is set to INBOUND . If Dir is External or Outbound , the UDM field is set to OUTBOUND . Also used to populate a detection_fields entry in security_result .
Err	security_result.summary	The value of Err is mapped to security_result.summary .
Error	security_result.summary	The value of Error is mapped to security_result.summary .
fileName	principal.process.file.full_path	The value of fileName is mapped to principal.process.file.full_path .
filename_for_malachite	principal.resource.name	The value of filename_for_malachite is mapped to principal.resource.name .
headerFrom	network.email.from	The value of headerFrom is mapped to network.email.from if Sender is not a valid email address. Also used to populate a detection_fields entry in security_result .
IP	principal.ip or target.ip	If stage is RECEIPT , the value of IP is mapped to principal.ip . If stage is DELIVERY , the value of IP is mapped to target.ip .
MsgId	network.email.mail_id	The value of MsgId is mapped to network.email.mail_id .
MsgSize	network.received_bytes	The value of MsgSize is converted to an unsigned integer and mapped to network.received_bytes .
Rcpt	target.user.email_addresses , network.email.to	The value of Rcpt is added to target.user.email_addresses . If Rcpt is a valid email address, it is also added to network.email.to .
Recipient	network.email.to	The value of Recipient is added to network.email.to if Rcpt is not a valid email address.
RejCode	security_result.description	Used as part of the security_result.description field.
RejInfo	security_result.description	Used as part of the security_result.description field.
RejType	security_result.description , security_result.category_details	Used as part of the security_result.description field. The value of RejType is also mapped to security_result.category_details . Used to determine security_result.category and security_result.severity .
Sender	principal.user.email_addresses , network.email.from	The value of Sender is added to principal.user.email_addresses . If Sender is a valid email address, it is also mapped to network.email.from . Also used to populate a detection_fields entry in security_result .
Snt	network.sent_bytes	The value of Snt is converted to an unsigned integer and mapped to network.sent_bytes .
SourceIP	principal.ip	If stage is RECEIPT and IP is empty, the value of SourceIP is mapped to principal.ip .
SpamInfo	security_result.severity_details	Used as part of the security_result.severity_details field.
SpamLimit	security_result.severity_details	Used as part of the security_result.severity_details field.
SpamScore	security_result.severity_details	Used as part of the security_result.severity_details field. Also used to determine security_result.severity if RejType is not set.
Subject	network.email.subject	The value of Subject is mapped to network.email.subject .
Virus	security_result.threat_name	The value of Virus is mapped to security_result.threat_name . Set to EMAIL_TRANSACTION by default, but changed to GENERIC_EVENT if neither Sender nor Recipient / Rcpt are valid email addresses. Always set to Mimecast . Always set to Mimecast MTA . Set to Email %{stage} , where stage is determined based on the presence and values of other log fields. Always set to MIMECAST_MAIL . Set based on RejType or SpamScore . Defaults to LOW if neither is available.
sha1	target.file.sha1	The value of sha1 is mapped to target.file.sha1 .
sha256	target.file.sha256	The value of sha256 is mapped to target.file.sha256 .
ScanResultInfo	security_result.threat_name	The value of ScanResultInfo is mapped to security_result.threat_name .
Definition	security_result.summary	The value of Definition is mapped to security_result.summary .

Need more help? Get answers from Community members and Google SecOps professionals.