
Mimecast API 2.0 - Email Security Cloud Gateway Integration Guide🔗

Use the following instructions to configure Mimecast API 2.0 for log ingestion into Secureworks® Taegis™ XDR. XDR supports Mimecast API 2.0 integrations for:

  • SIEM Logs
  • Targeted Threat Protection (TTP)

Data Provided from Integration🔗

The following Mimecast Logs and Statistics API Endpoints are supported by XDR.

  • Get SIEM Logs
  • Get TTP Attachment Protection Logs
  • Get TTP Impersonation Protect Logs
  • Get TTP URL Logs
            Normalized Data   Out-of-the-Box Detections   Vendor-Specific Detections
  Mimecast  HTTP, Email

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Prerequisites🔗

Create a Role With the Required Permissions🔗

In the Mimecast Administrator Console:

  1. Go to Account → Roles.
  2. Click New Role and enter a name. For example, Taegis Integration Role.
  3. In Application Permissions, select the following permissions:

    • Monitoring Menu → Attachment Protection → Read
    • Monitoring Menu → URL Protection → Read
    • Monitoring Menu → Impersonation Protection Logs → Read
    • Security Events and Data Retrieval → Threat and security events (SIEM) → Read
    • Security Events and Data Retrieval → Threat and security statistics → Read
  4. Click Save and Exit.

Turn On Logging in Mimecast🔗

To turn on logging in Mimecast, do as follows:

In the Mimecast Administrator Console:

  1. Go to Administration → Account → Account Settings.
  2. In Enhanced Logging, choose the following logging types:

    • Inbound
    • Outbound
    • Internal
  3. Click Save.

Mimecast Platform Configuration🔗

Follow the instructions in the Mimecast documentation, API & Integrations - Managing API 2.0 for Cloud Gateway, to create an API 2.0 application for the XDR integration.

  1. In the Application Details section, enter the following values:
    • Application Name. For example, Taegis Integration.
    • Category, select XDR Integration.
    • Products, choose Select All.
    • Application Role, select the role created previously.
  2. In the Notification Settings section, provide email contact details so that Mimecast can contact you about the use of this API application.
  3. Review the summary and click Add and Generate Keys.
  4. Your Client ID and Client Secret keys are shown. Copy the keys to a safe place. They will be used to complete the integration.

Important

Record your keys at the time of creation as they cannot be viewed or retrieved again after this point. If lost, you must generate new ones.
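Before the keys go into XDR, it is worth confirming that they mint a token and that the role actually grants the SIEM and TTP permissions listed under Prerequisites; a missing permission otherwise shows up only as an integration that ingests nothing. The script below is an added example and is not Secureworks or Mimecast code. It assumes the Mimecast API 2.0 token endpoint is https://api.services.mimecast.com/oauth/token taking a form-encoded client_credentials grant, that SIEM batch logs are served by GET /siem/v1/batch/events/cg, that the TTP logs are served by POST /api/ttp/{attachment,url,impersonation}/get-logs with the 1.0-style meta/data body, and that a request the role does not permit comes back as HTTP 403; verify each of these against the current Mimecast API 2.0 reference. The "Threat and security statistics" permission is not exercised. The HTTP transport is injectable so the logic can be run offline against constructed responses.

```python
"""Pre-flight check of a Mimecast API 2.0 application before adding it to XDR.

Added example, not Secureworks or Mimecast code. Endpoint paths, request
bodies and the 403-means-missing-permission rule are assumptions; check them
against the current Mimecast API 2.0 reference.
"""
import datetime as dt
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.services.mimecast.com"  # assumption: API 2.0 host


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, raw body), also for HTTP errors."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(client_id, client_secret, transport=urllib_transport):
    """OAuth2 client_credentials grant using the Client ID/Secret from the console."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    status, raw = transport("POST", BASE_URL + "/oauth/token",
                            {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {raw[:200]!r}")
    tok = json.loads(raw)
    if str(tok.get("token_type", "")).lower() != "bearer" or not tok.get("access_token"):
        raise RuntimeError(f"unexpected token response: {tok}")
    return tok["access_token"]


def permission_checks(now=None):
    """Map each role permission from the guide to one request that needs it.

    The SIEM endpoint is a batch API (a page of downloadable log files); the
    TTP endpoints return log entries for a time window. Both paths and the
    TTP body shape are assumptions.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    window = {"from": (now - dt.timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%S+0000"),
              "to": now.strftime("%Y-%m-%dT%H:%M:%S+0000")}
    ttp_body = {"meta": {"pagination": {"pageSize": 1}}, "data": [window]}
    return {
        "Threat and security events (SIEM) - Read":
            ("GET", "/siem/v1/batch/events/cg?type=receipt&pageSize=1", None),
        "Monitoring Menu - Attachment Protection - Read":
            ("POST", "/api/ttp/attachment/get-logs", ttp_body),
        "Monitoring Menu - URL Protection - Read":
            ("POST", "/api/ttp/url/get-logs", ttp_body),
        "Monitoring Menu - Impersonation Protection Logs - Read":
            ("POST", "/api/ttp/impersonation/get-logs", ttp_body),
    }


def classify(status):
    """Turn an HTTP status into a human-readable verdict for one permission."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token rejected (HTTP 401)"
    if status == 403:
        return "permission missing from role (HTTP 403)"
    return f"unexpected HTTP {status}"


def check_permissions(token, transport=urllib_transport):
    """Call each endpoint once with the bearer token and report the outcome."""
    base_headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    results = {}
    for name, (method, path, body) in permission_checks().items():
        headers = dict(base_headers)
        data = None
        if body is not None:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        status, _ = transport(method, BASE_URL + path, headers, data)
        results[name] = classify(status)
    return results


if __name__ == "__main__":
    import os
    import sys
    # Credentials come from the environment so the secret never lands in shell history.
    token = get_token(os.environ["MIMECAST_CLIENT_ID"], os.environ["MIMECAST_CLIENT_SECRET"])
    report = check_permissions(token)
    for name, verdict in report.items():
        print(f"{verdict:42} {name}")
    sys.exit(0 if all(v == "ok" for v in report.values()) else 1)
```

Run it with MIMECAST_CLIENT_ID and MIMECAST_CLIENT_SECRET exported; a non-zero exit means at least one of the role permissions from Prerequisites is not effective, and the printed line names which one, so the role can be fixed before the SIEM and TTP integrations are added in XDR.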

Add Integration in XDR🔗

Note

Separate integrations for Mimecast TTP and SIEM logs have been implemented to maximize the efficiency of ingestion given the difference between the way the API endpoints deliver log messages to Taegis.

  1. From the Taegis Menu, select Integrations → Cloud APIs.

  2. Select Add an Integration from the top of the page.

    (Screenshot: Add an Integration)

  3. From the Optimized tab, select Mimecast 2.0 SIEM.

    (Screenshot: Creating a New Mimecast Integration)

  4. Enter the following values:

    • Taegis Integration Name — This serves as a unique name for your integration; it can include any valid values up to 100 characters.
    • Mimecast Client ID
    • Mimecast Client Secret
  5. Select Done. The Cloud API Integrations page is displayed with the successfully added Mimecast integration.

  6. Repeat steps 1-5 for the Mimecast 2.0 TTP integration. The same Client ID and Client Secret created for the SIEM Logs integration can be used for the TTP integration.

Once the above steps are completed, Mimecast integration details are available on the Cloud APIs page. From the Taegis Menu, select Integrations → Cloud APIs.

Searching for Events and Alerts in XDR🔗

The Sensor Type is Mimecast. Mimecast 1.0 and 2.0 events and alerts can be differentiated using the API integration name.

For example, if you named the integration Mimecast2.0Demo, the following query can be used in Advanced Search.

WHERE sensor_type = 'mimecast' AND ingest.integration_id = 'mimecast2.0demo'

Advanced Search using the Query Language🔗

(Screenshot: Mimecast Advanced Search)

Example Query Language Searches🔗

To search for Mimecast email events from the last 24 hours:

FROM email WHERE sensor_type = 'Mimecast' AND EARLIEST=-24h

To search for Mimecast email events classified as "Delivered":

FROM email WHERE sensor_type = 'Mimecast' AND status = 'delivered'

To search for Mimecast email events whose raw event data mentions a virus:

FROM email WHERE sensor_type = 'Mimecast' AND original_data CONTAINS 'virus'

Event Details🔗

(Screenshot: Mimecast Event Details)

Data Normalized by XDR🔗

(Screenshot: Mimecast Normalized Data)

Alert Details🔗

(Screenshot: Mimecast Alert Details)