Mimecast API 2.0

Mimecast is a cloud-based email management system that detects threats hidden in your email. If you have Mimecast licensed, you can send specific types of events to InsightIDR, where they will generate Virus Infection and Web Proxy detections.

To set up the Mimecast API 2.0 event source, complete these steps:

1. Read the requirements and complete the prerequisite steps.
2. Configure Mimecast to send data to InsightIDR.
3. Configure InsightIDR to receive data from the event source.
4. Test the configuration.

Requirements

Before you start the configuration:

• Create a service account with the Administrator role and ensure that it is in the Basic Administrators group. View the third party instructions.
• Ensure that the Administrator service account has the following Application Permissions enabled:
  • Gateway Menu > Tracking > Read
  • Security Events and Data Retrieval > Threat
  • Security Events (SIEM) > Read
• Ensure the Security Permissions setting for the Administrator service account permits the Management of Application Roles.
• Ensure enhanced logging for email is enabled. View the third party instructions.

Configure Mimecast to send data to InsightIDR

To allow InsightIDR to receive data from Mimecast, you must create an API 2.0 application and configure specific settings in your Mimecast account.

1. Log in to the Mimecast Administration Console and create an API 2.0 Application. Note it may take several minutes for the application to be available. View the instructions through the third party documentation.
2. Copy the Client ID and Client Secret and save these in a secure location for later.

Configure InsightIDR to recieve data from the event souce

After you create your API 2.0 application in Mimecast and obtain the necessary keys, you can set up your Mimecast event source in InsightIDR.

Task 1: Select Mimecast

1. Go to Data Collection and click Setup Event Source > Add Event Source.
2. Do one of the following:
   • Search for Mimecast in the event sources search bar.
   • In the Product Type filter, select Cloud Service.
3. Select the Mimecast event source tile.

Task 2: Set up the Cloud Connection

1. In the Add Event Source panel, select Run On Cloud.
2. Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Mimecast
3. Optionally, select the option to send unparsed data.
4. Select your Account Attribution preference:
   • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
   • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
5. Optionally, specify the Active Directory Domain for Multi-domain Environments.
6. Select an attribution source.
7. Click Add a New Connection.
8. In the Create a Cloud Connection screen, enter a name for the new connection.
9. In the Client ID field, enter your Mimecast Client ID you obtained previously.
10. In the Client Secret field, add a new credential:
    1. Name your credential.
    2. Describe your credential.
    3. Select the credential type.
    4. Enter the Mimecast Client Secret you obtained previously.
    5. Specify the product access for this credential.
11. Click Save Connection.
12. Click Save.

Test the configuration

InsightIDR currently ingests Mimecast data sent via API and parses only these Mimecast event types:

• Receipt - These events show the actions taken on an email, including whether the email successfully made it to the recipient’s inbox or if the email was rejected due to an invalid address
• Targeted Threat Protection URL - These events are generated when there are malicious or phishing links in emails.
• Targeted Threat Protection Attachment - These events show the results of attachment scanning from Mimecast.

To test that event data is flowing into InsightIDR through the Cloud Connection:

1. View the raw logs:
   1. From the Data Collection Management page, click the Event Sources tab.
   2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR.
2. Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search.
   1. From the left menu, go to Log Search.
   2. In the Log Search filter, search for the new event source you created.
   3. Select the log sets and the log names under each log set. Mimecast logs flow into these log sets:
      • Virus Infection
      • Web Proxy
   4. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.