Mimecast

Mimecast is a cloud-based email management system that detects threats hidden in your email. If you have Mimecast licensed, you can send specific types of events to InsightIDR, where they will generate Virus Infection and Web Proxy alerts. InsightIDR currently ingests Mimecast data sent via API, and only reports on these Mimecast event types:

  • Receipt - These events show the actions taken on an email, including whether the email successfully made it to the recipient’s inbox, or if the email was rejected due to an invalid address
  • Targeted Threat Protection URL - These events are generated when there are malicious or phishing links in emails.
  • Targeted Threat Protection Attachment - These events show the results of attachment scanning from Mimecast.

To set up Mimecast, you’ll need to:

  1. Set up an API Application in Mimecast
  2. Set up a Mimecast Event Source in InsightIDR
  3. Verify the Configuration

Before You Begin

Before you can set up the Mimecast event source, you must do the following:

  • Verify that you have a Mimecast administrator account with Gateway | Tracking | Read permissions enabled.
  • Ensure enhanced logging for email is enabled.
  • Ensure that the account you’re going to use to authenticate is in the Basic Administrators group in Mimecast.

Step 1: Set up an API Application in Mimecast

Create an API application in Mimecast and obtain an access key and a secret key using the following instructions: https://community.mimecast.com/s/article/Managing-API-Applications-505230018 Learn more about creating the access key and secret key here: https://integrations.mimecast.com/documentation/api-overview/authentication-scripts-server-apps/

Select Enable Extended Session when configuring in Mimecast

When you’re adding an API application in Mimecast, select Enable Extended Session. Rapid7 does not refresh expired access keys, so the API access keys will never expire.

Step 2: Set up a Mimecast Event Source in InsightIDR

After you create your API application in Mimecast and obtain the necessary keys, you can set up your Mimecast event source in InsightIDR.

To set up this event source in InsightIDR

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Services icon. The “Add Event Source” panel appears.
  4. Select your collector and Mimecast from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs, if you are sending additional events beyond alerts
  7. Select an attribution source.
  8. Select your LDAP account attribution preference.
  9. Select your Mimecast credentials or optionally create a new credential. You can find the values for the new credential fields by logging in to your Mimecast environment, navigating to Services > API Applications, and selecting the application that you created.
    • Application ID
    • Application Key
    • Access Key
    • Secret Key
  10. Enter the Application ID.
  11. Enter the Application Key
  12. In the “Region” field, enter the region identifier for the relevant host based on the table below. For example, if your host is eu-api.mimecast.com then enter EU.

Region Identifier

Host

EU

eu-api.mimecast.com

DE

de-api.mimecast.com

US

us-api.mimecast.com

ZA

za-api.mimecast.com

AU

au-api.mimecast.com

Offshore

jer-api.mimecast.com

  1. Click Save.

Step 3: Verify the Configuration

To verify that your configuration is correct, go to Log Search to view your raw log data.

Attribution source options

Mimecast product logs can contain information about hosts and accounts. When setting up Mimecast as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  1. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  1. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  1. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

View Your Alert Data

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Mimecast logs flow into these Log Sets:
    • Virus Infection
    • Web Proxy
  2. Next, perform a Log Search to make sure Mimecast events are coming through.

Review Sample Log Examples

The following are samples of input logs that Mimecast sends to InsightIDR.

Receipt event:

json
1
{"datetime": "2019-09-09T10:12:59-0400", "aCode": "l_HDhK8OM2avmWQksxFovQ", "acc": "CUSA123", "IP": "123.123.123.123", "RejType": "Virus Signature Detection", "Error": "Malware detected by AV Scan policy: [clam.[Doc.Malware.00536d-6923173-0], clam.[Doc.Malware.00536d-6923173-0], sole.[Remote_Object, Macro, Malicious_Macro]]", "RejCode": "554", "Dir": "Inbound", "MsgId": "<499184835@rapid7.com>", "Subject": "Outstanding balance requiring attention", "headerFrom": "user@rapid7.com", "Sender": "rapid7.user@rapid7.com", "Virus": "[clam.[Doc.Malware.00536d-6923173-0], clam.[Doc.Malware.00536d-6923173-0], sole.[Remote_Object, Macro, Malicious_Macro]]", "Rcpt": "r7user@rapid7", "Act": "Rej", "RejInfo": "[clam.[Doc.Malware.00536d-6923173-0], clam.[Doc.Malware.00536d-6923173-0], sole.[Remote_Object, Macro, Malicious_Macro]]", "TlsVer": "TLSv1.2", "Cphr": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}

Targeted threat protection URL protect:

json
1
{"datetime": "2019-09-09T13:36:17-0400", "acc": "CUSA107A62", "reason": "malicious", "url": "http://www.malicious.com", "route": "inbound", "sourceIp": "123.123.123.123", "sender": "evildude@evil.com", "recipient": "user@rapid7.co.uk", "urlCategory": "Phishing & Fraud", "senderDomain": "gmail.com"}

Targeted threat protection Attachment protect:

json
1
{"datetime": "2017-05-23T21:45:21+0100", "acc": "C1A1", "fileName": "1XCOLUMN.PVC", "sha256": "8746bb4b31ab6f03eb0a3b2c62ab7497658f0f85c8e7e82f042f9af0bb876d83", "Size": "378368", "IP": "123.123.123.123", "Recipient": "auser@mimecast.com", "SenderDomain": "domain.com", "fileExt":"doc", "sha1":"a27850da9e7adfc8e1a94dabf2509fc9d65ee7e2", "Sender":"from@domain.com", "fileMime": "application/vnd.ms-office", "Route": "Inbound", "md5": "7b52770644da336a9a59141c80807f37"}

Troubleshooting

This section outlines common troubleshooting scenarios that you can experience with the Mimecast event source.

InsightIDR displays the error codes that Mimecast returns on the Mimecast event source listed in the Event Source tab of the Data Collection Management page. For more information about the error codes displayed on your Mimecast event source, see the Mimecast Response Codes documentation: https://www.mimecast.com/de/developer/documentation/response-codes/

Mimecast plugin encountered un-retryable error

Two issues can cause this error message:

  • The Service Account is not in the Basic Administrators group in Mimecast.
  • You don’t have a multi-factor authentication (MFA) bypass for the Service Account IP ranges.

Mimecast API response contains error: 401 0004 Invalid Signature

This error is caused by the following:

  • The credentials entered are not correct. You should regenerate the API key in Mimecast and make sure you are copying and pasting it correctly.

Service Account is not in the Basic Administrators group

You can receive this error message if the Service Account you’re using to login to the API is not in the Basic Administrators group in Mimecast.

To add the Service Account to the group:

  1. In the Mimecast console, click Administration > Account > Roles.
  2. Click on the Basic Administrators role name.
  3. Click the Add User to Role button.
  4. When a list of users populates, search for the name of the Service Account that you want to add to the Basic Administrators group.
  5. Select the check box next to the name of the Service Account.
  6. Click the Add Selected Users button.

MFA bypass needed for IP ranges

You can also receive this error message if you have MFA enabled for Mimecast, and you don’t have an MFA bypass for the IP ranges that the Service Account connects from.

To set up an MFA bypass:

  1. In the Mimecast console, click Administration > Service > Applications.
  2. Select the profile that applies to administrators on the account. For example, this could be “Account Administrators Authentication Profile”.
  3. Select the check box next to Disable 2-Step Authentication for Trusted IP Ranges.
  4. Enter the trusted IP ranges into the box that appears. You must enter the IP range in CIDR format. For example, the format must look like: 92.168.1.1/32.
  5. Click the Save button or the Save and Exit button to save your changes.