Mimecast

Mimecast offers an Enhanced Logging feature allowing you to programmatically download log file data from your Mimecast service.

The following data types are available:

  • Inbound - logs for messages from external senders to internal recipients
  • Outbound - logs for messages from internal senders to external recipients
  • Internal - logs for messages between internal domains

CYDERES will request that customers enable logging of all three log types and provide the authentication credentials needed to pull Mimecast data.

Reference: https://www.mimecast.com/tech-connect/documentation/tutorials/downloading-siem-logs/

Configuration

The Mimecast integration requires the following authentication information to pull SIEM data via Mimecast's API endpoint. The following information will need to be provided to CYDERES at the end of the configuration steps below:

  • App ID
  • App Key
  • Account Email Address
  • Account Access Key
  • Account Secret Key

Create a New User

  1. Log in to the Mimecast Administrator Console
  2. Navigate to the Administration | Directories | Internal Directories menu item to display a list of internal domains.
  3. Select the internal domain where you would like to create your new user.
  4. Select the New Address button from the menu bar.
  5. Complete the new address form and select Save and Exit to create the new user.
  6. Keep note of the password. You will need this in a later step (or provide securely to CYDERES to execute the final step)

Add the User to an Administrative Role

  1. While logged into the Mimecast Administrator Console, navigate to the Administration | Account | Roles menu item to display the Roles page.
  2. Right click the Basic Administrator role and select Add users to the role.
  3. Browse or search to find the new user created previously.
  4. Select the tick box to the left of the user.
  5. Select the Add selected users button to add the user to the role.

Create a New Group and Add Your New User

  1. While logged into the Mimecast Administration Console, navigate to Administration | Directories | Profile Groups menu item to display the Profile groups page.
  2. Create a new group by selecting the plus icon on the parent folder where you would like to create the group. This creates a new group with the name "New Folder".
  3. To rename the group, select the newly created "New Folder" group. Then from the Edit group text box type the name you want to give the folder. For example, name the folder CYDERES ADMIN. Press the Enter key to apply the changes.
  4. With the group selected, select the Build drop down button and select Add Email Addresses.
  5. Type the name of the new user created in the previous set of steps.
  6. Select Save and Exit to add the new user to the group.

Create a New Authentication Profile

  1. While logged into the Mimecast Administration Console, navigate to the Administration | Services | Applications menu item to display the Application Settings page.
  2. Select the Authentication Profiles button.
  3. Select the New Authentication Profile button.
  4. Type a Description for the new profile.
  5. Set the Authentication TTL settings to Never Expire. This will make sure that when you create your Authentication Token it will not expire and impact the data collection of the app.
  6. Leave all other settings at their defaults.
  7. Select Save and Exit to create the profile.

Create a New Application Setting

  1. While logged into the Mimecast Administration Console, navigate to Administration | Services | Applications menu item to display the Application Settings page.
  2. Select the New Application Settings button.
  3. Type a Description.
  4. Use the Group Lookup button to select the Group that you created in the previous steps.
  5. Use the Authentication Profile Lookup button to select the Authentication Profile created in the previous steps.
  6. Leave all other settings as their defaults.
  7. Select Save and Exit to create and apply the Application Settings to your new user and group.

Enable Logging

  1. While logged into the Mimecast Administration Console, navigate to Administration | Account | Account Settings menu item to display the Account Settings page.
  2. Select the Enhanced Logging section.
  3. Enable all three types of logs available: Inbound, Outbound, Internal
  4. Select Save to apply the changes.

NOTE: Once these settings have been saved, the Mimecast MTA will start logging data for your account. Logs should start to become available for download up to thirty minutes later.

Obtain Authentication Token

Windows (PowerShell)

  1. Copy/paste the script below into a PowerShell window.
  2. When prompted, enter the Application ID value received when you registered your application.
  3. Enter the email address and password of the user created for API access.
  4. Copy and paste the accessKey and secretKey values printed at the bottom of the PowerShell window for use by CYDERES.
# Prompt for the registered application id and the API user's credentials.
$appId = Read-Host -Prompt 'Input your registered application id'
$creds = Get-Credential

# Step 1: discover the regional API base URL for this account.
# The leading comma forces "data" to serialize as a one-element JSON array.
$discoverPostBody = @{"data" = ,@{"emailAddress" = $creds.UserName}}
$discoverPostBodyJson = ConvertTo-Json $discoverPostBody
$discoverRequestId = [GUID]::NewGuid().ToString()
$discoverRequestHeaders = @{"x-mc-app-id" = $appId; "x-mc-req-id" = $discoverRequestId; "Content-Type" = "application/json"}
$discoveryData = Invoke-RestMethod -Method Post -Headers $discoverRequestHeaders -Body $discoverPostBodyJson -Uri "https://api.mimecast.com/api/login/discover-authentication"
$baseUrl = $discoveryData.data.region.api

# Step 2: log in against the regional endpoint using Basic-Cloud authentication
# (base64 of "email:password"); the response carries the access and secret keys.
$uri = $baseUrl + "/api/login/login"
$requestId = [GUID]::NewGuid().ToString()
$netCred = $creds.GetNetworkCredential()
$PlainPassword = $netCred.Password
$credsBytes = [System.Text.Encoding]::ASCII.GetBytes($creds.UserName + ":" + $PlainPassword)
$creds64 = [System.Convert]::ToBase64String($credsBytes)
$headers = @{"Authorization" = "Basic-Cloud " + $creds64; "x-mc-app-id" = $appId; "x-mc-req-id" = $requestId; "Content-Type" = "application/json"}
$postBody = @{"data" = ,@{"username" = $creds.UserName}}
$postBodyJson = ConvertTo-Json $postBody
$data = Invoke-RestMethod -Method Post -Headers $headers -Body $postBodyJson -Uri $uri

# Print the result. Copy accessKey and secretKey for CYDERES; "Fail" lists any errors returned.
"Meta: " + $data.meta
"Access key: " + $data.data.accessKey
"Secret key: " + $data.data.secretKey
"Fail: " + $data.fail.errors

macOS/Linux (Bash)

Open the terminal application and type the following command to generate a base64-encoded string from your administrator account's email address and password (created in the previous steps above). Replace email_address and password in the command below. The -A flag keeps the output on a single line; without it, openssl wraps the encoding at 64 characters, which breaks the header for longer credentials.

Be sure to include the : between the email_address and password values, as authentication will fail in a later step without this character.

echo -n 'email_address:password' | openssl base64 -A

Type the following command to use curl to log into the Mimecast API and generate an authentication token:

curl -i -H 'Authorization: Basic-Cloud base64_encoded_username_password' -H 'x-mc-app-id: app_id' -H 'Content-Type:application/json' https://xx-api.mimecast.com/api/login/login --data-binary '{"data":[{"username": "email_address"}]}'

The above command needs the following values replaced:

  a. base64_encoded_username_password: the value generated in the previous step
  b. app_id: the application ID value received when you registered your application in a previous step
  c. xx-api: the base URL for the region where your Mimecast account is hosted, as documented in the System Requirements section
  d. email_address: the email address of the administrator user account created previously
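The header and body assembled by hand in the steps above, as an added bash example (not Mimecast's or CYDERES' code): it builds the Basic-Cloud value without the line wrapping that base64 tools introduce, checks that the email side of the separator is sane, generates a fresh x-mc-req-id, and only then issues the curl call. The region prefix, app id and credentials are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example: assemble the Mimecast /api/login/login request described above.
# Not Mimecast's or CYDERES' code; region, app id and credentials are placeholders.
set -euo pipefail

# Base64-encode "email:password" as one unwrapped line. GNU base64 wraps at 76
# columns and openssl base64 at 64, so newlines are stripped explicitly.
mimecast_basic_cloud() {
    local email="$1" password="$2"
    case "$email" in
        *:*|'') echo "email must be non-empty and contain no ':'" >&2; return 1 ;;
    esac
    printf 'Basic-Cloud %s' "$(printf '%s:%s' "$email" "$password" | base64 | tr -d '\n')"
}

# Decode a header value back to "email:password" (sanity check that the colon survived).
mimecast_basic_cloud_decode() {
    printf '%s' "${1#Basic-Cloud }" | base64 -d
}

# JSON body expected by /api/login/login: a one-element "data" array.
mimecast_login_body() {
    printf '{"data":[{"username":"%s"}]}' "$1"
}

# Fresh request id per call for the x-mc-req-id header.
mimecast_req_id() {
    if command -v uuidgen >/dev/null 2>&1; then uuidgen
    elif [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
    else date +%s%N; fi
}

# Perform the login. region is the "xx" in xx-api.mimecast.com (placeholder),
# app_id the registered application id (placeholder).
mimecast_login() {
    local region="$1" app_id="$2" email="$3" password="$4"
    local auth body
    auth="$(mimecast_basic_cloud "$email" "$password")"
    body="$(mimecast_login_body "$email")"
    curl -sS -H "Authorization: $auth" -H "x-mc-app-id: $app_id" \
         -H "x-mc-req-id: $(mimecast_req_id)" -H 'Content-Type: application/json' \
         "https://${region}-api.mimecast.com/api/login/login" --data-binary "$body"
}

# Usage (placeholders): mimecast_login us 'your-app-id' 'svc@example.com' 'P4ssw0rd!'
```

Source the file and call mimecast_login with your own region, app id and credentials; the helper functions can be used on their own to check a hand-built header before sending it.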

An example response to the last step follows:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-control: no-store
Pragma: no-cache
Content-Length: 375
Content-MD5: 124911b164dbd3b9e823610a2eb4996a
Date: Mon, 25 Jul 2016 16:19:37 +0100
Connection: Keep-Alive

{"meta":{"status":200},"data":[{"accessKey":"LOWgx__TRUNCATED__Ect2nN","secretKey":"jD9DVicE2__TRUNCATED__EJdC4e/Q\u003d\u003d","duration":3153600000000,"bindingType":"one_step","extendOnValidate":false}],"fail":[]}

Copy and paste the accessKey and secretKey values from the response to provide to CYDERES.

IMPORTANT: Make sure to replace the \u003d\u003d characters at the end of the secretKey with the characters ==. \u003d is the escaped form of the equal sign, =, in the JSON response. The actual secretKey is a base64-encoded string and should end with the == padding.
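The \u003d clean-up described above, as an added bash example that is not part of the original page: it pulls accessKey and secretKey out of a login response, rewrites the JSON escapes, and refuses a secret whose base64 padding is wrong. The response body is constructed for the example and the key values in it are not real; jq would do the same unescaping natively where it is installed.

```shell
#!/usr/bin/env bash
# Added example: extract the keys from a /api/login/login response and undo the
# JSON escapes (\u003d -> "=", \/ -> "/"). Not Mimecast's or CYDERES' code.
set -euo pipefail

# Print one string field from a single-object "data" response read on stdin.
mimecast_json_field() {
    local field="$1"
    sed -n "s/.*\"$field\":\"\([^\"]*\)\".*/\1/p" | sed 's/\\u003d/=/g; s|\\/|/|g'
}

# True if the value is well-formed base64: length is a multiple of 4 and it decodes.
mimecast_is_base64() {
    local v="$1"
    [ $(( ${#v} % 4 )) -eq 0 ] && printf '%s' "$v" | base64 -d >/dev/null 2>&1
}

# Read a response body on stdin and emit accessKey=... and secretKey=... lines,
# failing if either key is missing or the secret is not valid base64.
mimecast_extract_keys() {
    local resp access secret
    resp="$(cat)"
    access="$(printf '%s' "$resp" | mimecast_json_field accessKey)"
    secret="$(printf '%s' "$resp" | mimecast_json_field secretKey)"
    if [ -z "$access" ] || [ -z "$secret" ]; then
        echo "no accessKey/secretKey in response" >&2; return 1
    fi
    if ! mimecast_is_base64 "$secret"; then
        echo "secretKey is not valid base64 (padding or escapes left in place)" >&2; return 1
    fi
    printf 'accessKey=%s\nsecretKey=%s\n' "$access" "$secret"
}

# Constructed sample response (not real keys). The secret is the base64 of a
# 16-byte string, so it ends in "==", which the API renders as \u003d\u003d.
SAMPLE_SECRET="$(printf '%s' 'sixteen byte key' | base64)"
SAMPLE_RESPONSE="{\"meta\":{\"status\":200},\"data\":[{\"accessKey\":\"ACCESSKEYEXAMPLE0001\",\"secretKey\":\"${SAMPLE_SECRET%==}\\u003d\\u003d\",\"duration\":3153600000000,\"bindingType\":\"one_step\",\"extendOnValidate\":false}],\"fail\":[]}"

# The unescaped secret from the sample, for callers that want just that value.
mimecast_sample_secret() {
    printf '%s' "$SAMPLE_RESPONSE" | mimecast_extract_keys | sed -n 's/^secretKey=//p'
}

# Usage: printf '%s' "$SAMPLE_RESPONSE" | mimecast_extract_keys
```

Pipe the real curl output into mimecast_extract_keys instead of the constructed sample; the secretKey it prints already ends in the == padding and can be handed over as-is.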