Mimecast Impersonation¶
About¶
Mimecast Impersonation is an email security control that detects targeted social-engineering (impersonation) email, for example messages sent from look-alike or newly observed domains, and records the matched impersonation indicators and the action taken for each message.
Product Details¶
Vendor URL: Mimecast Impersonation
Product Type: Mail
Product Tier: Tier II
Integration Method: Custom
Integration URL: Mimecast integration
Log Guide: Log Files - Mimecast logs
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: MIMECAST_IMPERSONATION_LOGS
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
description | metadata.description |
"Mimecast" | metadata.vendor_name |
"Impersonation Logs" | metadata.product_name |
id | metadata.product_log_id |
senderAddress | network.email.from |
messageId | network.email.mail_id |
subject | network.email.subject |
recipientAddress | network.email.to |
senderIpAddress | principal.ip |
action | security_result.action_details |
identifiers | security_result.category_details |
impersonationResults | security_result.detection_fields |
definition | security_result.threat_id |
Product Event Types¶
type | UDM Event Classification |
---|---|
All | EMAIL_TRANSACTION |
Log Sample¶
{"action":"none","definition":"Newly Observed Domains","eventTime":"2023-05-18T15:19:28+0000","hits":1,"id":"MTOKEN:id_number","identifiers":["newly_observed_domain"],"impersonationResults":[{"impersonationDomainSource":"newly_observed_domain","similarDomain":"similar_domain_value","stringSimilarToDomain":"similar_string"}, {"impersonationDomainSource":"newly_observed_domain1","similarDomain":"similar_domain_value1","stringSimilarToDomain":"similar_string_value1"}],"messageId":"<messageId>","recipientAddress":"emailto@someemail.com","senderAddress":"senderemail@someemail.com","senderIpAddress":"10.10.236.159","subject":"Email subject!","taggedExternal":true,"taggedMalicious":true}
Sample Parsing¶
metadata.event_type = "EMAIL_TRANSACTION"
metadata.product_log_id = "MTOKEN:id_number"
metadata.product_name = "Impersonation Logs"
metadata.vendor_name = "Mimecast"
metadata.description = "Newly Observed Domains"
additional.fields.key = "taggedExternal"
additional.fields.value.string_value = "true"
additional.fields.key = "taggedMalicious"
additional.fields.value.string_value = "true"
principal.ip = "10.10.236.159"
security_result.action_details = "none"
security_result.category_details = "newly_observed_domain"
security_result.detection_fields.key = "similarDomain_0"
security_result.detection_fields.value = "similar_domain_value"
security_result.detection_fields.key = "stringSimilarToDomain_0"
security_result.detection_fields.value = "similar_string"
security_result.detection_fields.key = "impersonationDomainSource_0"
security_result.detection_fields.value = "newly_observed_domain"
security_result.detection_fields.key = "impersonationDomainSource_1"
security_result.detection_fields.value = "newly_observed_domain1"
security_result.detection_fields.key = "similarDomain_1"
security_result.detection_fields.value = "similar_domain_value1"
security_result.detection_fields.key = "stringSimilarToDomain_1"
security_result.detection_fields.value = "similar_string_value1"
security_result.threat_id = "Newly Observed Domains"
network.email.from = "senderemail@someemail.com"
network.email.mail_id = "<messageId>"
network.email.subject = "Email subject!"
network.email.to = "emailto@someemail.com"
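The following Python script is an added example, not the vendor's parser or code from this page, that reproduces the mapping above on the Log Sample: scalar fields are copied by the table, each impersonationResults object is flattened into detection_fields keys suffixed with its array index, and the two tagged* booleans go to additional.fields. The SAMPLE_LOG is the page's own sample with placeholder values; the fallback from a missing "description" field to "definition" is an assumption made to match the Sample Parsing, and the script also tolerates a bare-string "identifiers" and drops absent fields instead of emitting empty values, which the page does not describe.

```python
import json

# Constructed sample event, copied from the page's Log Sample (placeholder values).
SAMPLE_LOG = (
    '{"action":"none","definition":"Newly Observed Domains",'
    '"eventTime":"2023-05-18T15:19:28+0000","hits":1,"id":"MTOKEN:id_number",'
    '"identifiers":["newly_observed_domain"],'
    '"impersonationResults":[{"impersonationDomainSource":"newly_observed_domain",'
    '"similarDomain":"similar_domain_value","stringSimilarToDomain":"similar_string"},'
    '{"impersonationDomainSource":"newly_observed_domain1",'
    '"similarDomain":"similar_domain_value1","stringSimilarToDomain":"similar_string_value1"}],'
    '"messageId":"<messageId>","recipientAddress":"emailto@someemail.com",'
    '"senderAddress":"senderemail@someemail.com","senderIpAddress":"10.10.236.159",'
    '"subject":"Email subject!","taggedExternal":true,"taggedMalicious":true}'
)

# One-to-one scalar mappings taken from the page's UDM field table.
SCALAR_MAP = {
    "id": "metadata.product_log_id",
    "senderAddress": "network.email.from",
    "messageId": "network.email.mail_id",
    "subject": "network.email.subject",
    "recipientAddress": "network.email.to",
    "senderIpAddress": "principal.ip",
    "action": "security_result.action_details",
    "definition": "security_result.threat_id",
}

# Booleans with no dedicated UDM field; the Sample Parsing puts them in additional.fields.
EXTRA_FLAGS = ("taggedExternal", "taggedMalicious")


def parse_event(raw: str) -> dict:
    """Map one Mimecast Impersonation JSON record to a flat dict of UDM paths."""
    ev = json.loads(raw)
    udm = {
        "metadata.event_type": "EMAIL_TRANSACTION",
        "metadata.vendor_name": "Mimecast",
        "metadata.product_name": "Impersonation Logs",
    }

    # Assumption: the sample carries no "description" field, yet the Sample Parsing
    # shows metadata.description set to the definition text, so fall back to it.
    desc = ev.get("description") or ev.get("definition")
    if desc:
        udm["metadata.description"] = desc

    # Copy scalar fields; absent or empty values are dropped rather than emitted as "".
    for src, dst in SCALAR_MAP.items():
        val = ev.get(src)
        if val not in (None, ""):
            udm[dst] = str(val)

    # "identifiers" is a JSON array in the sample; tolerate a bare string as well.
    idents = ev.get("identifiers") or []
    if isinstance(idents, str):
        idents = [idents]
    if idents:
        udm["security_result.category_details"] = [str(i) for i in idents]

    # Flatten each impersonationResults object into "<field>_<index>" detection fields,
    # so a message matching two look-alike domains keeps both results.
    fields = []
    for idx, result in enumerate(ev.get("impersonationResults") or []):
        for key, val in result.items():
            if val not in (None, ""):
                fields.append({"key": f"{key}_{idx}", "value": str(val)})
    if fields:
        udm["security_result.detection_fields"] = fields

    # Booleans become string_value "true"/"false" as in the Sample Parsing.
    extra = [
        {"key": flag, "value": {"string_value": str(ev[flag]).lower()}}
        for flag in EXTRA_FLAGS
        if flag in ev
    ]
    if extra:
        udm["additional.fields"] = extra
    return udm


def detection_field(udm: dict, key: str):
    """Return the value of one detection_fields entry, or None if it is absent."""
    for entry in udm.get("security_result.detection_fields", []):
        if entry["key"] == key:
            return entry["value"]
    return None


if __name__ == "__main__":
    for path, value in parse_event(SAMPLE_LOG).items():
        print(f"{path} = {json.dumps(value)}")
```

Running the script prints the same field set as the Sample Parsing section; detection_field() is a convenience for detections that want to pivot on, say, similarDomain_0 without walking the repeated field by hand.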