Skip to content

Mimecast Mail

Mimecast

About

Mimecast’s cloud-based Secure Email Gateway protects organizations and employees using any cloud or on-premises email platform. It defends against inbound spear-phishing, malware, spam and zero-day attacks by combining innovative applications and policies with multiple detection engines and intelligence feeds.

Product Details

Vendor URL: Mimecast Mail

Product Type: Mail

Product Tier: Tier I

Integration Method: Custom

Integration URL: Mimecast mail integration

Log Guide: Log Files - Mimecast mail

Parser Details

Log Format: CEF:0

Expected Normalization Rate: near 100%

Data Label: MIMECAST_MAIL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
"EMAIL_TRANSACTION", "GENERIC_EVENT" metadata.event_type
Delivered metadata.product_event_type
aCode metadata.product_log_id
"Mimecast MTA" metadata.product_name
"Mimecast" metadata.vendor_name
Dir network.direction
Sender network.email.from
MsgId network.email.mail_id
Subject network.email.subject
Rcpt network.email.to
MsgSize network.received_bytes
Snt network.sent_bytes
IP principal.asset.ip
IP principal.ip
Sender principal.user.email_addresses
Act security_result.action
Act, RejInfo security_result.action_details
RejType security_result.category_details
RegCode,RejType,RegInfo security_result.description
RejType security_result.severity
SpamInfo, SpamLimit, SpamScore security_result.severity_details
AttNames security_result.about.file.names
filename_for_malachite security_result.about.file.full_path
Error, Err security_result.summary
Definition security_result.threat_id
IP target.asset.ip
IP target.ip
Rcpt target.user.email_addresses
AttCnt additional.AttCnt

Product Event Types

type,subtype severity UDM Event Classification alerting enabled
RECEIPT EMAIL_TRANSACTION
PROCESSING EMAIL_TRANSACTION
DELIVERY EMAIL_TRANSACTION

Log Sample

datetime=2022-01-07T09:24:09-0500|aCode=acode|acc=redacted|SpamLimit=28|IP=10.1.2.3|Dir=Outbound|Subject=Your Support Case: #12345|MsgId=msgid|headerFrom=email|Sender=jane.doe@domain.com|Rcpt=john.doe@domain.com|SpamInfo=[]|Act=Acc|TlsVer=TLSv1.2|Cphr=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|SpamScore=0

Sample Parsing

metadata.event_type = "EMAIL_TRANSACTION"
metadata.product_event_type = "Email DELIVERY"
metadata.product_log_id = "logid"
metadata.product_name = "Mimecast MTA"
metadata.vendor_name = "Mimecast"
network.direction = "INBOUND"
network.email.from = "jane.doe@domain.com"
network.email.mail_id = "msgid"
network.email.subject = "Customs Cleared"
network.email.to = "email"
principal.asset.ip = "10.13.14.15"
principal.ip = "10.13.14.15"
principal.user.email_addresses = "john.doe@domain.com"
security_result.action = "BLOCK"
security_result.action_details = "Rej"
security_result.category_details = "Invalid Recipient Address"
security_result.description = "RejCode=550, RejType=Invalid Recipient Address, RejInfo=Invalid Recipient"
security_result.severity = "LOW"
security_result.severity_details = "SpamInfo=[], SpamLimit=0, SpamScore=0"
security_result.summary = "Failed Known address verification"
target.asset.ip = "10.17.18.19"
target.ip = "10.17.18.19"
target.user.email_addresses = "john.doe@domain.com"

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon