# Mimecast Mail

## About
Mimecast’s cloud-based Secure Email Gateway protects organizations and employees using any cloud or on-premises email platform. It defends against inbound spear-phishing, malware, spam and zero-day attacks by combining innovative applications and policies with multiple detection engines and intelligence feeds.
## Product Details
Vendor URL: Mimecast Mail
Product Type: Mail
Product Tier: Tier I
Integration Method: Custom
Integration URL: Mimecast mail integration
Log Guide: Log Files - Mimecast mail
## Parser Details
Log Format: CEF:0
Expected Normalization Rate: near 100%
Data Label: MIMECAST_MAIL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "EMAIL_TRANSACTION", "GENERIC_EVENT" | metadata.event_type |
| Delivered | metadata.product_event_type |
| aCode | metadata.product_log_id |
| "Mimecast MTA" | metadata.product_name |
| "Mimecast" | metadata.vendor_name |
| Dir | network.direction |
| Sender | network.email.from |
| MsgId | network.email.mail_id |
| Subject | network.email.subject |
| Rcpt | network.email.to |
| MsgSize | network.received_bytes |
| Snt | network.sent_bytes |
| IP | principal.asset.ip |
| IP | principal.ip |
| Sender | principal.user.email_addresses |
| Act | security_result.action |
| Act, RejInfo | security_result.action_details |
| RejType | security_result.category_details |
| RejCode, RejType, RejInfo | security_result.description |
| RejType | security_result.severity |
| SpamInfo, SpamLimit, SpamScore | security_result.severity_details |
| AttNames | security_result.about.file.names |
| filename_for_malachite | security_result.about.file.full_path |
| Error, Err | security_result.summary |
| Definition | security_result.threat_id |
| IP | target.asset.ip |
| IP | target.ip |
| Rcpt | target.user.email_addresses |
| AttCnt | additional.AttCnt |
## Product Event Types

| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| RECEIPT | | EMAIL_TRANSACTION | |
| PROCESSING | | EMAIL_TRANSACTION | |
| DELIVERY | | EMAIL_TRANSACTION | |
## Log Sample

```text
datetime=2022-01-07T09:24:09-0500|aCode=acode|acc=redacted|SpamLimit=28|IP=10.1.2.3|Dir=Outbound|Subject=Your Support Case: #12345|MsgId=msgid|headerFrom=email|Sender=jane.doe@domain.com|Rcpt=john.doe@domain.com|SpamInfo=[]|Act=Acc|TlsVer=TLSv1.2|Cphr=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|SpamScore=0
```
## Sample Parsing

```text
metadata.event_type = "EMAIL_TRANSACTION"
metadata.product_event_type = "Email DELIVERY"
metadata.product_log_id = "logid"
metadata.product_name = "Mimecast MTA"
metadata.vendor_name = "Mimecast"
network.direction = "INBOUND"
network.email.from = "jane.doe@domain.com"
network.email.mail_id = "msgid"
network.email.subject = "Customs Cleared"
network.email.to = "email"
principal.asset.ip = "10.13.14.15"
principal.ip = "10.13.14.15"
principal.user.email_addresses = "john.doe@domain.com"
security_result.action = "BLOCK"
security_result.action_details = "Rej"
security_result.category_details = "Invalid Recipient Address"
security_result.description = "RejCode=550, RejType=Invalid Recipient Address, RejInfo=Invalid Recipient"
security_result.severity = "LOW"
security_result.severity_details = "SpamInfo=[], SpamLimit=0, SpamScore=0"
security_result.summary = "Failed Known address verification"
target.asset.ip = "10.17.18.19"
target.ip = "10.17.18.19"
target.user.email_addresses = "john.doe@domain.com"
```
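The mapping from the pipe-delimited Mimecast MTA key=value line to UDM fields, as an added example that is not the parser's own code. It assumes the value mappings Acc -> ALLOW, Rej -> BLOCK and Dir -> upper-cased direction inferred from the samples above, and re-attaches a `|` that appears inside a value (such as a Subject) instead of mis-reading it as a new field.

```python
# Added example, not Mimecast's or the parser's code. Parses one Mimecast
# MTA log line (k=v fields separated by '|') into a flat dict of UDM paths
# following the mapping table on this page.

ACTION_MAP = {"Acc": "ALLOW", "Rej": "BLOCK"}  # assumed from the page's samples

# Direct field-to-UDM mappings taken from the table above
DIRECT = {
    "aCode": "metadata.product_log_id", "Sender": "network.email.from",
    "MsgId": "network.email.mail_id", "Subject": "network.email.subject",
    "Rcpt": "network.email.to", "AttNames": "security_result.about.file.names",
    "Definition": "security_result.threat_id", "Error": "security_result.summary",
}


def split_fields(line: str) -> dict:
    """Split 'k=v|k=v' into a dict. A token that has no 'key=' prefix (a '|'
    or '=' inside a Subject, for example) is appended to the previous value."""
    fields, last_key = {}, None
    for token in line.strip().split("|"):
        key, sep, value = token.partition("=")
        if sep and key.isidentifier():          # heuristic: a real field key
            fields[key], last_key = value, key
        elif last_key is not None:
            fields[last_key] += "|" + token
    return fields


def to_udm(fields: dict) -> dict:
    udm = {"metadata.event_type": "EMAIL_TRANSACTION",
           "metadata.product_name": "Mimecast MTA", "metadata.vendor_name": "Mimecast"}
    for src, dst in DIRECT.items():
        if src in fields:
            udm[dst] = fields[src]
    if "Dir" in fields:
        udm["network.direction"] = fields["Dir"].upper()
    if "Act" in fields:
        udm["security_result.action"] = ACTION_MAP.get(fields["Act"], "UNKNOWN_ACTION")
        udm["security_result.action_details"] = fields["Act"]
    if "IP" in fields:  # the table maps IP to both principal and target
        udm["principal.ip"] = udm["target.ip"] = fields["IP"]
    if "MsgSize" in fields and fields["MsgSize"].isdigit():
        udm["network.received_bytes"] = int(fields["MsgSize"])
    # Composite description / severity_details strings, in the table's order
    for dst, keys in (("security_result.description", ("RejCode", "RejType", "RejInfo")),
                      ("security_result.severity_details", ("SpamInfo", "SpamLimit", "SpamScore"))):
        parts = [f"{k}={fields[k]}" for k in keys if k in fields]
        if parts:
            udm[dst] = ", ".join(parts)
    return udm


# The page's log sample, shortened (placeholders as on the page)
SAMPLE = ("datetime=2022-01-07T09:24:09-0500|aCode=acode|SpamLimit=28|IP=10.1.2.3"
          "|Dir=Outbound|Subject=Your Support Case: #12345|Sender=jane.doe@domain.com"
          "|Rcpt=john.doe@domain.com|SpamInfo=[]|Act=Acc|SpamScore=0")
```

Running `to_udm(split_fields(SAMPLE))` yields the OUTBOUND/ALLOW event with `security_result.severity_details` of `SpamInfo=[], SpamLimit=28, SpamScore=0`, matching the format of the sample parsing above.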
## Parser Alerting

This product currently does not have any parser-based alerting.
## Rules
Coming Soon