mimecast/email-security

Vendor: Mimecast Services Ltd.
Author: Mimecast
Version: 0.0.2
Minimum LogScale Version: 1.15.0

Mimecast delivers a comprehensive, integrated solution that protects email, the primary cybersecurity attack vector. Learn more at Mimecast.

The Mimecast email security product is a SaaS-based service that includes multi-layered protection and targeted threat protection. Capabilities include anti-virus, anti-spam, attachment and URL security, DLP, impersonation protection and threat intelligence.

Mimecast and LogScale provide an integrated solution to improve detection, stop threats and provide security insights gathered across the organization. With LogScale customers can ingest Mimecast logs along with other log sources to get complete visibility across their environments. Email security logs are a valuable source of data for cyber defence teams. LogScale customers can correlate Mimecast insights with logs from network, endpoint and other systems to search for IOCs and other signs of potentially malicious activity in order to reduce detection times and increase the speed and completeness of cyber investigations.

By integrating Mimecast and LogScale customers can gain the following benefits:

  • Add context to your Mimecast logs by correlating with other log sources including infrastructure, network and software logs.

  • Get more value from Mimecast IOC detections by searching for these across other log sources.

  • Empower threat hunters with blazing fast search across logs from the primary attack vector, email.

  • Enable investigations to uncover the full kill-chain right back to the initial compromise, which is often an email-based attack vector.

  • Contain attacks earlier with rapid detections and response to phishing and business email compromise tactics.

Configure Mimecast and LogScale integration

Mimecast have developed a middleware component that pulls the required logs from Mimecast and sends them into LogScale. Mimecast have also developed a free package in the LogScale marketplace which includes the required parser and eight different dashboards, one for each of the following types of Mimecast logs: Audit, Data Leak, Threat Intel Regional, Impersonation Protect, URL Protect, Attachment Protect, Email Activity Summary, and Threat Intel Targeted. If required, you can exclude certain log types in the configuration of the middleware component.

Enabling the integration involves installing the Mimecast package in LogScale, then installing and configuring the Mimecast middleware that handles the log ingestion.

  1. Create a new repository in LogScale for the Mimecast data. From the target repository select Settings and Packages and install the Mimecast Package from the LogScale marketplace.


    Figure 30. Configure LogScale for Mimecast


    The package will install the required mimecast-json parser as well as some overview dashboards which you can edit later if required.

  2. From the Mimecast repository select Settings and, under Ingest, choose Ingest Tokens. Create a new token and assign it the mimecast-json parser, then copy the token. This is an ingest token scoped to writing into this one repository; do not use a personal API token here, which carries far wider permissions than the middleware needs.


    Figure 31. Configure Ingest Tokens


  3. Now install and configure the Mimecast middleware component by following the detailed instructions here. The middleware component requires the following LogScale details:

    • HUMIO_BASE_URL — The URL to your LogScale service. Use an https:// URL, since the ingest token is sent in every request.

    • HUMIO_API_TOKEN — The ingest token you copied earlier from the LogScale interface. Treat it as a secret: supply it through the middleware's secret store or environment rather than committing it to configuration files, and rotate it from the LogScale Ingest Tokens page if it is ever exposed.

    • HUMIO_REPO — The name of the LogScale repository you created in step (1). An ingest token is bound to the repository it was created in, so this must be the same repository.

  4. You should now see Mimecast logs appearing in your LogScale repository and the dashboards starting to populate with data. You can verify this by checking in the main LogScale menu that the eight dashboards are present and that logs are being ingested (in the example below, 3.6 GB).


    Figure 32. Mimecast Data in Repository
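The following script is an added example for this page; it is not code from the Mimecast middleware or from the LogScale package. It shows how the three settings from step (3) are consumed and lets you sanity-check them before deploying the middleware: it refuses a non-TLS base URL, reports missing values, never prints the full token, and builds the POST that a client would send to LogScale's unstructured ingest endpoint (messages sent there are run through the parser assigned to the ingest token, here mimecast-json). The sample record and its field names are constructed for illustration and are assumed, not taken from the Mimecast API; the `/api/v1/ingest/humio-unstructured` endpoint and the Bearer-token header are LogScale's documented ingest interface.

```python
"""Check the LogScale settings used by the Mimecast middleware and build
(and optionally send) one test ingest request with a constructed record."""
import json
import os
import sys
import urllib.request
from urllib.parse import urlparse

# LogScale raw-message ingest endpoint. Messages posted here are parsed by the
# parser attached to the ingest token (mimecast-json in the setup above).
INGEST_PATH = "/api/v1/ingest/humio-unstructured"

REQUIRED = ("HUMIO_BASE_URL", "HUMIO_API_TOKEN", "HUMIO_REPO")

# Constructed sample record. Field names are assumed for illustration only and
# are not the real Mimecast log schema.
SAMPLE_EVENT = {
    "type": "url_protect",
    "timestamp": "2024-05-01T10:15:00+0000",
    "senderAddress": "attacker@example.net",
    "recipientAddress": "user@example.com",
    "url": "http://phish.example.net/login",
    "action": "blocked",
}


def check_settings(env):
    """Return a list of problems with the three middleware settings (empty = OK)."""
    problems = [f"{k} is not set" for k in REQUIRED if not env.get(k)]
    base = env.get("HUMIO_BASE_URL")
    if base:
        parsed = urlparse(base)
        # The ingest token travels in the Authorization header on every
        # request, so plaintext HTTP would leak it on the wire.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("HUMIO_BASE_URL must be an https:// URL")
    return problems


def load_settings(env=None):
    """Read and validate the settings; raise ValueError listing every problem."""
    env = os.environ if env is None else env
    problems = check_settings(env)
    if problems:
        raise ValueError("; ".join(problems))
    return env["HUMIO_BASE_URL"].rstrip("/"), env["HUMIO_API_TOKEN"], env["HUMIO_REPO"]


def build_ingest_request(base_url, token, events):
    """Return (url, headers, body) for one unstructured-ingest POST.

    The repository is not a request parameter: LogScale derives it from the
    ingest token, which is why HUMIO_REPO must match the token's repository.
    """
    body = [{
        "fields": {"source": "mimecast-middleware-check"},  # attached to every message
        "messages": [json.dumps(e) for e in events],        # raw JSON for the parser
    }]
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    return base_url + INGEST_PATH, headers, json.dumps(body).encode("utf-8")


def redact(token):
    """Keep only a short prefix so tokens can be told apart in logs without being exposed."""
    return token[:4] + "..." if len(token) > 4 else "****"


def send(url, headers, body, timeout=10):
    """POST the batch; LogScale answers HTTP 200 when it accepts the messages."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    base, token, repo = load_settings()
    url, headers, body = build_ingest_request(base, token, [SAMPLE_EVENT])
    print(f"POST {url} as token {redact(token)} (repo {repo}, {len(body)} bytes)")
    if "--send" in sys.argv:  # only contact LogScale when asked to
        print("response status:", send(url, headers, body))
```

Run it with the three variables exported and no arguments to see the request that would be made; add `--send` to push the constructed record, then search the repository for `source=mimecast-middleware-check` to confirm the token, parser and repository line up before starting the middleware itself.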