Mimecast


Mimecast delivers a comprehensive, integrated solution that protects the premier cybersecurity attack vector. Learn more at Mimecast.

The Mimecast email security product is a SaaS-based service that includes multi-layered protection and targeted threat protection. Capabilities include anti-virus, anti-spam, attachment and URL security, DLP, impersonation protection and threat intelligence.

Mimecast and Humio provide an integrated solution to improve detection, stop threats and provide security insights gathered across the organization. With Humio, customers can ingest Mimecast logs alongside other log sources to get complete visibility across their environments. Email security logs are a valuable source of data for cyber defence teams. Humio customers can correlate Mimecast insights with logs from network, endpoint and other systems to search for IOCs and other signs of potentially malicious activity, reducing detection times and increasing the speed and completeness of cyber investigations.

By integrating Mimecast and Humio customers can gain the following benefits:

  • Add context to your Mimecast logs by correlating with other log sources including infrastructure, network and software logs.

  • Get more value from Mimecast IOC detections by searching for these across other log sources.

  • Empower threat hunters with blazing fast search across logs from the primary attack vector, email.

  • Enable investigations to uncover the full kill-chain right back to the initial compromise - which is often an email-based attack vector.

  • Contain attacks earlier with rapid detections and response to phishing and business email compromise tactics.

Configure Mimecast and Humio integration

Mimecast have developed a middle-ware component that pulls the required logs from Mimecast and sends them into Humio. Mimecast have also developed a free package in the Humio marketplace which includes the required parser and eight different dashboards — one for each of the following types of Mimecast logs — Audit, Data Leak, Threat Intel Regional, Impersonation Protect, URL Protect, Attachment Protect, Email Activity Summary, and Threat Intel Targeted. Log types you do not need can be excluded in the configuration of the middle-ware component.

Enabling the integration involves two steps: installing the Mimecast package in Humio, then installing and configuring the Mimecast middle-ware that handles the log ingestion.

Create a new repository in Humio for the Mimecast data. From the target repository select Settings, then Packages, and install the Mimecast package from the Humio marketplace.

Figure 1

The package will install the required mimecast-json parser as well as some overview dashboards which you can edit later if required.

From the Mimecast repository select Settings, then under Ingest choose API Tokens. Create a new token, assign it the mimecast-json parser, and copy the token.

Figure 2

Now install and configure the Mimecast middle-ware component by following the detailed instructions here. The middle-ware component requires the following Humio details:

  • HUMIO_BASE_URL: The URL to your Humio service (e.g. Humio Cloud EU for the European Humio Cloud and Humio Cloud US for the US based Humio cloud).

  • HUMIO_API_TOKEN: The API token you copied earlier from the Humio interface.

  • HUMIO_REPO: The Humio repository name you created in step (1) within your Humio account.

You should now see Mimecast logs appearing in your Humio repository, and the dashboards will start to populate with data. You can verify this by checking in the main Humio menu that the eight dashboards are configured and that logs are being ingested (in the example below, 3.6 GB).

Figure 3
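As an added example that is not part of the Mimecast package or middle-ware, the following Python checks the three settings listed above and assembles a Humio structured-ingest request for a batch of Mimecast events. The ingest endpoint path, the tag names, the `send` helper and the sample event fields are assumptions, not taken from the integration.

```python
"""Added example, not Mimecast's middle-ware or Humio's own code: validate the
HUMIO_BASE_URL / HUMIO_API_TOKEN / HUMIO_REPO settings and build the ingest
request for a batch of Mimecast events. Endpoint path, tag names and the
sample event below are assumptions."""
import json
import os
import urllib.request

INGEST_PATH = "/api/v1/ingest/humio-structured"  # assumed Humio ingest endpoint
REQUIRED = ("HUMIO_BASE_URL", "HUMIO_API_TOKEN", "HUMIO_REPO")


def load_config(env=None):
    """Read the three middle-ware settings and fail early if any is absent."""
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing middle-ware settings: " + ", ".join(missing))
    base = env["HUMIO_BASE_URL"].rstrip("/")  # tolerate a trailing slash
    if not base.startswith("https://"):
        raise ValueError("HUMIO_BASE_URL must be https; the token travels in a header")
    return {"base_url": base, "token": env["HUMIO_API_TOKEN"], "repo": env["HUMIO_REPO"]}


def build_ingest_request(cfg, log_type, events):
    """Return (url, headers, body) for one batch of Mimecast events.

    Tags let each Mimecast log type be searched on its own; the ingest token
    already binds the request to the repository and the mimecast-json parser.
    """
    body = [{
        "tags": {"source": "mimecast", "mimecast.type": log_type, "repo": cfg["repo"]},
        "events": [{"timestamp": e["datetime"], "attributes": e} for e in events],
    }]
    headers = {"Authorization": "Bearer " + cfg["token"], "Content-Type": "application/json"}
    return cfg["base_url"] + INGEST_PATH, headers, json.dumps(body)


def send(cfg, log_type, events):
    """Post one batch and return the HTTP status (assumed helper, not run offline)."""
    url, headers, body = build_ingest_request(cfg, log_type, events)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample: one URL Protect-style event (field names assumed).
SAMPLE_EVENTS = [{"datetime": "2021-03-01T10:15:00+00:00", "action": "block",
                  "url": "http://example.invalid/login", "recipient": "user@example.com"}]

if __name__ == "__main__":
    u, h, b = build_ingest_request(load_config(), "url_protect", SAMPLE_EVENTS)
    print(u, len(b), "bytes queued")
```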