Mimecast Integration Guide


The following instructions are for configuring Mimecast to facilitate log ingestion into Secureworks® Taegis™ XDR.

Mimecast Requirements

An active Mimecast account with privileges to create service credentials is required to integrate with XDR.

Data Provided from Integration

The following Mimecast Logs and Statistics API Endpoints are supported by XDR.

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
Mimecast             D        

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Mimecast Platform Configuration

Follow the instructions in the Mimecast documentation, API & Integrations - Managing API 1.0 for Cloud Gateway, to add an API application for the XDR integration.

Create a Mimecast User Account

Follow the instructions in the Mimecast documentation, Creating a service account user, to create an account that has the required Mimecast administrator permissions for integration.

Note

MFA must be disabled for the service account used for the Mimecast integration.

Grant Permissions to the User Account Created for This Integration

Follow the instructions in the Mimecast documentation, Granting API Service Account User Permissions, to grant the permissions required for each API endpoint.

Generate Mimecast API Credentials

  1. In the Mimecast Administration Console, navigate to Services → API and Platform Integrations. Click the Generate Keys button in the Secureworks tile.

Mimecast Integration

  2. Follow the instructions in the Mimecast documentation, Adding an API Application.

Important

Note the Application ID, Application Key, Region, Access Key, and Secret Key for the next steps.

Add Integration in XDR

  1. From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
  2. Choose Set up Mimecast.

Creating a new Mimecast integration

  3. Enter the following values:

    • Application ID
    • Application Key
    • Region
    • Access Key
    • Secret Key
    • Name — This serves as a unique name for your integration; it can include any valid values up to 100 characters.
  4. Select Done. The Cloud API Integrations page is displayed with the successfully added Mimecast integration.

Once the above steps are completed, Mimecast integration details are available on the Cloud APIs page. From the XDR left-hand side navigation, select Integrations → Cloud APIs.

Note

Multiple Mimecast integrations may be added to the same tenant, provided that separate API credentials are used for each integration.

Advanced Search using the Query Language

Mimecast Advanced Search

Example Query Language Searches

To search for Mimecast email events from the last 24 hours:

FROM email WHERE sensor_type = 'Mimecast' and EARLIEST=-24h

To search for Mimecast email events classified as "Delivered":

FROM email WHERE sensor_type = 'Mimecast' AND status = 'delivered'

To search for Mimecast email events whose original data contains the string "virus":

FROM email WHERE sensor_type = 'Mimecast' AND original_data CONTAINS 'virus'

Event Details

Mimecast Event Details

Data Normalized by XDR

Mimecast Normalized Data

Alert Details

Mimecast Alert Details
