Mimecast

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data type                                      | Table name                           | Log format | Collection method
Mail Transfer Agent (MTA) - Receipt Logs                 | mimecast_receipt_logs                | NDJSON     | API/S3
Mail Transfer Agent (MTA) - Process Logs                 | mimecast_process_logs                | NDJSON     | API/S3
Mail Transfer Agent (MTA) - Delivery Logs                | mimecast_delivery_logs               | NDJSON     | API/S3
Targeted Threat Protection - Internal Email Protect logs | mimecast_internal_email_protect_logs | NDJSON     | API/S3
Targeted Threat Protection - Impersonation Protect logs  | mimecast_impersonation_protect_logs  | NDJSON     | API/S3
Targeted Threat Protection - URL Protect logs            | mimecast_url_protect_logs            | NDJSON     | API/S3
Targeted Threat Protection - Attachment Protect logs     | mimecast_attachment_protect_logs     | NDJSON     | API/S3
Mimecast Attachment TTP logs                             | mimecast_ttp_attachment_logs         | NDJSON     | API/S3
Mimecast URL TTP logs                                    | mimecast_ttp_url_logs                | NDJSON     | API/S3
Mimecast AntiVirus logs                                  | mimecast_av_logs                     | NDJSON     | API/S3
Spam Event Thread logs                                   | mimecast_spam_event_thread_logs      | NDJSON     | API/S3
Message Release Logs                                     | mimecast_message_release_logs        | NDJSON     | API/S3

The original table also flags, per data type, whether 3rd party detection, Hunters detection, IOC search and Search are supported; those flags are shown as icons on the page and are not reproduced as text here.


Overview

Mimecast is a cybersecurity company specializing in email security, archiving, and compliance solutions. It provides protection against phishing, malware, ransomware, and email spoofing through advanced threat detection and AI-driven filtering. Mimecast also offers email continuity and disaster recovery services, ensuring businesses can access their emails even during outages. With data loss prevention (DLP) and encryption, it helps organizations safeguard sensitive communications and meet compliance requirements.

Supported data types

Mail Transfer Agent (MTA)

Each email goes through three stages in the MTA, and each stage is presented as a separate data type:

Data type     | Description                                            | Table name
Receipt Logs  | The MTA receives a new connection for an email.        | mimecast_receipt_logs
Process Logs  | Mimecast policies are applied to the email.            | mimecast_process_logs
Delivery Logs | The MTA delivers the email to its intended recipient.  | mimecast_delivery_logs

More information about each of the schemas can be found here.

Targeted Threat Protection

In addition, there are more supported data types that represent malicious activity detected by Mimecast:

Data type | Description | Table name
Targeted Threat Protection - Internal Email Protect logs | Internal Email Protect extends the capabilities of Targeted Threat Protection by conducting additional security checks on both internal journaled and outbound email. More information about this data type can be found here. | mimecast_internal_email_protect_logs
Targeted Threat Protection - Impersonation Protect logs | An impersonation attack typically involves an email that seems to come from a trusted source. More information about this data type can be found here. | mimecast_impersonation_protect_logs
Targeted Threat Protection - URL Protect logs | Protects your organization against the threat posed by phishing and spear phishing attacks in inbound mail. | mimecast_url_protect_logs
Targeted Threat Protection - Attachment Protect logs | Protects customers from spear phishing and other targeted attacks that use email attachments. | mimecast_attachment_protect_logs
Mimecast Attachment TTP logs | Mimecast's Targeted Threat Protection (TTP) for attachments protects organizations from malicious email attachments: attachments are scanned and analysed to detect viruses, malware and other harmful content before they reach the end user's inbox. | mimecast_ttp_attachment_logs
Mimecast URL TTP logs | The URL TTP service scans, rewrites and checks the safety of URLs contained in email messages to prevent phishing attacks, malware downloads and other security threats. | mimecast_ttp_url_logs

Mimecast AntiVirus logs

Table name: mimecast_av_logs

A record of all emails that are scanned for malware by Mimecast's anti-virus (AV) engine. The logs contain information about the email, such as the sender, recipient, subject, and body, as well as the AV scan results.

Spam Event Thread logs

Table name: mimecast_spam_event_thread_logs

A record of all spam emails that are processed by Mimecast's spam filtering engine. The logs contain information about the email, such as the sender, recipient, subject, body, and spam score, as well as the actions that Mimecast took on the email.

Message Release Logs

Table name: mimecast_message_release_logs

A record of all emails that are released from Mimecast's held queue. The logs contain information about the email, such as the sender, recipient, subject, body, and the reason for release.

Send data to Hunters

You can collect logs using 2 methods:

  • API - connect your Mimecast instance to Hunters through the Mimecast API in a few steps.

  • S3 storage - route logs to an S3 bucket and provide Hunters with the details.

Using API

To connect Mimecast logs:

  1. Follow this guide to generate Mimecast access and secret keys.

    📘Note

    1. The email address of the user used to create the keys is the username.

    2. Set the Authentication TTL setting to Never Expires, as detailed in step 4 (Create a new Authentication Profile), sub-section 5, of the above-mentioned guide. Because the resulting keys never expire, keep them in a secrets store, grant the API user only the permissions needed to read logs, and regenerate the keys if that user or its profile changes.

    3. The host should be the Mimecast API URL for your region, as can be seen here.

  2. Complete the process on the Hunters platform, following this guide.
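To check a key pair against the regional host before entering it in Hunters, the following added example (written for this page; not Hunters or Mimecast code) builds the signed headers Mimecast's API 1.0 expects from the access key, secret key and the application id/key issued alongside them, following the documented API 1.0 scheme: Authorization is "MC <accessKey>:<signature>" with signature = Base64(HMAC-SHA1(Base64Decode(secretKey), "date:requestId:uri:appKey")), sent together with x-mc-app-id, x-mc-date and x-mc-req-id. The credential values, the example host and the request body used by verify_credentials are placeholders to replace with your own.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone

# Constructed placeholder credentials; nothing here is a real key.
DEMO_CREDS = {
    "host": "eu-api.mimecast.com",   # regional API host; use the one for your region
    "access_key": "AKIAEXAMPLEACCESSKEY",
    "secret_key": base64.b64encode(b"example-secret-key-bytes-only").decode(),
    "app_id": "00000000-0000-0000-0000-000000000000",
    "app_key": "11111111-1111-1111-1111-111111111111",
}
SIEM_LOGS_URI = "/api/audit/get-siem-logs"        # API 1.0 SIEM logs endpoint
DEMO_DATE = datetime(2017, 5, 26, 18, 40, 33, tzinfo=timezone.utc)  # fixed time for a reproducible demo


def mc_date(now: datetime) -> str:
    """x-mc-date format, e.g. 'Fri, 26 May 2017 18:40:33 UTC'."""
    return now.astimezone(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")


def sign(secret_key_b64: str, hdr_date: str, request_id: str, uri: str, app_key: str) -> str:
    """API 1.0 signature: Base64(HMAC-SHA1(Base64Decode(secret), date:reqId:uri:appKey)).
    The secret key Mimecast issues is base64 text and is decoded before use."""
    data = ":".join([hdr_date, request_id, uri, app_key]).encode()
    digest = hmac.new(base64.b64decode(secret_key_b64), data, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_headers(creds: dict, uri: str, now: datetime = None, request_id: str = None) -> dict:
    """Headers for one request. The date and a fresh request id both feed the
    signature, so each signature is bound to one request and one URI."""
    hdr_date = mc_date(now or datetime.now(timezone.utc))
    request_id = request_id or str(uuid.uuid4())
    signature = sign(creds["secret_key"], hdr_date, request_id, uri, creds["app_key"])
    return {
        "Authorization": f"MC {creds['access_key']}:{signature}",
        "x-mc-app-id": creds["app_id"],
        "x-mc-date": hdr_date,
        "x-mc-req-id": request_id,
        "Content-Type": "application/json",
    }


def verify_credentials(creds: dict, timeout: float = 10.0) -> int:
    """Send one minimal SIEM logs request to the regional host and return the HTTP
    status code. Interactive use only; nothing is sent at import time.
    The request body shape is assumed from the API 1.0 logs documentation."""
    import json
    import urllib.error
    import urllib.request
    body = json.dumps({"data": [{"type": "MTA", "compress": True, "fileFormat": "key-value"}]}).encode()
    req = urllib.request.Request(f"https://{creds['host']}{SIEM_LOGS_URI}", data=body,
                                 headers=signed_headers(creds, SIEM_LOGS_URI), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    print(signed_headers(DEMO_CREDS, SIEM_LOGS_URI, now=DEMO_DATE, request_id="req-1"))
    print(verify_credentials(DEMO_CREDS))
```

A 401 from verify_credentials usually means a wrong key, application key or username/profile; a 403 points at missing permissions on the API user; a 200 confirms the trio of host, application and keys is consistent before you enter it in Hunters.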

Using S3 storage

Hunters supports the ingestion of Mimecast logs via an intermediary AWS S3 bucket.

To connect Mimecast logs:

  1. Export your logs from Mimecast to an AWS S3 bucket.

  2. Once the export is complete and the logs have been collected in S3, follow the steps in this section.

Hunters expects the data to be split into a separate prefix per data type, which can be achieved by using the filename carried in the Content-Disposition response header of the Mimecast logs API to route each batch. More details can be found here, under the “Understanding the Logs API” section.
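As an added example (written for this page; not Hunters or Mimecast code) of that per-data-type prefix layout, the script below derives the S3 object key for one logs-API response from its Content-Disposition header. It assumes the filename in that header contains the log type as a word (receipt, process, delivery), which is this example's assumption rather than a documented convention; the prefix layout, the quarantine prefix for unrecognised batches and the sample date are likewise its own choices.

```python
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import unquote

# Keyword expected in the batch filename -> table name, which doubles as the S3
# prefix. Assumed naming; the page's other data types follow the same pattern.
TYPE_BY_KEYWORD = {
    "receipt": "mimecast_receipt_logs",
    "process": "mimecast_process_logs",
    "delivery": "mimecast_delivery_logs",
}
UNCLASSIFIED_PREFIX = "mimecast_unclassified"   # quarantine prefix: visible, not dropped
SAMPLE_RECEIVED_AT = datetime(2017, 5, 26, 19, 40, 33, tzinfo=timezone.utc)  # constructed

_FILENAME_STAR = re.compile(r"filename\*\s*=\s*([^']*)'[^']*'([^;]+)", re.IGNORECASE)
_FILENAME = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Pull the filename out of a Content-Disposition value.

    Prefers the RFC 5987 filename* form (percent-encoded, charset-tagged) over
    the plain filename= form, then strips any directory part so a value such as
    ../../x.log cannot steer the object outside its prefix.
    """
    m = _FILENAME_STAR.search(header)
    if m:
        name = unquote(m.group(2))
    else:
        m = _FILENAME.search(header)
        if not m:
            return None
        name = m.group(1)
    name = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    return name or None


def data_type_for(filename: str) -> Optional[str]:
    """Map a batch filename to the table it feeds, or None if the type is unknown."""
    lower = filename.lower()
    for keyword, table in TYPE_BY_KEYWORD.items():
        if keyword in lower:
            return table
    return None


def s3_key_for(content_disposition: str, received_at: datetime = None) -> str:
    """Object key <table name>/<yyyy>/<mm>/<dd>/<filename>. Batches whose type cannot
    be determined land in the quarantine prefix so an ingestion gap stays visible."""
    received_at = received_at or datetime.now(timezone.utc)
    name = filename_from_content_disposition(content_disposition)
    if name is None:
        name = f"unnamed-{received_at:%Y%m%dT%H%M%SZ}.bin"
    table = data_type_for(name) or UNCLASSIFIED_PREFIX
    return f"{table}/{received_at:%Y/%m/%d}/{name}"


if __name__ == "__main__":
    # Constructed header values for the demo.
    for hdr in ('attachment; filename="delivery_2017-05-26.log"',
                "attachment; filename*=UTF-8''receipt%5Flogs.kv",
                'attachment; filename="mystery.zip"'):
        print(hdr, "->", s3_key_for(hdr, SAMPLE_RECEIVED_AT))
```

Monitor the quarantine prefix: anything landing there means a batch type Hunters will not pick up under the expected prefixes, which is easier to notice than a silently thinning table.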

Expected format

The supported formats are key-value and NDJSON. The expected schema is the one returned by the API, unchanged.

Delivery logs - key-value example

datetime=2017-05-26T19:40:33+0100|aCode=9q_HeIHHPYejZTBsnipWmQ|acc=C0A0|Delivered=true|IP=123.123.123.123|AttCnt=0|Dir=Inbound|ReceiptAck=\250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery\|MsgId=messageId@mssageId|Subject=\Auto Reply\|Latency=5618|Sender=from@domain.com|Rcpt=auser@mimecast.com|AttSize=0|Attempt=1|TlsVer=TLSv1|Cphr=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|Snt=28237|UseTls=Yes|Route=\Mimecast Exchange Route

Delivery logs - ndjson example

{"acc": "ab12", "Delivered": true, "IP": "0.0.0.0", "AttCnt": 0, "Dir": "Outbound"}
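Both samples above are raw API output, so anything that writes them to S3 or reads them back has to handle the key-value quoting correctly. The following is an added example written for this page (not Hunters or Mimecast code) that parses delivery-log lines in either format into one record shape and flags deliveries that negotiated weak transport security. The quoting rule it implements (fields split on "|", values containing spaces wrapped in backslashes) is inferred from the page's sample; which keys it coerces to bool or int, and the weak-TLS check, are this example's own choices.

```python
import json

# Constructed sample lines matching the two examples on this page. The key-value
# line is the delivery-log example verbatim, including its unterminated
# backslash quote on the final Route value.
KV_SAMPLE = (
    "datetime=2017-05-26T19:40:33+0100|aCode=9q_HeIHHPYejZTBsnipWmQ|acc=C0A0"
    "|Delivered=true|IP=123.123.123.123|AttCnt=0|Dir=Inbound"
    "|ReceiptAck=\\250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery\\"
    "|MsgId=messageId@mssageId|Subject=\\Auto Reply\\|Latency=5618"
    "|Sender=from@domain.com|Rcpt=auser@mimecast.com|AttSize=0|Attempt=1"
    "|TlsVer=TLSv1|Cphr=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|Snt=28237|UseTls=Yes"
    "|Route=\\Mimecast Exchange Route"
)
NDJSON_SAMPLE = '{"acc": "ab12", "Delivered": true, "IP": "0.0.0.0", "AttCnt": 0, "Dir": "Outbound"}'

# Keys to coerce (assumed from the sample); everything else stays a string.
BOOL_KEYS = {"Delivered"}
INT_KEYS = {"AttCnt", "AttSize", "Attempt", "Latency", "Snt"}
WEAK_TLS = {"TLSv1", "TLSv1.1"}


def parse_kv(line: str) -> dict:
    """Tokenise one key-value line into a dict.

    Splitting on '|' naively would break values like ReceiptAck, so the scanner
    walks the line and treats a backslash directly after '=' as the opening
    delimiter of a quoted value that ends at the next backslash. A quote that is
    never closed (as on the page's sample) runs to end of line instead of failing.
    """
    record = {}
    i, n = 0, len(line)
    while i < n:
        eq = line.find("=", i)
        if eq == -1:
            raise ValueError(f"malformed field at offset {i}: {line[i:]!r}")
        key = line[i:eq].strip()
        i = eq + 1
        if i < n and line[i] == "\\":
            close = line.find("\\", i + 1)
            if close == -1:
                close = n
            value = line[i + 1:close]
            i = close + 1
        else:
            close = line.find("|", i)
            if close == -1:
                close = n
            value = line[i:close]
            i = close
        if i < n and line[i] == "|":
            i += 1
        record[key] = value
    return record


def coerce(record: dict) -> dict:
    """Give both formats the same types: NDJSON already carries bool/int,
    key-value carries everything as text."""
    out = {}
    for key, value in record.items():
        if key in BOOL_KEYS and isinstance(value, str):
            out[key] = value.strip().lower() == "true"
        elif key in INT_KEYS and isinstance(value, str) and value.strip().lstrip("-").isdigit():
            out[key] = int(value)
        else:
            out[key] = value
    return out


def load_record(line: str) -> dict:
    """Accept either supported format: NDJSON lines start with '{', anything else is key-value."""
    line = line.strip()
    if line.startswith("{"):
        return coerce(json.loads(line))
    return coerce(parse_kv(line))


def to_ndjson(lines) -> str:
    """Normalise a batch of mixed-format lines into NDJSON (one JSON object per line)."""
    return "\n".join(json.dumps(load_record(l), separators=(",", ":")) for l in lines)


def weak_transport(record: dict):
    """Return why a delivery record deserves a look, or None: delivered without TLS,
    or with a TLS version below 1.2 (the page's sample negotiated TLSv1)."""
    if record.get("UseTls") not in (None, "Yes"):
        return f"UseTls={record['UseTls']}"
    if record.get("TlsVer") in WEAK_TLS:
        return f"TlsVer={record['TlsVer']}"
    return None


if __name__ == "__main__":
    print(to_ndjson([KV_SAMPLE, NDJSON_SAMPLE]))
    print(weak_transport(load_record(KV_SAMPLE)))
```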

Message Release Logs - ndjson example

{"heldReleaseLogs": [{"id": "Sample_id_1", "status": "released", "heldReason": "Aggressive Spam Detection", "messageInfo": "Digest used as Source", "released": "2023-09-12T15:48:48+0000", "operator": {"emailAddress": "<>"}, "fromEnv": {"emailAddress": "test_env@example.com"}, "fromHdr": {"emailAddress": "test_hdr@example.com"}, "to": [{"emailAddress": "test_to@example.com"}], "subject": "Message 1", "attachments": false, "route": "inbound", "size": 112233, "policy": "Aggressive Spam Detection", "spamScore": 10, "detectionLevel": "aggressive", "spamProcessingDetail": {"rbl": {"allow": true, "info": ""}, "greyEmail": false, "spf": {"allow": true, "info": "allow"}, "dkim": {"allow": true, "info": "allow"}, "dmarc": {"allow": false, "info": "softfail"}, "permittedSender": {"allow": true, "info": "none"}, "managedSender": {"allow": true, "info": "unknown"}}}]}

Mimecast Attachment TTP logs - JSON example

{
    "attachmentLogs": [
        {
            "actionTriggered": "none, none",
            "date": "2024-04-02T07:19:57+0000",
            "definition": "Attachment Protection - Preemptive Sandbox",
            "details": "Safe                                              \r\nTime taken: 0 hrs, 0 min, 2 sec",
            "fileHash": "42a7416a467bd68b97cb9674b5f127250c1853cd6a35284ea9ac93718c148bc2",
            "fileName": "asd.PDF",
            "fileType": "application/pdf",
            "messageId": "<asd@koko.test.il>",
            "recipientAddress": "koko.shoko@test.com",
            "result": "safe",
            "route": "inbound",
            "senderAddress": "soko@koko.co.il",
            "subject": "asd.PDF"
        }
    ]
}

Mimecast URL TTP logs - JSON example

{
    "clickLogs": [
        {
            "action": "allow",
            "actions": "Allow",
            "adminOverride": "Allow",
            "category": "Customer managed url allow list",
            "creationMethod": "User Click",
            "date": "2024-04-02T13:45:11+0000",
            "emailPartsDescription": [
                "Body"
            ],
            "fromUserEmailAddress": "test@test.com",
            "messageId": "<SJ0PR02MB883204B8D75B5FC6A5E0CC1089239@SJ0PR02MB8832.test.com>",
            "route": "inbound",
            "scanResult": "clean",
            "sendingIp": "1.2.3.4",
            "subject": "Very imporatant email",
            "tagMap": {
                "CustomerManagedUrls": {
                    "Allowlisted": [
                        "ORIGINAL:https://www.google.com/asdaswdasd"
                    ],
                    "ManagedUrlEntry": [
                        "https://www.google.com"
                    ]
                }
            }
        }
    ]
}