Mimecast V2 - September 2025

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Mail Transfer Agent (MTA) - Receipt Logs | | | | | mimecast_receipt_logs_v2 | NDJSON | API/S3 |
| Mail Transfer Agent (MTA) - Process Logs | | | | | mimecast_process_logs_v2 | NDJSON | API/S3 |
| Mail Transfer Agent (MTA) - Delivery Logs | | | | | mimecast_delivery_logs_v2 | NDJSON | API/S3 |
| Targeted Threat Protection - Internal Email Protect logs | | | | | mimecast_internal_email_protect_logs_v2 | NDJSON | API/S3 |
| Targeted Threat Protection - Impersonation Protect logs | | | | | mimecast_impersonation_protect_logs_v2 | NDJSON | API/S3 |
| Mimecast Attachment TTP logs | | | | | mimecast_attachment_protect_logs_v2 | NDJSON | API/S3 |
| Mimecast AntiVirus logs | | | | | mimecast_av_logs_v2 | NDJSON | API/S3 |
| Spam Event Thread logs | | | | | mimecast_spam_logs_v2 | NDJSON | API/S3 |
| Mimecast journal logs | | | | | mimecast_journal_logs_v2 | NDJSON | API/S3 |
| Mimecast url protect logs | | | | | mimecast_url_protect_logs_v2 | NDJSON | API/S3 |


Overview

Mimecast is a cybersecurity company specializing in email security, archiving, and compliance solutions. It provides protection against phishing, malware, ransomware, and email spoofing through advanced threat detection and AI-driven filtering. Mimecast also offers email continuity and disaster recovery services, ensuring businesses can access their emails even during outages. With data loss prevention (DLP) and encryption, it helps organizations safeguard sensitive communications and meet compliance requirements.

Supported data types

Mail Transfer Agent (MTA) - Receipt Logs

Captures email receipt and acknowledgement signals for tracking message status.

Mail Transfer Agent (MTA) - Process Logs

Records workflow and processing steps of emails as they pass through Mimecast.

Mail Transfer Agent (MTA) - Delivery Logs

Tracks email delivery and routing details to show how messages are processed. Supports troubleshooting and delivery path analysis.

Targeted Threat Protection - Internal Email Protect logs

Monitors internal email protection activity to detect compromised accounts or insider threats.

Targeted Threat Protection - Impersonation Protect logs

Logs impersonation detection events targeting executives or domains. Helps spot phishing and spoofing attempts.

Mimecast Attachment TTP logs

Detects and blocks malicious attachments through sandboxing or file analysis.

Mimecast AntiVirus logs

Captures anti-virus detection events when malicious files are identified. Useful for threat detection and IOC correlation.

Spam Event Thread logs

Logs spam filtering and quarantined messages to prevent junk mail and phishing.

Mimecast journal logs

Provides compliance journaling records for regulatory and retention needs.

Mimecast url protect logs

Detects malicious or suspicious URLs within emails to block phishing links.

Send data to Hunters

You can collect logs using 2 methods:

  • API - connect your Mimecast instance to Hunters using API by performing a few simple steps.

  • S3 storage - route logs to an S3 bucket and provide Hunters with the details.

Using API

To connect Mimecast logs:

  1. Follow this guide to generate Mimecast access and secret keys.

  2. Complete the process on the Hunters platform, following this guide.

Using S3 storage

Hunters supports the ingestion of Mimecast logs via an intermediary AWS S3 bucket.

To connect Mimecast logs:

  1. Export your logs from Mimecast to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Hunters expects the data to be divided into one prefix per data type, which can be achieved by using the Content-Disposition response header in the Mimecast API. More details can be found here, under the “Understanding the Logs API” section.
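A pre-upload check for the per-data-type split, as an added example that is not Hunters' or Mimecast's code: it routes each NDJSON line by its eventType value instead of by the Content-Disposition header, and rejects lines that are not valid JSON or have no matching data type. The eventType values and table names are the ones shown on this page; using the table name as the S3 prefix and the function name split_by_data_type are assumptions of this example.

```python
import json
from collections import defaultdict

# eventType values and table names as they appear on this page.
# Using the table name as the S3 prefix is an assumption of this example.
EVENT_TYPE_TO_PREFIX = {
    "receipt": "mimecast_receipt_logs_v2",
    "process": "mimecast_process_logs_v2",
    "delivery": "mimecast_delivery_logs_v2",
    "internal email protect": "mimecast_internal_email_protect_logs_v2",
    "impersonation protect": "mimecast_impersonation_protect_logs_v2",
    "attachment protect": "mimecast_attachment_protect_logs_v2",
    "av": "mimecast_av_logs_v2",
    "spam": "mimecast_spam_logs_v2",
    "journal": "mimecast_journal_logs_v2",
    "url protect": "mimecast_url_protect_logs_v2",
}

def split_by_data_type(ndjson_text):
    """Return (groups, rejected): lines per prefix, and (line_no, reason) pairs."""
    groups, rejected = defaultdict(list), []
    for number, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are not events
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((number, f"invalid JSON: {exc.msg}"))
            continue
        event_type = event.get("eventType") if isinstance(event, dict) else None
        prefix = EVENT_TYPE_TO_PREFIX.get(event_type) if isinstance(event_type, str) else None
        if prefix is None:
            rejected.append((number, f"no prefix for eventType {event_type!r}"))
            continue
        # Re-serialize compactly so each event stays on exactly one line.
        groups[prefix].append(json.dumps(event, separators=(",", ":")))
    return dict(groups), rejected

# Constructed sample input (not real Mimecast output).
SAMPLE = "\n".join([
    '{"eventType": "delivery", "aggregateId": "a1", "delivered": "true"}',
    '{"eventType": "url protect", "aggregateId": "a2", "action": "Block"}',
    '{"eventType": "delivery", "aggregateId": "a3", "delivered": "false"}',
    '{"eventType": "url protect", "timestamp": 0000000000000}',  # leading zeros: invalid JSON
    '{"eventType": "example-unknown", "aggregateId": "a4"}',
])

if __name__ == "__main__":
    groups, rejected = split_by_data_type(SAMPLE)
    print({p: len(v) for p, v in groups.items()}, rejected)
```

Each key of the returned groups is written under its own prefix; any rejected line should be investigated before upload rather than dropped silently, since it points to a gap in what reaches the detection tables.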

Expected format

The supported format is JSON. The expected schema is the one returned by the API.

Delivery logs

{
  "deliveryErrors": null,
  "numberAttachments": "2",
  "tlsUsed": "true",
  "deliveryTime": "27106",
  "subject": "RE: [REDACTED SUBJECT]",
  "senderEnvelope": "redacted.sender@example.com",
  "delivered": "true",
  "rejectionType": null,
  "destinationIp": "123.123.123.123",
  "aggregateId": "redactedAggregateId",
  "processingId": "redactedProcessingId",
  "tlsCipher": "TLS_AES_256_GCM_SHA384",
  "timestamp": 1757310695432,
  "direction": "inbound",
  "emailSize": "530901",
  "tlsVersion": "TLSv1.3",
  "Hostname": "redacted.hostname.com",
  "messageId": "<redactedMessageId@example.com>",
  "eventType": "delivery",
  "deliveryAttempts": "1",
  "accountId": "redactedAccountId",
  "route": "Mimecast Direct to Exchange Online",
  "rejectionInfo": null,
  "recipients": "redacted.recipient@example.com",
  "rejectionCode": null,
  "subType": "true",
  "totalSizeAttachments": "157968"
}

AV Logs

{
  "fileName": "ANON_FILE_MT103_ANON12345.zip",
  "sha256": "ANON9c4d2a1e3b7f48b8a7e16e21d0a9f6f4f8c9e3bba726b1a2a0c6d88c4a9f1b2d",
  "subject": "ANON Swift Message MT103 Bank ad: ANON987654PQ",
  "senderEnvelope": "anon_sender@anondomain.com",
  "messageId": "<ANONc8f41b9d82aa4d2fbd95ac87ee01bc12@anondomain.com>",
  "senderDomainInternal": "false",
  "eventType": "av",
  "sha1": "ANON4b6a91a2c8d7e2f4b1d3c6f91b2e7f4d7c9a8e1b",
  "accountId": "ANON12345",
  "aggregateId": "ANONpQ8xLmN3yVzT4rQw9kRbHg",
  "virusFound": "Failed Known address verification",
  "route": "inbound",
  "processingId": "ANONtZ7qPjH59LmWkRn4sXyQdAeUfCv9oBr2jKpXvNwLhS8_1756970571",
  "recipients": "anon_user@anonmail.org",
  "fileExtension": "zip",
  "subType": null,
  "senderIp": "203.0.113.25",
  "senderDomain": "anondomain.com",
  "timestamp": 1756970583782,
  "emailSize": "ANON845219",
  "md5": "ANON8e5d2c7a19f4b3d8a6c2e9f7b1d4c6a2"
}

Attachment protect logs

{
  "fileName": "FILE_REDACTED.txt",
  "sha256": "HASH_SHA256_REDACTED",
  "subject": "Globalscape Notification: PROJECT_NAME_REDACTED - Move to Target Successful",
  "senderEnvelope": "user@domain_redacted.com",
  "messageId": "<MSG_ID_REDACTED@mail.domain_redacted.com>",
  "eventType": "attachment protect",
  "sizeAttachment": "647",
  "sha1": "HASH_SHA1_REDACTED",
  "accountId": "ACCOUNT_ID_REDACTED",
  "aggregateId": "AGGREGATE_ID_REDACTED",
  "route": "inbound",
  "processingId": "PROCESSING_ID_REDACTED",
  "fileMime": "text/plain",
  "fileExtension": "txt",
  "recipient": "user@domain_redacted.com",
  "subType": null,
  "senderIp": "IP_REDACTED",
  "senderDomain": "domain_redacted.com",
  "timestamp": "TIMESTAMP_REDACTED",
  "md5": "HASH_MD5_REDACTED"
}

Journal logs

{
  "accountId": "ACCOUNT_ID_REDACTED",
  "aggregateId": "AGGREGATE_ID_REDACTED",
  "processingId": "PROCESSING_ID_REDACTED",
  "recipients": "user@domain_redacted.com",
  "senderEnvelope": "system_id@domain_redacted.com",
  "subType": null,
  "eventType": "journal",
  "timestamp": "TIMESTAMP_REDACTED",
  "direction": null
}

Process logs

{
  "numberAttachments": "1",
  "attachments": "FILE_REDACTED.docx",
  "subject": "Re: PROJECT_REDACTED - Deal update",
  "senderEnvelope": "user@domain_redacted.com",
  "messageId": "<MSG_ID_REDACTED@domain_redacted.com>",
  "eventType": "process",
  "accountId": "ACCOUNT_ID_REDACTED",
  "aggregateId": "AGGREGATE_ID_REDACTED",
  "processingId": "PROCESSING_ID_REDACTED",
  "action": "Acc",
  "holdReason": "Oth",
  "subType": "Acc",
  "totalSizeAttachments": "277290",
  "timestamp": "TIMESTAMP_REDACTED",
  "emailSize": "1976986"
}

Receipt logs

{
  "numberAttachments": "1",
  "subject": "Confirmation of Changes to your Policy - POLICY_ID_REDACTED",
  "senderEnvelope": "user@domain_redacted.com",
  "rejectionType": null,
  "aggregateId": "AGGREGATE_ID_REDACTED",
  "processingId": "PROCESSING_ID_REDACTED",
  "tlsCipher": "TLS_CIPHER_REDACTED",
  "action": "Acc",
  "spamInfo": "[]",
  "senderIp": "IP_REDACTED",
  "timestamp": "TIMESTAMP_REDACTED",
  "direction": "outbound",
  "spamProcessingDetail": null,
  "spamDetectionLevel": null,
  "tlsVersion": "TLS_VERSION_REDACTED",
  "messageId": "<MSG_ID_REDACTED@domain_redacted.com>",
  "senderHeader": "user@domain_redacted.com",
  "eventType": "receipt",
  "accountId": "ACCOUNT_ID_REDACTED",
  "virusFound": null,
  "rejectionInfo": null,
  "recipients": "user@domain_redacted.com",
  "rejectionCode": null,
  "spamScore": "0",
  "subType": "Acc",
  "receiptErrors": null
}

Spam logs

{
  "subject": "RE: Indication Request: COMPANY_NAME_REDACTED - PROJECT_REDACTED",
  "senderEnvelope": "user@domain_redacted.com",
  "messageId": "<MSG_ID_REDACTED@domain_redacted.com>",
  "senderHeader": "user@domain_redacted.com",
  "eventType": "spam",
  "accountId": "ACCOUNT_ID_REDACTED",
  "aggregateId": "AGGREGATE_ID_REDACTED",
  "route": "inbound",
  "processingId": "PROCESSING_ID_REDACTED",
  "recipients": "user@domain_redacted.com",
  "subType": null,
  "senderIp": "IP_REDACTED",
  "senderDomain": "domain_redacted.com",
  "timestamp": "TIMESTAMP_REDACTED"
}

Impersonation Protect logs

{
    "processingId": "processingId",
    "aggregateId": "aggregateId",
    "taggedMalicious": "false",
    "subject": "siem_impersonation - email subject line",
    "internalUserName": "false",
    "senderEnvelope": "auser@mimecast.com",
    "policyDefinition": "Default Impersonation Definition",
    "newDomain": "false",
    "customThreatDictionary": "false",
    "action": "Hold",
    "senderIp": "123.123.123.123",
    "timestamp": 1689685338545,
    "similarInternalDomain": "false",
    "messageId": "",
    "eventType": "impersonation protect",
    "itemsDetected": "1",
    "mimecastThreatDictionary": "false",
    "accountId": "C0A0",
    "customNameMatch": "false",
    "route": "Inbound",
    "similarMimecastExternalDomain": "false",
    "recipients": "auser@mimecast.com",
    "similarCustomExternalDomain": "false",
    "subType": "Hold",
    "taggedExternal": "false",
    "replyMismatch": "false"
}

Internal email protect

{
    "processingId": "processingId",
    "aggregateId": "aggregateId",
    "subject": "siem_iep - email subject line",
    "monitoredDomainSource": "Customer Internal Domains",
    "similarDomain": "false",
    "senderEnvelope": "auser@mimecast.com",
    "messageId": "messageId",
    "eventType": "internal email protect",
    "scanResults": "Blocked URL Category",
    "accountId": "C0A0",
    "route": "Inbound",
    "recipients": "auser@mimecast.com",
    "urlCategory": "Blocked",
    "timestamp": 1689685338533
}

Url Protect logs

{
  "subject": "Fwd: News: Week 8 Term 3 [REDACTED SCHOOL]",
  "senderEnvelope": "user@example.com",
  "messageId": "<REDACTED_MESSAGE_ID@mail.example.com>",
  "eventType": "url protect",
  "analysis": "null",
  "url": "https://example.com/AccessNewsItem.aspx?accessToken=REDACTED_TOKEN&userId=REDACTED_USER&schoolId=REDACTED_SCHOOL&newsItemId=REDACTED_ID",
  "accountId": "REDACTED_ACCOUNT",
  "aggregateId": "REDACTED_AGGREGATE",
  "route": "inbound",
  "processingId": "req-REDACTED_PROCESSING_ID",
  "sourceIp": "0.0.0.0",
  "recipients": "recipient@example.com",
  "action": "Block",
  "subType": "Block",
  "urlCategory": "Phishing & Fraud",
  "blockReason": "malicious",
  "senderDomain": "example.com",
  "timestamp": 0
}