Overview

Mimecast is a company specializing in cloud-based email management for Microsoft Exchange and Microsoft Office 365, including security, archiving, and continuity services to protect business mail.

Hunters parse the data and use it to protect your users and your network in a more comprehensive way - both in detection and investigation phases in the Hunters’ pipeline.

Supported Data Types

More information about each of the schemas can be found here.

There are 3 stages that each email will go through and each stage is presented as a different data type.

  • Receipt Logs: where the MTA receives a new connection for an email.

  • Process Logs: where Mimecast policies are applied to the email.

  • Delivery Logs: where the MTA delivers the email to it's intended recipient.

In addition there are more supported data types that represent malicious activity detected by Mimecast:

  • Target Threat Protection - Internal Email Protect logs: Internal Email Protect extends the capabilities of Targeted Threat Protection, by conducting additional security checks on both internal journaled and outbound email. More information about this data type can be found here.

  • Targeted Threat Protection - Impersonation Protect logs: An impersonation attack typically involves an email that seems to come from a trusted source. More information about this data type can be found here.

  • Targeted Threat Protection - URL Protect logs: protect your organization against threat posed by phishing and spear phishing attacks in inbound mail. More information about this data type can be found here.

  • Targeted Threat Protection - Attachment Protect logs: protects customers from spear phishing and other targeted attacks using email attachments. More information about this data type can be found here.

Additional data types are:

  • AV logs: protect your organization against threat of known malware.

  • Spam Event Thread logs: The aim of this data type is to reject unwanted spam and malware.

Hunters Ingestion - via API

The following information is required to configure Mimecast events collection:

  1. Access key

  2. Secret key

  3. Application ID (uuid)

  4. Application key (uuid)

  5. User name (email)

Obtaining keys and user name

In order to generate the access and secret keys, follow this guide:

  1. The email of the user used to create the keys, is the username.

  2. It is important to set the Authentication TTL setting to Never Expires, as detailed in step 4 (Create a new Authentication Profile), sub-section 5, in the aforementioned guide.

Hunters Ingestion - via storage

In order to enable Hunters' collection & ingestion of Mimecast for your account, the logs should be collected to an S3 bucket shared with Hunters. Hunters expect the data to be divided to prefix per data type, which can be achieved by using the Content-Disposition response header in the Mimecast API. More details can be found here under the “Understanding the Logs API” section.

Expected Format

There are supported formats - key-value, ndjson. The expected schema is as it returns from the API.

key-value example for Delivery logs:

datetime=2017-05-26T19:40:33+0100|aCode=9q_HeIHHPYejZTBsnipWmQ|acc=C0A0|Delivered=true|IP=123.123.123.123|AttCnt=0|Dir=Inbound|ReceiptAck=\250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery\|MsgId=messageId@mssageId|Subject=\Auto Reply\|Latency=5618|Sender=from@domain.com|Rcpt=auser@mimecast.com|AttSize=0|Attempt=1|TlsVer=TLSv1|Cphr=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|Snt=28237|UseTls=Yes|Route=\Mimecast Exchange Route
CODE

ndjson example for Delivery logs:

{"acc": "ab12", "Delivered": true, "IP": "0.0.0.0", "AttCnt": 0, "Dir": "Outbound", "Recei
CODE