Mimecast API Documentation:
List of endpoints used
POST {mimecast-baseurl}/api/audit/get-audit-events
POST {mimecast-baseurl}/api/ttp/threat-intel/get-feed
GET {mimecast-baseurl}/siem/v1/batch/events/cg?type=av&dateRangeStartsAt=YYYY-MM-DD
Configuration Page
The Mimecast Advanced BlueApp can be configured with either API 1.0 or API 2.0. Please note that Mimecast has announced they will be deprecating API 1.0 in 2025.
To configure the Mimecast Events Collector, select the API Auth Type from the dropdown list as shown in the snapshot below. We will use API 2.0.
To configure the Mimecast Events Collector with API 2.0 Auth Type, we need to add the following details:
API 2.0 Host Name (default and cannot be edited)
Client ID
Client Secret
Once these details are entered, click on the Save button to save the credentials. Once the status is green, the app is configured successfully.
If the credentials are entered incorrectly, you will get an error as follows:
ACTIONS TAB
The Actions Tab shows the links for the Mimecast Events Collection API Reference Guide and other available actions.
These links will redirect to the Mimecast Events Collection API Reference Guide.
SCHEDULER TAB
The following schedulers have been created and can be enabled, disabled, or edited on the Scheduler tab. The jobs are configured on a 15-minute schedule by default.
Threat Intel Feed Grid STIX Collection
- This Scheduler is available for both API 1.0 and API 2.0
Threat Intel Feed Grid CSV Collection
- This Scheduler is available for both API 1.0 and API 2.0
Threat Intel Feed Customer CSV Collection
- This Scheduler is available for both API 1.0 and API 2.0
Threat Intel Feed Customer STIX Collection
- This Scheduler is available for both API 1.0 and API 2.0
Audit Log Collection
- This Scheduler is available only for API 1.0 and was deprecated for API 2.0
Users can toggle the enable option and edit the scheduler time to alter the scheduler iterations if desired.
MTA events logs collection
This scheduler was added to fetch the SIEM MTA events for the customer account as a batch process, running every day at 12:05 AM.
NOTE:
According to the official Mimecast API documentation, we cannot use a single API call to fetch all 10 event types. Additionally, the response fields for each event type vary slightly from one another.
The following 10 event types are fetched as part of the MTA Events Logs Collection: av, delivery, internal email protect, impersonation protect, journal, process, receipt, attachment protect, spam, URL protect.
On the first execution, the SIEM MTA Events Scheduler fetches events starting from 7 days prior to the current date. This ensures historical data is captured during the initial run.
The MTA Events Scheduler may take longer to execute because it makes consecutive API calls for all 10 event types. This is expected behavior given the volume and processing required per event type.
One data source is configured in the plugin, supporting 10 event types.
Users cannot toggle the enable option or edit the scheduler time for this job, because the MTA events scheduler must run only once every 24 hours to fetch unique events.
This Scheduler is available for API 2.0
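The per-type batch collection described above, as an added example that is not the BlueApp's own code: it plans the 10 requests the MTA scheduler must issue (one per event type, since Mimecast offers no single call for all of them), applies the 7-day look-back on the first run, and resumes from the last run date afterwards. The URL form and look-back rule come from the page; the query keys for types other than "av" and the `fetch` callback are assumptions.

```python
# Added example, not the BlueApp's own code. Plans one batch request per MTA
# event type; the "7 days on first run" rule and URL shape come from the page.
from datetime import date, timedelta
from urllib.parse import urlencode

# The 10 MTA event types named on the page. Only "av" is shown as a URL type
# value on the page; the others are assumed to use the same name as the key.
MTA_EVENT_TYPES = [
    "av", "delivery", "internal email protect", "impersonation protect",
    "journal", "process", "receipt", "attachment protect", "spam", "URL protect",
]
INITIAL_LOOKBACK_DAYS = 7


def date_range_start(last_run, today):
    """ISO dates in, ISO date out. First run: 7 days before today;
    later runs: resume at the last run date (never later than today)."""
    today_d = date.fromisoformat(today)
    if last_run is None:
        return (today_d - timedelta(days=INITIAL_LOOKBACK_DAYS)).isoformat()
    return min(date.fromisoformat(last_run), today_d).isoformat()


def batch_url(base_url, event_type, start):
    """GET {base}/siem/v1/batch/events/cg?type=<type>&dateRangeStartsAt=YYYY-MM-DD"""
    query = urlencode({"type": event_type, "dateRangeStartsAt": start})
    return f"{base_url.rstrip('/')}/siem/v1/batch/events/cg?{query}"


def collect_mta_events(base_url, fetch, last_run, today):
    """fetch(url) -> list of event dicts (assumed callback that performs the
    authenticated HTTP GET). Returns (all events, per-type counts)."""
    start = date_range_start(last_run, today)
    events, counts = [], {}
    for event_type in MTA_EVENT_TYPES:
        batch = fetch(batch_url(base_url, event_type, start))
        for ev in batch:
            ev = dict(ev)
            # Tag each event with the type it was fetched under, since the
            # response fields differ per type and may not carry it themselves.
            ev.setdefault("event_subcategory", event_type)
            events.append(ev)
        counts[event_type] = len(batch)
    return events, counts
```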
HISTORY PAGE
For every successful run of a scheduler, the Schedulers page displays a success message with the number of events fetched; if the scheduler fails to fetch the logs, an error message is displayed instead.
Plugin Details
Details of the newly added plugins are as follows:
Data source name: Mimecast Audit Log Events Collection
Highlighted fields:
auditType (event_type)
user (source_username)
eventTime (timestamp_occured)
eventInfo (event_description)
category (event_category)
Mimecast Audit Log Events Collection JSON response:
{
"id": "eNoVzsEKgjAAgOF32TUhnW6l0GFMjIpKtBZJl9K1JrXV3AKL3r26__D9b9Dx2hkuG5CA_YCs20U-PcG6KsoQD7SM8cxZ0d1ZdceH4YuoGbXBQ-wQUiuVptu5YTJmbbGTdAWJWEYvu0d2m-us7GkobhVhi_OY4_iShbDfPEJ8HkUSx8sJ8MDRNdJetfjjCGGEo2jke6B2ndU3bmrd8N8VRZAEPvr1T246qRVIgs8XdR06Cw",
"auditType": "Threat Intel Feed Download",
"user": "alienvaultuic@unioninsurance.ae",
"eventTime": "2024-05-17T06:15:05+0000",
"eventInfo": "Threat intel feed download - malware_grid_csv_20240517020553818.csv, Date: 2024-05-17, Time: 01:15:05+0000, IP: 94.56.72.212, Application: USM_Alienvault",
"category": "reporting_logs"
}
Data source name: Mimecast Threat Intel Feed Customer STIX Event
Highlighted fields:
type (event_type)
id (device_external_id)
spec_version (rep_device_version)
Mimecast Events Collection Customer STIX Collector Stix response:
{
"type": "bundle",
"id": "bundle--7d09518f-b5f9-4153-ad14-02eb1ae92bbf",
"spec_version": "2.0",
"objects": [
{
"type": "malware",
"id": "malware--ab33a467-2bf2-47f2-bcbd-bef86d12fc41",
"created": "2024-05-23T07:20:22.438Z",
"modified": "2024-05-23T07:20:22.438Z",
"name": "",
"labels": [
"virus"
]
}
]
}
Data source name: Mimecast Threat Intel Grid Stix Event
Highlighted fields:
type (event_type)
id (device_external_id)
spec_version (rep_device_version)
Mimecast Threat Intel Grid Stix Collector Stix response:
{
"type": "bundle",
"id": "bundle--bf8be578-3953-4b80-ae84-312d149b91e8",
"spec_version": "2.0",
"objects": [
{
"type": "malware",
"id": "malware--94b21aa9-a512-4a09-ae8a-83a24f77567f",
"created": "2015-07-02T09:14:59.163Z",
"modified": "2015-07-02T09:14:59.163Z",
"name": "fileName.ext",
"labels": [
"virus"
]
},
{
"type": "indicator",
"id": "indicator--69f4511a-75c8-440f-890d-ff91ba5f300a",
"created": "2015-07-02T09:14:59.163Z",
"modified": "2015-07-02T09:14:59.163Z",
"labels": [
"malicious-activity"
],
"pattern": "[file:hashes.'SHA-256' = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f']",
"valid_from": "2015-07-02T09:14:59.163Z"
},
{
"type": "relationship",
"id": "relationship--4bca1b52-de50-4d91-982b-50c7256c2680",
"created": "2015-07-02T09:14:59.163Z",
"modified": "2015-07-02T09:14:59.163Z",
"relationship_type": "indicates",
"source_ref": "indicator--69f4511a-75c8-440f-890d-ff91ba5f300a",
"target_ref": "malware--94b21aa9-a512-4a09-ae8a-83a24f77567f"
}
]
}
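The STIX bundle above carries a malware object, an indicator whose pattern holds the file hash, and an "indicates" relationship joining them. As an added example that is not the BlueApp's own code, the following resolves each indicator to its malware through that relationship and lifts the hash out of the pattern, alongside the three bundle fields the page highlights. The sample bundle is constructed from the page's Grid response; only the file-hash pattern form shown there is handled.

```python
# Added example, not the BlueApp's own code: joins STIX indicators to the
# malware they "indicate" and extracts the file hash from the pattern.
import re

# Only the "[file:hashes.'ALGO' = 'hex']" pattern shape shown on the page.
PATTERN_RE = re.compile(r"\[file:hashes\.'(?P<algo>[^']+)'\s*=\s*'(?P<value>[0-9a-fA-F]+)'\]")

# Constructed from the Grid STIX response on the page (timestamps omitted).
SAMPLE_GRID_BUNDLE = {
    "type": "bundle", "id": "bundle--bf8be578-3953-4b80-ae84-312d149b91e8",
    "spec_version": "2.0",
    "objects": [
        {"type": "malware", "id": "malware--94b21aa9-a512-4a09-ae8a-83a24f77567f",
         "name": "fileName.ext", "labels": ["virus"]},
        {"type": "indicator", "id": "indicator--69f4511a-75c8-440f-890d-ff91ba5f300a",
         "labels": ["malicious-activity"], "valid_from": "2015-07-02T09:14:59.163Z",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f']"},
        {"type": "relationship", "id": "relationship--4bca1b52-de50-4d91-982b-50c7256c2680",
         "relationship_type": "indicates",
         "source_ref": "indicator--69f4511a-75c8-440f-890d-ff91ba5f300a",
         "target_ref": "malware--94b21aa9-a512-4a09-ae8a-83a24f77567f"},
    ],
}


def bundle_fields(bundle):
    """The three bundle fields the page highlights, under their normalized names."""
    return {"event_type": bundle.get("type"),
            "device_external_id": bundle.get("id"),
            "rep_device_version": bundle.get("spec_version")}


def extract_indicators(bundle):
    """One record per file-hash indicator, joined to its malware via 'indicates'."""
    header = bundle_fields(bundle)
    by_id = {o["id"]: o for o in bundle.get("objects", []) if "id" in o}
    indicated = {}  # indicator id -> malware object
    for obj in by_id.values():
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "indicates":
            indicated[obj.get("source_ref")] = by_id.get(obj.get("target_ref"), {})
    records = []
    for obj in by_id.values():
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if not match:  # unknown pattern shape: skip rather than guess a value
            continue
        records.append({**header, "hash_algo": match["algo"], "hash": match["value"].lower(),
                        "malware_name": indicated.get(obj["id"], {}).get("name", ""),
                        "labels": obj.get("labels", []), "valid_from": obj.get("valid_from")})
    return records
```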
Data source name: Mimecast Threat Intel Feed Customer CSV
Highlighted fields:
key (customfield_0)
fileName (file_name)
recipientAddress (email_recipient)
senderAddress (email_sender)
senderDomain (source_dns_domain)
Mimecast Threat Intel Grid Customer CSV Collector CSV response:
key|FileMimeType|FileName|FileSize|MD5|Observations|RecipientAddress|Route|SHA1|SHA256|SenderAddress|SenderDomain|SendingIP|Timestamp
0|text/plain|fileName.ext|68|44d88612fea8a8f36de82e1278abb02f|1|recipient@domain1.tld|In|3395856ce81f2b7382dee72602f798b642f14140|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f|sender@domain2.tld|domain2.tld|1.2.3.4|2015-02-04T17:20:35.485
Data source name: Mimecast Threat Intel Feed Grid CSV
Highlighted fields:
key (customfield_0)
fileName (file_name)
sendingIP (source_address)
Mimecast Threat Intel Grid CSV Collector CSV response:
key|FileMimeType|FileName|FileSize|MD5|Observations|Route|SHA1|SHA256|SendingIP|Timestamp
0|text/plain|fileName.ext|68|44d88612fea8a8f36de82e1278abb02f|1|In|3395856ce81f2b7382dee72602f798b642f14140|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f|1.2.3.4|2015-02-04T17:20:35.485
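Both the Customer CSV and the Grid CSV responses above are pipe-delimited with a header row, and differ only in whether the sender and recipient columns are present. As an added example that is not the BlueApp's own code, the parser below maps both variants to the normalized field names the page lists for them; the hash and timestamp mappings are borrowed from the page's MTA and audit field lists, and the hash-length check is an added sanity step, so those are assumptions. The sample rows are constructed from the page's two responses.

```python
# Added example, not the BlueApp's own code: parses the pipe-delimited Threat
# Intel Feed CSV (Grid and Customer variants) into normalized field names.
import csv
import io
import re

# Feed column (lower-cased) -> normalized field. Matching is case-insensitive
# because the header says "FileName" while the page's field list says "fileName".
# Hash and timestamp mappings are assumed, taken from the MTA/audit field lists.
FIELD_MAP = {
    "key": "customfield_0", "filename": "file_name",
    "recipientaddress": "email_recipient", "senderaddress": "email_sender",
    "senderdomain": "source_dns_domain", "sendingip": "source_address",
    "md5": "file_hash_md5", "sha1": "file_hash_sha1", "sha256": "file_hash_sha256",
    "timestamp": "timestamp_occured",
}
HASH_LENGTHS = {"file_hash_md5": 32, "file_hash_sha1": 40, "file_hash_sha256": 64}

# Constructed from the two CSV responses shown on the page.
SAMPLE_CUSTOMER_CSV = (
    "key|FileMimeType|FileName|FileSize|MD5|Observations|RecipientAddress|Route|"
    "SHA1|SHA256|SenderAddress|SenderDomain|SendingIP|Timestamp\n"
    "0|text/plain|fileName.ext|68|44d88612fea8a8f36de82e1278abb02f|1|recipient@domain1.tld|In|"
    "3395856ce81f2b7382dee72602f798b642f14140|"
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f|"
    "sender@domain2.tld|domain2.tld|1.2.3.4|2015-02-04T17:20:35.485\n"
)
SAMPLE_GRID_CSV = (
    "key|FileMimeType|FileName|FileSize|MD5|Observations|Route|SHA1|SHA256|SendingIP|Timestamp\n"
    "0|text/plain|fileName.ext|68|44d88612fea8a8f36de82e1278abb02f|1|In|"
    "3395856ce81f2b7382dee72602f798b642f14140|"
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f|1.2.3.4|2015-02-04T17:20:35.485\n"
)


def parse_threat_feed_csv(text):
    """One dict of normalized fields per data row; unmapped columns are dropped."""
    events = []
    for raw in csv.DictReader(io.StringIO(text), delimiter="|"):
        event = {}
        for column, value in raw.items():
            key = FIELD_MAP.get((column or "").strip().lower())
            if key and isinstance(value, str):
                event[key] = value.strip()
        # A hash of the wrong length or with non-hex characters is dropped, not indexed.
        for key, length in HASH_LENGTHS.items():
            if key in event and not re.fullmatch(r"[0-9a-fA-F]{%d}" % length, event[key]):
                del event[key]
        events.append(event)
    return events
```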
Data source name: Mimecast MTA
Highlighted fields:
processingId (device_external_id)
subtype (event_subcategory)
recipients (email_recipient)
subject (email_subject)
accountId (external_id)
sha256 (file_hash_sha256)
filename (file_name)
sha1 (file_hash_sha1)
md5 (file_hash_md5)
senderDomain (source_dns_domain)