Mimecast Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Mimecast input enables the collection of email security logs using Mimecast APIs, providing seamless integration with Graylog for enhanced email threat analysis and monitoring. This input pulls logs from version 2.0 of the Mimecast API.

Warning: The following article refers to the Mimecast input (v2.0 API). The Mimecast input (v1.0 API) has been deprecated as of the Graylog 6.2.3 release.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • A Mimecast account is required to use this input.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

    • This input requires credentials from a Mimecast API application. Please refer to the official Mimecast documentation for setting up an API application.

    • The API user must be defined as a Mimecast Administrator with the following permissions for the supported log types:

    Log Type                          API Permissions
    Archive Message View Logs         Archive, View Logs, Read
    Archive Search Logs               Archive, Search Logs, Read
    Audit Events                      Account, Logs, Read
    DLP Logs                          Monitoring, Data Leak Prevention, Read
    Message Release Logs              Monitoring, Held, Read
    Rejection Logs                    Monitoring, Rejections, Read
    Search Logs                       Archive, Search Logs, Read
    TTP Attachment Protection Logs    Monitoring, Attachment Protection, Read
    TTP Impersonation Protect Logs    Monitoring, Impersonation Protection, Read
    TTP URL Logs                      Monitoring, URL Protection, Read

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • Client ID

  • Client Secret

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

  • Input Name: Provide a unique name for your new input.

  • Client ID: The Client ID for the Mimecast API application.

  • Client Secret: The Client Secret for the Mimecast API application.

  • Polling Interval: Determines how often (in minutes) the input will check for new log data. Defaults to 5 minutes. We recommend leaving this at the default. Value should not be less than 1 (minute).

  • Enable Throttling: Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

  • Store Full Message: Permits Graylog to store the raw log data in the full_message field for each log message. Selection can result in a significant increase in the amount of data stored.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: