Mimecast Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Mimecast input enables the collection of email security logs using Mimecast APIs, providing seamless integration with Graylog for enhanced email threat analysis and monitoring. This input pulls logs from version 1.0 of the Mimecast API.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • An existing Mimecast account is required to use this input.

  • This input requires credentials from a Mimecast API application. Please refer to the official Mimecast documentation for setting up an API application.

  • The API user must be defined with the following permissions for the supported log types:

    Log Type                        | Permissions
    --------------------------------+-------------------------------------------
    Archive Message View Logs       | Archive, View Logs, Read
    Archive Search Logs             | Archive, Search Logs, Read
    Audit Events                    | Account, Logs, Read
    DLP Logs                        | Monitoring, Data Leak Prevention, Read
    Message Release Logs            | Monitoring, Held, Read
    Rejection Logs                  | Monitoring, Rejections, Read
    Search Logs                     | Archive, Search Logs, Read
    TTP Attachment Protection Logs  | Monitoring, Attachment Protection, Read
    TTP Impersonation Protect Logs  | Monitoring, Impersonation Protection, Read
    TTP URL Logs                    | Monitoring, URL Protection, Read

Graylog Input Configuration

When launching this input from the Graylog Inputs tab, configure the following field values:

  • Input Name: A user-defined name for the input.

  • Mimecast Base Url: The base API URL for your Mimecast instance.

  • Application ID: The ID of the Mimecast API application.

  • Application Key: The application key used for authentication.

  • Access Key: The access key for the authorized API user account.

  • Secret Key: The secret key for the authorized API user account.

  • Log Types to Collect: The log types to collect. By default, all the log types are selected. At least one log type must be selected.

  • Polling Interval: Determines how often (in minutes) Graylog checks for new data in Mimecast APIs. The shortest allowable interval is 5 minutes.

  • Enable Throttling: If enabled, no new messages are read from this input until Graylog catches up with its message load.
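
How the four credential fields above fit together in a Mimecast API 1.0 request, shown as an added example (not Graylog's code): it follows the header-signing scheme Mimecast documents for API 1.0, which is useful for checking a key set before it is entered into the input. The credentials are constructed placeholders, and the audit-events path is an assumption chosen for illustration; the page does not list the endpoints the input calls.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone


def sign_request(uri, app_id, app_key, access_key, secret_key,
                 req_id=None, date=None):
    """Return the headers for one signed Mimecast API 1.0 request.

    uri is the path only (no scheme or host); it is appended to the
    Mimecast Base Url when the request is sent.
    """
    req_id = req_id or str(uuid.uuid4())
    date = date or datetime.now(timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S UTC")
    # The Secret Key is base64 text; the HMAC key is its decoded bytes.
    # validate=True rejects a pasted value that contains stray characters.
    key = base64.b64decode(secret_key, validate=True)
    # Signed string: date, request id, URI path and Application Key.
    data = ":".join([date, req_id, uri, app_key]).encode("utf-8")
    sig = base64.b64encode(hmac.new(key, data, hashlib.sha1).digest()).decode()
    return {
        "Authorization": f"MC {access_key}:{sig}",  # Access Key + signature
        "x-mc-app-id": app_id,                      # Application ID
        "x-mc-date": date,
        "x-mc-req-id": req_id,
        "Content-Type": "application/json",
    }


# Constructed placeholder credentials, not real keys.
SAMPLE = dict(
    app_id="00000000-0000-0000-0000-000000000000",
    app_key="11111111-1111-1111-1111-111111111111",
    access_key="EXAMPLE_ACCESS_KEY",
    secret_key=base64.b64encode(b"constructed-secret-key-bytes").decode(),
)

if __name__ == "__main__":
    # Assumed endpoint path, used only to have something to sign.
    headers = sign_request("/api/audit/get-audit-events", **SAMPLE)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The Secret Key never leaves the client; only the signature derived from it is sent, so a rejected request with a correct Access Key usually points to a mistyped Secret Key or Application Key, or a badly skewed system clock.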