Mimecast Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Mimecast is a cloud-based cyber security provider specializing in email security and offering protection against phishing, malware, spam, and data leaks. It also delivers services for archiving, continuity, and threat intelligence to help organizations secure their communications and ensure compliance.

Supported Versions

  • Mimecast API 2.0

Requirements

  • Graylog 6.2.3+ with a valid Enterprise license

Stream Configuration

This technology pack includes 1 stream:

  • Illuminate:Mimecast Messages

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • Mimecast Logs

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Mimecast utilizes the Mimecast input that ingests multiple Mimecast content types in JSON format. See the Graylog documentation for information on how to launch a new Mimecast input.

Configuration Example

Log Format Example

{"id":"eNoVzt0KgjAAQOF32e0EdWrNoIvZn6UGYZKKNzqHWaai2y4Wv","auditType":"User Logged On","user":"user@domain.com","eventTime":"2025-06-12T14:53:56+0000","eventInfo":"Successful authentication for user@domain.com <Domain User>, Date: 2025-06-12, Time: 16:53:56 SAST, IP: 192.168.100.100, Application: SMTP-MTA2, Method: Cloud","category":"authentication_logs"}

What is Provided

  • Rules to parse, normalize, and enrich Mimecast content pack messages.

  • A dashboard displaying events and statistics of interest.

  • Saved search highlighting key information using a user_email parameter.

Events Processed by This Technology Pack

The content pack supports the following log types. Generic processing will be provided for log types not listed.

  • User Logged On

  • Unauthorized API Request

  • Case Action

  • Review Set Action

  • Discovery Case Adjustments

  • Logon Authentication Failed

  • Logon Requires Challenge

  • Completed Directory Sync

  • New Policy

  • Existing Policy Changed

  • Mimecast Support Login

  • Content Definition Adjustments

  • Existing Route Changed

  • New Delivery Route

  • Profile Group (Address) Log Entry

  • Account Updated

  • API Application Created

  • User Password Changed

  • User Settings Updated

  • User Locked

GIM Categorization

GIM categorization is provided for the following messages:

Log Type GIM Category GIM Subcategory GIM Event Type Code
User Logged On authentication authentication.logon 100000
Logon Requires Challenge authentication authentication.credential validation 100502
Mimecast Support Login authentication authentication.logon 100000
Unauthorized API Request authentication authentication.access policy 101500
Logon Authentication Failed authentication authentication.logon 100000
User Password Changed iam iam.object modify 111004
User Settings Updated iam iam.object modify 111000
User Locked iam iam.object disable 111500
Profile Group (Address) Log Entry iam iam.object modify 111007
Existing Policy Changed audit audit.default 229999
Existing Route Changed audit audit.default 229999
New Delivery Route audit audit.default 229999
Completed Directory Sync audit audit.default 229999
New Policy audit audit.default 229999
Content Definition Adjustments audit audit.default 229999
Message View messaging messaging.default 139999
Message Search messaging messaging.default 139999

Message Fields Included in This Pack

Fields of Note

Field Name Example Value Field Type Description
application_name SMTP-MTA2 keyword Application extracted from 'Application' reference from .eventInfo in JSON body
destination_ip 8.8.8.8 ip Destination IP associated with the event pulled from 'Remote IP' from .eventInfo in JSON body
destination_port 25 long Destination port extracted from .eventInfo in JSON body
email_from person@domain keyword Extracted from .from in JSON body
email_subject Test Message keyword Extracted from .subject in JSON body
email_to another_person@domain.com keyword Extracted from .to in JSON body
event_action logon keyword Normalized action derived from vendor_event_action via lookup
event_created 2025-06-13T14:30:03+0000 date Timestamp extracted from .eventTime or .viewed in JSON body
event_outcome success keyword Normalized outcome (success/failure) derived from vendor_event_action via lookup
event_source JvuS6F0rQmdeSSqcrF8xSAA1BFbYC1Lqkk1A5 keyword The client_id set in the Mimecast v2 input
event_source_product mimecast_v2 keyword Created via input. This will always be the same.
event_uid JvuVUt30eqQpG3S6F0rQmdeSSqc keyword Extracted from .id in the JSON body.
source_ip 192.168.1.100 ip Source IP that generated the activity. Extracted from 'IP' from .eventInfo in JSON body
source_reference 192.168.1.100 keyword Set from source_ip for GIM enforcement; falls back to SOURCE_REFERENCE_NOT_DEFINED
source_user_name admin@domain.com keyword The user who performed the action (actor). Set for IAM events.
user_domain example.com keyword Extracted domain from user related e-mail's in JSON body
user_email person@domain.com keyword Extracted user e-mail from JSON body
user_email_display_name Random Person keyword The display name extracted from .eventInfo in JSON body
user_name person keyword Multi-value field containing all user_name references in full JSON body
user_type user keyword Account type. Set for IAM events.
vendor_event_action Successful Authentication keyword Vendor's event action reference extracted from .eventInfo in JSON body
vendor_event_category authentication_logs keyword Extracted from .category in JSON body
vendor_event_message Successful authentication for person@domain.com ... keyword Full .eventInfo from JSON body
vendor_event_method Cloud keyword Extracted from 'Method' reference from .eventInfo in JSON body
vendor_event_type User Logged On keyword Event type extracted from .auditType in JSON body
vendor_subtype audit_events keyword Created via input and associated configuration

Mimecast Spotlight Content Pack

This spotlight offers a dashboard with 2 tabs:

Overview

Saved Search