Identify Incidents & Inform Response
Email continues to be the most widely used attack vector. Data sourced from email activity and attacks is high value for the security operations team, enhancing the benefits of your Splunk Enterprise investment.
Correlate security events detected by Mimecast Targeted Threat Protection and the Secure Email Gateway with other security systems connected to Splunk Enterprise – helping security analysts detect incidents and attacks quickly and accurately.
How it Works
Mimecast logs event activity in real time, including email receipt, processing and delivery, and employees clicking links within an email.
The events are then made available to third-party systems via a REST API, in industry-standard JSON or pipe-delimited key-value pair formats.
Log collection is achieved using modular inputs. For the greatest flexibility, each log type is separated into its own input, allowing you to choose what data you want to ingest.
The app is available for download from Splunkbase.
With modular inputs configured, data is immediately ingested and indexed by Splunk Enterprise. Once indexed, it is searchable and displayed in the app's built-in dashboards.
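The following is an added example (not code from the Mimecast for Splunk app) of what a modular input has to do with each event it pulls: parse a line in either of the two formats named above (JSON, or pipe-delimited key=value pairs) and stamp it with the 'splunkAccountCode' tenant tag described in the 3.1.1 release notes before handing it to Splunk. The sample lines and their field names are constructed for illustration, and the tenant code "TENANT-A" is a placeholder. The key=value parser splits on the first '=' only, so a Subject value that itself contains '=' survives intact.

```python
import json

# Constructed sample events (not real Mimecast data): the first two use the
# pipe-delimited key=value format, the third is the JSON form of the same kind
# of record. Field names are assumptions for illustration only.
SAMPLE_LINES = [
    "datetime=2024-01-15T10:02:11+0000|acc=C0A0|Sender=alice@example.com"
    "|Rcpt=bob@example.org|Subject=Invoice 42|Act=Acc",
    "datetime=2024-01-15T10:02:12+0000|acc=C0A0|Sender=mallory@example.net"
    "|Rcpt=bob@example.org|Subject=a=b|Act=Rej",
    '{"datetime": "2024-01-15T10:02:13+0000", "acc": "C0A0", '
    '"Sender": "carol@example.com", "Rcpt": "bob@example.org", "Act": "Acc"}',
]


def parse_kv_line(line):
    """Split one pipe-delimited line into a dict of key -> value.

    Only the first '=' in a field separates key from value, so values that
    contain '=' are kept whole. Fields with no '=' or an empty key are skipped
    rather than guessed at.
    """
    record = {}
    for field in line.strip().split("|"):
        key, sep, value = field.partition("=")
        if not sep or not key.strip():
            continue
        record[key.strip()] = value.strip()
    return record


def parse_event(line):
    """Parse a single event in either JSON or pipe-delimited key=value form."""
    stripped = line.strip()
    if stripped.startswith("{"):
        parsed = json.loads(stripped)
        if not isinstance(parsed, dict):
            raise ValueError("JSON event must be an object")
        return parsed
    return parse_kv_line(stripped)


def tag_with_tenant(record, account_code):
    """Return a copy of the record carrying the per-tenant tag the app adds."""
    tagged = dict(record)
    tagged["splunkAccountCode"] = account_code
    return tagged


def parse_events(lines, account_code):
    """Parse and tag every line; returns a list of dicts ready for indexing."""
    return [tag_with_tenant(parse_event(line), account_code) for line in lines]


def to_json_lines(lines, account_code):
    """Serialise each tagged event as one JSON object per line for Splunk."""
    return [json.dumps(ev, sort_keys=True) for ev in parse_events(lines, account_code)]


if __name__ == "__main__":
    # "TENANT-A" is a placeholder tenant code, not a real account identifier.
    for event in to_json_lines(SAMPLE_LINES, "TENANT-A"):
        print(event)
```

Because the tag is applied before indexing, a search such as splunkAccountCode="TENANT-A" separates one tenant's events from another's even when both tenants' inputs write to the same index, which is the filtering the release notes describe.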
Analyze logs from your Mimecast tenant in isolation using Splunk Enterprise's powerful search capability
Correlate logs from your Mimecast tenant with data from other security systems to provide more context and actionable information
Stay informed with out-of-the-box dashboards or by creating custom reports and alerts tailored to your organization's needs
Track user activity and system changes in Mimecast and correlate this with data from other systems
Leverage data to demonstrate regulatory compliance
Current version: 3.1.1
- Support for new SIEM log format
- Support for TTP Impersonation Protect logs
- Support for TTP Attachment Protect logs
- Support for adding multiple Mimecast tenants, by making the Application key and Application ID per-input settings
- Support for better filtering of data by Mimecast tenant. A new field called 'splunkAccountCode' is added to all logs before they are ingested into Splunk
Previous version: 3.0.1
- Support for multiple input sources (siem, email, directory, journal, audit and TTP URL)
- Changing source and expanding TTP URL data
- Setting up and adjusting the existing dashboards to align to the new architecture
- Optimizing and enhancing performance of query generation and log download
- Upgrading the app to comply with Common Information Model (CIM) v4.10
- Mapping the data model to CIM properties
Previous version: 2.0.1
- Added support and dashboards for new Targeted Threat Protection URL Protect and Attachment Protect data types
- Refreshed version 1 dashboards to be more efficient and moved these to the Sample Dashboards menu
- Added support for proxy settings in the modular input script
- Added support for Advanced Account Administration customers to access log data from all their accounts using a single installation of the app
- Changed logging strategy of the modular input script from logging to file to logging to the splunkd log
- Added a new Troubleshooting dashboard to get easy access and display logs
- Simplified app configuration and programmatic extraction of the access key and secret key values required to authorize API requests
- Added support for rate limiting applied by the Mimecast API
- Removed requirement on version 1 of the Mimecast API
- Improved error handling
Previous version: 1.0.4
- Adds support for secure storage for Mimecast Access and Secret Keys
- Addresses an issue where checkpoint files were not being closed properly
Mimecast | Splunk Enterprise Integration
Dashboards and Use Cases
The Mimecast for Splunk app includes modular inputs to collect Mimecast log and event data as well as a number of pre-built dashboards to help you get up and running quickly and easily.