
Configuring Mimecast for Log Collection via API


Last updated 6 months ago

You must complete the following to successfully configure and verify your Mimecast log collector:

  1. Set up the Mimecast application

  2. Configure collection

  3. Verify successful configuration

1. Set up the Mimecast application

You must identify your regional base URL, enable enhanced logging, add a custom API application, create a new user profile and application setting, and generate API access and secret keys in the Mimecast administrator portal.

Identify your base domain URL

Copy and paste the base URL for your host region in a safe place for later.

Enable enhanced logging for your account

You must enable the log API endpoint in the Mimecast console.

  1. Log into the Administration Console.

  2. Go to Administration > Account > Account Settings menu.

  3. Click the Enhanced Logging section.

  4. Enable the log type(s) you would like to get by using the BluSapphire Mimecast collector.

For more information on enabling the log endpoint, see the Mimecast documentation on the SIEM log API endpoint. For a description of Mimecast SIEM logs, see Understanding SIEM Logs.

Add a custom API application for integration with BluSapphire

You must add an API application in the Mimecast console. This procedure creates an Application ID and Application Key that you target later when you configure the Mimecast collector in BluSapphire.

  1. Log into the Administration Console.

  2. Navigate to the Administration | Services | API and Platform Integrations menu.

  3. Click the Your Application Integrations tab.

  4. Click Add API Application.

  5. In the details section, provide the following information:

    • Application Name: the name of your BluSapphire integration. Example: "BluSapphire Log Collector"

    • Category: SIEM Integration

    • Select the Enable Extended Session option so that the access keys generated for the application do not expire based on the Authentication Profile's Authentication TTL value. This option prevents interruptions to the BluSapphire Mimecast collector.

    • Description: an additional description of the integration. For example, "Our cybersecurity Managed Detection and Response (MDR) provider"

  6. Click Next.

  7. In the settings section, provide the following information:

    • Developer: BluSapphire

    • Email: info@blusapphire.com

  8. Click Next.

  9. Verify the information in the Summary page.

  10. Click Add.

  11. Copy and paste the Application ID and Application Key in a safe place for later.

Create a user profile for the BluSapphire integration

You must create a user profile with the correct permissions to generate API keys for Mimecast collector authentication.

To create a new user:

  1. Log into the Administration Console.

  2. Navigate to the Administration | Directories | Internal Directories menu.

  3. Click the internal domain you want for your new user, which is used to get API keys later.

  4. Click New Address and complete the form to create a new user.

  5. Copy and paste the user name and password in a safe place for later.

To add the user to the administrative role:

  1. Navigate to the Administration | Account | Roles menu.

  2. Right-click the Basic Administrator role and click Add users to role.

  3. Select the new user that you created.

  4. Click Add Selected Users.

To create a new group to add your users:

  1. Navigate to the Administration | Directories | Profile Groups menu.

  2. Click the + icon on a parent directory to create a new child group directory named "New Folder." If you aren't sure which parent directory to add the group under, use Root. To edit the name, click the group and change the name in the text box. Example: "BluSapphire Logs Admin"

  3. Click the Build tab, and then click Add Email Addresses.

  4. Enter the email address of the new user that you created. Click Save and Exit.

To create a new authentication profile:

  1. Navigate to the Administration | Services | Applications menu.

  2. Click the Authentication Profiles tab.

  3. Click New Authentication Profile.

  4. In the Description field, enter a name for your new profile. Example: "API Authentication Profile for the BluSapphire Log collector."

  5. On the Authentication TTL dropdown menu, click Never Expires.

  6. Leave the other settings as default.

  7. Click Save and Exit.

To create a new application setting:

You must create a new application setting to bind the user group, authentication profile, and custom API application to each other.

  1. Navigate to the Administration | Services | Applications menu.

  2. Click the New Application Settings tab.

  3. Click New Authentication Profile.

  4. In the Description field, enter a name for your new setting. Example: "API Application Setting for the BluSapphire Log collector."

  5. In the Group field, paste the group you created.

  6. In the Authentication Profile field, select the authentication profile you created.

  7. Click Save and Exit.

Troubleshooting: If you receive an error during this step, you must reach out to Mimecast customer service to perform a workaround that only Super Administrator users and Mimecast employees can perform.

Get your authentication token

Now that you have a dedicated user who will receive an Authentication Token that will never expire, the final preparation task is to get the Authentication Token for the user.

Get an Authentication token using Windows

NOTE: This process has been tested in PowerShell versions 4 and 5.

  1. Copy and paste the following script into a PowerShell window:

$appId = Read-Host -Prompt 'Input your registered application id'
$creds = Get-Credential

# Step 1: discover the regional base URL for the account that owns this user
$discoverPostBody = @{"data" = ,@{"emailAddress" = $creds.UserName}}
$discoverPostBodyJson = ConvertTo-Json $discoverPostBody
$discoverRequestId = [GUID]::NewGuid().guid
$discoverRequestHeaders = @{"x-mc-app-id" = $appId; "x-mc-req-id" = $discoverRequestId; "Content-Type" = "application/json"}
$discoveryData = Invoke-RestMethod -Method Post -Headers $discoverRequestHeaders -Body $discoverPostBodyJson -Uri "https://api.mimecast.com/api/login/discover-authentication"
$baseUrl = $discoveryData.data.region.api

# Step 2: log in with a Basic-Cloud header (base64 of "username:password") to obtain the access and secret keys
$keys = @{}
$uri = $baseUrl + "/api/login/login"
$requestId = [GUID]::NewGuid().guid
$netCred = $creds.GetNetworkCredential()
$PlainPassword = $netCred.Password
$credsBytes = [System.Text.Encoding]::ASCII.GetBytes($creds.UserName + ":" + $PlainPassword)
$creds64 = [System.Convert]::ToBase64String($credsBytes)
$headers = @{"Authorization" = "Basic-Cloud " + $creds64; "x-mc-app-id" = $appId; "x-mc-req-id" = $requestId; "Content-Type" = "application/json"}
$postBody = @{"data" = ,@{"username" = $creds.UserName}}
$postBodyJson = ConvertTo-Json $postBody
$data = Invoke-RestMethod -Method Post -Headers $headers -Body $postBodyJson -Uri $uri

# Print the result; the access and secret keys are the values the collector needs
"Meta: " + $data.meta
"Access key: " + $data.data.accessKey
"Secret key: " + $data.data.secretKey
"Fail: " + $data.fail.errors

  2. When prompted, enter the Application ID value received when you registered your application.

  3. In the Windows credentials box that opens after you paste the script into the PowerShell window, enter the email address and password of the user created in Step 1: Create a new user.

  4. Copy and paste the accessKey and secretKey values printed at the bottom of the PowerShell window to use in your application.

    IMPORTANT: be sure to copy and paste these values into a text editor and remove any line breaks caused by your PowerShell window size before using the values.

Getting an Authentication token using Mac OS X or *nix systems

  1. Open a terminal application and type the following command to generate a base64-encoded string of your administrator's email address and password:

echo -n 'email_address:password' | openssl base64

Where email_address is the email address of the user created in Step 1 and password is the password created for that user in Step 1. Be sure to include the ":" between email_address and password; authentication fails without it.

  2. Type the following command to use cURL to log in to the Mimecast API and get your Authentication Token:

curl -i -H 'Authorization: Basic-Cloud base64_encoded_username_password' -H 'x-mc-app-id: app_id' -H 'Content-Type:application/json' https://xx-api.mimecast.com/api/login/login --data-binary '{"data":[{"username": "email_address"}]}'

Where:

    • base64_encoded_username_password is the value generated in step 1.

    • app_id is your Application ID value received when you registered your application.

    • xx-api is the base URL for the region where your Mimecast account is hosted, as documented in the System Requirements section.

    • email_address is the email address of the user created in Step 1: Create a new user.

  3. An example response to this command is:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-control: no-store
Pragma: no-cache
Content-Length: 375
Content-MD5: 124911b164dbd3b9e823610a2eb4996a
Date: Mon, 25 Jul 2016 16:19:37 +0100
Connection: Keep-Alive

{"meta":{"status":200},"data":[{"accessKey":"LOWgx__TRUNCATED__Ect2nN","secretKey":"jD9DVicE2__TRUNCATED__EJdC4e/Q\u003d\u003d","duration":3153600000000,"bindingType":"one_step","extendOnValidate":false}],"fail":[]}

  4. Copy and paste the accessKey and secretKey values from the response to use in your application.

  5. IMPORTANT: make sure to replace the \u003d\u003d at the end of the secret key with == (\u003d is the escaped form of the = symbol and is what gets printed to the terminal; the actual secret key must contain the literal = characters when used).
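The two-step login exchange that both procedures above perform (discover the regional base URL, then call /api/login/login with a Basic-Cloud header) is shown below as an added example. It is not part of the original page and is not BluSapphire's or Mimecast's own code. It assumes only the request and response shapes shown on this page; the application id, email, password, region URL and key values are constructed placeholders, and the fake_transport helper stands in for the real HTTPS call so the example runs offline. Because it parses the response as JSON rather than copying it off the terminal, the \u003d escapes in the secret key come back as = automatically, which is the manual fix the last step describes.

```python
"""Mimecast two-step API login, written as an added example (not BluSapphire or
Mimecast code): discover the regional base URL, then call /api/login/login with
a Basic-Cloud header, the same requests the page's PowerShell and curl snippets
send. Responses are parsed as JSON, so the \\u003d escapes in the secret key
come back as '=' without manual editing."""
import base64
import json
import uuid
from urllib import request

# Region-independent discovery endpoint, as used by the page's PowerShell script.
DISCOVER_URL = "https://api.mimecast.com/api/login/discover-authentication"


def mc_headers(app_id, authorization=None):
    """Headers every Mimecast call carries: app id, a fresh request id, JSON."""
    headers = {
        "x-mc-app-id": app_id,
        "x-mc-req-id": str(uuid.uuid4()),
        "Content-Type": "application/json",
    }
    if authorization:
        headers["Authorization"] = authorization
    return headers


def basic_cloud_token(email, password):
    """Same value as `echo -n 'email:password' | openssl base64`, with the header prefix."""
    raw = f"{email}:{password}".encode("utf-8")
    return "Basic-Cloud " + base64.b64encode(raw).decode("ascii")


def build_discover_request(app_id, email):
    """Step 1 of the exchange: body {"data":[{"emailAddress": ...}]} to DISCOVER_URL."""
    body = json.dumps({"data": [{"emailAddress": email}]})
    return DISCOVER_URL, mc_headers(app_id), body


def build_login_request(base_url, app_id, email, password):
    """Step 2: body {"data":[{"username": ...}]} to <base_url>/api/login/login."""
    body = json.dumps({"data": [{"username": email}]})
    headers = mc_headers(app_id, basic_cloud_token(email, password))
    return base_url + "/api/login/login", headers, body


def check_mimecast_response(raw):
    """Parse the Mimecast envelope {"meta","data","fail"} and return data[0].
    Raises on a non-200 meta status or a populated 'fail' list."""
    doc = json.loads(raw)  # json.loads decodes \u003d to '=' here
    status = doc.get("meta", {}).get("status")
    if status != 200 or doc.get("fail"):
        raise RuntimeError(f"Mimecast API error: status={status} fail={doc.get('fail')}")
    return doc["data"][0]


def http_post(url, headers, body):
    """Real transport: an HTTPS POST, used only when you run this against Mimecast."""
    req = request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def login(app_id, email, password, transport=http_post):
    """Run both steps and return the base URL plus the access/secret key pair."""
    url, headers, body = build_discover_request(app_id, email)
    region = check_mimecast_response(transport(url, headers, body))
    base_url = region["region"]["api"]  # the PowerShell script reads $discoveryData.data.region.api

    url, headers, body = build_login_request(base_url, app_id, email, password)
    keys = check_mimecast_response(transport(url, headers, body))
    return {"baseUrl": base_url, "accessKey": keys["accessKey"], "secretKey": keys["secretKey"]}


# Constructed sample responses: the login one follows the shape printed on the
# page; all key values are fake placeholders and the region URL is illustrative.
SAMPLE_DISCOVER = (r'{"meta":{"status":200},"data":[{"emailAddress":"collector@example.com",'
                   r'"region":{"api":"https://xx-api.mimecast.com"}}],"fail":[]}')
SAMPLE_LOGIN = (r'{"meta":{"status":200},"data":[{"accessKey":"FAKE_ACCESS_KEY",'
                r'"secretKey":"FAKE_SECRET\u003d\u003d","duration":3153600000000,'
                r'"bindingType":"one_step","extendOnValidate":false}],"fail":[]}')


def fake_transport(url, headers, body):
    """Offline stand-in for http_post that answers from the constructed samples."""
    if url == DISCOVER_URL:
        return SAMPLE_DISCOVER
    if url.endswith("/api/login/login") and headers["Authorization"].startswith("Basic-Cloud "):
        return SAMPLE_LOGIN
    raise ValueError("unexpected request to " + url)


def demo():
    """Run the exchange offline with placeholder credentials."""
    return login("APP_ID_PLACEHOLDER", "collector@example.com", "P@ssw0rd-placeholder",
                 transport=fake_transport)


if __name__ == "__main__":
    result = demo()
    print("Base URL:  ", result["baseUrl"])
    print("Access key:", result["accessKey"])
    print("Secret key:", result["secretKey"])  # ends in '==', not '\u003d\u003d'
```

To run it against a real account, call login() with the Application ID, the user created in Step 1 and that user's password, leaving transport at its default http_post; the fail list and meta status are checked on each step so a rejected credential surfaces as an exception rather than as an empty key pair.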
