Integrate Mimecast Secure Email Gateway - EventTracker v9.2 and later Publication Date: February 18, 2021 - Managed Threat ...

Page created by Brandon Figueroa
 
Integrate Mimecast Secure
 Email Gateway
 EventTracker v9.2 and later

Publication Date: February 18, 2021

Abstract
This guide provides instructions to retrieve the Mimecast events via REST API and configure log reports,
dashboards, alerts and saved searches in EventTracker.

Scope
The configuration details in this guide are consistent with EventTracker version 9.2 or above and Mimecast.

Audience
Administrators who are assigned the task to monitor Mimecast events using EventTracker.

The information contained in this document represents the current view of Netsurion on the issues
discussed as of the date of publication. Because Netsurion must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion
cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, this paper may be freely distributed without permission from
Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is
provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Netsurion, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or should
be inferred.

© 2021 Netsurion. All rights reserved. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.


Table of Contents
1. Overview
2. Prerequisites
3. Configure logging in Mimecast Secure Email Gateway
     3.1 Enable logging for your account
     3.2 Get authentication token
        3.2.1 Creating an API Key in Mimecast
        3.2.2 Creating User Association Keys
        3.2.3 Creating Python Script
     3.3 Scheduling a Windows task
4. EventTracker Knowledge Pack
     4.1 Alerts
     4.2 Flex Reports
5. Importing Mimecast Secure Email Gateway Knowledge Pack into EventTracker
     5.1 Import Alerts
     5.2 Import Knowledge Object
     5.3 Import Parsing Rule
     5.4 Import Flex Reports
6. Verifying Mimecast Secure Email Gateway Knowledge Pack
     6.1 Verify Alerts
     6.2 Verify Knowledge Object
     6.3 Verify Parsing Rule
     6.4 Verify Flex Reports
7. Creating Dashboards in EventTracker
     7.1 Schedule Reports
     7.2 Create Dashlets


1. Overview
   Mimecast Secure Email Gateway is a cloud-based email management software. It helps stop email-borne
   threats from attacking the network and keeps sophisticated attackers out. It protects organizations and
   employees from spear-phishing, and provides anti-malware, anti-spam and zero-hour protection with
   multiple detection engines and intelligence feeds.
   Mimecast Secure Email Gateway sends events to EventTracker through its API. Mimecast sends security
   events such as inbound and outbound email events and malicious activity events. EventTracker generates
   detailed reports such as virus signature detected, rejected emails, and email traffic. It shows graphical
   representations of malicious file names, sender and recipient email IDs, rejected emails from unknown
   senders, etc. It generates alerts on detecting malicious files and URLs, virus signatures, username
   impersonation, and quarantined email.

2. Prerequisites
   •   EventTracker should be installed.

   •   The latest version of Mimecast Secure Email Gateway should be installed.

   •   Python 3.0 or above should be installed.

3. Configure logging in Mimecast Secure Email Gateway
3.1 Enable logging for your account
   1. Log into the Mimecast Administration Console and navigate to Administration -> Account ->
      Account Settings. The Account Settings page opens.
   2. Select the Enhanced Logging section.
   3. Select the types of logs you want to enable.
          a. Inbound - Logs for messages from external senders to internal recipients.
          b. Outbound - Logs for messages from internal senders to external recipients.
          c. Internal - Logs for messages between internal domains.
   4. Select Save to apply the changes.
 The Mimecast MTA starts logging data, and logs are available for download in up to 30 minutes.


3.2 Get authentication token
3.2.1 Creating an API Key in Mimecast
  1. Go to Administration > Services API > Applications.

                                                 Figure 1

  2. Create a new API application.

                                                 Figure 2

  3. Provide the following information:
        a. Application name
        b. Category
        c. Enable service application
        d. Description


                                                 Figure 3

4. Provide the developer name and email address.
   Note: It is advisable to provide a service account.

                                                 Figure 4

5. Click Next. Review the Summary page to ensure all details are correct.
6. Click Add. The application details display in a slide panel.
   Note: A confirmation displays with the Application Name, the Application ID, and Application Key. These
   keys identify the application added.


                                                        Figure 5

   7. Save the Application ID and Application Key for later use.
      Note: Wait for 30 minutes before creating an API access and secret key.

3.2.2 Creating User Association Keys
After creating the application, create its user association keys.
   1. Click on the API Application from the application list.
   2. Click on the Create Keys button. A Create Keys wizard opens with the Account tab selected.

 Field / Option              Description

 Email Address               Displays the service account email specified in the Account tab.
 Type                        Select the service account's password type (e.g. domain or cloud).
 Password                    Enter the service account's password.

                                                        Figure 6


  3. Click Next. The Verification tab displays, and a verification code is sent by SMS.
  4. Click Next. The Keys tab displays with the generated keys hidden by default.
         a. Click on the      icon to display a key.
         b. Click on the      icon to copy the key to the clipboard.
  5. Copy and save the accessKey and secretKey values for later use.

3.2.3 Creating Python Script
   1. Download the python script from Mimecast and save it with a .py extension.
   2. Open the python script in a python editor such as IDLE.
   3. Edit the #Set up variables section.
      Note: Ensure the user running this script has permission to write to the folder.
      The fields below are required and must be filled in with valid credentials:
       o   APP_ID = "YOUR DEVELOPER APPLICATION ID"
       o   APP_KEY = "YOUR DEVELOPER APPLICATION KEY"
       o   EMAIL_ADDRESS = 'EMAIL ADDRESS OF YOUR ADMINISTRATOR'
       o   ACCESS_KEY = 'ACCESS KEY FOR YOUR ADMINISTRATOR'
       o   SECRET_KEY = 'SECRET KEY FOR YOUR ADMINISTRATOR'
       o   LOG_FILE_PATH = "FULLY QUALIFIED PATH TO FOLDER TO WRITE LOGS"
       o   CHK_POINT_DIR = 'FULLY QUALIFIED PATH TO FOLDER TO WRITE PAGE TOKEN'
       o   Syslog_Server = 'EventTracker Manager IP Address'
       o   Syslog_port = 514
   4. Save and run the file.
The script is ready to connect to Mimecast API.
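
A preflight check for the values edited in step 3, given here as an added example that is not part of the Mimecast script or of the original guide. The function names, the dictionary of settings and the placeholder-matching rule are assumptions made for this example.

```python
"""Preflight check for the '#Set up variables' values (added example)."""
import ipaddress
import os
import tempfile

# Fragments of the template text shown in the guide; a value that still
# contains one of them was never edited.
PLACEHOLDER_MARKERS = (
    "YOUR DEVELOPER", "OF YOUR ADMINISTRATOR", "FOR YOUR ADMINISTRATOR",
    "FULLY QUALIFIED PATH", "EventTracker Manager IP Address",
)
REQUIRED = (
    "APP_ID", "APP_KEY", "EMAIL_ADDRESS", "ACCESS_KEY", "SECRET_KEY",
    "LOG_FILE_PATH", "CHK_POINT_DIR", "Syslog_Server", "Syslog_port",
)


def is_writable_dir(path):
    """Prove write access by creating (and auto-deleting) a real file."""
    # os.access() does not reflect Windows ACLs reliably, so try the write.
    if not os.path.isdir(path):
        return False
    try:
        with tempfile.NamedTemporaryFile(dir=path, prefix="preflight_"):
            pass
        return True
    except OSError:
        return False


def check_settings(cfg):
    """Return {variable name: problem}; an empty dict means cfg is usable."""
    problems = {}
    for name in REQUIRED:
        raw = cfg.get(name)
        value = "" if raw is None else str(raw).strip()
        if not value:
            problems[name] = "missing or empty"
        elif any(marker in value for marker in PLACEHOLDER_MARKERS):
            problems[name] = "still holds the template placeholder"

    # The script writes logs and the page token here (see the Note in step 3).
    for name in ("LOG_FILE_PATH", "CHK_POINT_DIR"):
        if name not in problems and not is_writable_dir(cfg[name]):
            problems[name] = "not a directory this account can write to"

    if "Syslog_Server" not in problems:
        try:
            ipaddress.ip_address(str(cfg["Syslog_Server"]).strip())
        except ValueError:
            problems["Syslog_Server"] = "not a valid IP address"

    port = cfg.get("Syslog_port")
    if "Syslog_port" not in problems and (
            isinstance(port, bool) or not isinstance(port, int)
            or not 1 <= port <= 65535):
        problems["Syslog_port"] = "must be an integer from 1 to 65535"
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with the ones from your script.
    with tempfile.TemporaryDirectory() as folder:
        sample = {
            "APP_ID": "constructed-app-id", "APP_KEY": "constructed-app-key",
            "EMAIL_ADDRESS": "svc-mimecast@example.com",
            "ACCESS_KEY": "constructed-access-key",
            "SECRET_KEY": "constructed-secret-key",
            "LOG_FILE_PATH": folder, "CHK_POINT_DIR": folder,
            "Syslog_Server": "192.0.2.10", "Syslog_port": 514,
        }
        for name, problem in check_settings(sample).items():
            print(f"{name}: {problem}")
```

Run the check under the same account that will run the script, because write access to the two folders depends on the account.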

3.3 Scheduling a Windows task
   1. Use the Search option to search for Schedule and choose Task Scheduler.


                                              Figure 7

2. Click the Create Task link, to open the wizard bearing the same name.

                                              Figure 8

3. In the General tab of the Create Task wizard:
       a. Provide a name for the task, such as Mimecast API.
       b. Provide a description of the task.
       c. Click the Change User or Group button to change the user account to SYSTEM.
       d. Select the Run with highest privileges checkbox.


                                          Figure 9

4. Click the Trigger tab and click New.

                                          Figure 10


5. Configure settings based on the following image and click OK.

                                              Figure 11

6. Click the Actions tab and click New.

                                              Figure 12


7. In the Program/Script field, browse to the Python executable file.

     e.g. C:\Users\akash.g\AppData\Local\Programs\Python\Python38-32\python.exe.

     In the Add arguments (optional) box, add the Python file name.

     e.g. Mimecast.py

     In the Start in (optional) box, add the Python file location.

     e.g. D:\NetS_Projects\Products\Mimecast\Integration\Integrator.

                                                     Figure 13

  Alternatively, create a batch script and provide it in the Program/script field:
            a. Open Notepad and type the configuration as below:
 "Path where your Python exe is stored\python.exe" "Path where your Python script is stored\script name.py"

     e.g.

            b. Save the file as MimecastPython.bat.
            c. In the Actions tab in Task Scheduler, provide the batch file path.


          e.g. D:\NetS_Projects\Products\Mimecast\Integration\Integrator\MimecastPython.bat.
8. Click OK.

                                             Figure 14

9. Click the Settings tab and ensure the configuration matches the image below.

                                             Figure 15

10. Click OK.


4. EventTracker Knowledge Pack
After the logs are received in EventTracker, categories and reports are configured in EventTracker.
The following Knowledge Packs are available in EventTracker to support Windows.

4.1 Alerts
•   Mimecast: Virus signature detection - This alert is generated when an email with a virus signature is detected by
    the Mimecast Email Gateway.
•   Mimecast: Malicious file detected - This alert is triggered when an email containing a malicious attachment is
    detected by Mimecast.
•   Mimecast: Malicious URL detected - This alert is generated when an email containing a malicious URL is detected
    by Mimecast.
•   Mimecast: Message has been quarantined - This alert is generated when an email is held for review and
    quarantined by Mimecast.
•   Mimecast: Username has been impersonated - This alert is generated when Mimecast detects a received email
    that spoofs an internal user.

4.2 Flex Reports
•   Mimecast: Inbound and outbound accepted emails - This report provides details about all the inbound and
    outbound emails monitored by the Mimecast Secure Email Gateway.

                                                        Figure 16

Logs Considered:

                                                        Figure 17


•   Mimecast-Rejected emails - This report provides details about all the emails rejected by the Mimecast
    Secure Email Gateway.

                                                 Figure 18

Logs Considered:

                                                 Figure 19

•   Mimecast-Spam emails - This report provides details about all the spam emails detected by the Mimecast
    Secure Email Gateway.

                                                 Figure 20

Logs Considered:

                                                 Figure 21

•   Mimecast-Virus signature detection - This report provides details about all the emails containing virus
    signature or suspicious phishing.


                                                  Figure 22

Logs Considered:

                                                  Figure 23

5. Importing Mimecast Secure Email Gateway Knowledge Pack into EventTracker
NOTE: Import knowledge pack items in the following sequence:
        1.   Knowledge Objects
        2.   Categories
        3.   Alerts
        4.   Parsing Rules
        5.   Flex Reports

   1. Launch EventTracker Control Panel.

   2. Double click Export Import Utility, and click the Import tab.


                                                Figure 24

5.1 Import Alerts
  1. Click Alert option and click the browse   button.

                                                Figure 25


  2. Locate Mimecast alerts.isalt file and click the Open button.

  3. To import alerts, click the Import button.

  4. EventTracker displays success message.

                                                  Figure 26

  5. Click OK and click Close.

5.2 Import Knowledge Object
  1. Click the Admin menu and click Knowledge Objects.
  2. Click on    Import option.

                                                  Figure 27

  3. In the IMPORT pane, click Browse.


                                               Figure 28

4. Locate Mimecast knowledge objects.etko file and click the UPLOAD button.

                                               Figure 29

5. Select the check box and click OVERWRITE.
   EventTracker displays success message.


                                                Figure 30

  6. Click OK.

5.3 Import Parsing Rule
  1. Select Token Value option and click Browse        .

  2. Locate the Mimecast Tokens.istoken file and click Open.

                                                Figure 31

  3. Click Import to import the tokens. EventTracker displays success message.


                                                  Figure 33

5.4 Import Flex Reports
  1. Select Reports option and click Browse          .
  2. Locate applicable Mimecast reports.etcrx file and click Open.

                                                  Figure 33

  3. To import scheduled reports, click Import.


                                            Figure 34

4. EventTracker displays success message.

                                            Figure 35

5. Click OK and click Close.


6. Verifying Mimecast Secure Email Gateway Knowledge Pack
6.1 Verify Alerts
  1. Logon to EventTracker.

  2. Click the Admin menu and click Alerts.

  3. In the Search box, type Mimecast, and click Go.

       The Alert Management page displays all the imported alerts.

                                                   Figure 36

  4. To activate the imported alerts, select the respective checkbox in the Active column.

       EventTracker displays message box.

                                                   Figure 37

  5. Click OK and click the Activate Now button.


NOTE: Specify appropriate systems in alert configuration for better performance.

6.2 Verify Knowledge Object
     1. Click the Admin menu and click Knowledge Objects.
     2. Scroll down and select Mimecast in Objects pane.
        Imported Mimecast object details are shown.

                                                   Figure 38

6.3 Verify Parsing Rule
1. Logon to EventTracker web interface.

2. Click the Admin menu and click Parsing Rules.

3. Select Mimecast group option.


                                                 Figure 39

6.4 Verify Flex Reports
  1. Logon to EventTracker.
  2. Click the Reports menu and Configuration.
  3. Select Defined in report type.
  4. In Report Groups Tree to view imported Scheduled Reports, scroll down and click Mimecast group
       folder.

       Scheduled Reports display in the Reports Configuration pane.


                                                Figure 40

  NOTE: Specify appropriate systems in report wizard for better performance.

7. Creating Dashboards in EventTracker
7.1 Schedule Reports
  1. Open EventTracker in browser and logon.

                                                Figure 41

  2. Navigate to Reports>Configuration.


                                               Figure 42

3. Select Mimecast in report groups. Check defined dialog box.

4. Click on schedule     to plan a report for later execution.

                                               Figure 43


  5. Choose appropriate time for report execution and in Step 8 check Persist data in Eventvault explorer
     box.

                                                Figure 44

  6. Check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention
     period.
  7. Click the Schedule button.
  8. Wait for scheduled time or generate report manually.

7.2 Create Dashlets
  1. EventTracker 8 is required to configure flex dashboard.
  2. Open EventTracker in browser and logon.


                                            Figure 45

3. Navigate to Dashboard>Flex.
   Flex Dashboard pane is shown.

                                            Figure 46

4. Click   to add a new dashboard.
   Flex Dashboard configuration pane is shown.

                                            Figure 47


5. Enter a title and description and click Save.
6. Click   to configure a new flex dashlet.
   Widget configuration window displays.

                                                   Figure 48

7. Locate earlier scheduled report in Data Source dropdown.
8. Select Chart Type from dropdown.
9. Select extent of data to be displayed in Duration dropdown.
10. Select computation type in Value Field Setting dropdown.
11. Select evaluation duration in As Of dropdown.


12. Select comparable values in X Axis with suitable label.
13. Select numeric values in Y Axis with suitable label.
14. Select comparable sequence in Legend.
15. Click Test to evaluate.
    Evaluated chart displays.

                                                Figure 49

16. Click Configure.

                                                Figure 50


   17. Click customize   to locate and choose created dashlet.
   18. Click   to add dashlet to earlier created dashboard.

Sample Dashboards

   •    REPORT: Mimecast-Inbound and outbound accepted emails
        WIDGET TITLE: Mimecast-Inbound and outbound accepted emails
        CHART TYPE: Pie
        AXIS LABELS [X-AXIS]: Sender Address
        LEGEND [SERIES]: Direction

                                                 Figure 51

   •    REPORT: Mimecast-Rejected emails
        WIDGET TITLE: Mimecast-Rejected emails
        CHART TYPE: Stacked Column
        AXIS LABELS [X-AXIS]: Sender Address
        LEGEND [SERIES]: Reject information


                                          Figure 52

•    REPORT: Mimecast-Spam emails
     WIDGET TITLE: Mimecast-Spam emails
     CHART TYPE: Donut
     AXIS LABELS [X-AXIS]: Spam Info
     LEGEND [SERIES]: Sender Address

                                          Figure 53


•    REPORT: Mimecast-Virus signature detection
     WIDGET TITLE: Mimecast-Virus signature detection
     CHART TYPE: Pie
     AXIS LABELS [X-AXIS]: Virus Details
     LEGEND [SERIES]: Sender Address

                                             Figure 54
