Mimecast Email Security Integration
Overview
Mimecast provides cloud email security with threat protection, archiving, and continuity. KYRA MDR collects Mimecast SIEM logs via the Logging API for email threat detection and DLP monitoring.
Prerequisites
- A KYRA MDR Collector installed and running
- Mimecast account with Administrator role
- API application registered in Mimecast Administration Console
- Access Key and Secret Key for API authentication
Configuration
Configure Mimecast API integration:
- Log in to the Mimecast Administration Console
- Navigate to Administration > Services > API and Platform Integrations
- Create a new API application:
| Setting | Value |
|---|---|
| Application Name | KYRA-MDR |
| Category | SIEM Integration |
- Generate Access Key and Secret Key
- Configure the KYRA MDR collector:
```yaml
sources:
  - type: mimecast
    base_url: https://<region>.mimecast.com
    app_id: <application-id>
    app_key: <application-key>
    access_key: <access-key>
    secret_key: <secret-key>
    poll_interval: 300s
```
- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Receipt | Inbound email receipt events | Email threat detection |
| Delivery | Outbound email delivery events | Email monitoring |
| Process | Email processing and scanning events | Threat analysis |
| Rejection | Emails rejected by policy | Policy enforcement monitoring |
| URL Protect | URL click and rewrite events | Phishing click protection |
| Attachment Protect | Attachment sandbox results | Malware detection |
Troubleshooting
API authentication failed: Mimecast uses a combination of app keys and access keys. Verify all four credential values in the collector configuration: app_id, app_key, access_key and secret_key.
No SIEM logs: Ensure the API application category is set to SIEM Integration.
Regional API URL: Use the correct base URL for your account region (us-api, eu-api, au-api).
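The credential and regional-URL checks above can be run against a source entry before restarting the collector. The script below is an added example, not part of the KYRA MDR collector; `parse_source`, `check_source` and the sample entries are hypothetical names and constructed data, and the region list contains only the three prefixes named on this page.

```python
from urllib.parse import urlparse

# Regional API prefixes named in this page's troubleshooting section;
# extend the tuple if your account uses another region (assumption).
KNOWN_REGIONS = ("us-api", "eu-api", "au-api")
REQUIRED = ("base_url", "app_id", "app_key", "access_key", "secret_key")

def parse_source(text):
    """Parse the flat 'key: value' lines of one source entry (not general YAML)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        if not line or line.startswith("#") or line == "sources:":
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        cfg[key.strip()] = value.strip()
    return cfg

def check_source(cfg):
    """Return a list of problems; messages never echo credential values."""
    problems = []
    if cfg.get("type") != "mimecast":
        problems.append("type is not mimecast")
    for key in REQUIRED:
        value = cfg.get(key, "")
        if not value or "<" in value or ">" in value:
            problems.append(f"{key} is missing or still a placeholder")
    url = urlparse(cfg.get("base_url", ""))
    if url.scheme != "https":
        problems.append("base_url must use https")
    host = url.hostname or ""
    if host not in {f"{r}.mimecast.com" for r in KNOWN_REGIONS}:
        problems.append(f"base_url host {host!r} is not a listed regional host")
    return problems

# Constructed sample entries; every key value here is fake.
SAMPLE_OK = """\
sources:
  - type: mimecast
    base_url: https://eu-api.mimecast.com
    app_id: EXAMPLE-APP-ID
    app_key: EXAMPLE-APP-KEY
    access_key: EXAMPLE-ACCESS-KEY
    secret_key: EXAMPLE-SECRET-KEY
    poll_interval: 300s
"""
SAMPLE_BAD = (SAMPLE_OK.replace("https://eu-api", "http://api")
              .replace("EXAMPLE-SECRET-KEY", "<secret-key>"))

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_source(parse_source(text)) or "passes")
```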
Contact kyra@seekerslab.com for support.