The Mimecast for QRadar extension allows QRadar administrators to process Mimecast MTA and audit event logs using IBM QRadar. Depending on the services subscribed to, the Mimecast security data available to customers includes:
- MTA logs
- Audit events
- Targeted Threat Protection - Attachment Protect
- Targeted Threat Protection - Impersonation Protect
- Targeted Threat Protection - URL Protect
Supported IBM QRadar versions:
- IBM QRadar v7.3.0 patch 7 (recommended)
- IBM QRadar v7.2.8 patch 13 (minimum version)
Configuring Your Network
Data collection uses the Mimecast API. Outbound HTTPS access (TCP port 443) to the following hosts from IBM QRadar is required depending on your Mimecast region:
| Region | Required hosts |
|---|---|
| Europe (Excluding Germany) | https://api.mimecast.com AND https://eu-api.mimecast.com |
| United States | https://api.mimecast.com AND https://us-api.mimecast.com |
| South Africa | https://api.mimecast.com AND https://za-api.mimecast.com |
| Australia | https://api.mimecast.com AND https://au-api.mimecast.com |
| Offshore | https://api.mimecast.com AND https://je-api.mimecast.com |
Configuring Mimecast Permissions
See the table below for the endpoints used for data collection, and the associated Mimecast administrative permissions required. For convenience, all permissions are included in the Basic Administrator role.
| Endpoint | Required Mimecast administrative permission |
|---|---|
| /api/ttp/impersonation/get-logs | Monitoring \| Impersonation Protection \| Read |
| /api/audit/get-audit-events | Logs \| Read |
| /api/audit/get-siem-logs | Tracking \| Read |
Configuring the Mimecast Administration Console
Data collection requires a Mimecast administrator authentication token. By default an authentication token expires after three days, meaning QRadar stops collecting log data from Mimecast after this time. For the best experience, create a dedicated user and an authentication profile that defines an authentication token with an extended TTL. This is better suited to automated tasks, and the steps for doing this are described below.
To configure the preparation steps required in the Mimecast Administration Console:
1. Enable logging:
   - Click on the Administration toolbar menu item.
   - Select the Account | Account Settings menu item.
   - Expand the Enhanced Logging section.
   - Select the types of logs you want to enable:
     - Inbound: These are logs for messages from external senders to internal recipients.
     - Outbound: These are logs for messages from internal senders to external recipients.
     - Internal: These are logs for messages between your internal domains.
   - Click on the Save button.
   Once these settings are saved, the Mimecast MTA starts logging data for your account. Logs should be available for download 30 minutes later.
2. Create a User. See the "Creating a User" section of the Creating / Editing Mimecast Users page for further details. Keep a note of the password set, as you'll use it to get your authentication token.
3. Add the user created in step 2 to a Basic Administrator Role. See the "Adding Users to a Role" section of the Managing Administrator Roles page for further details.
4. Create a Profile Group. See the "Creating a Group" section of the Managing Groups page for further details.
5. Add the User to the Profile Group. See the "Adding Email Addresses / Domains to a Group" section of the Managing Groups page for further details.
   - Select the Add Email Addresses setting.
   - Add the User created in step 2.
6. Create an Authentication Profile using the options listed below. See the Configuring an Authentication Profile page for further details.
   - Set the Authentication TTL option to "Never Expires" to ensure the Authentication Token won't expire.
   - Leave all other settings at their default values.
7. Create an Application Setting using the options listed below. See the Configuring Application Settings page for full details.
   - Select the Profile Group created in step 4 in the Group option.
   - Select the Authentication Profile created in step 6 by clicking on the Lookup button.
   - Leave all other settings at their default values.
You are now ready to install and configure the Mimecast for QRadar log source extension.
Installing Mimecast for QRadar
The Mimecast for QRadar extension is available from IBM X-Force Exchange. Once you have logged on, you should be able to download the extension:
- Log on to the IBM QRadar Admin Console.
- Click on the Admin tab.
- Click on Extension Management.
- Click on the Add button.
- Click on the Browse button.
- Navigate to the location where the Mimecast for QRadar extension has been stored.
- Follow the instructions on screen to proceed with the installation.
Configuring Mimecast for QRadar
Mimecast for QRadar collects data every 15 minutes from the Mimecast API. In order for data collection to begin, access and secret keys are required for the user created in step 2 of the "Configuring the Mimecast Administration Console" section above.
To configure Mimecast for QRadar:
- Log on to the IBM QRadar Admin Console.
- Click on the Mimecast API Configuration plug-in located in the Admin tab under the Plug-Ins section. The Mimecast API Connection Configuration Panel is displayed.
- Generate the Access and Secret Keys:
  - Refer to step 6, "Get your authentication token", in Mimecast's Authentication Guide.
  - When prompted for an application id (on Windows, Mac OS X, or *nix systems), use the following GUID: replace app_id in the cURL command line options with 4941cc2e-85e5-4988-af50-688b03a29f96.
- Enter the Access and Secret keys into the respective fields in the Mimecast API Connection Configuration Panel window.
- Enter the Mimecast Base URL for the geographic region your Mimecast account is hosted in. See the "Configuring Your Network" section above. Use the second host listed for your region (e.g. "https://xx-api.mimecast.com"), not the shared https://api.mimecast.com host.
- Click on the Save Connection button.
Mimecast security log data will start to be collected. The data is viewable from the Log Activity tab in the QRadar Admin Console. Quick searches are created when the extension is installed. These can be viewed from the Log Activity tab under the Quick Searches drop-down menu.
To add additional accounts (e.g. for AAA mail processing accounts or geographically dispersed accounts) click on the + button. This allows additional access and secret keys to be added, with either the same or a different Mimecast base URL.
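As an added example (not code from the Mimecast for QRadar extension), the following shows how the four values configured above (access key, secret key, the app_id GUID, and the regional Base URL) combine into one authenticated call to the /api/audit/get-siem-logs endpoint from the permissions table. It uses the HMAC-SHA1 request-signing scheme from the Mimecast API 1.0 Authentication Guide that the steps refer to; the app_key parameter is assumed to be the application key issued alongside the app_id, and is not taken from this page.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone

# Region -> (shared host, regional host), as listed under "Configuring Your Network".
REGION_HOSTS = {
    "Europe (Excluding Germany)": ("https://api.mimecast.com", "https://eu-api.mimecast.com"),
    "United States": ("https://api.mimecast.com", "https://us-api.mimecast.com"),
    "South Africa": ("https://api.mimecast.com", "https://za-api.mimecast.com"),
    "Australia": ("https://api.mimecast.com", "https://au-api.mimecast.com"),
    "Offshore": ("https://api.mimecast.com", "https://je-api.mimecast.com"),
}

# Application id given in the "Configuring Mimecast for QRadar" steps above.
APP_ID = "4941cc2e-85e5-4988-af50-688b03a29f96"

def base_url_for(region):
    """Return the regional host the configuration panel expects (the second host listed)."""
    return REGION_HOSTS[region][1]

def is_valid_base_url(url):
    """True only for a regional host; the shared api.mimecast.com host is not a valid Base URL."""
    return url in {hosts[1] for hosts in REGION_HOSTS.values()}

def sign_request(access_key, secret_key, app_key, uri, req_id=None, date=None):
    """Build the headers for one API call using the Mimecast API 1.0 signing scheme.

    Authorization = "MC <accessKey>:<Base64(HMAC-SHA1(Base64-decoded secretKey,
                     "<date>:<requestId>:<uri>:<appKey>"))>"
    app_key is assumed to be the application key issued with the app_id (placeholder here).
    """
    req_id = req_id or str(uuid.uuid4())
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    to_sign = f"{date}:{req_id}:{uri}:{app_key}".encode()
    digest = hmac.new(base64.b64decode(secret_key), to_sign, hashlib.sha1).digest()
    return {
        "Authorization": f"MC {access_key}:{base64.b64encode(digest).decode()}",
        "x-mc-date": date,
        "x-mc-req-id": req_id,
        "x-mc-app-id": APP_ID,
        "Content-Type": "application/json",
    }

def build_siem_log_request(region, access_key, secret_key, app_key):
    """URL and signed headers for the get-siem-logs endpoint listed in the permissions table."""
    uri = "/api/audit/get-siem-logs"
    return base_url_for(region) + uri, sign_request(access_key, secret_key, app_key, uri)
```

Each request carries a fresh x-mc-req-id and date, so a captured Authorization header is bound to one request rather than being a reusable bearer credential.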
The Mimecast for QRadar extension generates log files for troubleshooting purposes. These logs are stored in the Docker container where the app has been installed. Once logged into the Docker container, logs are located in the /store/log directory. The logs generated should be used to diagnose issues where data is not being pulled into QRadar.
Mimecast support requires these logs to investigate any issues. As the logs will not provide any insight into IBM QRadar itself, consult the IBM QRadar documentation and/or IBM support for issues relating to Docker and the IBM QRadar system.