Create a Mimecast API Application and Enable SIEM Logs

This guide outlines the procedures required to create a Mimecast API application and enable SIEM logs in preparation for collecting Mimecast logs via the Open Collector.

You must have administrator privileges in the Mimecast console in order to complete the steps in this guide.

Create a Mimecast Application Role

To create a Mimecast application role:

  1. Log into the Mimecast administrator console.

  2. Click Account, and then Roles.

  3. Click the New Role button to initiate the creation of a new role.

  4. Provide a Role Name and Description to clearly articulate the purpose of the role.

  5. Deselect all application permissions, then enable the following permissions based on the endpoint from which you wish to collect:

Endpoint Name

Product

Required Permissions

Archive Search Logs

Audit Events

Archive > Search Logs > Read

Archive Message View Logs

Audit Events

Archive > View Logs > Read

TTP URL Logs

Security Events

Monitoring > URL Protection > Read

TTP Impersonation Protect Logs

Security Events

Monitoring > Impersonation Protection > Read

Attachment Protection Logs

Security Events

Monitoring > Attachment Protection > Read

Audit Events

Audit Events

Account > Logs > Read

SIEM Logs (MTA)

Threats, Security Events and Data for CG

Security Events and Data Retrieval > Threat and Security Events (SIEM) > Read

  1. Click Save and Exit to finalize the role creation process.

Create a Mimecast API Application to Obtain Application Keys

To access vital Mimecast Email Security account information, including region, application ID, application key, access key, and secret key information:

  1. Log into the Mimecast administrator console.

  2. Click Integrations, and then API and Platform Integrations.

  3. Click Generate Keys on the Mimecast API 2.0 tile.

  4. In the Details section, make the following selections:

    1. Category: SIEM Integration

    2. Product Overview:

      1. Threats, Security Events, and Data for CG

      2. Security Events

      3. Audit Events

    3. Application Role: Select the role created in the previous section.

  5. Enter the required Application Name and Description, then click the Next button.

  6. In the Notification section, provide the necessary Technical Point of Contact and Email, then click the Next button.

  7. Review the provided information and click Add and Generate Keys to complete the process.

  8. Copy the generated keys and store them securely.

The displayed keys cannot be retrieved once you leave this screen, so ensure they are copied to a secure location to be used in the next page of this guide.

Enable the SIEM Logs (MTA) Endpoint

To enable the SIEM Logs (MTA) endpoint:

  1. Confirm that you hold a Mimecast administrator role that has Gateway, Tracking, and Read permissions.

  2. Log into the Mimecast administrator console.

  3. Click Administrator, and then Account.

  4. Click Account Settings, and then Enhanced Logging.

  5. Select the log types you wish to utilize for the endpoint.

  6. Click Save to apply the changes.