Initialize the Mimecast SIEM Beat

This guide outlines the procedure to initialize the Mimecast SIEM Beat configuration using the Open Collector.

Prerequisites

Direction

Port

Protocol

Source

Outbound

443

HTTPS

Mimecast SIEM Beat

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  1. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. Execute the following command to begin configuring the Mimecast SIEM Beat:

    ./lrctl mimecastsiembeat start
    
  2. Use the Up and Down Arrow keys to select New mimecastsiembeat instance from the list, and then press Enter.

  3. Enter the unique identifier for this mimecastsiembeat instance, and then press Enter.

  4. Enter the Base URL for Mimecast configuration, and then press Enter.
    The default URL is displayed; modify it if necessary.

  5. Input the Client ID for Mimecast configuration, and then press Enter.

  6. Enter the Client Secret for Mimecast configuration, and then press Enter.

  7. Enter comma separated LogType names.
    All the different types of logs are displayed by default.
    To fetch all types, simply press Enter, or remove specific types from the list to target particular data.

  8. Enter the pagesize to retrieve logs in a single request.
    The default value is 100, with a minimum of 1 and a maximum of 100.

  9. Indicate the number of back days of logs to retrieve.
    The default setting is 7 days, with a minimum of 1 day and a maximum of 7 days.

  10. Enter the period after which the Beat will attempt to retrieve data.
    The default setting is 60 seconds.

  11. Enter the hostname or IP address of the System Monitor Agent that has been Configured for JSON Parsing, and then press Enter.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  1. Enter the port on which the System Monitor Agent is configured to listen for JSON data (the default is 5044), and then press Enter.
    The mimecastsiembeat service started message appears.

  2. Check the status of the service to confirm that it’s running:

    ./lrctl mimecastsiembeat status
    
  3. (Optional) Edit the mimecastsiembeat configuration to update the values set above if needed. Ensure that you have all the needed information for each step available as you will need to re-enter it:

    ./lrctl mimecastsiembeat config edit