Initialize the Mimecast SIEM Beat
This guide outlines the procedure to initialize the Mimecast SIEM Beat configuration using the Open Collector.
Prerequisites
Acquire a Client ID and Client Secret by creating an API key, as outlined in Create a Mimecast API Application and Enable SIEM Logs.
Ensure that System Monitor version 7.21 or higher is installed, with JSON parsing enabled. For more information on enabling JSON parsing, refer to Configure Beats for JSON Parsing.
The following port must be open:
Direction | Port | Protocol | Source |
---|---|---|---|
Outbound | 443 | HTTPS | Mimecast SIEM Beat |
Initialize the Beat
Execute the following command to begin configuring the Mimecast SIEM Beat:
./lrctl mimecastsiembeat start
From the options presented, select New mimecastsiembeat instance and press Enter.
Provide a unique identifier for this Beat instance.
Enter the Base URL for Mimecast configuration.
The default URL is displayed; modify it if necessary.
Input the Client ID for Mimecast configuration.
The Client ID was obtained during the steps outlined in Create a Mimecast API Application and Enable SIEM Logs.
Enter the Client Secret for Mimecast configuration.
The Client Secret was obtained during the steps outlined in Create a Mimecast API Application and Enable SIEM Logs.
Specify the Log Type.
All 10 types of logs are displayed by default. To fetch all types, simply press Enter, or remove specific types from the list to target particular data.
Enter the page size to retrieve logs in a single request.
The default value is 100, with a minimum of 1 and a maximum of 100.
Indicate the number of days of logs to retrieve.
The default setting is 7 days, with a minimum of 1 day and a maximum of 7 days.
Enter the time interval after which the Beat will attempt to retrieve data.
The default setting is 60 seconds.
Enter the hostname or IP address of the machine where Sysmon JSON Parser version 7.21 or greater is installed.
Enter the port for data transmission.
The default is pre-populated as 5044.
Press Enter.
The configuration has been saved, and the service has started successfully.
To check the status of the service, run the following command:
./lrctl mimecastsiembeat status
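The answers for the prompts above can be sanity-checked before running the start command. The script below is an added example, not part of this guide or of the lrctl tooling; it checks the documented limits (page size 1-100, days 1-7, HTTPS on 443) and TCP reachability. The host names are placeholders, and it assumes a netcat with -z and -w is installed.

```shell
#!/bin/sh
# Added example: pre-flight check of the answers for the lrctl prompts.
# Limits are the guide's: page size 1-100, days 1-7, outbound HTTPS on 443.

# in_range VALUE MIN MAX: succeeds if VALUE is a plain integer in [MIN, MAX].
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# host_of_url URL: prints the host of an https:// URL; fails for any other scheme,
# so the Client Secret is never pointed at a plain-HTTP endpoint.
host_of_url() {
    case "$1" in https://?*) ;; *) return 1 ;; esac
    h=${1#https://}; h=${h%%/*}; h=${h%%:*}
    [ -n "$h" ] && printf '%s\n' "$h"
}

# validate_answers BASE_URL PAGE_SIZE DAYS BEAT_PORT: prints each problem found.
validate_answers() {
    rc=0
    host_of_url "$1" >/dev/null || { echo "Base URL must start with https://"; rc=1; }
    in_range "$2" 1 100   || { echo "Page size must be 1-100"; rc=1; }
    in_range "$3" 1 7     || { echo "Days of logs must be 1-7"; rc=1; }
    in_range "$4" 1 65535 || { echo "Port must be 1-65535"; rc=1; }
    return "$rc"
}

# tcp_open HOST PORT: succeeds if a TCP connection opens within 5 seconds.
# Assumes a netcat that supports -z and -w is installed.
tcp_open() { nc -z -w 5 "$1" "$2" >/dev/null 2>&1; }

# Usage (all values are placeholders):
#   sh preflight.sh https://mimecast-base-url.example 100 7 5044 sysmon-host.example
if [ "$#" -eq 5 ]; then
    validate_answers "$1" "$2" "$3" "$4" || exit 1
    tcp_open "$(host_of_url "$1")" 443 || { echo "Cannot reach Base URL on 443"; exit 1; }
    tcp_open "$5" "$4" || { echo "Cannot reach $5 on port $4"; exit 1; }
    echo "Pre-flight checks passed"
fi
```

Run it from the Open Collector host, since that is where the outbound 443 connection originates.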