Initialize the Mimecast SIEM Beat

This guide outlines the procedure to initialize the Mimecast SIEM Beat configuration using the Open Collector.

Prerequisites

| Direction | Port | Protocol | Source             |
|-----------|------|----------|--------------------|
| Outbound  | 443  | HTTPS    | Mimecast SIEM Beat |

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.
    Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON Parsing.

  3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. Execute the following command to begin configuring the Mimecast SIEM Beat:

    ./lrctl mimecastsiembeat start

  2. From the options presented, select New mimecastsiembeat instance and press Enter.

  3. Provide a unique identifier for this Beat instance.

  4. Enter the Base URL for Mimecast configuration.
    The default URL is displayed; modify it if necessary.

  5. Input the Client ID for Mimecast configuration.
    The Client ID was obtained during the steps outlined in Create a Mimecast API Application and Enable SIEM Logs.

  6. Enter the Client Secret for Mimecast configuration.
    The Client Secret was obtained during the steps outlined in Create a Mimecast API Application and Enable SIEM Logs.

  7. Specify the Log Type.
    All 10 types of logs are displayed by default. To fetch all types, simply press Enter, or remove specific types from the list to target particular data.

  8. Enter the page size to retrieve logs in a single request.
    The default value is 100, with a minimum of 1 and a maximum of 100.

  9. Indicate the number of days of logs to retrieve.
    The default setting is 7 days, with a minimum of 1 day and a maximum of 7 days.

  10. Enter the time interval after which the Beat will attempt to retrieve data.
    The default setting is 60 seconds.

  11. Enter the hostname or IP address of the machine where Sysmon JSON Parser version 7.21 or greater is installed.

  12. Enter the port for data transmission.
    The default is pre-populated as 5044.

  13. Press Enter.
    The configuration is saved and the service starts.

  14. To check the status of the service, run the following command:

    ./lrctl mimecastsiembeat status
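The interactive prompts above reject out-of-range values only after you have typed the Client Secret, and a blocked outbound 443 path or a closed port 5044 on the agent host only shows up once the service is running. The following pre-flight script is an added example, not part of the Open Collector or lrctl: it validates the numeric answers against the ranges the guide states (page size 1-100, days 1-7, port), then checks HTTPS reachability of the Mimecast Base URL and TCP reachability of the System Monitor Agent port before you run `./lrctl mimecastsiembeat start`. The base URL and agent host are whatever you pass on the command line; nothing here is a Mimecast or LogRhythm default beyond the values already in the procedure.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the Mimecast SIEM Beat, run before "./lrctl mimecastsiembeat start".
# Added example: this script is not part of the Open Collector or lrctl.
# Values taken from the guide: outbound 443/HTTPS, default data port 5044,
# page size 1-100, days of logs 1-7. Host names and the base URL are supplied by you.

# Validate the numeric answers the interactive prompts ask for (steps 8, 9, 10 and 12).
# Usage: validate_beat_params PAGE_SIZE DAYS INTERVAL_SECONDS PORT
# Returns 0 when every value is within the documented range, 1 otherwise (reason on stderr).
validate_beat_params() {
  local page_size="$1" days="$2" interval="$3" port="$4" v
  for v in "$page_size" "$days" "$interval" "$port"; do
    case "$v" in
      ''|*[!0-9]*) echo "not an unsigned integer: '$v'" >&2; return 1 ;;
    esac
  done
  if [ "$page_size" -lt 1 ] || [ "$page_size" -gt 100 ]; then
    echo "page size must be between 1 and 100 (got $page_size)" >&2; return 1
  fi
  if [ "$days" -lt 1 ] || [ "$days" -gt 7 ]; then
    echo "days of logs must be between 1 and 7 (got $days)" >&2; return 1
  fi
  if [ "$interval" -lt 1 ]; then
    echo "poll interval must be at least 1 second (got $interval)" >&2; return 1
  fi
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port must be between 1 and 65535 (got $port)" >&2; return 1
  fi
  return 0
}

# Confirm the collector host can open an HTTPS connection to the Mimecast base URL.
# Any HTTP status (even 401/404) proves the outbound 443 path works; "000" means
# DNS, TLS or firewall trouble, which is worth fixing before entering credentials.
check_outbound_https() {
  local base_url="$1" code
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$base_url" 2>/dev/null) || return 1
  [ "$code" != "000" ]
}

# Confirm the System Monitor Agent host accepts TCP connections on the data port (default 5044).
# Uses bash's /dev/tcp pseudo-device, so no extra tooling is needed on the collector.
check_agent_port() {
  local host="$1" port="${2:-5044}"
  timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Run all checks; returns non-zero on the first failure.
# Usage: preflight BASE_URL AGENT_HOST [PORT] [PAGE_SIZE] [DAYS] [INTERVAL]
preflight() {
  local base_url="$1" agent_host="$2" port="${3:-5044}"
  local page_size="${4:-100}" days="${5:-7}" interval="${6:-60}"
  validate_beat_params "$page_size" "$days" "$interval" "$port" || return 1
  check_outbound_https "$base_url" \
    || { echo "cannot reach $base_url over HTTPS (outbound 443)" >&2; return 1; }
  check_agent_port "$agent_host" "$port" \
    || { echo "cannot reach $agent_host:$port (System Monitor Agent)" >&2; return 1; }
  echo "pre-flight OK: parameters valid, $base_url reachable, $agent_host:$port open"
}

# Only run the network checks when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  preflight "$@"
fi
```

Run it from the Open Collector host as `./preflight.sh https://<mimecast-base-url> <agent-host> 5044` (placeholders for the Base URL shown at step 4 and the host entered at step 11); a clean "pre-flight OK" means the answers you are about to give the prompts are in range and both network paths in the prerequisites table are open.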