JMSHW0420
Iron Contributor
Jul 25, 2023
Solved

RE: Mimecast integration (log ingestion) with Microsoft Sentinel

Can somebody inform me what the best practice or method is for ingesting event or log data from Mimecast into Microsoft Sentinel?

I am trying to understand what SIEM integration Mimecast has got.

7 Replies

  • BcyberS
    Brass Contributor
    Hi all, after months of pushing the Mimecast development team we finally have updated Mimecast integration for Microsoft Sentinel:

    Find the solutions on the Azure marketplace here: https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=mimecast&page=1&filters=partner...

    Also, if you search 'Mimecast' in your Microsoft Sentinel content hub you should now see the 4 Mimecast products available to deploy in your environment,

    all the best!
    • nicheem
      Copper Contributor

      Hi there,

      I am looking to pull SPF and DMARC details from Mimecast into Sentinel and couldn't see those details in the Microsoft Mimecast functions. Has anyone come across this scenario? Thanks in advance.

      • BcyberS
        Brass Contributor
        Hi,

        Assuming you are already ingesting Mimecast events into your Log Analytics workspace, you should see the table MimecastSIEM_CL from the 'Mimecast Secure Email Gateway' connector. Run this KQL query:

        MimecastSIEM_CL
        | where logType_s has "receipt" and Dir_s has "Inbound" //looks for all mails received coming inbound only.

        Open some of the records and you should see a column 'SpamProcessingDetail_s', which shows the SPF, DKIM and DMARC info.

        Hope this helps!

        all the best.
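        As an added example (not part of the thread or Mimecast's connector), a KQL query that builds on the one above by parsing SpamProcessingDetail_s and counting inbound mail per SPF/DKIM/DMARC result, so the authentication outcomes can be charted or alerted on rather than read record by record. The JSON key names (spf/dkim/dmarc, each with info and allow) and the 7-day TimeGenerated window are assumptions; open a few records and adjust the keys to match what your tenant actually stores.

```kql
// Added example, not from the thread. Assumes SpamProcessingDetail_s contains JSON
// shaped roughly like {"spf":{"info":"SPF_PASS","allow":true},"dkim":{...},"dmarc":{...}}.
// The key names below are an assumption: verify them against real records first.
MimecastSIEM_CL
| where TimeGenerated > ago(7d)
// same inbound-receipt filter as the query above
| where logType_s has "receipt" and Dir_s has "Inbound"
| extend spd = parse_json(SpamProcessingDetail_s)
// pull the per-check verdicts out of the nested JSON
| extend SPF   = tostring(spd.spf.info),
         DKIM  = tostring(spd.dkim.info),
         DMARC = tostring(spd.dmarc.info),
         DmarcAllowed = tobool(spd.dmarc.allow)
// skip records where the field was empty or not in the expected shape
| where isnotempty(DMARC)
// daily counts per combination of verdicts; DMARC failures that were still
// allowed through (DmarcAllowed == true) are the rows worth reviewing
| summarize Messages = count() by bin(TimeGenerated, 1d), SPF, DKIM, DMARC, DmarcAllowed
| order by TimeGenerated desc, Messages desc
```

To turn this into a scheduled analytics rule, replace the summarize with a filter such as `| where DMARC has "fail" and DmarcAllowed == true` (the verdict string is again an assumption to confirm against your data).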
  • camc
    Copper Contributor
    Hi JMSHW0420, you should probably be looking at the Azure Marketplace app for Mimecast:

    https://azuremarketplace.microsoft.com/en/marketplace/apps/mimecastnorthamerica1584469118674.mimecast_email_security-for_azure_sentinel?tab=overview
    • BcyberS
      Brass Contributor
      Tried with this for a client and worked with Mimecast support. They were asking us to use an EOL OS which we were not happy to proceed with. No updates as of yet.

      I hope Microsoft work on a connector with Mimecast and resolve this soon.
      • jgriff100
        Copper Contributor

        BcyberS Absolutely right, and it's ludicrous. Even then their code doesn't work well. I have published some fixes to it over time but it's really not great. https://github.com/TotalGriffLock/Mimecast-Azure-Sentinel-Fixes

        I can only assume the person who wrote it has left Mimecast and it is no longer maintained.