Mimecast

Integration version: 4.0

Use Cases

  1. Perform ingestion of the messages
  2. Perform triaging action (Reject/Release/Report message)

Configure Mimecast integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https:/<<api root>> Yes API root of the Mimecast instance.
Application ID String N/A Yes Application ID of the Mimecast instance.
Application Key Password N/A Yes Application Key of the Mimecast instance.
Access Key Password N/A Yes Access Key of the Mimecast instance.
Secret Key Password N/A Yes Secret Key of the Mimecast instance.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Mimecast server is valid.

Integration Configuration Nuances

  1. Google Security Operations SOAR server needs to be synced with the Mimecast server.
  2. Information about all of the parameters needed for the configuration is available at the following links: https://community.mimecast.com/s/article/Managing-API-Applications-505230018 and https://community.mimecast.com/s/article/Mimecast-Data-Centers-and-URLs-61190061

Actions

Ping

Description

Test connectivity to Mimecast with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if successful: "Successfully connected to the Mimecast server with the provided connection parameters!"

The action should fail and stop a playbook execution:
if not successful: "Failed to connect to the Mimecast server! Error is {0}".format(exception.stacktrace)

General

Simple Archive Search

Description

Search archive emails using defined parameters in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Fields To Return CSV attachmentcount,status,subject,size,receiveddate,displayfrom,displayfromaddress,id,displayto,displaytoaddresslist,smash Yes Specify a comma-separated list of fields that need to be returned.
Mailboxes CSV N/A No Specify a comma-separated list of mailboxes that need to be searched.
From CSV N/A No Specify a comma-separated list of email addresses from which the emails were sent.
To CSV N/A No Specify a comma-separated list of email addresses to which the emails were sent.
Subject String N/A No Specify a subject that needs to be searched.
Time Frame DDL Last Hour Yes Specify a time frame for the search. If "Custom" is selected, you also need to provide "Start Time". Possible values: Last Hour, Last 6 Hours, Last 24 Hours, Last Week, Last Month, Custom.
Start Time String N/A No Specify the start time for the search. This parameter is mandatory if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601.
End Time String N/A No Specify the end time for the search. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, this parameter uses the current time.
Max Emails To Return Integer 50 No Specify how many emails to return. Default: 50.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available (is_success = true): "Successfully found archive emails for the provided criteria in Mimecast".

If data is not available (is_success=true): "No archive emails were found for the provided criteria in Mimecast"

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Simple Archive Search". Reason: {0}".format(error.Stacktrace)

If Start Time is empty, when "Time Frame" is "Custom": "Error executing action "Simple Archive Search". Reason: "Start Time" should be provided, when "Custom" is selected in "Time Frame" parameter."

If fail/errors has values: "Error executing action "Simple Archive Search". Reason: fail/errors/message".

General
Case Wall Table

Name: Results

Columns:

All keys from the response

General

Advanced Archive Search

Description

Search archive emails using a custom XML query in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
XML Query XML N/A Yes Specify an XML query that should be used when searching for archive emails. Please visit documentation for more details.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available(is_success = true): "Successfully found archive emails for the provided criteria in Mimecast".

If data is not available (is_success=true): "No archive emails were found for the provided criteria in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Advanced Archive Search". Reason: {0}".format(error.Stacktrace)

If fail/errors has values: "Error executing action "Advanced Archive Search". Reason: fail/errors/message".

General
Case Wall Table

Name: Results

Columns:

All keys from the response

General

Reject Message

Description

Reject message in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Message ID String N/A Yes Specify the ID of the message that needs to be rejected.
Note String N/A No Specify an additional note containing an explanation regarding why the message was rejected.
Reason DDL Select One No Specify the reason for rejection. Possible values: Select One, Inappropriate Communication, Confidential Information, Against Email Policy, Restricted Content.
Notify Sender Checkbox Unchecked No If enabled, action will notify the sender about rejection.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully rejected message with ID "{ID}" in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Reject Message". Reason: {0}".format(error.Stacktrace)

If fail/errors has values: "Error executing action "Reject Message". Reason: fail/errors/message".

General

Release Message

Description

Release message in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Message ID String N/A Yes Specify the ID of the message that needs to be released.
Release to Sandbox Checkbox N/A No If enabled, action will release the message to the sandbox.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully released message with ID "{ID}" in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Release Message". Reason: {0}".format(error.Stacktrace)

If fail/errors has values: "Error executing action "Release Message". Reason: fail/errors/message".

General

Report Message

Description

Report message in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Message IDs String N/A Yes Specify the ID of the message that needs to be reported.
Report as DDL Spam No Specify the report type for the message. Possible values: Spam, Malware, Phishing.
Comment String N/A No Specify the comment for the report.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available(is_success = true): "Successfully reported the following messages with ID "{ID}" in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Report Message". Reason: {0}".format(error.Stacktrace)

If fail/errors has values: "Error executing action "Report Message". Reason: fail/errors/message".

General

Block Sender

Description

Block sender in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Sender String N/A Yes Specify the email address of the sender to block.
Recipient String N/A Yes Specify the email address of the recipient to block.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully blocked sender {sender} for recipient {recipient} in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Block Sender". Reason: {0}".format(error.Stacktrace)

If fail/errors has values: "Error executing action "Block Sender". Reason: fail/errors/message".

General

Permit Sender

Description

Permit sender in Mimecast.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Sender String N/A Yes Specify the email address of the sender to permit.
Recipient String N/A Yes Specify the email address of the recipient to permit.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If no "errors" in the response (is_success = true): "Successfully permitted sender {sender} for recipient {recipient} in Mimecast".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Permit Sender". Reason: {0}".format(error.Stacktrace)

If fail/errors has values: "Error executing action "Permit Sender". Reason: fail/errors/message".

General

Connector

Mimecast - Message Tracking Connector

Description

Pull information about messages from the "Message Tracking" tab in Mimecast.

Configure Mimecast - Message Tracking Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String event_type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern String .* No A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds) Int 180 Yes Timeout limit for the Python process running the current script.
API Root String https:/<<api root>> Yes API root of the Mimecast instance.
Application ID String N/A Yes Application ID of the Mimecast instance.
Application Key Password N/A Yes Application Key of the Mimecast instance.
Access Key Password N/A Yes Access Key of the Mimecast instance.
Secret Key Password N/A Yes Secret Key of the Mimecast instance.
Domains CSV N/A Yes A comma-separated list of domains for which to query messages.
Lowest Risk To Fetch String N/A No Lowest risk that will be used to fetch messages. Possible values: Negligible, Low, Medium, High. If nothing is provided, the connector will ingest all messages.
Status Filter CSV held A comma-separated list of status filters for the messages. Possible values: delivery, held, accepted, bounced, deferred, rejected, archived. If nothing is provided, the connector will ingest all messages.
Route Filter CSV N/A A comma-separated list of route filters for the messages. Possible values: internal, outbound, inbound. If nothing is provided, the connector will ingest all messages.

Ingest Messages Without Risk Checkbox If enabled, the connector will ingest messages even if there is no info about risk. Google Security Operations SOAR Alerts generated from those messages will have priority set to Informational.
Max Hours Backwards Integer 1 No Number of hours backwards from which to fetch messages. Default: 1 hour. Max: 30 days.
Max Messages To Return Integer 100 No How many messages to process per one connector iteration. Default: 100.
Use whitelist as a blacklist Checkbox Checked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Mimecast server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.
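
The "Lowest Risk To Fetch", "Status Filter", "Route Filter" and "Ingest Messages Without Risk" parameters together decide which tracked messages become alerts, so a filter change is worth previewing for blind spots before it is saved. The sketch below is an added example, not the connector's own code; the message field names (`id`, `status`, `route`, `risk`), the order of the checks, and dropping messages without risk info when the checkbox is off are assumptions.

```python
# Risk levels in ascending order, as listed for "Lowest Risk To Fetch".
RISK_ORDER = ["negligible", "low", "medium", "high"]

def _csv(value):
    """Split a CSV parameter into a lowercase set; an empty set means no filter."""
    return {item.strip().lower() for item in (value or "").split(",") if item.strip()}

def should_ingest(msg, lowest_risk=None, status_filter="held",
                  route_filter=None, ingest_without_risk=False):
    """Return (ingest, note) for one message dict (field names are assumed)."""
    statuses, routes = _csv(status_filter), _csv(route_filter)
    if statuses and (msg.get("status") or "").lower() not in statuses:
        return False, "status filtered"
    if routes and (msg.get("route") or "").lower() not in routes:
        return False, "route filtered"
    risk = (msg.get("risk") or "").lower()
    if not risk:
        # Assumption: without risk info a message is kept only when "Ingest
        # Messages Without Risk" is enabled; its alert is Informational.
        return (True, "informational") if ingest_without_risk else (False, "no risk info")
    if risk not in RISK_ORDER:
        return False, "unknown risk value"
    if lowest_risk and RISK_ORDER.index(risk) < RISK_ORDER.index(lowest_risk.lower()):
        return False, "below lowest risk"
    return True, risk

def preview(messages, **params):
    """Map message id -> (ingest, note) so a filter change can be reviewed."""
    return {m["id"]: should_ingest(m, **params) for m in messages}

# Constructed sample records, not real Mimecast output.
SAMPLE = [
    {"id": "m1", "status": "held", "route": "inbound", "risk": "High"},
    {"id": "m2", "status": "held", "route": "inbound", "risk": "Low"},
    {"id": "m3", "status": "delivery", "route": "inbound", "risk": "High"},
    {"id": "m4", "status": "held", "route": "outbound", "risk": None},
]

if __name__ == "__main__":
    for mid, decision in preview(SAMPLE, lowest_risk="Medium",
                                 ingest_without_risk=True).items():
        print(mid, decision)
```

With the default "Status Filter" of held, the high-risk message `m3` that was already delivered is never ingested, which is the kind of gap the preview is meant to surface.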

Connector Rules

Proxy Support

The connector supports proxy.