Edit

Share via

Mimecast Audit (using Azure Functions) connector for Microsoft Sentinel

  • Article

The data connector for Mimecast Audit provides customers with the visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into user activity, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities.
The Mimecast products included within the connector are: Audit

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) MimecastAudit_CL
Data collection rules support Not currently supported
Supported by Mimecast

Query samples

MimecastAudit_CL

MimecastAudit_CL

| sort by TimeGenerated desc

Prerequisites

To integrate with Mimecast Audit (using Azure Functions) make sure you have:

  • Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
  • REST API Credentials/permissions: See the documentation to learn more about API on the Rest API reference

Vendor installation instructions

Note

This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

Configuration:

STEP 1 - Configuration steps for the Mimecast API

Go to Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)

STEP 2 - Deploy Mimecast API Connector

IMPORTANT: Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.

Deploy the Mimecast Audit Data Connector:

Use this method for automated deployment of the Mimecast Audit Data connector.

  1. Click the Deploy to Azure button below.

    Deploy To Azure

  2. Select the preferred Subscription, Resource Group and Region.

  3. Enter the below information : Workspace ID Workspace Key Base URL (Default: https://api.services.mimecast.com) Start Date Mimecast Client ID Mimecast Client Secret Log Level (Default: INFO) Schedule (0 0 */1 * * *) App Insights Workspace Resource ID

  4. Mark the checkbox labeled I agree to the terms and conditions stated above.

  5. Click Purchase to deploy.

Next steps

For more information, go to the related solution in the Azure Marketplace.