Overview

Details

Cyberattacks can come from many different vectors, but they most commonly arrive via email. By using email to conduct phishing, business email compromise (BEC) attacks, brand impersonation and more, attackers leverage an organization’s weakest security link — its people — to wreak havoc. As a result, email is the No. 1 attack vector for security teams to secure.

By integrating Mimecast with Splunk, security teams can leverage advanced threat detection, enhanced investigation, and faster response to increase their overall level of protection through proactive actions that identify at-risk users and devices. Together, the platforms share high-fidelity indicators to help analysts quickly and accurately identify the root cause of an attack and remediate the threat. This helps security teams ward against initial infection and lateral spread that can lead to downtime, ransom demands, lost data, and stolen passwords.

Splunk can ingest Mimecast logs, along with other security tools, to obtain complete visibility across environments. Out-of-the-box detection templates created by Mimecast’s team of security experts based on known threats, common attack vectors and suspicious activity reduce detection times to make analysts aware of a threat the moment it occurs.

Mimecast regional threat intelligence data can power analytics to generate actionable alerts and incidents, allowing security teams to easily investigate and triage incidents based on the severity and status of detected threats. Additionally, Mimecast provides a Splunk SOAR application as well as a comprehensive Application Programming Interface (API) to make it easy for the platform to be integrated with Splunk’s leading security orchestration, automation, and response (SOAR) for efficient, automated response actions.

Installation Guide: https://community.mimecast.com/s/article/api-and-integration-mimecast-for-splunk

Overview

Email continues to be the most widely used attack vector. Data sourced from email activity and attacks is high value
Impersonation Protect Dashboard

The Impersonation Protect dashboard gives you an at-a-glance view of the types of phishing techniques targeting your organization and who is most at risk.

Attachment Protect Dashboard

Use the Attachment Protect Dashboard to view and investigate targeted malware attacks detected by Mimecast.

URL Protect Dashboard

Use the URL Protect Dashboard to gain insights into malicous or suspicious links clicked in emails.

Key Capabilities and Benefits

● Threat correlation: Identify initial attack deployment methodology, characteristics, and subsequent access attempts without the need for manual effort or multiple toolsets.
● Advanced threat detection: Improve your organization’s security posture and detect threats by augmenting email perimeter defense with user and entity behavior analytics.
● Lateral movement detection: Detect and follow attackers even as they switch IP addresses, devices, or credentials.
● Alert prioritization: Increase efficiency and effectiveness by prioritizing the most pressing threats.
● Threat intelligence: Understand how your organization has been targeted and what attacks have been blocked for better protection at the email perimeter, inside the network and beyond its perimeter.
● Threat investigation: Analyze activity events before and after an attack across the entire attack chain to enhance analyst productivity and repair vulnerabilities.

Solution Overview

Mimecast logs event activity in real time. This includes email receipt, processing and delivery, and employees clicking on links within an email.
The events are then made available for integration into 3rd party systems via a REST API using industry standard JSON or pipe delimited, key-value pair formats.
Log collection is achieved using modular inputs. For the greatest flexibility, each log type is separated into its own input, allowing you to choose what data you want to ingest.
With modular inputs successfully configured, data is immediately ingested and indexed by Splunk Enterprise. Once indexed, data is searchable and displayed in the app's built in dashboards.

Useful links

Mimecast Tech Connect
for the security operations team, enhancing the benefits of your Splunk Enterprise investment.

Correlate security events detected by Mimecast Targeted Threat Protection and the Secure Email Gateway with other security systems connected to Splunk Enterprise – helping security analysts detect incidents and attacks quickly and accurately.

High Value Data

Add high value email security data to Splunk Enterprise to help investigate and detect threats quickly and accuratley.

Installation Guide

Release Notes

Version 5.3.0

Feb. 6, 2025

· Migrated Add-On for Splunk with AOB version 4.3.0
· Updated Python SDK version to 2.1.0
· Updated data ingestion logic for the "actions" field for TTP URL data.
· Fixed auto datetime parsing issue
· Fixed extractions issue to support special characters in the data

Version 5.2.0

Sept. 18, 2024

Added compatibility with Splunk 9.3

Version 5.1.0

July 9, 2024

Added a new input "Mimecast Awareness Training"
Added new dashboard "Awareness Training"

Version 5.0.0

June 4, 2024

Migrated the endpoints to API v2
Revamp the Inputs and Accounts page
Moved 'Account Code' and 'Base URL' from Input page to Account Page.
Removed 'Application ID', 'Access Key' and 'Secret Key' fields from Account page.
Added 'Client ID' and 'Client Secret' fields for API v2 on the Account page.
Introduced a new input: "Mimecast SIEM - Cloud Integrated".
Introduced a new dashboard: "Email Activity Summary - Cloud Integrated" under Email Activity tab.
Resolved parsing issue for events with equal sign and new line characters.

Version 4.2.0

Jan. 3, 2024

Upgraded Add-on Builder framework version to v4.1.4

Version 4.1.1

May 9, 2022

Missing Mimecast icons and logo have been added back

Please see the full list of changes, enhancements and fixes via the below link.

https://community.mimecast.com/s/article/Mimecast-for-Splunk-Release-Notes

Version 4.1.0

April 20, 2022

Minor bug fixes for dashboard widgets
Updated app to be compatible with Addon Builder 4.1.0
XML versions added to dashboards to address jquery vulnerability

Please see the full list of changes, enhancements and fixes via the below link.

https://community.mimecast.com/s/article/Mimecast-for-Splunk-Release-Notes

8,926

Downloads

Share Subscribe

Version

Built by

Mimecast Services Ltd

Support

Developer Supported

Contact Developer Questions on Splunk Answers Flag as inappropriate

Compatibility

This version of the app (5.2.0) is not available for Splunk Cloud. However, version 5.3.0 of this app is available for Splunk Cloud.

This version of the app (5.1.0) is not available for Splunk Cloud. However, version 5.3.0 of this app is available for Splunk Cloud.

This version of the app (5.0.0) is not available for Splunk Cloud. However, version 5.3.0 of this app is available for Splunk Cloud.

This version of the app (4.2.0) is not available for Splunk Cloud. However, version 5.3.0 of this app is available for Splunk Cloud.

This version of the app (4.1.1) is not available for Splunk Cloud. However, version 5.3.0 of this app is available for Splunk Cloud.

This version of the app (4.1.0) is not available for Splunk Cloud. However, version 5.3.0 of this app is available for Splunk Cloud.

Products: Splunk Enterprise, Splunk Cloud

Products: Splunk Enterprise

Splunk Versions: 9.4, 9.3, 9.2, 9.1