Supports the following Mimecast endpoints:
- get-siem-logs
- get-audit-events
get-siem-logs provides logging data about messages sent, received and processed. Because of the volume of messages, it is recommended that the following be set in mimecast/Config.py:

```python
# Request compressed (zipped) SIEM log pages instead of plain JSON
self.api_options = {
    'COMPRESSED': True
}
```
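As an added example (not code from this collector or from Mimecast), the following shows how a consumer can turn a compressed get-siem-logs page into the JSON lines a SIEM ingests, while treating the archive as untrusted input (traversal names, oversized members and malformed lines are skipped). It assumes the compressed payload is a zip archive whose members hold one JSON event per line; the sample archive, member names and event fields are constructed.

```python
import io
import json
import zipfile

# Upper bound on the uncompressed size of one archive member (zip-bomb guard).
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def build_sample_archive(extra_member=None):
    """Constructed sample resembling an assumed compressed SIEM payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mta_0.json",
                    '{"acc":"C0A0","Sender":"a@example.com","Act":"Acc"}\n'
                    '{"acc":"C0A0","Sender":"c@example.net","Act":"Rej"}\n'
                    'not json\n')
        zf.writestr("mta_1.json", '{"acc":"C0A0","Sender":"d@example.com","Act":"Acc"}\n')
        if extra_member:  # lets the test add a hostile member name
            zf.writestr(extra_member, '{"acc":"C0A0","Act":"Acc"}\n')
    return buf.getvalue()

def _is_safe_member(info):
    """Reject directory entries, absolute paths, traversal and oversized members."""
    parts = info.filename.replace("\\", "/").split("/")
    if info.is_dir() or info.filename.startswith(("/", "\\")) or ".." in parts:
        return False
    return info.file_size <= MAX_MEMBER_BYTES

def parse_compressed_siem_payload(payload):
    """Yield one dict per JSON line found in the archive's safe members."""
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            if not _is_safe_member(info):
                continue
            with zf.open(info) as fh:
                for raw in fh:
                    line = raw.decode("utf-8", errors="replace").strip()
                    if not line:
                        continue
                    try:
                        yield json.loads(line)
                    except json.JSONDecodeError:
                        continue  # skip a malformed line instead of dropping the page

def to_ndjson(payload):
    """Return (events, ndjson_text) ready to write to the local log directory."""
    events = list(parse_compressed_siem_payload(payload))
    return events, "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)
```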
get-audit-events provides logging data about administrative actions within Mimecast.
https://www.mimecast.com/tech-connect/documentation/endpoint-reference/
- Edit `Config.py` to change the Mimecast API details and select the appropriate requirements. The auth creds are required (you will need to generate an API user via the console) - https://www.mimecast.com/tech-connect/documentation - The script will automatically create the directories defined in `Config.py` for hashing / logging.
- Run `run.py` to start ingesting - the program is threaded, so each source configured in `Config.py` will run simultaneously.
Audit and SIEM events are written locally, sent to AWS S3, and then removed from local storage.
You can use a SIEM product to ingest these events easily (since they are JSON). Examples include SIEM Monster, Splunk, ManageEngine, ELK, QRadar, etc.
Connectivity / SSL issues when connecting to the Mimecast API: https://stackoverflow.com/questions/56858075/pulling-mimecast-logs-with-python
If you are experiencing high CPU usage, increase the interval time in `Config.py` until the issue no longer occurs.
Forked from https://github.com/JoshuaSmeda/mimecast_log_collector