Mimecast_Elastic integration

packages/mimecast/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@1.12

packages/mimecast/_dev/build/docs/README.md

@@ -0,0 +1,69 @@
+# Mimecast Integration
+
+The Mimecast integration collects events from the Mimecast API.
+
+## Logs
+
+### AUDIT EVENTS
+
+This is the `mimecast.audit_events` dataset.
+
+{{event "audit_events"}}
+
+{{fields "audit_events"}}
+
+### DLP LOGS
+
+This is the `mimecast.dlp_logs` dataset.
+
+{{event "dlp_logs"}}
+
+{{fields "dlp_logs"}}
+
+### SIEM LOGS
+
+This is the `mimecast.siem_logs` dataset.
+
+{{event "siem_logs"}}
+
+{{fields "siem_logs"}}
+
+### TTP IMPERSONATION LOGS
+
+This is the `mimecast.ttp_ip_logs` dataset.
+
+{{event "ttp_ip_logs"}}
+
+{{fields "ttp_ip_logs"}}
+
+### TTP ATTACHMENT LOGS
+
+This is the `mimecast.ttp_ap_logs` dataset.
+
+{{event "ttp_ap_logs"}}
+
+{{fields "ttp_ap_logs"}}
+
+### TTP URL LOGS
+
+This is the `mimecast.ttp_url_logs` dataset.
+
+{{event "ttp_url_logs"}}
+
+{{fields "ttp_url_logs"}}
+
+### THREAT INTEL FEED MALWARE CUSTOMER
+
+This is the `mimecast.threat_intel_malware_customer` dataset.
+
+{{event "threat_intel_malware_customer"}}
+
+{{fields "threat_intel_malware_customer"}}
+
+### THREAT INTEL FEED MALWARE GRID
+
+This is the `mimecast.threat_intel_malware_grid` dataset.
+
+{{event "threat_intel_malware_grid"}}
+
+{{fields "threat_intel_malware_grid"}}

packages/mimecast/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,14 @@
+version: '2.3'
+services:
+ mimecast:
+ image: docker.elastic.co/observability/stream:v0.6.1
+ ports:
+ - 8080
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: 8080
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/files/config.yml

packages/mimecast/changelog.yml

@@ -0,0 +1,7 @@
+# newer versions go on top
+
+- version: "0.0.1"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2157

packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log

@@ -0,0 +1,25 @@
+{"auditType":"Threat Intel Feed Download","category":"reporting_logs","eventInfo":"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 8.8.8.8, Application: Integrations","eventTime":"2021-10-18T08:45:02+0000","id":"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48","user":"johndoe@example.com"}
+{"id": "eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70","auditType": "Threat Intel Feed Download","user": "johndoe@example","eventTime": "2021-10-10T22:51:57+0000","eventInfo": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 8.8.8.8, Application: Azure Sentinel","category": "reporting_logs"}
+{"id": "eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A","auditType": "User Logged On","user": "johndoe@example.com","eventTime": "2021-10-11T17:17:30+0000","eventInfo": "Successful authentication for johndoe@example.com <John Doe>, Date: 2021-10-11, Time: 18:17:30 BST, IP: 8.8.8.8, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP","category": "authentication_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60","auditType":"Logon Requires Challenge","user":"johndoe@example.com","eventTime":"2021-10-11T17:17:26+0000","eventInfo":"Intermediate authentication for johndoe@example.com <John Doe>, Date: 2021-10-11, Time: 18:17:26 BST, IP: 8.8.8.8, Application: Administration Console, Method: Office 365, 2FA: TOTP","category":"authentication_logs"}
+{ "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", "auditType": "User Logged On", "user": "johndoe@example.com", "eventTime": "2021-10-11T16:03:38+0000", "eventInfo": "Successful authentication for johndoe@example.com <John Doe>, Date: 2021-10-11, Time: 17:03:38 BST, IP: 8.8.8.8, Application: Administration Console, Method: Cloud", "category": "authentication_logs"}
+{ "id": "eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu", "auditType": "Mimecast Support Login", "user": "johdoe@example.local", "eventTime": "2021-10-11T15:39:17+0000", "eventInfo": "Action Performed - johdoe@example.local logged into this account. by johdoe@example.local<johdoe@example.local> Date: 2021-10-11 Time: 16:39:17 +0100 IP: 8.8.8.8 Application: Administration Console", "category": "mimecast_access_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK","auditType":"Mimecast Support Login","user":"johndoe@example.local","eventTime":"2021-10-19T11:46:40+0000","eventInfo":"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local<johdoe@example.local> Date: 2021-10-19 Time: 12:46:40 +0100 IP: 8.8.8.8 Application: Administration Console","category":"mimecast_access_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8","auditType":"Message Action","user":"johndoe@example.com","eventTime":"2021-10-11T15:36:01+0000","eventInfo":"Viewed Message - Source: Search, From: <John Done> johndoe@example.com, To: <johndoe@example.com> johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw","auditType":"Search Action","user":"johndoe@example.com","eventTime":"2021-10-11T15:35:53+0000","eventInfo":"Executed Search - Source: Search, Search Criteria: {\"keywords\":\"test\",\"mailboxes\":[\"johndoe@example.com\"],\"route\":\"ALL\",\"start\":\"2021-04-11T16:34:45+0100\",\"end\":\"2021-10-11T16:34:45+0100\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-11T14:46:10+0000","eventInfo":"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 8.8.8.8 application : LFS","category":"authentication_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys","auditType":"Completed Directory Sync","user":"","eventTime":"2021-10-11T13:21:06+0000","eventInfo":"No changes found.","category":"account_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo","auditType":"Case Action","user":"johndoe@example.com","eventTime":"2021-10-12T09:19:53+0000","eventInfo":"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com <John Doe>, Date: 2021-10-12, Time: 09:47:55 BST, IP: 8.8.8.8, Application: mimecast-moa, Method: Office 365, Reason: Wrong password","category":"authentication_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w","auditType":"Existing Archive Task Changed","user":"johdoe@example.com","eventTime":"2021-10-12T08:47:54+0000","eventInfo":"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"}
+{"id":"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM","auditType":"Connectors Management","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:53+0000","eventInfo":"Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 8.8.8.8, Application: Administration Console","category":"integrations_and_apis"}
+{"id":"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U","auditType":"Page Data Exports","user":"johndoe@example.com","eventTime":"2021-10-12T02:27:18+0000","eventInfo":"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :8.8.8.8,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 8.8.8.8, Application: mimecast-matfe","category":"account_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF","auditType":"Custom Report Definition Created","user":"johndoe@example.local","eventTime":"2021-10-11T19:53:41+0000","eventInfo":"Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local<johndoe@example.local> Date: 2021-10-11 Time: 20:53:41 +0100 IP: 8.8.8.8 Application: Administration Console","category":"reporting_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh","auditType":"Folder Log Entry","user":"johndoe@example.com","eventTime":"2021-10-11T18:23:10+0000","eventInfo":"Action Performed - Deleted New Folder by johndoe@example.com<John Doe> Date: 2021-10-11 Time: 19:23:10 +0100 IP: 8.8.8.8 Application: Administration Console","category":"profile_group_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR","auditType":"User Password Changed","user":"johndoe@example.com","eventTime":"2021-10-12T19:56:55+0000","eventInfo":"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null","category":"user_account_and_role_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T19:49:30+0000","eventInfo":"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\"fileHash\":\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\",\"start\":\"2021-09-12T19:48:59+0000\",\"end\":\"2021-10-12T19:48:59+0000\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 8.8.8.8, Application: Administration Console","category":"account_logs"}
+{"id":"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw","auditType":"Archive Mailbox Restore","user":"johndoe@example.com","eventTime":"2021-10-12T19:20:01+0000","eventInfo":"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84","auditType":"Archive Mailbox Restore","user":"johndoejr@example.com","eventTime":"2021-10-12T18:19:33+0000","eventInfo":"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0","auditType":"Archive Mailbox Export Download","user":"johndoe@example.com","eventTime":"2021-10-12T17:55:14+0000","eventInfo":"Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul","auditType":"Review Set Action","user":"johndoe@example.com","eventTime":"2021-10-12T17:07:00+0000","eventInfo":"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"}
+{"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 8.8.8.8, Application: Administration Console","category":"account_logs"}