MENU
      Contents x
      Mimecast
      • 12 Jun 2025
      • 3 Minutes to read
      • Print
      • Dark
      Contents

      Mimecast

      • Updated on 12 Jun 2025
      • 3 Minutes to read
      • Print
      • Dark
      Article summary

      Overview

      This Adapter allows you to connect to the Mimecast API to stream audit events as they happen.

      Deployment Configurations

      All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

      • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
      • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
      • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
      • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

      Adapter-specific Options

      Adapter Type: mimecast

      • client_id: your Mimecast client ID

      • client_secret: your Mimecast client secret

      CLI Deployment

      Adapter downloads can be found here.

      chmod +x /path/to/lc_adapter

/path/to/lc_adapter mimecast client_options.identity.installation_key=$INSTALLATION_KEY \
client_options.identity.oid=$OID \
client_options.platform=json \
client_options.sensor_seed_key=$SENSOR_NAME \
client_options.hostname=$SENSOR_NAME \
client_options.mappings.event_type_path=category \
client_id=$CLIENT_ID client_secret=$CLIENT_SECRET
      Bash

      Infrastructure as Code Deployment

      # Mimecast Specific Docs: https://docs.limacharlie.io/docs/adapter-types-mimecast

sensor_type: "mimecast"
mimecast:
  # These are credentials for a Mimecast API application.
  client_id: "YOUR_MIMECAST_APPLICATION_ID" # (required) Your Mimecast Application ID.
  client_secret: "YOUR_MIMECAST_APPLICATION_KEY" # (required) Your Mimecast Application Key (this is often referred to as client secret in OAuth terms). Store securely.
  # Note: The LimaCharlie Mimecast adapter also requires 'app_key', 'access_key', and 'secret_key' which are different from client_id/client_secret and are obtained from Mimecast for API access.
  # Your YAML structure only has client_id and client_secret. The LC docs imply a more complex auth setup.
  # Assuming client_id and client_secret are part of a new OAuth flow, or you might need to add other Mimecast-specific auth fields like 'app_key', 'access_key', 'secret_key' if using their older API auth.
  # For the purpose of this example, I will assume client_id and client_secret are the primary needs based on your YAML structure,
  # but you should verify the exact authentication fields required by the LimaCharlie Mimecast adapter version you are using.
  client_options:
    identity:
      oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
      installation_key: "YOUR_LC_INSTALLATION_KEY_MIMECAST" # (required) Installation key associated with the OID.
    hostname: "mimecast-logs-adapter-prod-01.example.com" # (required if not using sensor_hostname_path)
    platform: "saas_api_mimecast" # (required) Indicates the source is the Mimecast API.
    architecture: null # (optional) Not typically applicable for SaaS API.
    mapping:
      # Mimecast API returns JSON (e.g., for TTP URL logs, MTA logs). parsing_re is usually null.
      parsing_re: null
      # (optional) Path to uniquely ID the original Mimecast log entry. This varies by Mimecast log type (e.g., 'id' for some, 'dir' for TTP).
      sensor_key_path: "id" # Or "dir" for TTP URL logs, "messageId" for email logs.
      sensor_hostname_path: null # (optional)
      # (optional) Example: "MIMECAST_TTP_URL_CLICK", "MIMECAST_EMAIL_DELIVERY_REJECTED". Based on Mimecast log fields.
      event_type_path: "MIMECAST_{{ .type | token | upper | default \"LOG\" }}_{{ .action | token | upper | default \"INFO\" }}" # Assuming 'type' and 'action' fields in Mimecast data.
      # (optional) JSON path to the event's occurrence time. Mimecast uses various timestamp fields like 'eventTime', 'received', 'processedTime'.
      event_time_path: "eventTime" # Or 'datetimeProcessed' etc.
      investigation_id_path: "messageId" # (optional) Example: using a message ID for correlation.
      transform:
        "+email_security_vendor": "Mimecast"
        "+sender_address": "{{ .sender }}"
        "+recipient_address": "{{ .recipient }}"
        "+mimecast_policy_action": "{{ .policy.action }}"
        "-internal_mimecast_tracking_id": null
      drop_fields:
      - "route.details_verbose"
      - "header.x_mimecast_internal_flags"
      sid_replication_path: null # (optional)
    # mappings: null
    indexing:
      enabled: true
      default_index: "mimecast-logs-{{ .identity.oid | substr 0 8 }}"
    is_compressed: false # (optional)
    sensor_seed_key: "SEED_KEY_MIMECAST_ADAPTER_001" # (required)
    dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
      YAML

      API Doc

      See the official documentation.

      Was this article helpful?
      Related articles
      What's Next