Email is the top initial attack vector, with phishing campaigns responsible for many damaging cyber attacks, including ransomware. Being able to search Mimecast email security logs in CrowdStrike Falcon® LogScale (formerly known as Humio), alongside other log sources such as endpoint, network and authentication data helps cybersecurity teams detect and respond to cyber attacks and mitigate cyber risks.

This integration enables joint customers to detect and respond to email attacks more quickly, mitigating the risk of widespread damage. The integration drives more value for customers by enabling correlation across email and other log sources, and delivers more complete investigations that facilitate fast and targeted remediation.

What is the LogScale and Mimecast integration?

The integration enables joint customers to ingest their Mimecast email security logs into LogScale. Once ingested, customers can view summary dashboards to see trends and high-level information, as well as drill down with flexible searches of the Mimecast data. Complex correlation searches across Mimecast data and other log sources can also be created with LogScale’s query language. Customers can create live searches which trigger alerts when potential malicious activity is observed.

How does the integration work?

Mimecast has developed a LogScale connector which is available for free. The connector pulls logs from the Mimecast service and ingests them into LogScale. The connector works with LogScale SaaS or hybrid deployments.

By installing the accompanying package from the marketplace within the LogScale interface, customers get instant access to a comprehensive set of eight multi-panel dashboards correlating to the different log source types from Mimecast.

How customers benefit

With LogScale’s unlimited price plans and modern architecture that compresses data by up to 80x, many customers can afford to log everything and aren’t forced to make compromises that introduce blindspots and risk.

By ingesting Mimecast logs alongside other log sources, customers can obtain complete visibility across the environment. LogScale customers can get more value from their Mimecast service by taking Mimecast detections of suspicious URLs or attachments and searching for them across the rest of their estate.

Full fidelity cyber investigations enable rapid containment and targeted remediation

LogScale customers can afford to retain their data for longer. This is particularly important with email security logs, as cyber investigations often go back months. Being able to work back to the initial email attack allows you to perform complete, full-fidelity investigations and confidently uncover the full extent of the attack.

Without this access to the logs, many investigations are inconclusive, forcing customers to either adopt a broad remediation plan that is expensive and can impact productivity, or go with a narrower remediation plan that risks leaving the attacker with a presence in their systems.

Extend threat hunting to include email security logs

LogScale’s fast search capabilities and comprehensive query language enable threat hunters to quickly execute queries, including complex correlation searches across multiple data sources. Threat hunters can now include Mimecast email security logs in their analysis and get insight from endpoint and network logs, and correlate these with Mimecast email security logs to get the full picture.

Using the integration

There are numerous ways to get value from your Mimecast email security logs through LogScale. Say, for example, a security investigation is triggered from an endpoint detection that has seen suspicious process activity on a user machine. We’ll assume the endpoint tool can tell us the URL from which the malware was downloaded. If this isn’t the case, it may be necessary to search for network data to link the malicious file seen at the endpoint with a download URL.

By searching the Mimecast logs for that URL, customers can discover if that URL was contained as a link in a phishing email.

To search Mimecast for a certain URL, here’s the LogScale query for an example URL of http[:]//t.mitt.dn.se/r/?id=hda9764d9,6476bff9,6476c038

In this query, we’re limiting the search to the relevant log source (“ttp-url-logs“) for miniscule efficiency gains, but you could also just search for the URL and leave out the first line.

#source = "ttp-url-logs" 
| url = "http://t.mitt.dn.se/r/?id=hda9764d9,6476bff9,6476c038"

From the results, we can pick out key fields such as the @timestamp, subject, from UserEmailAddress, userEmailAddress, sendingIP and messageID too.

A next step may be to investigate whether that IP address has sent other emails that may be from different addresses and with different subject lines, but also contain URLs … and to list those URLs in a table with the below query:

sendingIp= 130.117.8.227 
| top(url)

As shown above, there are six other URLs that may be of concern and it’s probably wise to search for any evidence of connectivity to these URLs across other log sources in LogScale, including endpoint and network data.

Now that you have all the relevant emails, go to the Mimecast console and use the messageID field to find the relevant emails in Mimecast and delete them from the user’s inbox and archive.

Next steps

To get started, visit the marketplace from within the LogScale interface, install the Mimecast package and configure the connector per the instructions.

We’re always looking for feedback. If you have ideas and feedback for enhancements to the Mimecast package in the LogScale marketplace, let us know at humio_packages@crowdstrike.com. Learn more about LogScale at https://www.crowdstrike.com/products/observability/falcon-logscale/