{ "name": "mimecast", "title": "Mimecast", "version": "3.4.1", "release": "ga", "description": "Collect logs from Mimecast with Elastic Agent.", "type": "integration", "download": "/epr/mimecast/mimecast-3.4.1.zip", "path": "/package/mimecast/3.4.1", "icons": [ { "src": "/img/mimecast.svg", "path": "/package/mimecast/3.4.1/img/mimecast.svg", "title": "Sample logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.4 || ~9.0.7 || ^9.1.4" } }, "owner": { "type": "partner", "github": "elastic/security-service-integrations" }, "categories": [ "security", "email_security" ], "signature_path": "/epr/mimecast/mimecast-3.4.1.zip.sig", "format_version": "3.3.2", "readme": "/package/mimecast/3.4.1/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/mimecast.png", "path": "/package/mimecast/3.4.1/img/mimecast.png", "title": "Sample screenshot", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/mimecast/3.4.1/LICENSE.txt", "/package/mimecast/3.4.1/changelog.yml", "/package/mimecast/3.4.1/manifest.yml", "/package/mimecast/3.4.1/validation.yml", "/package/mimecast/3.4.1/docs/README.md", "/package/mimecast/3.4.1/img/mimecast.png", "/package/mimecast/3.4.1/img/mimecast.svg", "/package/mimecast/3.4.1/img/sample-logo.svg", "/package/mimecast/3.4.1/img/sample-screenshot.png", "/package/mimecast/3.4.1/kibana/tags.yml", "/package/mimecast/3.4.1/data_stream/archive_search_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/archive_search_logs/sample_event.json", "/package/mimecast/3.4.1/data_stream/audit_events/manifest.yml", "/package/mimecast/3.4.1/data_stream/audit_events/sample_event.json", "/package/mimecast/3.4.1/data_stream/cloud_integrated_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/cloud_integrated_logs/sample_event.json", "/package/mimecast/3.4.1/data_stream/dlp_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/dlp_logs/sample_event.json", "/package/mimecast/3.4.1/data_stream/message_release_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/message_release_logs/sample_event.json", "/package/mimecast/3.4.1/data_stream/siem_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/siem_logs/sample_event.json", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/manifest.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/sample_event.json", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/manifest.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/sample_event.json", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/sample_event.json", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/sample_event.json", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/manifest.yml", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/sample_event.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-042d5620-5411-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-0ebd21e0-5422-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-6c61f080-541f-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-7790e470-541a-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-87fba310-5413-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-b4585cb0-541c-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-bca36430-540f-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-f22e62f0-5417-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/dashboard/mimecast-f8933590-541b-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/search/mimecast-0d8b0660-3fdd-11ec-8ace-9fcc35bfe253.json", "/package/mimecast/3.4.1/kibana/search/mimecast-96ac7780-541e-11ec-bd43-b5e1f9a9c8d5.json", "/package/mimecast/3.4.1/kibana/search/mimecast-9749a210-3e4a-11ec-80fa-4dfb04910642.json", "/package/mimecast/3.4.1/kibana/search/mimecast-bfb8e8f0-4084-11ec-b8da-95c3fba730d0.json", "/package/mimecast/3.4.1/kibana/search/mimecast-df42cb00-4084-11ec-b8da-95c3fba730d0.json", "/package/mimecast/3.4.1/kibana/search/mimecast-eb3179f0-51ed-11ec-a4ca-b3a74c021655.json", "/package/mimecast/3.4.1/kibana/search/mimecast-fa36c5f0-3fef-11ec-8ace-9fcc35bfe253.json", "/package/mimecast/3.4.1/data_stream/archive_search_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/archive_search_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/archive_search_logs/fields/field.yml", "/package/mimecast/3.4.1/data_stream/audit_events/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/audit_events/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/audit_events/fields/field.yml", "/package/mimecast/3.4.1/data_stream/cloud_integrated_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/cloud_integrated_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/cloud_integrated_logs/fields/field.yml", "/package/mimecast/3.4.1/data_stream/dlp_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/dlp_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/message_release_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/message_release_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/message_release_logs/fields/field.yml", "/package/mimecast/3.4.1/data_stream/siem_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/siem_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/siem_logs/fields/field.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/fields/ecs.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/fields/field.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/fields/ecs.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/fields/field.yml", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/fields/field.yml", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/fields/field.yml", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/fields/agent.yml", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/fields/base-fields.yml", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/fields/field.yml", "/package/mimecast/3.4.1/data_stream/archive_search_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/archive_search_logs/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/archive_search_logs/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/audit_events/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/audit_events/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/cloud_integrated_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/cloud_integrated_logs/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/dlp_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/message_release_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/message_release_logs/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/siem_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/siem_logs/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml", "/package/mimecast/3.4.1/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/agent/stream/cel.yml.hbs", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/agent/stream/httpjson.yml.hbs", "/package/mimecast/3.4.1/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml" ], "policy_templates": [ { "name": "mimecast", "title": "Mimecast", "description": "Collect logs from the Mimecast API with Elastic Agent.", "inputs": [ { "type": "httpjson", "vars": [ { "name": "api_url", "type": "text", "title": "API URL", "description": "API URL.", "multi": false, "required": true, "show_user": false, "default": "https://eu-api.mimecast.com" }, { "name": "app_key", "type": "password", "title": "Application Key for v1 API Endpoints", "description": "Specifies application key for user.", "multi": false, "required": true, "show_user": true }, { "name": "app_id", "type": "password", "title": "Application ID for v1 API Endpoints", "description": "Set the Application Id.", "multi": false, "required": true, "show_user": true }, { "name": "access_key", "type": "password", "title": "Access Key for v1 API Endpoints", "description": "Set Access Key.", "multi": false, "required": true, "show_user": true }, { "name": "secret_key", "type": "password", "title": "Secret Key for v1 API Endpoints", "description": "Set Secret Key.", "multi": false, "required": true, "show_user": true } ], "title": "Mimecast v1 API", "description": "Collect logs from Mimecast API v1 Endpoints" }, { "type": "cel", "vars": [ { "name": "api_url", "type": "text", "title": "API URL", "description": "API URL.", "multi": false, "required": true, "show_user": false, "default": "https://api.services.mimecast.com" }, { "name": "client_id", "type": "text", "title": "Client ID for v2 API Endpoints", "description": "Set Client ID.", "multi": false, "required": true, "show_user": true }, { "name": "client_secret", "type": "password", "title": "Client Secret for v2 API Endpoints", "description": "Set Client Secret.", "multi": false, "required": true, "show_user": true } ], "title": "Mimecast v2 API", "description": "Collect logs from Mimecast API v2 Endpoints" } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "mimecast.archive_search_logs", "title": "Archive Search Mimecast Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-archive-search-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Archive Search Logs", "description": "Collect archive search logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-archive-search-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Archive Search Logs", "description": "Collect archive search logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "archive_search_logs" }, { "type": "logs", "dataset": "mimecast.audit_events", "title": "Audit Events Mimecast Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-audit-events" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Audit Events", "description": "Collect audit events logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-audit-events" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Audit Events", "description": "Collect audit events logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "audit_events" }, { "type": "logs", "dataset": "mimecast.cloud_integrated_logs", "title": "Cloud Integrated Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "types", "type": "text", "title": "Log Types", "description": "Log types to collect.", "multi": true, "required": true, "show_user": true, "default": [ "entities", "mailflow", "urlclick" ] }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-cloud-integrated-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve mimecast SIEM logs fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Cloud Integrated logs", "description": "Collect Cloud Integrated Logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "cloud_integrated_logs" }, { "type": "logs", "dataset": "mimecast.dlp_logs", "title": "DLP Mimecast Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "alerting", "type": "text", "title": "Alert Actions", "multi": true, "required": true, "show_user": true, "default": [ "block" ] }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-dlp-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "DLP Logs", "description": "Collect DLP logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "alerting", "type": "text", "title": "Alert Actions", "description": "The set of DLP actions that should be classified as an alert. Possible values are delete, hold, bouce, smart_folder, disable_smart_folder, content_expire, meta_expire, stationery, disable_stationery, gcc, secure_delivery, delivery_route, document_policy, disable_document_policy, secure_messaging, disable_secure_messaging_policy, attach_set_policy, remove_email, tag, link, block, none, and notification.", "multi": true, "required": true, "show_user": true, "default": [ "block" ] }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-dlp-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "DLP Logs", "description": "Collect DLP logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "dlp_logs" }, { "type": "logs", "dataset": "mimecast.message_release_logs", "title": "Mimecast Message Release", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-message-release-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Message Release Logs", "description": "Collect Message Release Logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "message_release_logs" }, { "type": "logs", "dataset": "mimecast.siem_logs", "title": "SIEM Mimecast Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-siem-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "SIEM logs", "description": "Collect SIEM Logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "types", "type": "text", "title": "Log Types", "description": "Log types to collect.", "multi": true, "required": true, "show_user": true, "default": [ "av", "delivery", "internal email protect", "impersonation protect", "journal", "process", "receipt", "attachment protect", "spam", "url protect" ] }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-siem-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve mimecast SIEM logs fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "SIEM logs", "description": "Collect SIEM Logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "siem_logs" }, { "type": "logs", "dataset": "mimecast.threat_intel_malware_customer", "title": "Threat Intel Feed - Malware Customer", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-threat-intel-feed-malware-customer" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Threat Intel Feed - Malware Customer Logs", "description": "Collect threat intel feed - malware customer logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-threat-intel-feed-malware-customer" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Threat Intel Feed - Malware Customer Logs", "description": "Collect threat intel feed - malware customer logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "threat_intel_malware_customer" }, { "type": "logs", "dataset": "mimecast.threat_intel_malware_grid", "title": "Threat Intel Feed - Malware Grid", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-threat-intel-feed-malware-grid" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Threat Intel Feed - Malware Grid Logs", "description": "Collect threat intel feed - malware grid logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-threat-intel-feed-malware-grid" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Threat Intel Feed - Malware Grid Logs", "description": "Collect threat intel feed - malware grid logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "threat_intel_malware_grid" }, { "type": "logs", "dataset": "mimecast.ttp_ap_logs", "title": "TTP Attachment Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-ttp-ap" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "TTP Attachment Logs", "description": "Collect TTP attachment logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-ttp-ap" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "TTP Attachment Logs", "description": "Collect TTP attachment logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "ttp_ap_logs" }, { "type": "logs", "dataset": "mimecast.ttp_ip_logs", "title": "TTP Impersonation Mimecast Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-ttp-ip" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "TTP Impersonation events", "description": "Collect TTP impersonation logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-ttp-ip" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "TTP Impersonation events", "description": "Collect TTP impersonation logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "ttp_ip_logs" }, { "type": "logs", "dataset": "mimecast.ttp_url_logs", "title": "TTP URL Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-ttp-url" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "TTP URL Logs", "description": "Collect TTP URL logs", "enabled": true, "ingestion_method": "API" }, { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "5m" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": false, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Mimecast API.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "mimecast-ttp-url" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "TTP URL Logs", "description": "Collect TTP URL logs", "enabled": false, "ingestion_method": "API" } ], "package": "mimecast", "path": "ttp_url_logs" } ] }