Keeping your service provider honest!
We all expect our service providers to do the right thing: abide by contractual terms, provide support when they are meant to and be available when needed.
However, that doesn't always happen, so how do you keep your provider on the hook if things do go awry?
In this example I'll look at Mimecast and explore what options are available.
Mimecast
If you are not already collecting your logs from Mimecast and feeding them to your SIEM then you should start now. Mimecast has a variety of different logs that provide insights into not just the emails processed into and out of your organisation but configuration changes by your team and Mimecast support too.
In this example I'll walk you through the steps to collect Mimecast support audit logs. To do this you have to query the Mimecast API, which I'll go into shortly.
The "Mimecast access log file" captures events every time a Mimecast support person accesses your portal. Depending on the terms of your contract they should ask for permission every time they want to perform any actions on your portal but the default position is that they don't have to do this.
By observing the events written to the "Mimecast access log" you can tell:
- When an authentication attempt from Mimecast support occurs
- What actions were performed
- When they were performed
- Who performed the action
The Mimecast API
I am going to assume you have read the overview of the Mimecast API and understand how to do the basics in terms of authenticating to your Mimecast portal. The reference section at the end of this blog will provide the articles and steps you will need to take to get started. The following section assumes you have already done this.
To access Mimecast audit events you will need to use the "get-audit-events" endpoint, by sending a POST request to the URI /api/audit/get-audit-events.
The following request headers must be included in the request:
Authorization, x-mc-req-id, x-mc-app-id, x-mc-date
The request body requires as a minimum:
- Start date and time
- End date and time
- Category
For a list of categories you can use the endpoint "get-category" to return a list of categories. To save you time these are the categories available:
- awareness_training_logs
- mimecast_access_logs
- reporting_logs
- account_logs
- policy_logs
- secure_messaging_logs
- journaling_logs
- integrations_and_apis
- archive_service_logs
- case_review_logs
- safe_cloud_threat_protection_logs
- continuity_services_logs
- branding_logs
- authentication_logs
The categories refer to the relevant log you want to query. To identify events from Mimecast support you will need to query the "mimecast_access_logs".
```python
import base64
import hashlib
import hmac
import uuid
import datetime
import requests

# Setup required variables
base_url = "https://au-api.mimecast.com"  # Depending on your region your base URL may be different
uri = "/api/audit/get-audit-events"
url = base_url + uri
access_key = '<ENTER YOUR ACCESS KEY HERE>'
secret_key = '<ENTER YOUR SECRET KEY HERE>'
app_id = "<ENTER YOUR APP ID>"
app_key = "<ENTER YOUR APP KEY>"

# Generate request header values
request_id = str(uuid.uuid4())
hdr_date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S") + " UTC"

# The string that gets signed is hdr_date + ":" + request_id + ":" + uri + ":" + app_key
dataToSign = ':'.join([hdr_date, request_id, uri, app_key])

# Sign it with HMAC-SHA1, keyed with the Base64-decoded secret key
hmac_sha1 = hmac.new(base64.b64decode(secret_key), dataToSign.encode(), digestmod=hashlib.sha1).digest()

# Base64-encode the signature for the Authorization header
sig = base64.b64encode(hmac_sha1).rstrip()

# Create request headers
headers = {
    'Authorization': 'MC ' + access_key + ':' + sig.decode(),
    'x-mc-app-id': app_id,
    'x-mc-date': hdr_date,
    'x-mc-req-id': request_id,
    'Content-Type': 'application/json'
}

payload = {
    'data': [
        {
            'startDateTime': 'ENTER START DATE TIME',  # same format as eventTime in the response, e.g. 2023-03-08T00:00:00+0000
            'endDateTime': 'ENTER END DATE TIME',
            # 'query': '',  # Optional: commented out, but you can filter for specific entries in the log being queried
            'categories': [
                'mimecast_access_logs'  # Enter the log you wish to query here
            ]
        }
    ]
}

# json= serialises the payload as real JSON; str(payload) would send a Python repr, which is not valid JSON
r = requests.post(url=url, headers=headers, json=payload)
print(r.text)
```
What you should see in the response
Once queried you should see a JSON response similar to the below if any events are present in the log. If nothing is returned, there are no events for the date period you are querying.
```
"auditType":"Mimecast Support Login","user":"[email protected]","eventTime":"2023-03-08T22:37:36+0000","eventInfo":"Action Performed - [email protected] logged into this account. by [email protected]\xxxx [email protected]\xxxx Date: 2023-03-09 Time: 09:37:36 +1100 IP: 66.159.210.211 Application: Administration Console","category":"mimecast_access_logs"}],
```
You will need to write a script or small code snippet to access the API. In this example I have used Python, but you could equally achieve the same result using PowerShell, C#, Java or plain HTTP requests. I've included a link below to some sample code, but you will need to update it and provide the correct authorization headers for your environment.
Steps to get the logs into your SIEM
The following steps show you how to get the logs you have retrieved using the call to get-audit-events into Elastic SIEM.
1. Set up a schedule to run your script to pull events from the Mimecast audit logs; I would recommend doing this daily. Write any events captured to a temporary file. Note that your code will have to be adapted to pass the start and end dates into the script and to update them every time it is called.
2. Configure Beats or the new Elastic Agent to read the temporary file created in step 1. Once it has been read, delete the file.
3. Lastly, send these log events to Elastic.
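The three steps above, carried through as an added example (this is not the blog's sample code or Mimecast's): the script computes the start/end window for a scheduled run so that consecutive runs leave no gap, keeps only the events from the "mimecast_access_logs" category, pulls the IP and application out of eventInfo, and writes one JSON object per line to a temporary file for Beats or Elastic Agent to pick up. The date format is assumed to match the eventTime format shown in the response above, the response is a constructed sample in the same shape (not real data), and the ECS-style field names chosen for the output are my own convention.

```python
import datetime
import json
import os
import re
import tempfile

# Assumed: same format as eventTime in the get-audit-events response
MC_TIME_FMT = "%Y-%m-%dT%H:%M:%S+0000"

# Constructed sample response in the shape of get-audit-events output; not real events
SAMPLE_RESPONSE = {
    "data": [
        {
            "auditType": "Mimecast Support Login",
            "user": "support.agent@example.com",
            "eventTime": "2023-03-08T22:37:36+0000",
            "eventInfo": ("Action Performed - support.agent@example.com logged into this account. "
                          "by support.agent@example.com Date: 2023-03-09 Time: 09:37:36 +1100 "
                          "IP: 198.51.100.23 Application: Administration Console"),
            "category": "mimecast_access_logs",
        },
        {
            "auditType": "Policy Updated",
            "user": "admin@example.com",
            "eventTime": "2023-03-08T23:02:10+0000",
            "eventInfo": "Action Performed - Policy 'Blocked Senders' updated. IP: 203.0.113.9 Application: Administration Console",
            "category": "policy_logs",
        },
    ]
}

# Pulls the source IP and application name out of the free-text eventInfo field
INFO_RE = re.compile(r"IP:\s*(?P<ip>[0-9a-fA-F.:]+)\s+Application:\s*(?P<app>.+?)\s*$")


def daily_window(now, last_end=None):
    """Return (startDateTime, endDateTime) for this run.

    If the previous run's end time was persisted, start exactly there so no
    events fall between two runs; otherwise fall back to the last 24 hours.
    """
    start = last_end if last_end is not None else now - datetime.timedelta(days=1)
    return start.strftime(MC_TIME_FMT), now.strftime(MC_TIME_FMT)


def support_events(response):
    """Keep only events recorded in the Mimecast access log, i.e. support activity."""
    return [e for e in response.get("data", []) if e.get("category") == "mimecast_access_logs"]


def normalise_event(ev):
    """Flatten one audit event into an ECS-style record for the SIEM."""
    m = INFO_RE.search(ev.get("eventInfo", ""))
    return {
        "@timestamp": ev["eventTime"],
        "event": {"action": ev["auditType"], "category": ev["category"]},
        "user": {"name": ev["user"]},
        "source": {"ip": m.group("ip") if m else None},
        "mimecast": {"application": m.group("app") if m else None,
                     "event_info": ev.get("eventInfo")},
        "support_access": ev["category"] == "mimecast_access_logs",
    }


def temp_path():
    """A fresh temporary file path for this run's output."""
    return os.path.join(tempfile.mkdtemp(prefix="mimecast-"), "mimecast-audit.ndjson")


def write_ndjson(events, path):
    """Write one JSON object per line (the form Filebeat/Elastic Agent read with
    ndjson parsing). Returns the number of lines written."""
    records = [normalise_event(e) for e in events]
    with open(path, "w", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    return len(records)


def read_ndjson(path):
    """Read the file back (what the shipper would see) and return the records."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    # In a real run the window feeds startDateTime/endDateTime in the API payload,
    # and `response` is the decoded JSON from requests.post(...).
    start, end = daily_window(datetime.datetime.utcnow())
    print("querying", start, "to", end)
    out = temp_path()
    print("wrote", write_ndjson(support_events(SAMPLE_RESPONSE), out), "events to", out)
```

Persist the end time of each run (a small state file is enough) and feed it back as last_end on the next run; the window then starts exactly where the previous one stopped, which is what keeps a daily pull from silently dropping a support login that lands near the boundary.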
That's it!
For more information on the Mimecast API please refer to the below links.