Mimecast Plugin for Threat Exchange

Mimecast Plugin for Threat Exchange

This document explains how to configure the Mimecast plugin with the Threat Exchange module in the Netskope Cloud Exchange platform. This plugin fetches URL, SHA256, and MD5 and pushes the same to the Mimecast platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Secure Web Gateway license.
  • A Threat Protection license for malicious file hash sharing.
  • File Profile configured on your Netskope tenant.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Mimecast account with a Bring Your Own Threat Intelligence (BYOTI) package for file hash sharing.
CE Version Compatibility

This plugin is compatible with Netskope CE v4.2.0, v5.0.0.

Plugin Scope

The Mimecast plugin fetches IOCs of the type of URL, and MD5, SHA256 from the Mimecast platform. This plugin does support the sharing of indicators. You need the Base URL, Application ID, Application Key, and Access Key & Secret Key to access the plugin.

Mimecast Plugin Support

Fetched indicator types URL, MD5, SHA256
Shared indicator types URL, MD5, SHA256
Mappings
Mappings for Pull (Netskope field – Mimecast fields)
Netskope CE Field Mimecast Field
value value
type type
Comment Sent from <SenderAddress>
Mappings for Push (Hashes)
Netskope CE Field Mimecast Field
value value
type type
provider NetskopeCE
description comments (only of length of comment is less than or 20)
operation_type BLOCK/ALLOW/DELETE
Mappings for Push (URLs)
Netskope CE Field Mimecast Field
value value
action BLOCK/DELETE
Permissions
  • Threat Intel feature access
  • Administration Console access
  • Permission to Create a User
  • Permission to add created user to Basic Administrator Role
  • Subscription to Bring Your Own Threat Intelligence (BYOTI) package for file hash sharing.
API Details
List of APIs Used
API Endpoint Method Use Case
/api/account/get-account POST Validate Credentials
/api/ttp/threat-intel/get-feed POST Fetch Hashes (MD5 and SHA256)
/api/ttp/url/get-logs POST Fetch URLs
/api/ttp/url/decode-url POST Decode the URLs fetched form Mimecast
/api/byo-threat-intelligence/create-batch POST Push Hashes (MD5 and SHA256)
/api/ttp/url/create-managed-url POST Push URLs
Validate Credentials (Get Account)

API Endpoint: /api/account/get-account
Method: POST
Parameters: NA
Headers:
Authorization: MC <Access Key>:<Decoded Signature>
x-mc-app-id: <Application ID>
x-mc-date: <Request Datetime>
x-mc-req-id: <Unique UID>
Content-Type: application/json
Note: Signature for the request is created using the following hmac package of python:

hmac_sha1 = hmac.new(
                base64.b64decode(configuration.get("secret_key")),
                ":".join(
                    [
                        request_datetime,
                        request_id,
                        endpoint,
                        configuration.get("app_key"),
                    ]
                ).encode("utf-8"),
                digestmod=hashlib.sha1,
            ).digest()

sig = base64.b64encode(hmac_sha1).rstrip()

API Request Endpoint: https://us-api.mimecast.com/api/account/get-account

Sample API Response:

{
   "meta":{
      "status":200
   },
   "data":[
      {
         "region":"us",
         "archive":false,
         "gateway":true,
         "passphrase":"",
         "supportCode":"9209",
         "maxRetention":30,
         "maxRetentionConfirmed":true,
         "minRetentionEnabled":false,
         "automatedSegmentPurge":true,
         "type":"full",
         "policyInheritance":false,
         "databaseCode":"usterm9",
         "searchReason":false,
         "contentAdministratorDefaultView":"Metadata",
         "adminSessionTimeout":720,
         "exportApi":false,
         "exgestAllowQuery":false,
         "exgestAllowExtraction":true,
         "expressAccount":false,
         "cybergraphV2Enabled":false,
         "accountCode":"CUSA89A375",
         "accountName":"POC - API Alliance - Netskope, Inc. (1)",
         "adminEmail":"",
         "contactEmail":"gjenkins@netskope.com",
         "domain":"",
         "userCount":10,
         "umbrellaAccounts":[
            "CUSA122A110,CUSA131A2,CUSA133A2,CUSA42A10,CUSA71A138"
         ],
         "mimecastId":"01-0089-00375",
         "contactName":"Gary Jenkins",
         "telephone":"858-761-5586",
         "packages":[
            "Email Encryption and Privacy (Site) [1023]",
            "Internal Email Protect [1064]",
            "Threat Intelligence [1077]",
            "Stationery 1.0 (Site) [1042]",
            "Threat Remediation [1075]",
            "Desktop Apps - Mac (Pro) [1051]",
            "Auto Responders (Site) [1005]",
            "URL Protection (Site) [1043]",
            "Enhanced Logging [1061]",
            "Content Control and Data Leak Prevention (Pro) [1015]",
            "Attachment Protection (Site) [1056]",
            "Secure Email Gateway (Site) [1039]",
            "Mimecast Platform [1033]",
            "Mobile Apps (Pro) [1036]",
            "Content Control and Data Leak Prevention (Site) [1013]",
            "Message Recovery Service - User [1058]",
            "Branding [1003]",
            "Advanced MTA (Site) [1002]",
            "Message Recovery Service (Site) [1031]",
            "Mimecast Mobile Pro (Pro) [1055]",
            "BYO: Threat Intelligence [1089]",
            "Impersonation Protection [1060]",
            "Metadata Track and Trace (Site) [1032]",
            "Attachment Protection (Pro) [1059]",
            "Desktop Apps - Outlook (Pro) [1016]",
            "Awareness Training [1078]",
            "Configuration Backup & Restore [1106]",
            "Attachment Management (Site) [1004]"
         ]
      }
   ],
   "fail":[]
}
Fetch Hashes (MD5 and SHA256)

API Endpoint: /api/ttp/threat-intel/get-feed
Method: POST
Headers:
Authorization: MC <Access Key>:<Decoded Signature>
x-mc-app-id: <Application ID>
x-mc-date: <Request Datetime>
x-mc-req-id: <Unique UID>
Content-Type: application/json
JSON Parameters:

{
            "data": [
                {
                    "fileType": "csv",
                    "start": <start datetime="">,
                    "feedType": “malware_customer”/”malware_grid”,
                }
            ]
        }

API Request Endpoint: https://us-api.mimecast.com/api/ttp/threat-intel/get-feed
Sample API Response for Malware Customer:

{'key': '0', 'FileMimeType': '', 'FileName': '', 'FileSize': '', 'MD5': '', 'Observations': '1', 'RecipientAddress': 'vkaminski@concept-variety.b41.one', 'Route': 'Out', 'SHA1': '', 'SHA256': '22a65c438289353d96c707cf55e26be723e3157f0aa0**************bab0', 'SenderAddress': 'vince.kaminski@demo-int.netskope-1.mime-api.com', 'SenderDomain': 'demo-int.netskope-1.mime-api.com', 'SendingIP': '54.236.186.184', 'Timestamp': '2024-01-03T03:50:22.327Z'}

Sample API Response for Malware Grid:

{'key': '377', 'FileMimeType': '', 'FileName': '', 'FileSize': '', 'MD5': '', 'Observations': '1', 'RecipientAddress': '', 'Route': 'In', 'SHA1': '', 'SHA256': '408b7178b0549939fb5a65dbec709e651dbc4797be074e8d80c*********a', 'SenderAddress': 'null', 'SenderDomain': 'null', 'SendingIP': '61.86.246.25', 'Timestamp': '2024-01-03T04:00:00.876Z'}
{'key': '376', 'FileMimeType': '', 'FileName': '', 'FileSize': '', 'MD5': '', 'Observations': '1', 'RecipientAddress': '', 'Route': 'In', 'SHA1': '', 'SHA256': 'cbb9a74934c9eed7695a40b14699c7963e13e360c54e7ad**********988626d', 'SenderAddress': 'null', 'SenderDomain': 'null', 'SendingIP': '61.86.246.25', 'Timestamp': '2024-01-03T03:59:58.246Z'}
Fetch URLs

API Endpoint: /api/ttp/url/get-logs
Method: POST
Headers:
Authorization: MC <Access Key>:<Decoded Signature>
x-mc-app-id: <Application ID>
x-mc-date: <Request Datetime>
x-mc-req-id: <Unique UID>
Content-Type: application/json
JSON Parameters:

{
            "meta": {
                "pagination": {
                    "pageSize":500,
                    "pageToken":<page token="">,
                }
            },
            "data": [
                {
                    "from": <date time="">,
                    "scanResult": "malicious"
                }
            ],
        }

API Request Endpoint: https://us-api.mimecast.com/api/ttp/url/get-logs
Sample API Response:

{
   "meta":{
      "pagination":{
         "pageSize":17,
         "totalCount":117,
         "previous":"eNqNkstugzAURP_FaxaGhKiN1EVKADni0QTEwzswqIHgEGETAlX_vTfdNRFSF17YPp65Gs8XumSfpaimsirQWsVYQZeuvFZtLz7gAq1l15cKklzeOdmeyjNao3LctfnCw6FGOdMizEaygjOVLQ4N41h3ws3gB7rKRl1msdqkmjUVhi7SeFn5tak7Brm5xvK-JrdaLvyArFxjqIrEwzTZST_Ag7slfZG4fR43ksbekS32fW5bPalbeP_Xy5v1SgU5R1NhR2MenqS73UwO7B2uXvI4qlPwc_jtmFfgH-4fWHOYZ81HXe3_upvlPLt5ZPEc6z_lxebyunlPrDnLumcMM7wfqRaZNHnHmfE71wCZD2lcNCF_gVwJMN6VnQ8TqS85_D3P4khQYAn3RBZ7XWSDdgAct6ZUi3pqNz2FnlBuCejMa5LgN6Sga9mJqoVSqQrqStZ2hZBZJ-9txN8_-HTmhg"
      },
      "status":200
   },
   "data":[
      {
         "clickLogs":[
            {
               "userEmailAddress":"jennifer.thome@demo-int.netskope-1.mime-api.com",
               "fromUserEmailAddress":"sgovenar@pilot-meadow.b41.one",
               "url":"http://info.sen.ca.gov/pub/bill/sen/sb_0001-0050/sbx1_1_bill_20010503_amended_",
               "ttpDefinition":"Default Inbound URL Protect Definition",
               "subject":"SBX 1 - Windfall Profits Tax",
               "action":"allow",
               "adminOverride":"N/A",
               "userOverride":"None",
               "scanResult":"clean",
               "category":"Government",
               "sendingIp":"34.235.45.235",
               "userAwarenessAction":"N/A",
               "date":"2024-01-03T09:56:19+0000",
               "actions":"Allow",
               "route":"inbound",
               "creationMethod":"User Click",
               "emailPartsDescription":[
                  "Body"
               ],
               "messageId":"<59bf9d1e31f1f467-170155@hapi.b41.one>"
            }
         ]
      }
   ],
   "fail":[
      
   ]
}
Decode URLs

API Endpoint: /api/ttp/url/decode-url
Method: POST
Headers:
Authorization: MC <Access Key>:<Decoded Signature>
x-mc-app-id: <Application ID>
x-mc-date: <Request Datetime>
x-mc-req-id: <Unique UID>
Content-Type: application/json
JSON Parameters:

{
            "Data": [{'url': ' '}, {'url': 'http://www.discovery.org/'}, {'url': 'http://news.joc.com/cgi-bin7/flo?y=eDTK0BejkZ0n50RHc0Ay'}, {'url': 'http://www.theknot.com/weddingwebpage'}, {'url': 'www.energy.ca.gov/sitingcases/elsegundo'}, {'url': 'http://www-rci.rutgers.edu/~crri'}, {'url': 'http://www-rci.rutgers.edu/~crri'}]
}

API Request Endpoint: https://us-api.mimecast.com/api/ttp/url/decode-url
Sample API Response:

{
   "meta":{
      "status":200
   },
   "data":[
      {
         "url":"http://www.zdnetonebox.com",
         "success":true
      },
      {
         "url":"http://www.chilliman.com/beer_labels_frame.htm",
         "success":true
      },
      {
         "url":"http://www.theleadingedge.org/2000/index.html",
         "success":true
      },
      {
         "url":"http://www.mccutchen.com",
         "success":true
      },
      {
         "url":"http://www.mccutchen.com",
         "success":true
      },
      {
         "url":"http://www.mccutchen.com",
         "success":true
      },
      {
         "url":"http://www.mccutchen.com",
         "success":true
      },
      {
         "url":"http://4.36.215.157/cgi-bin/wc.dll?ViewPosting~_0E70YLGZ4",
         "success":true
      }
   ],
   "fail":[
      
   ]
}
Push Hashes

API Endpoint: /api/byo-threat-intelligence/create-batchl
Method: POST
Headers:
Authorization: MC <Access Key>:<Decoded Signature>
x-mc-app-id: <Application ID>
x-mc-date: <Request Datetime>
x-mc-req-id: <Unique UID>
Content-Type: application/json
JSON Parameters:

{
  'data': [
    {
      'operationType': 'BLOCK',
      'hashList': {
            'provider': 'netskopece',
            'description': 'Morris worm',
            'hash': uuid.uuid4().hex
        }
    }
  ]
}

API Request Endpoint: https://us-api.mimecast.com/api/ttp/url/decode-url
Sample API Response:

{
   "meta":{
      "status":200
   },
   "data":[
      {
                  "hash":"336758686847842902792184162531898821651",
                  "provider":"netskopece",
                  "description":"Morris worm"
               }
   ],
   "fail":[
      {
         "key":{
            "operationType":"BLOCK",
            "hashList":[
               {
                  "hash":"302657215409125492477752441864219742073",
                  "provider":"netskopece",
                  "description":"Morris worm"
               }
         ]
      }
   ]
}

Push URLs

API Endpoint: /api/ttp/url/decode-url
Method: POST
Headers:
Authorization: MC <Access Key>:<Decoded Signature>
x-mc-app-id: <Application ID>
x-mc-date: <Request Datetime>
x-mc-req-id: <Unique UID>
Content-Type: application/json
JSON Parameters:

{
        'data':
        [
            {
                'action': 'permit',
                'url': 'https://www.Testnetskopedemo123tanushree.com',
            }
        ]
    }

API Request Endpoint: https://us-api.mimecast.com/api/ttp/url/decode-url
Sample API Response:

{
   "meta":{
      "status":200
   },
   "data":[
      {
         "id":"wOi3MCwjYFYhZfkYlp2RMKIAOwgBXweUUcu0eTwirzBO48Dj4FQ1bYgyujdIycvnhs46b9-0vh0xDxViOhQKzLFxU9-cJYqLOV7TyQizkIJRaxOE0x9IT9PFiD1mEL4W",
         "scheme":"https",
         "domain":"www.testnetskopedemo123tanushree.com",
         "port":-1,
         "path":"",
         "queryString":"",
         "matchType":"explicit",
         "action":"permit",
         "comment":"",
         "disableUserAwareness":false,
         "disableRewrite":false,
         "disableLogClick":false
      }
   ],
   "fail":[
      
   ]
}
Performance Matrix

Here is the performance reading conducted for fetching and pushing 100K IoCs in each plugin lifecycle on a Large CE instance with these specifications.

Stack details Size: Large
RAM: 32 GB
CPU: 16 Cores
Indicators fetched from Mimecast ~25K per minute
Indicators shared to Mimecast ~1.6K per minute
User Agent

netskope-ce-5.0.0-cte-mimecast-v1.2.0

Workflow

  1. Create a custom File Profile.
  2. Configure Mimecast credentials.
  3. Configure the Mimecast Plugin.
  4. Configure sharing for Netskope and Mimecast.
  5. Validate the Mimecast Plugin.

Click play to watch a video.

 

Get your Mimecast Credentials

  1. Log in to your Mimecast instance.
  2. Make note of the region in Mimecast Instance URL, in the form of https://login-<region>.mimecast.com/. You will need this when configuring the Mimecast Plugin in Threat Exchange.

Create a New User

  1. Go to Administration > Directories > Internal Directories to open the Internal Directories page.
  2. Select the internal directories where you want to create your new user.
  3. Select the New Address button from the menu bar.
  4. Complete the new address form by setting a new email address, user’s password and phone number (required for 2FA). Select Save and Exit to create the new user with provided details. 
  5. Make a note of the password because you will use this to get your Authentication Tokens at a later stage.

Add the New User to an Administrative Role

  1. Go to Administration > Account > Roles to open the Roles page.
  2. Right-click the Basic Administrator role and select Add Users to Role.
  3. Browse or search to find the new user created previously.
  4. Select the checkbox to the left of the user.
  5. Click Add Selected Users to add the user to this role.

Create a New Group and Add your New User

  1. Go to Administration > Directories > Profile Groups to open the Profile Groups page.
  2. Create a new group by selecting the plus icon on the parent folder where you would like to create the group. This creates a new group with the name New Folder.
  3. To rename the group, select the newly created New Folder group, and then in the Edit group text field, enter the name you want to give the folder; for example, demo-mimecast and then press the Enter key to apply the change.
  4. With the group selected, select the Build dropdown list and select Add Email Addresses.
  5. Enter the name of the new user created previously.
  6. Select Save and Exit to add the new user to the group.

Create a New Authentication Profile

  1. Go to Administration > Services > Applications to open the Application Settings page.
  2. Click Authentication Profiles.
  3. Click New Authentication Profile.
  4. Enter a Description for the new profile.
  5. Set the Authentication TTL setting to Never Expires. This ensures that your Authentication Token will not expire and impact the data collection of the app.
  6. Leave the other setting defaults.
  7. Select Save and Exit to create the profile.

Create a New Application Setting

  1. Go to Administration > Services > Applications to open the Application Settings page.
  2. Click New Application Settings.
  3. Enter a Description.
  4. Click Group Lookup to select the Group that you created previously.
  5. Click Authentication Profile Lookup to select the Authentication Profile created previously.
  6. Leave the other setting defaults.
  7. Select Save and Exit to create and apply the Application Settings to your new group and user.

Create a New API Application

  1. Go to Administration > Services > API Applications to open the API Applications page.
  2. Click Mimecast API 1.0 Generate Keys.
  3. Enter the appropriate information for your API Application. Check Enable Extended Session to ensure your API token will never expire. Select Other in Category, and then click Next.
  4. Enter a Developer Name, and enter the Email address created previously, which links the user’s application/profile settings to the API application. Click Next.
  5. Review the entered configuration parameters, edit them if required, and then click Add in the bottom right.
  6. Your API application will be created and its details will be displayed. Click the small “eye” icon beside Application Key in order to view it. Copy both Application ID and Application Key for configuring the Mimecast plugin.

Get your Access Key and Secret Key

Note that these Keys can only be generated within 30 minutes of creating a new API application.

  1. Go to Administration > Services > API and Platform Applications to open the API Application page.
  2. Select your newly created API application, and then click Create Keys from the top menu.
  3. Enter the email address of the user created previously and click Next.
  4. For Type select Cloud and enter the password of the user created previously. Click Next button.
  5. Copy both of the keys displayed by pressing the small copy icon beside each. You will need these when configuring the Mimecast Plugin. When finished, click Close.

Configure the Mimecast Plugin in Cloud Exchange

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Mimecast box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Unique name for the configuration
    • Sync Interval: Leave default
    • Aging Criteria: Expiry time of the plugin in days. ( Default: 90 )
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.

  4. Enter and select the Configuration Parameters on the second page:
    • Base URL: Mimecast API Base URL including region.
    • Application ID: Mimecast API Application ID.
    • Application Key: Mimecast API Application Key.
    • Access Key: Mimecast API Access Key.
    • Secret Key: Mimecast API Secret Key
    • Indicator Feed Type: The scope of data to fetch – ‘Malware Customer’ to pull data from the account, Malware Grid to pull the data form the region grid and Malsite to pull URLs from URL Protection.
    • Types of Malware to Pull (applicable when ‘feed_type’ is ‘Malware Customer’ or ‘Malware Grid’): The scope of data to fetch – ‘Malware Customer’ to pull data from the account, Malware Grid to pull the data form the region grid and Malsite to pull URLs from URL Protection.
    • Initial Range (in days): Number of days to pull the data for the initial run.


  5. Click Save. Click on Threat Exchange > Plugins in the Cloud Exchange left nav panel to view the installed plugins.

Configure a Threat Exchange Business Rule for Mimecast

To share indicators fetched from the Mimecast to the Netskope CE and vice versa, you will need to have a business rule that will filter out the indicators that you want to share. To configure a business rule follow the below steps:

  1. In Threat Exchange go to Business Rules and click Create New Rule.
  2. Add the filter according to your requirement in the rule, and then click Save.

Configure Sharing for Netskope and Mimecast

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select Mimecast.
  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional. Data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.
  4. Select a Target. Each plugin will have a different target or destination for the IoC. Click Save.
  5. Repeat steps 2-4, but select Netskope as the Source Configuration and Mimecast as the Destination Configuration.

Adding a new sharing configuration on the active source poll will share the existing IoCs of the source configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.

Note

Plugins that do not have API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote 3rd-party systems to push data to. Once a Sharing policy has been added, it takes effect.

After a sharing configuration has been created, the sharing table will show the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive matching IoC, and the target applicable to that rule. Multiple Sharing configurations can be made to support mapping certain IoC to multiple targets even on the system destination system.

Modify, Test, and Delete a Sharing Configuration

Each sharing configuration supports 3 actions:

  • Edit the rule by clicking on the pencil icon.
  • Test the rule by clicking on the synchronization icon. This tests how many IoC will actually be sent to the destination system based on the timeframe and the rule.
  • Delete the rule by clicking on the garbage can icon.

Validate the Mimecast Plugin

In order to validate the workflow you must have Netskope Alerts and/or Mimecast attributes/indicators. Polling Intervals are defined during plugin configuration.

Validate the Pull

Pulled data will be listed on the Threat IOCs page. You can filter the IOCs pulled from the platform using the filter: sources.source Like “<plugin name>”


To verify pulled logs on CE go to Logging and search logs from the CTE Mimecast plugin.

To verify the data available for pulling on Mimecast, follow below Steps.

Note: The location from where hashes are pulled and pushed is not certain. According to the doc(here) it must be in the Mimecast Threat Dashboard, if you don’t find this contact the Mimecast admin

Login to Mimecast Platform and Navigate to Services > URL Protection> Logs.

Note: Apply Filter as Malicious.

We pull IOCs(URLs) available on the Logs page.

Validate the Push

To validate the push in CE, go to Logging and filter shared logs for the Mimecast plugin.

You will receive a summary log like below by the end of a pull cycle:

Successfully shared 324351 indicators with configuration 'Mimecast Plugin Demo and 0 indicators are inactive. 0 indicators not shared due to rule name Share Netskope IOCs to Mimecast.'

Go to Threat IoCs and filter logs shared with the Mimecast plugin.

On the Mimecast platform, go to Services > URL Protection > Managed URL to check the shared IOCs on the platform.

Troubleshooting

Unable to pull IOCs from the Mimecast platform

After the plugin configuration if the IOCs are not pulled from the platform it might be due to one of the following.

  • No IOCs are available on the platform to pull
  • IOCs are not available for the given time range or does not match the configuration parameters.

What to do: Identity your root cause from above and follow below steps to resolve the issue.

No IOCs are available on the platform to pull

Check if the IOCs are available on the platform to pull. If available, check the resolution for the next point.

IOCs are not available for the given time range

If the IOCs are available on the platform to pull, but the plugin has not pulled the IOCs in CE, check the number of days mentioned in the initial range parameter of the plugin configuration. On the Mimecast platform check if you have data for the given time range.

If the data is still available for the given time range it might be possible that the IOCs for the provided filter in the plugin configuration are not available, so check the values from the plugin configuration parameter and filter the same on the Anomali platform.

Unable to push the IOCs to Mimecast

If you are not able to push the IoCs on the platform and receive an info log like;

CTE Mimecast Plugin [Demo Mimecast Plugin]: Failed to share 9 URL(s) to Mimecast. Invalid URL(s): 0, Already Existing URL(s): 4. Failed to create 5 URL(s) on Mimecast - please check with Mimecast Admin for details. Failure message list: ['Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'Managed URL create failure', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate', 'The managed URL already exists; to update it, delete and recreate'].

One of the case might be that you would have reached the limit of pushing 30K URLs to platform

Known Behavior

The location from where hashes are pulled and pushed is not certain. According to the doc (here) it must be in the Mimecast Threat Dashboard, if you don’t find this contact the Mimecast admin.

Limitation

  • The plugin pull and push for MD5 and SHA256 has been verified with the API responses only as we are not able to see the Hashes on the platform.(Although Threat Dashboard is enabled)
  • The tenant with which the plugin is tested supports only 30K URLs while pushing.
Share this Doc

Mimecast Plugin for Threat Exchange

Or copy link

In this topic ...