Data Source
Mimecast Secure Email Gateway (SEG/CG), Targeted Threat Protection (TTP URL, TTP Attachment, TTP Impersonation), DLP, and Audit events - ingested via Mimecast Event Push, which posts events directly to the Azure Monitor Logs Ingestion API over HTTPS using OAuth 2.0 client credentials provisioned by the connector Deploy button.
No Mimecast credentials are stored in Microsoft Sentinel. The Deploy button provisions a DCE, DCR, the MimecastEvents_CL custom table, and a Microsoft Entra application. The resulting five values (Tenant ID, Client ID, Client Secret, DCE URL, DCR Immutable ID) are configured on the Mimecast side via Integrations Hub -> Event Push.
Ingestion Mechanism
- Mechanism: CCF Push (no RestApiPoller; Mimecast pushes to the DCE)
- Destination table: MimecastEvents_CL (single custom table; single dynamic stream column mimecast_body with the full payload plus promoted columns: mimecastEventType, mimecastEventId, mimecastLogtype, mimecastSubtype)
- DCR transform: Ingestion-time KQL derives the event type via a discriminator chain. Normalises heterogeneous timestamps (ISO, ISO+offset, epoch-milliseconds with a 2-day clamp). Computes per-type dedup IDs.
- Replaces: Legacy Function App-based Mimecast connectors for event data (no new Function App infrastructure required).
Parser Surface (7 KQL Functions)
Seven parser views are provided: MimecastEvents (base dedup), MimecastAudit, MimecastCG, MimecastDLP, MimecastTTPUrl, MimecastTTPAttachment, MimecastTTPImpersonation.
Each parser filters MimecastEvents_CL by mimecastEventType and uses arg_max for read-time deduplication. Parser views project the legacy Function App column vocabulary - existing queries targeting the old Mimecast tables require only a parser name change, not column rework.
Detection Surface Unlocked
- Email delivery telemetry: Full SEG/CG message flow with envelope metadata, TLS negotiation details, spam scoring, and attachment hashes enables phishing infrastructure correlation and mail-flow anomaly detection.
- TTP coverage: URL clicks, attachment scans, and impersonation attempts map to T1566, T1566.001, T1566.002.
- DLP events: Policy-triggered actions on outbound/inbound content enable insider threat and data exfiltration (T1048) hunting.
- Audit events: Administrative changes to Mimecast configuration provide privileged access activity visibility.
- No bundled Analytic Rules are included in this initial release.
Deployment Note
The README explicitly flags that the Event Push delivery envelope format has not been observed live. Verify on first live ingestion that events arrive in the expected format, eventsJsonPaths assumption is correct, and key casing matches. A synthetic end-to-end test procedure using Get-AzAccessToken and Invoke-RestMethod against the DCE is documented in the README.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/MimecastEvents_CL.json
Solutions/MimecastEvents-CCF/Data Connectors/MimecastEvents_ccf/MimecastEvents_ConnectorDefinition.json
Solutions/MimecastEvents-CCF/Data Connectors/MimecastEvents_ccf/MimecastEvents_DCR.json
Solutions/MimecastEvents-CCF/Data Connectors/MimecastEvents_ccf/MimecastEvents_DataConnector.json
Solutions/MimecastEvents-CCF/Data Connectors/MimecastEvents_ccf/MimecastEvents_Table.json
Solutions/MimecastEvents-CCF/Package/testParameters.json
Solutions/MimecastEvents-CCF/Parsers/MimecastAudit.yaml
Solutions/MimecastEvents-CCF/Parsers/MimecastCG.yaml
Solutions/MimecastEvents-CCF/Parsers/MimecastDLP.yaml
Solutions/MimecastEvents-CCF/Parsers/MimecastEvents.yaml
Solutions/MimecastEvents-CCF/Parsers/MimecastTTPAttachment.yaml
Solutions/MimecastEvents-CCF/Parsers/MimecastTTPImpersonation.yaml
Solutions/MimecastEvents-CCF/Parsers/MimecastTTPUrl.yaml
Solutions/MimecastEvents-CCF/README.md
Solutions/MimecastEvents-CCF/Sample Data/MimecastEvents_CL_audit.json
Solutions/MimecastEvents-CCF/Sample Data/MimecastEvents_CL_seg_cg.json
Solutions/MimecastEvents-CCF/Sample Data/MimecastEvents_CL_ttp_impersonation.json
Solutions/MimecastEvents-CCF/Sample Data/MimecastEvents_CL_ttp_url.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_MimecastEvents-CCF.json, createUiDefinition.json, mainTemplate.json)