Understanding SIEM Logs

Mimecast offers an Enhanced Logging feature that allows you to programmatically download log file data from your Mimecast service.

The following data types are available:

Email logs

  • Inbound - logs for messages from external senders to internal recipients
  • Outbound - logs for messages from internal senders to external recipients
  • Internal - logs for messages between internal domains

These logs are enabled in the Enhanced Logging section of the Administration | Account | Account Settings menu in the Administration Console. Once enabled, the logs are available through the /api/audit/get-siem-logs function.

The source application of these log files is the Mimecast MTA. The following list describes some characteristics of the MTA that affect logging:

  • The MTA runs on many servers in our infrastructure; consequently, log files are written on each server that processes an email for your account.
  • As the first point of entry and last point of exit for your organization's email traffic, there are 3 stages that each email will go through:
    • Receipt - where the MTA receives a new connection for an email, either from your organization's email infrastructure or the outside world.
    • Process - where Mimecast policies are applied to the email.
    • Delivery - where the MTA delivers the email to its intended recipient, either to your organization's email infrastructure for inbound messages, or to another mail server for outbound messages.
  • As a result, there can be 3 or more log lines for each email, 1 for each stage. The MTA holds different pieces of information at each stage; the tables below describe the fields you can expect on each line.
    • For messages where the first delivery attempt fails, you can additionally expect another line for each subsequent delivery attempt.
  • These log lines are split by Mimecast when we make log files available for download. Each file you download will contain only receipt, delivery, or process lines.
  • For customers subscribing to our Targeted Threat Protection URL Protect and/or Attachment Protect features, additional log lines are available for malicious activity detected by Mimecast.
    • For URL Protect, a log line is written each time a user clicks a link that has been rewritten by Mimecast in an email and has been found to be malicious.
    • For Attachment Protect, a log line is written for each file processed by the sandbox and found to be malicious.
    • The fields available for each event are documented in the tables below.
  • For each email that passes through the MTA, we maintain a unique ID (aCode) to help correlate log events through each stage of the email's journey.
  • Log data is rolled up and made available for download every 30 minutes throughout the day. As logs are written on all Mimecast MTA servers, it is worthwhile checking for new data more frequently, for example every 10 minutes.
  • Log data is stored by Mimecast for 7 days only; however, once downloaded you can keep the data for as long as you require. This, combined with our token-based system, allows for up to 7 days of downtime in your SIEM or data analytics platform.
  • Results are available in pipe-delimited (default) or JSON format.

Log Field Descriptions

Receipt logs

Field Name                      Description
acc                             The Mimecast account code for your account.
aCode                           The unique ID used to track the email through the different log types.
Act                             The action taken at the receipt stage.
Cphr                            The TLS cipher used if the email was received using TLS.
datetime                        The date and time that the email was received by the Mimecast MTA.
Dir                             The direction of the email based on the sending and receiving domains.
Error                           Information about any errors that occurred during receipt.
IP                              The source IP of the sending mail server.
MsgId                           The internet message id of the email.
Rcpt                            The recipient of the email.
headerFrom                      The sender address found in the From header of the email.
RejCode                         The rejection code issued if the email was rejected at the receipt stage.
RejInfo                         The rejection information if the email was rejected at the receipt stage.
RejType                         The rejection type if the email was rejected at the receipt stage.
Sender                          The sender of the email.
SpamInfo                        Information from Mimecast spam scanners for messages found to be spam.
SpamLimit                       The spam limit defined for the given sender and recipient.
SpamProcessingDetail            The spam processing details for DKIM, SPF and DMARC.
SpamScore                       The spam score the email was given.
Subject                         The subject of the email, limited to 150 characters.
TlsVer                          The TLS version used if the email was received using TLS.
Virus                           The name of the virus found on the email, if applicable.

Sample log lines:

Message received successfully:

datetime=2017-05-26T16:47:41+0100|aCode=7O7I7MvGP1mj8plHRDuHEA|acc=C0A0|SpamLimit=0|IP=123.123.123.123|Dir=Internal|MsgId=<messageId@messageId>|Subject=\message subject\|headerFrom=from@mimecast.com|Sender=from@mimecast.com|Rcpt=auser@mimecast.com|SpamInfo=[]|Act=Acc|TlsVer=TLSv1|Cphr=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|SpamProcessingDetail={"spf":{"info":"SPF_FAIL","allow":true},"dkim":{"info":"DKIM_UNKNOWN","allow":true}}|SpamScore=1

Message rejected

datetime=2017-05-26T17:01:36+0100|aCode=cx9u0J0pOJGscX_KPpilkg|acc=C0A0|IP=123.123.123.123|RejType=\Invalid Recipient Address\|Error=\Failed Known address verification\|RejCode=550|Dir=Inbound|headerFrom=|Sender=from@domain.com|Rcpt=auser@mimecast.com|Act=Rej|RejInfo=\Invalid Recipient\|TlsVer=TLSv1|Cphr=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
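The two receipt lines above show the record format shared by every log type: key=value pairs separated by a pipe, values that contain spaces or punctuation wrapped in backslashes (Subject=\message subject\), and SpamProcessingDetail carrying an embedded JSON object. The parser below is an added example, not Mimecast's own code. It assumes that a backslash-wrapped value may itself contain a pipe (the page does not say either way) and that a wrapper left open at the end of a line, as in the delivery sample further down (Route=\Mimecast Exchange Route), runs to the end of the line. The SPF check at the end is one illustration of what the decoded JSON lets you review; the policy that allowed the message is not visible in the line itself.

```python
import json
from typing import Dict, Iterator

# The two receipt sample lines from the page, copied verbatim (raw strings keep the
# backslash wrappers intact).
RECEIPT_ACCEPTED = r'datetime=2017-05-26T16:47:41+0100|aCode=7O7I7MvGP1mj8plHRDuHEA|acc=C0A0|SpamLimit=0|IP=123.123.123.123|Dir=Internal|MsgId=<messageId@messageId>|Subject=\message subject\|headerFrom=from@mimecast.com|Sender=from@mimecast.com|Rcpt=auser@mimecast.com|SpamInfo=[]|Act=Acc|TlsVer=TLSv1|Cphr=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|SpamProcessingDetail={"spf":{"info":"SPF_FAIL","allow":true},"dkim":{"info":"DKIM_UNKNOWN","allow":true}}|SpamScore=1'
RECEIPT_REJECTED = r'datetime=2017-05-26T17:01:36+0100|aCode=cx9u0J0pOJGscX_KPpilkg|acc=C0A0|IP=123.123.123.123|RejType=\Invalid Recipient Address\|Error=\Failed Known address verification\|RejCode=550|Dir=Inbound|headerFrom=|Sender=from@domain.com|Rcpt=auser@mimecast.com|Act=Rej|RejInfo=\Invalid Recipient\|TlsVer=TLSv1|Cphr=TLS_DHE_RSA_WITH_AES_256_CBC_SHA'


def parse_siem_line(line: str) -> Dict[str, str]:
    r"""Split one pipe-delimited SIEM log line into a {field: value} dict.

    A value is either bare (runs to the next '|') or wrapped in backslashes
    (Subject=\message subject\). Assumption: a wrapped value may contain '|',
    so the scanner reads up to the closing backslash, or to the end of the
    line when the closing backslash is missing.
    """
    line = line.rstrip("\r\n")
    fields: Dict[str, str] = {}
    i, n = 0, len(line)
    while i < n:
        eq = line.find("=", i)
        if eq == -1:
            break                                   # trailing text without a key
        key = line[i:eq]
        i = eq + 1
        if i < n and line[i] == "\\":               # wrapped value
            end = line.find("\\", i + 1)
            if end == -1:
                end = n                             # unterminated wrapper: take the rest
            value = line[i + 1:end]
            i = end + 1
            if i < n and line[i] == "|":
                i += 1                              # step over the delimiter
        else:                                       # bare value
            end = line.find("|", i)
            if end == -1:
                end = n
            value = line[i:end]
            i = end + 1
        fields[key] = value
    return fields


def parse_siem_file(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per non-empty line of a downloaded log file."""
    for line in text.splitlines():
        if line.strip():
            yield parse_siem_line(line)


def spam_processing_detail(record: Dict[str, str]) -> dict:
    """Decode the JSON object embedded in SpamProcessingDetail ({} if absent)."""
    raw = record.get("SpamProcessingDetail")
    return json.loads(raw) if raw else {}


def accepted_despite_spf_fail(record: Dict[str, str]) -> bool:
    """True when the receipt stage accepted the message (Act=Acc) although SPF failed.

    A useful review query: the line records the SPF verdict and the action, but not
    the policy that let the message through, so such hits deserve a second look.
    """
    spf = spam_processing_detail(record).get("spf", {})
    return record.get("Act") == "Acc" and spf.get("info") == "SPF_FAIL"


if __name__ == "__main__":
    for sample in (RECEIPT_ACCEPTED, RECEIPT_REJECTED):
        rec = parse_siem_line(sample)
        print(rec["aCode"], rec["Act"], "SPF_FAIL accepted:", accepted_despite_spf_fail(rec))
```

Feed each downloaded file through parse_siem_file and keep the raw line alongside the dict; the scanner's assumption about pipes inside wrapped values is easy to revisit once you have seen real subjects and ReceiptAck strings from your own tenant.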

Process logs

Field Name                      Description
acc                             The Mimecast account code for your account.
aCode                           The unique ID used to track the email through the different log types.
Act                             The action taken at the process stage.
AttCnt                          The number of attachments on the email.
AttSize                         The total size of all attachments on the email.
AttNames                        The filenames of all attachments on the email.
datetime                        The date and time that processing of the email occurred.
Hld                             The reason the email was held for review (quarantined), if applicable.
IPInternalName                  For emails subject to Targeted Threat Protection: Impersonation Protect, whether the email was detected to be from an internal user name.
IPNewDomain                     For emails subject to Targeted Threat Protection: Impersonation Protect, whether the email was detected to be from a new domain.
IPReplyMismatch                 For emails subject to Targeted Threat Protection: Impersonation Protect, whether the email was detected to have a mismatch in the reply-to address.
IPSimilarDomain                 For emails subject to Targeted Threat Protection: Impersonation Protect, whether the email was detected to be from a domain similar to any domain you have registered as an Internal Domain.
IPThreadDict                    For emails subject to Targeted Threat Protection: Impersonation Protect, whether the content of the email was detected to contain words in the Mimecast threat dictionary.
MsgId                           The internet message id of the email.
MsgSize                         The total size of the email.
Sender                          The sender of the email.
Subject                         The subject of the email, limited to 150 characters.

Sample log lines:

Message processed successfully with attachments:

datetime=2017-05-26T19:36:48+0100|aCode=BY81J52RPjSmp7MrubnlZg|acc=C0A0|AttSize=1267|Act=Acc|AttCnt=2|AttNames=\"filename.docx", "filename2.xlsx"\|MsgSize=2116|MsgId=messageId@mssageId

Message processed successfully without attachments

datetime=2017-05-26T19:36:48+0100|aCode=BY81J52RPjSmp7MrubnlZg|acc=C0A0|AttSize=0|Act=Acc|AttCnt=0|AttNames=|MsgSize=2116|MsgId=messageId@mssageId

Message held for review

datetime=2017-05-26T19:24:18+0100|aCode=015vTYvNN-Wn30v7M5MzNw|acc=C0A0|Hld=Spm|AttSize=0|Act=Hld|IPNewDomain=false|IPReplyMismatch=false|AttCnt=0|IPInternalName=false|AttNames=|MsgSize=56442|MsgId=messageId@mssageId|IPThreadDict=false|IPSimilarDomain=false

Delivery logs

Field Name                      Description
acc                             The Mimecast account code for your account.
aCode                           The unique ID used to track the email through the different log types.
AttCnt                          The number of attachments delivered.
Attempt                         The number of attempts that the Mimecast MTA has made to deliver the email.
AttSize                         The total size of attachments delivered.
Cphr                            The TLS cipher used on delivery, if the email was sent using TLS.
datetime                        The date and time delivery was attempted.
Delivered                       Whether the email was delivered successfully.
Dir                             The direction of the email based on the sending and receiving domains.
Err                             Information about any errors that occurred on the delivery attempt.
IP                              The destination IP address for the delivery attempt.
Latency                         The time in milliseconds that the delivery attempt took.
MsgId                           The internet message id of the email.
Rcpt                            The recipient of the email.
ReceiptAck                      The receipt acknowledgment message received by Mimecast from the receiving mail server.
RejCode                         The rejection code, for messages rejected by the receiving mail server.
RejInfo                         The rejection information, for messages rejected by the receiving mail server.
RejType                         The rejection type, for messages rejected by the receiving mail server.
Route                           The Mimecast delivery route used.
Sender                          The sender of the email.
Subject                         The subject of the email, limited to 150 characters.
Snt                             The amount of data, in bytes, that was delivered.
TlsVer                          The TLS version used if the email was delivered using TLS.
UseTls                          Whether the message was delivered using TLS.

Sample log lines:

Message delivered successfully

datetime=2017-05-26T19:40:33+0100|aCode=9q_HeIHHPYejZTBsnipWmQ|acc=C0A0|Delivered=true|IP=123.123.123.123|AttCnt=0|Dir=Inbound|ReceiptAck=\250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery\|MsgId=messageId@mssageId|Subject=\Auto Reply\|Latency=5618|Sender=from@domain.com|Rcpt=auser@mimecast.com|AttSize=0|Attempt=1|TlsVer=TLSv1|Cphr=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|Snt=28237|UseTls=Yes|Route=\Mimecast Exchange Route

Message delivery failed

datetime=2017-05-26T19:40:06+0100|aCode=ClBDLlnTPH6-T-3KJayNew|acc=C0A0|Delivered=false|Err=\Connection timed out\|RejType=\Recipient server unavailable or busy\|AttCnt=0|Dir=Outbound|ReceiptAck=null|MsgId=messageId@mssageId|Subject=\message subject\|Latency=34848442|Sender=<>|Rcpt=auser@mimecast.com|AttSize=0|Attempt=14|Snt=0|UseTls=No
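The aCode described at the top of the page ties the receipt, process and delivery lines of one message together, while the Targeted Threat Protection event logs further down (AV, URL Protect, Attachment Protect) carry a MsgId but no aCode. The following is an added example rather than Mimecast code: it rebuilds a per-message journey from already-parsed records, constructed here as dicts with an extra "type" key that a collector would add from the downloaded file's type, joins aCode-less events through a normalized MsgId, and summarizes the outcome. The receipt sample above wraps MsgId in angle brackets while the process and delivery samples do not, which is why the join strips them before comparing.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed records for one message, already split into dicts (field names as in the
# tables on this page; "type" is added by the collector, it is not a Mimecast field).
# The message needed two delivery attempts, and a sandbox verdict (Attachment Protect,
# which carries no aCode) arrived after the message had been delivered.
RECORDS: List[Dict[str, str]] = [
    {"type": "receipt", "datetime": "2017-05-26T16:47:41+0100", "aCode": "EXAMPLEaCode0001",
     "acc": "C0A0", "Dir": "Inbound", "Act": "Acc", "IP": "192.0.2.10",
     "Sender": "from@example.test", "Rcpt": "auser@example.test",
     "MsgId": "<abc123@example.test>", "TlsVer": "TLSv1.2"},
    {"type": "process", "datetime": "2017-05-26T16:47:43+0100", "aCode": "EXAMPLEaCode0001",
     "acc": "C0A0", "Act": "Acc", "AttCnt": "1", "AttNames": '"invoice.doc"',
     "MsgSize": "378368", "MsgId": "abc123@example.test"},
    {"type": "delivery", "datetime": "2017-05-26T16:47:50+0100", "aCode": "EXAMPLEaCode0001",
     "acc": "C0A0", "Attempt": "1", "Delivered": "false", "Err": "Connection timed out",
     "Rcpt": "auser@example.test", "MsgId": "abc123@example.test", "UseTls": "No"},
    {"type": "delivery", "datetime": "2017-05-26T17:02:11+0100", "aCode": "EXAMPLEaCode0001",
     "acc": "C0A0", "Attempt": "2", "Delivered": "true", "Latency": "5618",
     "Rcpt": "auser@example.test", "MsgId": "abc123@example.test", "UseTls": "Yes"},
    {"type": "attachment_protect", "datetime": "2017-05-26T17:09:40+0100", "acc": "C0A0",
     "fileName": "invoice.doc", "fileExt": "doc", "Recipient": "auser@example.test",
     "Sender": "from@example.test", "MsgId": "<abc123@example.test>", "Route": "Inbound"},
]


def normalize_msgid(msgid: str) -> str:
    """Strip optional angle brackets and whitespace so one Message-ID compares equal
    across log types (the receipt line has <...>, the delivery line does not)."""
    return msgid.strip().strip("<>").strip()


def build_journeys(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group records by aCode; attach aCode-less events by MsgId in a second pass."""
    journeys: Dict[str, dict] = defaultdict(
        lambda: {"receipt": None, "process": None, "delivery": [], "ttp": []})
    acode_by_msgid: Dict[str, str] = {}
    for r in records:
        acode = r.get("aCode")
        if not acode:
            continue
        j = journeys[acode]
        if r["type"] == "delivery":
            j["delivery"].append(r)                 # one line per attempt
        elif r["type"] in ("receipt", "process"):
            j[r["type"]] = r
        else:
            j["ttp"].append(r)                      # TTP events that do carry an aCode
        if r.get("MsgId"):
            acode_by_msgid[normalize_msgid(r["MsgId"])] = acode
    for r in records:
        if r.get("aCode") or not r.get("MsgId"):
            continue
        acode = acode_by_msgid.get(normalize_msgid(r["MsgId"]))
        if acode:
            journeys[acode]["ttp"].append(r)        # joined through the Message-ID
    for j in journeys.values():
        j["delivery"].sort(key=lambda d: int(d.get("Attempt", "0")))
    return dict(journeys)


def summarize(journey: dict) -> Dict[str, object]:
    """Collapse one journey into the fields an analyst asks about first."""
    deliveries = journey["delivery"]
    final = deliveries[-1] if deliveries else None
    delivered = bool(final) and final.get("Delivered") == "true"
    return {
        "receipt_action": journey["receipt"].get("Act") if journey["receipt"] else None,
        "held_reason": journey["process"].get("Hld") if journey["process"] else None,
        "delivery_attempts": len(deliveries),
        "delivered": delivered,
        "delivered_over_tls": delivered and final.get("UseTls") == "Yes",
        "ttp_events": [e["type"] for e in journey["ttp"]],
        # a sandbox or click verdict that lands after delivery means the message is
        # already in a mailbox and needs follow-up rather than just a log entry
        "needs_followup": delivered and bool(journey["ttp"]),
    }


if __name__ == "__main__":
    for acode, journey in build_journeys(RECORDS).items():
        print(acode, summarize(journey))
```

In production the records come from parse_siem_line over each downloaded file, with "type" taken from the file name the API hands back; keep the MsgId index for at least the 7-day retention window so that late TTP verdicts still find their delivery line.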

AV logs

Field Name                      Description
acc                             The Mimecast account code that the event has been logged for.
CustomerIP                      Whether the source IP is one of the account's authorised IPs, or one of the authorised IPs belonging to an Umbrella Account if the account uses an Umbrella Account.
datetime                        The date and time of the event.
fileExt                         The file extension.
fileMime                        The file MIME type.
IP                              The source IP of the original message.
md5                             The MD5 hash of the file.
MimecastIP                      Whether the source IP is one of Mimecast's IPs, e.g. Mimecast Personal Portal.
MsgId                           The internet message id of the email.
Recipient                       The recipient of the original message.
Route                           The route of the message.
Sender                          The sender of the message.
SenderDomain                    The sender domain.
SenderDomainInternal            Whether the sender domain is a registered internal domain.
sha1                            The SHA1 hash of the file.
sha256                          The SHA256 hash of the file.
Size                            The size of the file.
Subject                         The message subject.
Virus                           The virus signature.

Sample log line:

datetime=2021-03-05T16:25:17+0000|acc=C0A0|MimecastIP=false|fileName=Invoice Attached for payment|sha256=efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12|Size=1648832|IP=0.0.0.0|Recipient=recipient@recipientdomain.tld|SenderDomain=senderdomain.tld|fileExt=xlsm|Subject=Invoice Attached for payment|MsgId=<85485.121030516250700527@mta.uk.somewhere.tld>|Sender=8jy0xzfjymioyjfjrajc@senderdomain.tld|Virus=Anomali:Phishing|sha1=816b013c8be6e5708690645964b5d442c085041e|SenderDomainInternal=false|fileMime=application/vnd.ms-excel.sheet.macroEnabled.12|CustomerIP=true|Route=Inbound|md5=4dbe9dbfb53438d9ce410535355cd973

Spam Event Thread logs

Field Name                      Description
acc                             The Mimecast account code that the event has been logged for.
aCode                           The unique ID used to track the email through the different log types.
datetime                        The date and time of the event.
headerFrom                      The sender address found in the From header of the email.
MsgId                           The internet message id of the email.
Recipient                       The recipient of the original message.
Route                           The route of the message.
Sender                          The sender of the message.
SenderDomain                    The sender domain.
SourceIP                        The source IP of the original message.
Subject                         The message subject.

Sample log line:

datetime=2021-03-05T18:18:39+0000|aCode=azYwczFKNga_v1sYBuJOvA|acc=C0A0|Sender=sender@domain.tld|SourceIP=0.0.0.0|Recipient=recipient@adomain.tld|SenderDomain=bdomain.tld|Subject=Opportunity to become VP|MsgId=<ABCDEF@domain-GHIK>|Route=Inbound|headerFrom=sender@adomain

Targeted Threat Protection - Internal Email Protect logs

Field Name                      Description
acc                             The Mimecast account code that the event has been detected for.
aCode                           The unique ID used to track the email through the different log types.
datetime                        The date and time the click was detected.
MsgId                           The internet message id of the email.
ScanResultInfo                  The reason that the click was blocked.
Recipient                       The recipient of the original message that the link was clicked from.
Route                           The route of the original message that the link was clicked from.
Sender                          The sender of the original message that the link was clicked from.
Subject                         The subject of the email, limited to 150 characters.
URL                             The URL clicked.
UrlCategory                     The category of the URL that was clicked.

Sample log line:

datetime=2021-03-04T21:31:08+0000|aCode=vit87EEXMPaEyl22Lrb92A|acc=C46A75|Sender=sender@domain.tld|UrlCategory=Phishing & Fraud|ScanResultInfo=Blocked URL Category|Recipient=recipient@domain.tld|MsgId=<CWXP123MB37349110AF6F6A2BC94F702EC4979@CWXP123MB3734.GBRP123.PROD.domain.tld>|Subject=Coffee Briefing|URL=https://domain.com/login/|Route=Internal

Targeted Threat Protection - Impersonation Protect logs

Field Name                      Description
acc                             The Mimecast account code that the event has been detected for.
aCode                           The unique ID used to track the email through the different log types.
Action                          The action taken for this message.
CustomName                      Whether the message matched a custom name.
CustomThreatDictionary          Whether the content of the email was detected to contain words in a custom threat dictionary.
datetime                        The date and time the click was detected.
Definition                      The Impersonation Protect definition applied to the message.
Hits                            The number of items flagged for the message.
InternalName                    Whether the email was detected to be from an internal user name.
IP                              The source IP of the original message.
MsgId                           The internet message id of the email.
NewDomain                       Whether the email was detected to be from a new domain.
Recipient                       The recipient of the original message.
ReplyMismatch                   Whether the reply address does not correspond to the sender's address.
Route                           The route of the original message.
Sender                          The sender of the original message.
SimilarCustomExternalDomain     Whether the sender's domain is similar to a domain in a custom external domain list.
SimilarInternalDomain           Whether the sender's domain is similar to a registered internal domain.
SimilarMimecastExternalDomain   Whether the sender's domain is similar to a domain in a Mimecast-managed list of domains.
Subject                         The subject of the email, limited to 150 characters.
TaggedExternal                  Whether the message has been tagged as originating from an external source.
TaggedMalicious                 Whether the message has been tagged as malicious.
ThreatDictionary                Whether the content of the email was detected to contain words in the Mimecast threat dictionary.

Sample log line:

An internal user name has been impersonated

datetime=2020-07-27T00:39:59+0100|aCode=q4qBpkoTOt-iStR7G44w3g|acc=C0A0|Sender=sender@domain|Receipient=recipient@domain|IP=0.0.0.0|Subject=Opportunity to become VP|Definition=Default Impersonation Definition|Hits=1|Action=Hold|TaggedExternal=false|TaggedMalicious=true|MsgId=<ABCDEF@domain.tld>|InternalName=true|CustomName=false|NewDomain=false|SimilarInternalDomain=false|SimilarCustomExternalDomain=false|SimilarMimecastExternalDomain=false|ReplyMismatch=false|ThreatDictionary=false|CustomThreatDictionary=false|Route=Inbound

Targeted Threat Protection - URL Protect logs

Field Name                      Description
acc                             The Mimecast account code that the event has been detected for.
datetime                        The date and time the click was detected.
MsgId                           The internet message id of the email.
reason                          The reason that the click was blocked.
recipient                       The recipient of the original message that the link was clicked from.
route                           The route of the original message that the link was clicked from.
sender                          The sender of the original message that the link was clicked from.
senderDomain                    The sender domain of the original message that the link was clicked from.
sourceIp                        The source IP of the original message that the link was clicked from.
subject                         The subject of the email, limited to 150 characters.
url                             The URL clicked.
urlCategory                     The category of the URL that was clicked.

Sample log line:

A user has clicked on a link that is potentially malicious:

datetime=2017-05-26T19:22:37+0100|acc=C0A0|reason=malicious|url=http://bgmtechnology.com.au|route=inbound|sourceIp=123.123.123.123|sender=from@domain.com|recipient=auser@mimecast.com|urlCategory=Blocked|senderDomain=domain.com

Targeted Threat Protection - Attachment Protect logs

Field Name                      Description
acc                             The Mimecast account code that the event has been detected for.
datetime                        The date and time that the file was detected as malicious.
fileExt                         The file extension of the malicious file.
fileMime                        The detected MIME type of the malicious file.
fileName                        The file name of the malicious file.
IP                              The source IP of the original message that contained the malicious file.
md5                             The MD5 hash of the malicious file.
MsgId                           The internet message id of the email.
Recipient                       The recipient of the original message that contained the malicious file.
Route                           The route of the original message that contained the malicious file.
Sender                          The sender of the original message that contained the malicious file.
SenderDomain                    The sender domain of the original message that contained the malicious file.
sha1                            The SHA1 hash of the malicious file.
sha256                          The SHA256 hash of the malicious file.
Size                            The size (in bytes) of the malicious file.
subject                         The subject of the email, limited to 150 characters.

Sample log line:

The Mimecast sandbox has detected a potentially malicious file:

datetime=2017-05-23T21:45:21+0100|acc=C1A1|fileName=1XCOLUMN.PVC|sha256=8746bb4b31ab6f03eb0a3b2c62ab7497658f0f85c8e7e82f042f9af0bb876d83|Size=378368|IP=123.123.123.123|Recipient=auser@mimecast.com|SenderDomain=domain.com|fileExt=doc|sha1=a27850da9e7adfc8e1a94dabf2509fc9d65ee7e2|Sender=from@domain.com|fileMime=application/vnd.ms-office|Route=Inbound|md5=7b52770644da336a9a59141c80807f37

Understanding the Logs API

The API endpoint used to download logs is /api/audit/get-siem-logs. This function is designed to ensure that you can:

  • Easily download log data by type.

    • Logs are returned as application/octet-stream, which most HTTP clients understand and can easily convert back to text for human or machine consumption.
    • The type and date of the log downloaded are indicated in the Content-Disposition response header.
  • Only download new data each time you make a request.

    • Each time you make a request to the API, a page token is provided in the "mc-siem-token" response header.
    • The value of this header should be passed as the "token" request body parameter the next time you send a request to this endpoint, to ensure that you only get logs written after the last file you downloaded.
  • Easily know when there are no more logs of the given type to download.
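The token handshake above is what makes the collector resumable after the downtime mentioned at the top of the page: each response carries an mc-siem-token, the next request sends it back in the "token" body parameter, and the file name in Content-Disposition tells you which log type and date you received. The following collector loop is an added example, not Mimecast's client library, and it deliberately stops short of the real transport: post(path, body) is injected, so the block runs offline against a small fake server, and authentication is not shown. Two things in it are assumptions rather than documented behaviour: the file-name pattern the fake server uses, and the "nothing new" signal, which this example takes to be a response with no mc-siem-token header and an empty body.

```python
import tempfile
from email.message import Message
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

ENDPOINT = "/api/audit/get-siem-logs"
TOKEN_HEADER = "mc-siem-token"


class Response:
    """Minimal HTTP response stand-in so the loop runs without a network (constructed)."""

    def __init__(self, status: int, headers: Dict[str, str], body: bytes):
        self.status, self.headers, self.body = status, headers, body


def filename_from_disposition(value: str) -> Optional[str]:
    """Extract the filename parameter of a Content-Disposition header (stdlib parser)."""
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()


def fetch_new_logs(post: Callable[[str, dict], Response], out_dir: Path,
                   token_file: Path, max_pages: int = 100) -> List[str]:
    """Download every log file written since the last run; return the names saved.

    post(path, json_body) -> Response is injected; in production it is an
    authenticated HTTPS POST to the Mimecast API (authentication not shown).
    The mc-siem-token from each response is sent back as the "token" body
    parameter of the next call and is persisted only after the file it covers is
    on disk, so a crash between the two steps re-downloads one file instead of
    silently skipping it. Assumption: no mc-siem-token header plus an empty body
    means there is nothing new yet.
    """
    token = token_file.read_text().strip() if token_file.exists() else None
    saved: List[str] = []
    for _ in range(max_pages):
        resp = post(ENDPOINT, {"token": token} if token else {})
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        new_token = resp.headers.get(TOKEN_HEADER)
        if not new_token or not resp.body:
            break
        name = filename_from_disposition(resp.headers.get("Content-Disposition", ""))
        if not name:
            raise RuntimeError("log data without a Content-Disposition filename")
        safe_name = Path(name).name            # never let a header choose the directory
        (out_dir / safe_name).write_bytes(resp.body)
        saved.append(safe_name)
        token_file.write_text(new_token)       # commit the cursor only after the write
        token = new_token
    return saved


class FakeSiemServer:
    """Constructed stand-in for the endpoint: serves pages in order, one token per page.

    The file names imitate the type-and-date naming the page attributes to the
    Content-Disposition header; their exact form is an assumption.
    """

    def __init__(self, pages: List[Tuple[str, bytes]]):
        self.pages = pages
        self.calls: List[Optional[str]] = []

    def post(self, path: str, body: dict) -> Response:
        assert path == ENDPOINT
        token = body.get("token")
        self.calls.append(token)
        idx = 0 if token is None else int(token[1:])   # token "tN" = N pages consumed
        if idx >= len(self.pages):
            return Response(200, {}, b"")               # nothing new
        name, data = self.pages[idx]
        return Response(200, {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{name}"',
            TOKEN_HEADER: f"t{idx + 1}",
        }, data)


def run_demo() -> dict:
    """Two collector runs; the second resumes from the saved token after 'downtime'."""
    server = FakeSiemServer([
        ("receipt_2017-05-26T16-30.log",
         b"datetime=2017-05-26T16:47:41+0100|aCode=7O7I7MvGP1mj8plHRDuHEA|acc=C0A0|Act=Acc\n"),
        ("delivery_2017-05-26T16-30.log",
         b"datetime=2017-05-26T16:47:45+0100|aCode=7O7I7MvGP1mj8plHRDuHEA|acc=C0A0|Delivered=true\n"),
    ])
    with tempfile.TemporaryDirectory() as tmp:
        out, token_file = Path(tmp), Path(tmp) / "mc-siem-token"
        first = fetch_new_logs(server.post, out, token_file)
        # the MTA keeps writing while the collector is down; the token bridges the gap
        server.pages.append(("process_2017-05-26T17-00.log",
                             b"datetime=2017-05-26T17:02:11+0100|aCode=7O7I7MvGP1mj8plHRDuHEA|acc=C0A0|Act=Acc\n"))
        second = fetch_new_logs(server.post, out, token_file)
        return {"first": first, "second": second,
                "token": token_file.read_text(), "requests": server.calls}


if __name__ == "__main__":
    print(run_demo())
```

Schedule fetch_new_logs every 10 minutes as the page suggests; because the token is written only after each file is safely stored, the worst case after an interrupted run is one duplicate file, which the aCode makes easy to de-duplicate downstream.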

JSON Response Example

{ 
    "acc":  "C0A0",
    "Hld":  "Spm",
    "datetime":  "2017-05-26T19:24:18+0100",
    "AttSize":  0,
    "Act":  "Hld",
    "aCode":  "015vTYvNN-Wn30v7M5MzNw",
    "AttCnt":  0,
    "AttNames":  null,
    "MsgSize":  5544,
    "MsgId": "messageId@mssageId"
}