Mimecast For Splunk - Release Notes

This article provides the release notes for Mimecast for Splunk for each of the following versions:

v4.1.1

Bug Fixes

  • Missing Mimecast icons and logo have been re-added

v4.1.0

Enhancements

  • Updated app to be compatible with Addon Builder 4.1.0

  • XML versions added to dashboards to address jQuery vulnerability

Bug Fixes

  • Minor bug fixes for dashboard widgets

v4.0.9

Bug Fixes

  • Dashboards
    • Email Activity
      • Query for the 'Messages Rejected' dashboard panel has been updated

v4.0.8

Enhancements

  • Dashboards
    • Mimecast TTP URL
      • 'URL' column has been reverted back to 'Category'
  • Inputs
    • Mimecast TTP Attachment Protect
      • Parsing for 'fileHash' field

Bug Fixes

  • props.conf
    • [mimecastsiemst] section
      • TIME_FORMAT value has been updated with %Y-%m-%dT%H:%M:%S%z

v4.0.4

Enhancements

  • Configuration page
    • Account tab has been added to manage Mimecast API credentials
  • Mimecast API Credentials
    • API keys (application key, access key, secret keys) have been removed from individual inputs
    • API keys are now managed from the Account tab
  • Inputs
    • Credentials drop-down option has been added to enable an Account to be selected.
      • Inputs must be updated to use an account before data will be collected.
    • Mimecast Email, Mimecast Directory and Mimecast Journal inputs have been replaced by a single input.
    • Mimecast Service Health replaces the Mimecast Email, Mimecast Directory and Mimecast Journal inputs.
    • Mimecast Threat Intelligence Feed
      • Dedicated input for targeted Threat Intelligence
      • Dedicated input for regional Threat Intelligence
    • Mimecast TTP Attachment
      • Parse new messageId log field
    • Mimecast TTP URL
      • Parse new messageId log field
      • 'Category' column reflects the 'category' from the logged event
    • Mimecast Data Leak Protection
      • Renamed to Mimecast Data Leak Prevention
  • Dashboards
    • Mimecast Data Leak Protection
      • Renamed to Mimecast Data Leak Prevention
      • Dashboard panels added
    • Mimecast Threat Intelligence Feed
      • Dashboards for targeted and regional threat data
    • Mimecast TTP URL
      • 'Category' column displays the category from the logged event

v4.0.2

Enhancements

  • Added support to the DLP input to fetch DLP logs.
  • Updated the SIEM input: SIEM AV log and SIEM Impersonation log.
  • Added support to CIM field mappings for DLP log fields.
  • Added support to CIM field mappings for SIEM AV log fields.
  • Added support for parsing of new 'subject' field from SIEM process, SIEM TTP URL, SIEM TTP AP logs.
  • Added support for parsing of new 'MsgId' field from SIEM process, SIEM TTP URL, SIEM TTP AP, TTP Impersonation logs.
  • Added support for parsing of new `SpamProcessingDetail` field from SIEM receipt logs.

v4.0.1

Enhancements

  • Added support for Splunk v8.0 and later.
  • The code base has been migrated to Python v3, removing support for Python v2.
  • Targeted Threat Protection – URL Protect Dashboard has been changed to:
    • Support to display ‘Category’ and ‘URL’ sparkline charts separately.
    • Add an option to filter logs by the ‘Scan Result’ (All, Malicious and Clean).
    • Support ‘Scan Result’ entries to be displayed in a table with distinct counts.
    • Add support for the URL link table to display three distinct sparklines and related counts, broken down by ‘Scan Result’.
  • SIEM inputs have been changed to fetch and ingest Journal logs. To search for journal logs, the "mcType=email_journal" query is applicable.
  • TTP Impersonation inputs have been changed to support a:
    • ‘impersonationResults’ field on the logs.
    • "Logs to fetch" filtering dropdown list with the following options:
      • All.
      • Tagged Malicious.
      • Not Tagged Malicious.
  • TTP URL Protect inputs have been changed to support a "Logs to fetch" filtering dropdown list with the following options:
    • All.
    • Malicious.
    • Clean.
  • TTP Attachment Protect inputs have been changed to support a "Logs to fetch" filtering dropdown list with the following options:
    • All.
    • Safe.
    • Malicious.
    • Timeout.
    • Error.
    • Unsafe.
  • CIM mappings: SIEM inputs have been changed to support a Hld field from the SIEM process log mapped to the signature field from email CIM.

v3.1.5

Enhancements

  • Improved support for heavy forwarders has been added by providing two configurable event cache settings in the Configuration page's Caching tab. Only one event cache setting should be enabled at any given time, as enabling both results in the "Enable full event cache" option being the effective setting.

Bug Fixes

  • Fixed an issue where the position of the "datetime" field in the event data could potentially cause performance issues with indexing and search.
  • Targeted Threat Protection - Impersonation Protect: Only tagged events are retrieved.

v3.1.4

Enhancements

  • Targeted Threat Protection - Impersonation Protect: Support has been added to retrieve all events, not just those tagged as malicious.

Bug Fixes

  • Indexing workflow: Events are now indexed after a certain number of events have been retrieved.

v3.1.3

Enhancements

  • Targeted Threat Protection - Attachment Protect: Support has been added to retrieve all events, not just those tagged as malicious.
  • Targeted Threat Protection - Impersonation Protect: Support has been added for the input type to collect malicious data.

Bug Fixes

  • An issue with dashboards not displaying data has been fixed.
  • Targeted Threat Protection - Attachment Protect: Fixed an issue where the input type was collecting duplicate data.
  • Targeted Threat Protection - Impersonation Protect: Fixed an issue where the input type was collecting duplicate data.
  • Presentation issues for attachment file names have been addressed.
  • Escape () and quote characters ("") are now removed before ingesting logs into Splunk.

v3.1.2

Bug Fixes

  • Fixed the handling of paged results for the audit data input.

v3.1.1

Enhancements

  • Added support for a new SIEM log format.
  • Added support for Targeted Threat Protection - Impersonation Protect logs.
  • Added support for Targeted Threat Protection - Attachment Protect logs.
  • Added support for adding multiple Mimecast tenants by making an application key and an application ID per input.
  • Added support for better filtering of data by Mimecast tenant by creating a new field called "splunkAccountCode". This is added to all logs prior to being ingested into Splunk.

v3.0.5

Enhancements

  • Added support for the following input sources:
    • Siem.
    • Email.
    • Directory.
    • Journal.
    • Audit.
    • Targeted Threat Protection - URL Protect.
  • Added support for changing the source and expanding Targeted Threat Protection URL data.
  • Added support for setting up and adjusting the existing dashboards to align with the new architecture.
  • Optimized and enhanced the performance of query generation and log download.
  • Upgraded the app to comply with Common Information Model (CIM) v4.10.
  • Added support for mapping the data model to CIM properties.

Bug Fixes

  • Fixed issues from the Splunk AppInspect report.
  • Fixed issues around storage of API credentials.
  • Removed redundant login.py script from the bin folder.
