What this integration is
Mimecast telemetry provides email security signals (policy actions, suspicious messages, detections) that are useful for SOC alerting and investigation.
Data path (how it flows)
Typical flow:
- Mimecast → External Service integration (API collector)
- Events → SIEM storage (Wazuh Indexer / OpenSearch-backed)
- Optional: events → Graylog alert definitions
- Alerts → gl-events* → CoPilot Incident Management → Alerts
- Operator workflow → Cases
What data you get (high level)
- Email security events
- Policy actions / detections (depends on API endpoints enabled)
Setup (wireframe)
- Configure Mimecast under External Services / 3rd Party Integrations.
- Confirm events are tenant-aware.
Success criteria
- You can locate at least one recent Mimecast event
- Events map to the correct customer
Dashboards
- After provisioning, confirm dashboards populate for this customer
Alerts (starter set)
- Spike in blocked/quarantined messages
- Repeated phishing detections for a user
- High-risk sender domains or attachment types (if available)
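The first two starter alerts, worked through as detection logic over a handful of constructed sample events. This is an added example and not code from the integration page, Mimecast, Graylog or CoPilot; the event field names (timestamp, customer, action, category, recipient) and the action values are assumptions chosen for illustration, not the Mimecast API schema. Each rule is evaluated per customer so that a spike in one tenant never raises an alert for another, which is the same tenant-awareness check listed under the success criteria.

```python
"""Starter Mimecast alert logic over constructed sample events.

Added example, not part of the integration page or any vendor project.
Field names and action values below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that mean the message was stopped (assumed vocabulary).
BLOCKING_ACTIONS = {"block", "quarantine"}

# Constructed sample events (not real Mimecast output).
# Customer "acme": six stopped messages in five minutes, three phishing
# detections for the same recipient. Customer "beta": normal volume.
# The last event has no tenant tag, to show how untagged data is handled.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:00:00Z", "customer": "acme", "action": "quarantine", "category": "phishing", "recipient": "alice@acme.example"},
    {"timestamp": "2024-05-01T09:01:00Z", "customer": "acme", "action": "quarantine", "category": "phishing", "recipient": "alice@acme.example"},
    {"timestamp": "2024-05-01T09:02:00Z", "customer": "acme", "action": "block",      "category": "malware",  "recipient": "carol@acme.example"},
    {"timestamp": "2024-05-01T09:03:00Z", "customer": "acme", "action": "quarantine", "category": "phishing", "recipient": "alice@acme.example"},
    {"timestamp": "2024-05-01T09:04:00Z", "customer": "acme", "action": "quarantine", "category": "spam",     "recipient": "dave@acme.example"},
    {"timestamp": "2024-05-01T09:05:00Z", "customer": "acme", "action": "block",      "category": "malware",  "recipient": "carol@acme.example"},
    {"timestamp": "2024-05-01T09:30:00Z", "customer": "acme", "action": "deliver",    "category": "clean",    "recipient": "alice@acme.example"},
    {"timestamp": "2024-05-01T09:00:30Z", "customer": "beta", "action": "quarantine", "category": "phishing", "recipient": "bob@beta.example"},
    {"timestamp": "2024-05-01T09:02:30Z", "customer": "beta", "action": "block",      "category": "spam",     "recipient": "bob@beta.example"},
    {"timestamp": "2024-05-01T09:06:00Z", "customer": None,   "action": "quarantine", "category": "phishing", "recipient": "eve@unknown.example"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def untagged_events(events):
    """Count events that carry no customer (tenant) association.

    A non-zero result means routing/tenant association needs attention
    before the per-customer alerts below can be trusted.
    """
    return sum(1 for e in events if e.get("customer") is None)


def blocked_spike(events, window=timedelta(minutes=10), threshold=5):
    """Alert 1: spike in blocked/quarantined messages.

    Returns {customer: peak_count} for every customer whose number of
    stopped messages inside any sliding window of `window` length
    reaches `threshold`. Untagged events are ignored rather than pooled.
    """
    per_customer = defaultdict(list)
    for e in events:
        if e.get("customer") is None or e["action"] not in BLOCKING_ACTIONS:
            continue
        per_customer[e["customer"]].append(parse_ts(e["timestamp"]))

    alerts = {}
    for customer, times in per_customer.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Slide the left edge forward until the window fits.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[customer] = peak
    return alerts


def repeated_phishing(events, threshold=3):
    """Alert 2: repeated phishing detections for one recipient.

    Returns {(customer, recipient): count} for pairs at or above
    `threshold`. Counting per (customer, recipient) keeps tenants apart.
    """
    counts = defaultdict(int)
    for e in events:
        if e.get("customer") is None or e["category"] != "phishing":
            continue
        counts[(e["customer"], e["recipient"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("untagged events:", untagged_events(SAMPLE_EVENTS))
    print("blocked spike:", blocked_spike(SAMPLE_EVENTS))
    print("repeated phishing:", repeated_phishing(SAMPLE_EVENTS))
```

Thresholds and the window length are tuning knobs; a real deployment would derive them from each customer's normal daily volume rather than the fixed values used here.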
Troubleshooting
- Verify external service is connected/verified
- Confirm API credentials/permissions
- Confirm routing/tenant association
