[SOAR-18655] Mimecast V2 (#3063)

* Initial plugin

* Initial plugin

plugins/mimecast_v2/.CHECKSUM

@@ -0,0 +1,15 @@
+{
+	"spec": "4f06521e5c8a2a4506cf3cda093ee4ad",
+	"manifest": "e0e42959bee1c96589545b1afb0b1f61",
+	"setup": "ea867af34e3163ba06ef9660ec9023fc",
+	"schemas": [
+		{
+			"identifier": "connection/schema.py",
+			"hash": "8918ffcfac8cbf4e1b5696cb9dd9ddaf"
+		},
+		{
+			"identifier": "monitor_siem_logs/schema.py",
+			"hash": "0a566c7d94e6689de4d0528d24470b94"
+		}
+	]
+}

plugins/mimecast_v2/.dockerignore

@@ -0,0 +1,9 @@
+unit_test/**/*
+unit_test
+examples/**/*
+examples
+tests
+tests/**/*
+**/*.json
+**/*.tar
+**/*.gz

plugins/mimecast_v2/Dockerfile

@@ -0,0 +1,20 @@
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.3
+
+LABEL organization=rapid7
+LABEL sdk=python
+
+WORKDIR /python/src
+
+ADD ./plugin.spec.yaml /plugin.spec.yaml
+ADD ./requirements.txt /python/src/requirements.txt
+
+RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+ADD . /python/src
+
+RUN pip install .
+
+# User to run plugin code. The two supported users are: root, nobody
+USER nobody
+
+ENTRYPOINT ["/usr/local/bin/icon_mimecast_v2"]

plugins/mimecast_v2/Makefile

@@ -0,0 +1,53 @@
+# Include other Makefiles for improved functionality
+INCLUDE_DIR = ../../tools/Makefiles
+MAKEFILES := $(wildcard $(INCLUDE_DIR)/*.mk)
+# We can't guarantee customers will have the include files
+# - prefix to ignore Makefiles when not present
+# https://www.gnu.org/software/make/manual/html_node/Include.html
+-include $(MAKEFILES)
+
+ifneq ($(MAKEFILES),)
+  $(info [$(YELLOW)*$(NORMAL)] Use ``make menu`` for available targets)
+  $(info [$(YELLOW)*$(NORMAL)] Including available Makefiles: $(MAKEFILES))
+  $(info --)
+else
+  $(warning Makefile includes directory not present: $(INCLUDE_DIR))
+endif
+
+VERSION?=$(shell grep '^version: ' plugin.spec.yaml | sed 's/version: //')
+NAME?=$(shell grep '^name: ' plugin.spec.yaml | sed 's/name: //')
+VENDOR?=$(shell grep '^vendor: ' plugin.spec.yaml | sed 's/vendor: //')
+CWD?=$(shell basename $(PWD))
+_NAME?=$(shell echo $(NAME) | awk '{ print toupper(substr($$0,1,1)) tolower(substr($$0,2)) }')
+PKG=$(VENDOR)-$(NAME)-$(VERSION).tar.gz
+
+# Set default target explicitly. Make's default behavior is the first target in the Makefile.
+# We don't want that behavior due to includes which are read first
+.DEFAULT_GOAL := default # Make >= v3.80 (make -version)
+
+
+default: image tarball
+
+tarball:
+	$(info [$(YELLOW)*$(NORMAL)] Creating plugin tarball)
+	rm -rf build
+	rm -rf $(PKG)
+	tar -cvzf $(PKG) --exclude=$(PKG) --exclude=tests --exclude=run.sh *
+
+image:
+	$(info [$(YELLOW)*$(NORMAL)] Building plugin image)
+	docker build --pull -t $(VENDOR)/$(NAME):$(VERSION) .
+	docker tag $(VENDOR)/$(NAME):$(VERSION) $(VENDOR)/$(NAME):latest
+
+regenerate:
+	$(info [$(YELLOW)*$(NORMAL)] Refreshing schema from plugin.spec.yaml)
+	insight-plugin refresh
+
+export: image
+	$(info [$(YELLOW)*$(NORMAL)] Exporting docker image)
+	@printf "\n ---> Exporting Docker image to ./$(VENDOR)_$(NAME)_$(VERSION).tar\n"
+	@docker save $(VENDOR)/$(NAME):$(VERSION) | gzip > $(VENDOR)_$(NAME)_$(VERSION).tar
+
+# Make will not run a target if a file of the same name exists unless setting phony targets
+# https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html
+.PHONY: default tarball image regenerate

plugins/mimecast_v2/bin/icon_mimecast_v2

@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+import os
+import json
+from sys import argv
+
+Name = "Mimecast V2"
+Vendor = "rapid7"
+Version = "1.0.0"
+Description = "[Mimecast](https://www.mimecast.com) is a set of cloud services designed to provide next generation protection against advanced email-borne threats such as malicious URLs, malware, impersonation attacks, as well as internally generated threats, with a focus on email security. This plugin utilizes the [Mimecast API](https://www.mimecast.com/developer/documentation)"
+
+
+def main():
+    if 'http' in argv:
+        if os.environ.get("GUNICORN_CONFIG_FILE"):
+            with open(os.environ.get("GUNICORN_CONFIG_FILE")) as gf:
+                gunicorn_cfg = json.load(gf)
+                if gunicorn_cfg.get("worker_class", "sync") == "gevent":
+                    from gevent import monkey
+                    monkey.patch_all()
+        elif 'gevent' in argv:
+            from gevent import monkey
+            monkey.patch_all()
+
+    import insightconnect_plugin_runtime
+    from icon_mimecast_v2 import connection, actions, triggers, tasks
+
+    class ICONMimecastV2(insightconnect_plugin_runtime.Plugin):
+        def __init__(self):
+            super(self.__class__, self).__init__(
+                name=Name,
+                vendor=Vendor,
+                version=Version,
+                description=Description,
+                connection=connection.Connection()
+            )
+            self.add_task(tasks.MonitorSiemLogs())
+
+
+    """Run plugin"""
+    cli = insightconnect_plugin_runtime.CLI(ICONMimecastV2())
+    cli.run()
+
+
+if __name__ == "__main__":
+    main()

plugins/mimecast_v2/help.md

@@ -0,0 +1,114 @@
+# Description
+
+[Mimecast](https://www.mimecast.com) is a set of cloud services designed to provide next generation protection against advanced email-borne threats such as malicious URLs, malware, impersonation attacks, as well as internally generated threats, with a focus on email security. This plugin utilizes the [Mimecast API](https://www.mimecast.com/developer/documentation)
+
+# Key Features
+
+* Email security
+* Malicious URL and attachment detection
+
+# Requirements
+
+* Mimecast 2.0 Application Client ID
+* Mimecast 2.0 Application Client Secret
+
+# Supported Product Versions
+
+* Mimecast 2.0 API 2025-01-23
+
+# Documentation
+
+## Setup
+
+The connection configuration accepts the following parameters:  
+
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|client_id|credential_secret_key|None|True|The Mimecast 2.0 Application Client ID|None|ZA7vkbu7NqcfBcGrXyWW8Rzk2sv2un2DCY7GGCX4BFWgJBZM|None|None|
+|client_secret|credential_secret_key|None|True|The Mimecast 2.0 Application Client Secret|None|ohknqKJpCd99XTkHjeVuc2TgYaKWrWn4tEEHCLkXFZhFgDRdcpNGVx3EipX2CvmE|None|None|
+
+Example input:
+
+```
+{
+  "client_id": "ZA7vkbu7NqcfBcGrXyWW8Rzk2sv2un2DCY7GGCX4BFWgJBZM",
+  "client_secret": "ohknqKJpCd99XTkHjeVuc2TgYaKWrWn4tEEHCLkXFZhFgDRdcpNGVx3EipX2CvmE"
+}
+```
+
+## Technical Details
+
+### Actions
+
+*This plugin does not contain any actions.*
+### Triggers
+
+*This plugin does not contain any triggers.*
+### Tasks
+
+
+#### Monitor SIEM Logs
+
+This task is used to monitor and retrieve the latest logs
+
+##### Input
+
+*This task does not contain any inputs.*
+
+##### Output
+
+|Name|Type|Required|Description|Example|
+| :--- | :--- | :--- | :--- | :--- |
+|data|[]object|True|List of logs|[{"processingId": "processingId", "aggregateId": "aggregateId", "spamProcessingDetail": "Spam Processing Detail", "numberAttachments": "1", "subject": "siem_recipient - email subject line", "tlsVersion": "TLSv1.2", "senderEnvelope": "[email protected]", "messageId": "messageId", "senderHeader": "[email protected]", "rejectionType": "rejectionType", "eventType": "receipt", "accountId": "C0A0", "recipients": "[email protected]", "tlsCipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "action": "Allow", "subType": "Allow", "spamInfo": None, "senderIp": "123.123.123.123", "timestamp": 1689685338597, "direction": "Inbound", "spamScore": "0", "spamDetectionLevel": "0"}]|
+
+Example output:
+
+```
+{
+  "data": [
+    {
+      "accountId": "C0A0",
+      "action": "Allow",
+      "aggregateId": "aggregateId",
+      "direction": "Inbound",
+      "eventType": "receipt",
+      "messageId": "messageId",
+      "numberAttachments": "1",
+      "processingId": "processingId",
+      "recipients": "[email protected]",
+      "rejectionType": "rejectionType",
+      "senderEnvelope": "[email protected]",
+      "senderHeader": "[email protected]",
+      "senderIp": "123.123.123.123",
+      "spamDetectionLevel": "0",
+      "spamInfo": null,
+      "spamProcessingDetail": "Spam Processing Detail",
+      "spamScore": "0",
+      "subType": "Allow",
+      "subject": "siem_recipient - email subject line",
+      "timestamp": 1689685338597,
+      "tlsCipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "tlsVersion": "TLSv1.2"
+    }
+  ]
+}
+```
+
+### Custom Types
+
+*This plugin does not contain any custom output types.*
+
+## Troubleshooting
+
+
+# Version History
+
+* 1.0.0 - Initial plugin
+
+# Links
+
+* [Mimecast](http://mimecast.com)
+
+## References
+
+* [Mimecast API](https://www.mimecast.com/developer/documentation)

plugins/mimecast_v2/icon_mimecast_v2/__init__.py

@@ -0,0 +1 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT

plugins/mimecast_v2/icon_mimecast_v2/actions/__init__.py

@@ -0,0 +1,2 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+

plugins/mimecast_v2/icon_mimecast_v2/connection/__init__.py

@@ -0,0 +1,2 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+from .connection import Connection

plugins/mimecast_v2/icon_mimecast_v2/connection/connection.py

@@ -0,0 +1,20 @@
+import insightconnect_plugin_runtime
+from .schema import ConnectionSchema, Input
+# Custom imports below
+
+
+class Connection(insightconnect_plugin_runtime.Connection):
+
+    def __init__(self):
+        super(self.__class__, self).__init__(input=ConnectionSchema())
+
+    def connect(self, params):
+        self.logger.info("Connect: Connecting...")
+        # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION
+        self.cleint_secret = params.get(Input.CLEINT_SECRET)
+        self.client_id = params.get(Input.CLIENT_ID)
+        # END INPUT BINDING - DO NOT REMOVE
+
+    def test(self):
+        # TODO: Implement connection test
+        pass

plugins/mimecast_v2/icon_mimecast_v2/connection/schema.py

@@ -0,0 +1,58 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+import insightconnect_plugin_runtime
+import json
+
+
+class Input:
+    CLIENT_ID = "client_id"
+    CLIENT_SECRET = "client_secret"
+
+
+class ConnectionSchema(insightconnect_plugin_runtime.Input):
+    schema = json.loads(r"""
+   {
+  "type": "object",
+  "title": "Variables",
+  "properties": {
+    "client_id": {
+      "$ref": "#/definitions/credential_secret_key",
+      "title": "Client ID",
+      "description": "The Mimecast 2.0 Application Client ID",
+      "order": 1
+    },
+    "client_secret": {
+      "$ref": "#/definitions/credential_secret_key",
+      "title": "Client Secret",
+      "description": "The Mimecast 2.0 Application Client Secret",
+      "order": 2
+    }
+  },
+  "required": [
+    "client_id",
+    "client_secret"
+  ],
+  "definitions": {
+    "credential_secret_key": {
+      "id": "credential_secret_key",
+      "type": "object",
+      "title": "Credential: Secret Key",
+      "description": "A shared secret key",
+      "required": [
+        "secretKey"
+      ],
+      "properties": {
+        "secretKey": {
+          "type": "string",
+          "title": "Secret Key",
+          "description": "The shared secret key",
+          "format": "password",
+          "displayType": "password"
+        }
+      }
+    }
+  }
+}
+    """)
+
+    def __init__(self):
+        super(self.__class__, self).__init__(self.schema)

plugins/mimecast_v2/icon_mimecast_v2/tasks/__init__.py

@@ -0,0 +1,4 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+
+from .monitor_siem_logs.task import MonitorSiemLogs
+

plugins/mimecast_v2/icon_mimecast_v2/tasks/monitor_siem_logs/__init__.py

@@ -0,0 +1,2 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+from .task import MonitorSiemLogs