[mimecast] add geo.ip support for siem logs, keep email.drection lowc…

[djordje-adzemovic-devtech]

…ase and use email.to.adress insread email.user for ttp-url logs

What does this PR do?

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-04-21T08:30:33.378+0000

• Duration: 20 min 39 sec

Test stats 🧪

Test	Results
Failed	0
Passed	61
Skipped	0
Total	61

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[andrewkroh]

/test

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

This needs elastic-package build.

[efd6]

/test

[efd6]

Is there a reason not to keep the user name/domain in TTP as well as adding the email.to.address?

[djordje-adzemovic-devtech]

@efd6 That is request from Mimecast. They said to change that because in the ttp-ap for searching malicious logs they use email.to.address and email.from.address so they request change in order to keep searching consistent. And they also said to remove user.domain and user.name and accidentally removed user.email also so now I put that back.

[efd6]

Thanks for the explanation.