Providing Mimecast Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor security information using the Mimecast API. After you complete this configuration, Arctic Wolf can monitor logs from your Mimecast service.

As part of this configuration, you must provide the following information about your Mimecast API to Arctic Wolf using the Arctic Wolf Portal:

  • Application ID
  • Application Key
  • Access Key
  • Secret Key

Note: The Access Key and Secret Key are only available to view during key creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create new keys for the API.

Before you begin

You must have a Mimecast plan with a Targeted Threat Protection (TTP) license. See Mimecast Plans for more information on which plans include the TTP license.

Creating a service account user

To prevent any permission overrides during the configuration process, create a dedicated service account user. The service account user does not need mailbox access. For more information about service accounts and the API application process, see Managing API Applications.

To create a new service account user:

  1. Sign in to the Mimecast Administration Console.

  2. In the Administration menu, select Directories > Internal Directories.

  3. Select the domain the user will be added to.

  4. Enter the email address for the user.

  5. Create and confirm a password.

  6. Click Save.

  7. Proceed to Creating a profile group.

Creating a profile group

To create a profile group for your new service account user:

  1. In the Administration menu, select Directories > Profile Groups.

  2. Click on the + icon next to the root folder.

  3. Click on the new folder to open the Edit Group text box and rename the folder.

  4. Press Enter to save the new name.

  5. Click Build > Add Email Addresses.

  6. Enter the service account user's email address in the Group Additions text box.

  7. Click Save and Exit.

  8. Proceed to Creating an API user Authentication Profile.

Creating an API user Authentication Profile

To create an Authentication Profile:

  1. In the Administration menu, select Services > Applications and click Authentication Profiles.

  2. Click New Authentication Profile.

  3. Disable all SAML and 2FA options.

  4. Set the Authentication TTL to Never Expire.

  5. Click Save and Exit.

  6. Proceed to Creating application settings.

Creating application settings

  1. On the Applications screen, create an application settings definition by right-clicking Default Application Settings and selecting Clone Configuration.

  2. Assign the profile group and authorization profile you just created to this settings definition. This will apply the settings to the service account.

  3. Click Save and Exit.

  4. Proceed to Creating the API application.

Creating the API application

To create an API application:

Note: Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see a complete list of IP addresses that you must AllowList, go to the Arctic Wolf Portal, click on your organization name, and select Arctic Wolf IP Addresses. The IP addresses that must be AllowListed are listed under If Arctic Wolf monitors your Cloud Services.

To add these IP addresses to the Mimecast AllowList, proceed to Setting up admin IP address ranges.

  1. In the Administration menu, select Services > API and Platform Integrations.

  2. Under the Available Integrations tab, scroll down to the Arctic Wolf card and click Generate Keys.

    1. Enter a description for this API application in the Description text box.

    2. Click Next.

  3. Enter your application settings:

    1. In the Technical Point of Contact text box, enter the name of the person who Mimecast should contact if necessary. Usually, this is the active user configuring the API application.

    2. In the Email text box, enter the corresponding email for the point of contact.

    3. Click Next.

  4. Verify that your information is correct and that the Status toggle is set to Enabled.

  5. Click Add to create the API application.

  6. Click on the application that you created to open the information panel.

  7. Copy the following values to provide to Arctic Wolf in Providing credentials to Arctic Wolf.

    • Application ID
    • Application Key

  8. Wait at least 30 minutes before proceeding to Creating API keys.

    Note: This is part of the Mimecast application creation time.

  9. While waiting, proceed to Setting up admin IP address ranges.

Setting up admin IP address ranges

If you are applying any IP restrictions, for example, for a public IP range, you must set up admin IP address ranges. If there are no restrictions, no action is required.

To set up admin IP address ranges:

  1. In the Administration menu, select Account > Account Settings.

  2. Click to expand the User Access and Permissions tab. Add the IP addresses to the Admin IP Ranges text box.

    Note: Do not add only the Arctic Wolf IP addresses in this section. Doing so restricts sign-in for all other accounts except for Managed Service Providers.
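
The lockout described in the note above can be checked before the list is saved. The following Python sketch is an added example, not Arctic Wolf or Mimecast code; it assumes the entries are written one IP address or CIDR range per line, and every address in it is a constructed placeholder taken from the documentation ranges.

```python
import ipaddress

def parse_ranges(text):
    """Parse one IP or CIDR per line (assumed format); '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def covered(net, candidates):
    """True if net lies inside at least one candidate network."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)

def review_admin_ranges(proposed, vendor, admin_sources):
    """Return a list of problems found in the proposed Admin IP Ranges."""
    proposed_nets = parse_ranges(proposed)
    vendor_nets = parse_ranges(vendor)
    problems = []
    # Every monitoring address from the portal must be allowed.
    for v in vendor_nets:
        if not covered(v, proposed_nets):
            problems.append(f"vendor range not covered: {v}")
    # Every address your own administrators sign in from must be allowed.
    for src in admin_sources:
        ip = ipaddress.ip_address(src)
        if not any(ip in p for p in proposed_nets):
            problems.append(f"administrator source would be locked out: {ip}")
    # A list made up only of vendor addresses is the case the note warns about.
    if proposed_nets and all(covered(p, vendor_nets) for p in proposed_nets):
        problems.append("list contains only vendor ranges")
    return problems

# Constructed sample data (placeholders, not real Arctic Wolf addresses).
VENDOR = "192.0.2.10\n192.0.2.11"
ADMIN_SOURCES = ["203.0.113.5", "198.51.100.77"]  # office egress, VPN
BAD = VENDOR
GOOD = VENDOR + "\n203.0.113.0/28  # office\n198.51.100.77  # VPN"

if __name__ == "__main__":
    for name, proposed in (("BAD", BAD), ("GOOD", GOOD)):
        issues = review_admin_ranges(proposed, VENDOR, ADMIN_SOURCES)
        print(name, issues or "ok")
```
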

Creating API keys

To create API keys for the API application:

Note: You must wait 30 minutes after creating your API application before creating the API keys.

  1. Sign in to the Mimecast web UI console.

  2. Select Administration Console.

  3. In the Administration menu, select Services > API and Platform Integrations.

  4. Under the Your Application Integrations tab, select the application that you created as part of Creating the API application.

  5. In the information panel, select Create Keys.

  6. In the Email Address text box, enter the email address of the service account. This is the email of the account that you used in Creating a service account user.

  7. Click Next.

  8. In the Type menu, select Cloud.

  9. In the Password text box, enter the password of the service account, and then click Next.

  10. When prompted to verify the service account, follow the instructions on the screen, and then click Next.

  11. Click the eye next to the following keys to reveal the values, and then copy each value to provide to Arctic Wolf in Providing credentials to Arctic Wolf.

    • Access Key
    • Secret Key

    Note: These values are only available to view during key creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create new keys for the API.

  12. Click Finish.

  13. Proceed to Assigning API service account permissions.

Assigning API service account permissions

Now that key creation is complete, assign the administrator role to the service account:

  1. In the Administration menu, select Account > Roles.

  2. Click the Basic Administrator role.

  3. Click Add User to Role.

  4. Select the email address of the API service user account.

  5. Proceed to Providing credentials to Arctic Wolf.

Providing credentials to Arctic Wolf

To provide your credentials to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Mimecast from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Enter the values obtained in Creating the API application and Creating API keys:

      • Application ID
      • Application Key
      • Access Key
      • Secret Key

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.