Providing Mimecast credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor security information using the Mimecast API. After you complete this configuration, Arctic Wolf can monitor logs from your Mimecast service.

As part of this configuration, you must provide the following information about your Mimecast API to Arctic Wolf using the Arctic Wolf Portal:

Note: The Access Key and Secret Key are only available to view during key creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create new keys for the API.

Before you begin

You must have:

Creating the API application

To create an API application in the Mimecast web interface:

Note: Depending on your cloud firewall settings, you may need to add firewall exceptions for the Arctic Wolf IP addresses listed under "If Arctic Wolf monitors your Cloud Services" on the Arctic Wolf IP Addresses page in the Arctic Wolf Portal. To add these IP addresses to the Mimecast AllowList, navigate to Administration > Account > Account Settings > User Access and Permissions > Admin IP Ranges.

  1. Sign in to the Mimecast web UI console.

  2. Select Administration Console.

  3. In the Administration menu, select Services > API and Platform Integrations.

  4. Under the Your Application Integrations tab, click Add API Application and then:

    1. Enter a unique, memorable name in the Application Name text box.

    2. Under Category, select either SIEM Integration or Other.

    3. Verify that Enable Extended Session is selected.

    4. Enter a description for this API application in the Description text box.

    5. Click Next.

  5. Enter your application settings:

    1. In the Developer text box, enter the name of the application developer with the Basic Administrator role. Usually, this is the active user configuring the API application.

    2. In the Email text box, enter the corresponding email of the application developer.

    3. Click Next.

  6. Verify that your information is correct and that the Status toggle is set to Enabled.

  7. Click Add to create the API application.

  8. Click on the application that you created to open the information panel.

  9. Copy the following values to a secure location. You must provide these values to Arctic Wolf as part of Providing credentials to Arctic Wolf.

    • Application ID
    • Application Key

  10. Wait at least 30 minutes before proceeding to Creating API keys.

    Note: This is part of the Mimecast application creation time.

Creating API keys

To create API keys for the API application:

Note: You must wait 30 minutes after creating your API application before creating the API keys.

  1. Sign in to the Mimecast web UI console.

  2. Select Administration Console.

  3. In the Administration menu, select Services > API and Platform Integrations.

  4. Under the Your Application Integrations tab, select the application that you created as part of Creating the API application.

  5. In the information panel, select Create Keys.

  6. In the Email Address text box, enter the email address of the service account. This is the email of the account that is signed in to Mimecast.

    Note: Mimecast only supports SMS or email 2-factor authentication (2FA). If this email address uses a 2FA method that Mimecast does not support, Mimecast does not allow you to create API keys under this account. To resolve this issue, either reach out to the Mimecast Support Team or change the administrative authentication profile of the service account to use a supported 2FA method and then create the API keys. You can change the 2FA method back after the API keys are created.

  7. Click Next.

  8. In the Type menu, select Cloud.

  9. In the Password text box, enter the password of the service account from step 6, and then click Next.

  10. When prompted to verify the service account, follow the instructions on the screen, and then click Next.

  11. Copy the following values to a secure location. You need to provide these values to Arctic Wolf as part of Providing credentials to Arctic Wolf.

    • Access Key
    • Secret Key

    Note: These values are only available to view during key creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create new keys for the API.

Providing credentials to Arctic Wolf

To provide your credentials to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Mimecast from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste these values:

      • Application ID
      • Application Key
      • Access Key
      • Secret Key

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your Mimecast API, the status of your Mimecast credentials changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.