
Mimecast Monitoring

Updated Apr 4, 2024

Configure Mimecast for Arctic Wolf monitoring

You can configure Mimecast to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

Steps

  1. Create the API application.
  2. Configure the API service account user.
  3. (Optional) Temporarily disable SAML authentication.
  4. Configure 2-step authentication with SMS.
  5. Create API keys.
  6. (Optional) Revert to previous authentication methods.
  7. Provide your Mimecast credentials to Arctic Wolf.

Step 1: Create the API Application

Note: Based on your cloud firewall settings, add firewall exceptions for Arctic Wolf IP addresses if necessary. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click > Allowlist Requirements, and then view the IP addresses in the section for your product.

  1. Sign in to the Mimecast Administration Console.

  2. In the Administration menu, click Services > API and Platform Integrations.

  3. On the Available Integrations tab, for the Arctic Wolf integration, click Generate Keys.

  4. In the Description field, enter a description for this API application.

  5. Click Next.

  6. Configure these settings:

    • Technical Point of Contact — Enter the name of the person whom Mimecast should contact if necessary, for example, the active user configuring the API application.
    • Email — Enter the corresponding email for the point of contact.

  7. Click Next.

  8. Verify that your information is correct, and then click the Status toggle to the Enabled position.

  9. Click Add.

  10. Click the application that you created to open the information panel.

  11. Copy the Application ID and Application Key to a safe, encrypted location to provide to Arctic Wolf later.

  12. (Optional) Set admin IP address ranges:

    Note: You must set admin IP address ranges to apply IP address restrictions, such as a public IP address range.

    1. In the Administration menu, click Account > Account Settings.
    2. In the User Access and Permissions tab, in the Admin IP Ranges field, enter the IP addresses.

      Caution: Don't enter only Arctic Wolf IP addresses. Doing so restricts sign-ins for all other accounts, except Managed Service Providers.
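
The caution above can be checked before you save the Admin IP Ranges field. The following is an added example, not part of the Arctic Wolf or Mimecast documentation: it assumes the field takes CIDR ranges, uses constructed placeholder addresses from documentation ranges instead of the real Allowlist Requirements values, and does not model the Managed Service Provider exemption.

```python
import ipaddress

def check_admin_ip_ranges(proposed, arctic_wolf_ips, admin_egress_ips):
    """Check a proposed Admin IP Ranges list before saving it.

    proposed         -- CIDR strings you plan to enter (format is an assumption)
    arctic_wolf_ips  -- addresses from Allowlist Requirements in the portal
    admin_egress_ips -- public addresses your own administrators sign in from
    """
    networks = [ipaddress.ip_network(r.strip(), strict=False) for r in proposed]

    def covered(addr):
        ip = ipaddress.ip_address(addr)
        # Membership is always False when IPv4/IPv6 versions differ.
        return any(ip in net for net in networks)

    if not networks:
        # No ranges set means no IP restriction is applied at all.
        return {"restricted": False, "locked_out_admins": [],
                "missing_arctic_wolf": [], "all_admins_locked_out": False}

    locked_out = [a for a in admin_egress_ips if not covered(a)]
    missing_aw = [a for a in arctic_wolf_ips if not covered(a)]
    return {
        "restricted": True,
        "locked_out_admins": locked_out,
        "missing_arctic_wolf": missing_aw,
        # The case the caution warns about: nobody on your side can sign in.
        "all_admins_locked_out": bool(admin_egress_ips)
        and len(locked_out) == len(admin_egress_ips),
    }

# Constructed sample data using RFC 5737 documentation addresses.
ARCTIC_WOLF_IPS = ["192.0.2.10", "192.0.2.11"]        # placeholders
ADMIN_EGRESS_IPS = ["198.51.100.25", "203.0.113.7"]   # placeholders
ONLY_ARCTIC_WOLF = ["192.0.2.10/32", "192.0.2.11/32"]
COMBINED = ONLY_ARCTIC_WOLF + ["198.51.100.0/24", "203.0.113.7"]

if __name__ == "__main__":
    for name, ranges in [("only Arctic Wolf", ONLY_ARCTIC_WOLF),
                         ("combined", COMBINED)]:
        print(name, check_admin_ip_ranges(ranges, ARCTIC_WOLF_IPS, ADMIN_EGRESS_IPS))
```

A non-empty `locked_out_admins` or `missing_arctic_wolf` list means the ranges should be corrected before saving.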

Step 2: Configure the API service account user

To prevent permission overrides during the configuration process, create a dedicated service account user. For more information, see Managing API Applications.

  1. Sign in to the Mimecast Administration Console.
  2. Create a service account user:
    1. In the Administration menu, click Directories > Internal Directories.
    2. Select the domain the user will be added to.
    3. Enter the email address for the user.
    4. Create and confirm a password.
    5. Click Save.
  3. Assign the service account user permissions:
    1. In the Administration menu, click Account > Roles.
    2. Click Basic Administrator.
    3. Click Add User to Role.
    4. Select the email address of the API service user account.

Step 3: Temporarily disable SAML authentication

This step is optional.

If your API service account uses an authentication profile with SAML authentication, you must temporarily disable it in favor of 2-step authentication with SMS to create the API keys. After creating the API keys, you can revert to the previous SAML authentication method.

Note: If you enabled the default Administrator Authentication Profile, Account_Administrators_Authentication_Profile, then all accounts with the Basic Administrator role use this default authentication profile. For more information, see Email Security Cloud Gateway - Administrator Authentication Profiles.

  1. Sign in to the Mimecast Administration Console.

  2. In the Administration menu, click Services > Applications.

  3. Click Authentication Profiles and select the administrator authentication profile that applies to the service account user you just created.

    Tip: If you enabled the default Administrator Authentication Profile, select Account_Administrators_Authentication_Profile.

  4. In the settings dialog:

    1. Make sure that Allow Cloud Authentication is set to Allow Always.
    2. Set 2-Step Authentication to SMS.
    3. Record the values in the SAML-related fields, and then disable the Enforce SAML Authentication for Administration Console option.
    4. Click Save and Exit.

Note: Keep this tab open so that you can revert the authentication method to SAML after creating the API keys. The settings automatically repopulate and save when you re-enable Enforce SAML Authentication for Administration Console.

Step 4: Configure 2-step authentication with SMS

You must configure 2-step authentication with SMS to create the API keys. After creating the API keys, you can revert to your previous authentication method.

  1. In a new browser tab, sign in to the Mimecast Administration Console as the service account user created in Configure the API service account user.
  2. Register a phone number for the service account that can be used for 2-step authentication with SMS:
    1. Click the flag icon to select the correct country code.
    2. Enter the phone number.
    3. Click Next.
    4. Enter the verification code sent to the registered phone number.
    5. Click Verify.
  3. Sign out of Mimecast.
  4. Return to the previous browser tab.

Step 5: Create API keys

Notes:

  • You might need to wait up to 30 minutes after creating the API application before creating the API keys.
  • If your organization uses SAML authentication methods to access Mimecast, you must complete the Temporarily disable SAML authentication steps before creating the API keys.
  • You must configure 2-step authentication with SMS for the service account to create the API keys. For instructions, see Configure 2-step authentication with SMS.

  1. In the browser tab that you just returned to, in the Administration menu, click Services > API and Platform Integrations.

  2. In the Your Application Integrations tab, select the application that you created in Create the API application.

  3. In the information pane, click Create Keys.

  4. In the Email Address field, enter the email address for the service account that you created in Configure the API service account user.

  5. Click Next.

  6. In the Type menu, click Cloud.

  7. In the Password field, enter the service account password, and then click Next.

  8. Follow the prompts to verify the service account, and then click Next.

  9. Click the eye next to Access Key and Secret Key to reveal each value.

  10. Copy the Access Key and Secret Key values and save them in a safe, encrypted location to provide to Arctic Wolf later.

    Note: The Access Key and Secret Key values are only available to view during key creation. If this information is lost before it is submitted on the Arctic Wolf Unified Portal, you must create new API keys.

  11. Click Finish.

Step 6: Revert to previous authentication method

This step is optional.

After creating and saving the API keys, you can disable 2-step authentication with SMS and revert to your previous SAML or other authentication method.

  1. In the same browser tab, in the Administration menu, click Services > Applications.

  2. Click Authentication Profiles and select the administrator authentication profile that you previously edited, such as Account_Administrators_Authentication_Profile.

  3. In the settings dialog, revert the settings to your previous configuration.

    Notes:

    • After you enable Enforce SAML Authentication for Administration Console, your previous SAML authentication settings repopulate and save.
    • If you receive an error that the metadata URL does not match, click Import next to the Metadata URL field in the Domain Authentication Mechanisms section.

  4. Click Save and Exit.

Step 7: Provide your Mimecast credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage. For more information, see MDR polling frequency.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, click Mimecast.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Application ID — Enter the application ID from Create the API application.

    • Application Key — Enter the application key from Create the API application.

    • Access Key — Enter the access key from Create API keys.

    • Secret Key — Enter the secret key from Create API keys.

    • API Base URL — Select the appropriate URL based on the region. For more information, see Mimecast Global Base URLs.

      Note: If you are located in the UK, you must use the EU URL.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.