Help Documentation

Cloud Detection and Response

Mimecast Monitoring

Updated Sep 27, 2023

Configure Mimecast monitoring

You can configure Mimecast® monitoring to receive alerts for suspicious or malicious activity.

To implement Mimecast monitoring, you must provide this information to Arctic Wolf:

Requirements

Steps

  1. Add the API application.
    1. Create the API application.
    2. (Optional) Set up admin IP address ranges.
  2. Configure the API service account user.
    1. Create a service account user.
    2. Assign service account user permissions.
    3. Create a profile group.
    4. Create an API user Authentication Profile.
    5. Create application settings.
  3. Configure 2-Step authentication.
  4. Create API keys.
  5. Verify Mimecast region.
  6. Provide credentials to Arctic Wolf.

Step 1: Add the API application

You may need to wait a maximum of 30 minutes after creating the API application before creating the API keys. Create the API application first, then use the waiting time to configure the API service account user.

Step 1a: Create the API application

Note: Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Cloud Service Integrations.

To add these IP addresses to the Mimecast AllowList, proceed to Set up admin IP address ranges.

  1. In the Administration menu, select Services > API and Platform Integrations.

  2. Under the Available Integrations tab, scroll down to the Arctic Wolf card and click Generate Keys.

    1. Enter a description for this API application in the Description field.
    2. Click Next.

  3. Enter your application settings:

    1. In the Technical Point of Contact field, enter the name of the person who Mimecast should contact if necessary. Usually, this is the active user configuring the API application.
    2. In the Email field, enter the corresponding email for the point of contact.
    3. Click Next.

  4. Verify that your information is correct and that the Status toggle is set to Enabled.

  5. Click Add to create the API application.

  6. Click the application that you created to open the information panel.

  7. Copy the following values to provide to Arctic Wolf in Provide credentials to Arctic Wolf.

    • Application ID
    • Application Key

Note: You may need to wait a maximum of 30 minutes after creating the API application before creating the API keys. In the meantime, proceed to Set up admin IP address ranges if needed, and Configure an API service account user.

Step 1b: Set up admin IP address ranges

This is an optional step. If you are applying any IP restrictions, for example for a public IP range, you must set up admin IP address ranges.

  1. In the Administration menu, select Account > Account Settings.

  2. Click the User Access and Permissions tab.

  3. Add the IP addresses to the Admin IP Ranges field.

    Caution: Do not only add Arctic Wolf IP addresses in this section. This will restrict the login for all other accounts except for Managed Service Providers.

Step 2: Configure an API service account user

To prevent any permissions overrides during the configuration process, create a dedicated service account user. For more information about service accounts and the API application process, see Managing API Applications in the external Mimecast documentation.

Note: If you enabled the default Mimecast administrator authentication profile, Account_Administrators_Authentication_Profile, it overrides the API service account and prevents you from creating the API keys. Contact Mimecast support to temporarily disable this default profile while configuring Arctic Wolf monitoring of your Mimecast environment.

Step 2a: Create a service account user

  1. Sign in to the Mimecast Administration Console.
  2. In the Administration menu, select Directories > Internal Directories.
  3. Select the domain the user will be added to.
  4. Enter the email address for the user.
  5. Create and confirm a password.
  6. Click Save.

Step 2b: Assign service account user permissions

  1. In the Administration menu, select Account > Roles.
  2. Click Basic Administrator.
  3. Click Add User to Role.
  4. Select the email address of the API service user account.

Step 2c: Create a profile group

  1. In the Administration menu, select Directories > Profile Groups.
  2. Click next to the root folder.
  3. Click the new folder to open the Edit Group field, and then rename the folder.
  4. Press Enter to save the new name.
  5. Click Build > Add Email Addresses.
  6. Enter the email address of the service account user in the Group Additions field.
  7. Click Save and Exit.

Step 2d: Create an API user authentication profile

  1. In the Administration menu, select Services > Applications and click Authentication Profiles.
  2. Click New Authentication Profile.
  3. In the 2-Step Authentication list, select SMS.
  4. Click Save and Exit.

Step 2e: Create application settings

  1. On the Applications screen, create an application settings definition by right-clicking Default Application Settings and selecting Clone Configuration.
  2. Assign the profile group and authorization profile you just created to this settings definition. This will apply the settings to the service account.
  3. Click Save and Exit.

Step 3: Configure 2-step authentication

  1. Sign in to Mimecast as the service account user created in Create a service account user.
  2. Register an appropriate phone number that can be used for 2-factor authentication with SMS for the service account:
    1. Click the flag icon to select the correct country code.
    2. Enter the phone number.
    3. Click Next.
    4. Enter the verification code you received.
    5. Click Verify.
  3. Sign out of Mimecast.

Step 4: Create API keys

Notes:

  • You may need to wait a maximum of 30 minutes after creating the API application before creating the API keys.
  • If you enabled the default Mimecast administrator authentication profile, Account_Administrators_Authentication_Profile, it overrides the API service account and prevents you from creating the API keys. Contact Mimecast support to temporarily disable this default profile while configuring Arctic Wolf monitoring of your Mimecast environment.

  1. Sign in to the Mimecast Administration Console with an administrator account.

  2. In the Administration menu, select Services > API and Platform Integrations.

  3. Under the Your Application Integrations tab, select the application that you created as part of Create the API application.

  4. In the information panel, click Create Keys.

  5. In the Email Address field, enter the email address of the service account. This is the email of the account that you used in Create a service account user.

  6. Click Next.

  7. In the Type menu, select Cloud.

  8. In the Password field, enter the password of the service account, and then click Next.

  9. When prompted to verify the service account, follow the instructions on the screen, and then click Next.

  10. Click the eye next to the following keys to reveal the values, and then copy each value to provide to Arctic Wolf in Provide credentials to Arctic Wolf.

    • Access Key
    • Secret Key

    Note: These values are only available to view during key creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create new keys for the API.

  11. Click Finish.

Step 5: Verify Mimecast region

  1. Sign in to the Mimecast Administration Console with an administrator account.
  2. Review the console URL, and note the region. You need this information as part of Provide credentials to Arctic Wolf. For example: login-<region>.mimecast.com/...

Step 6: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Mimecast.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. For each of these fields, paste the appropriate value from Create the API application and Create API keys:
      • Application ID
      • Application Key
      • Access Key
      • Secret Key
    3. From the API base URL list, select the appropriate URL based on the region obtained in Verify Mimecast region.
    4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.