Providing Mimecast Credentials to Arctic Wolf

Configuration Guide

Updated Feb 24, 2023

Overview

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor security information using the Mimecast API. After you complete this configuration, Arctic Wolf can monitor logs from your Mimecast service.

As part of this configuration, you must provide the following information about your Mimecast API to Arctic Wolf using the Arctic Wolf Portal:

  • Application ID
  • Application Key
  • Access Key
  • Secret Key

Note: The Access Key and Secret Key are only available to view during key creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create new keys for the API.

Before you begin

You must have a Mimecast plan with a Targeted Threat Protection (TTP) license. See Mimecast Plans for more information on which plans include the TTP license.

If you have not already done so, you must also configure a password and SMS multi-factor authentication (MFA) for your Mimecast administrator account:

  1. Sign in to the Mimecast Administration Console.
  2. In the Administration menu, select Directories > Internal Directories.
  3. Select the domain and email of your administrator account.
  4. Create and confirm an appropriate password.
  5. Click Save and Exit.

Create a service account user

To prevent any permissions overrides during the configuration process, create a dedicated service account user. The service account user does not need mailbox access. For more information about service accounts and the API application process, see Managing API Applications in the external Mimecast documentation.

To create a new service account user:

  1. Sign in to the Mimecast Administration Console.
  2. In the Administration menu, select Directories > Internal Directories.
  3. Select the domain the user will be added to.
  4. Enter the email address for the user.
  5. Create and confirm a password.
  6. Click Save.
  7. Proceed to Create a profile group.

Create a profile group

  1. In the Administration menu, select Directories > Profile Groups.
  2. Click the icon next to the root folder.
  3. Click the new folder to open the Edit Group text box, and then rename the folder.
  4. Press Enter to save the new name.
  5. Click Build > Add Email Addresses.
  6. Enter the email address of the service account user in the Group Additions text box.
  7. Click Save and Exit.
  8. Proceed to Create an API user Authentication Profile.

Create an API user Authentication Profile

  1. In the Administration menu, select Services > Applications and click Authentication Profiles.
  2. Click New Authentication Profile.
  3. In the 2-Step Authentication list, select SMS.
  4. In the Authentication TTL list, select Never Expire.
  5. Click Save and Exit.
  6. Proceed to Configure 2-Step authentication for service account user.

Configure 2-Step authentication for service account user

  1. Sign in to Mimecast as the service account user created in Create a service account user.
  2. Register an appropriate phone number that can be used for multi-factor authentication (MFA) with SMS for the service account.
    1. Click the flag icon to select the correct country code.
    2. Enter the phone number.
    3. Click Next.
    4. Enter the verification code you received.
    5. Click Verify.
  3. Proceed to Create application settings.

Create application settings

  1. On the Applications screen, create an application settings definition by right-clicking Default Application Settings and selecting Clone Configuration.
  2. Assign the profile group and authorization profile you just created to this settings definition. This will apply the settings to the service account.
  3. Click Save and Exit.
  4. Proceed to Create the API application.

Create the API application

Note: Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under If Arctic Wolf monitors your Cloud Services.

To add these IP addresses to the Mimecast AllowList, proceed to Set up admin IP address ranges.

  1. In the Administration menu, select Services > API and Platform Integrations.

  2. Under the Available Integrations tab, scroll down to the Arctic Wolf card and click Generate Keys.

    1. Enter a description for this API application in the Description text box.

    2. Click Next.

  3. Enter your application settings:

    1. In the Technical Point of Contact text box, enter the name of the person who Mimecast should contact if necessary. Usually, this is the active user configuring the API application.

    2. In the Email text box, enter the corresponding email for the point of contact.

    3. Click Next.

  4. Verify that your information is correct and that the Status toggle is set to Enabled.

  5. Click Add to create the API application.

  6. Click the application that you created to open the information panel.

  7. Copy the following values to provide to Arctic Wolf in Provide credentials to Arctic Wolf.

    • Application ID
    • Application Key

  8. Wait at least 30 minutes before proceeding to Create API keys.

    Note: This is part of the Mimecast application creation time.

  9. (Optional) While waiting, proceed to Set up admin IP address ranges.

Set up admin IP address ranges

If you are applying any IP restrictions, for example for a public IP range, you must set up admin IP address ranges. Otherwise, no action is required and you can proceed to Create API keys.

To set up admin IP address ranges:

  1. In the Administration menu, select Account > Account Settings.

  2. Click to expand the User Access and Permissions tab. Add the IP addresses to the Admin IP Ranges text box.

    Caution: Do not add only the Arctic Wolf IP addresses in this section. Doing so restricts login for all other accounts except Managed Service Providers.
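
A pre-change check for the caution above, as an added example that is not part of the original guide: it reports which of your own administrator source addresses fall outside a proposed Admin IP Ranges list. The one-CIDR-per-line input format, the function names, and all addresses (documentation ranges) are assumptions; the real Arctic Wolf ranges come from the Arctic Wolf Portal.

```python
import ipaddress

# Constructed sample data. 192.0.2.0/28 stands in for the ranges listed in the
# Arctic Wolf Portal; the other addresses stand in for your own admin egress IPs.
ADMIN_SOURCES = ["198.51.100.10", "203.0.113.25"]
VENDOR_ONLY = "192.0.2.0/28\n"
VENDOR_PLUS_ADMINS = "192.0.2.0/28\n198.51.100.0/24\n203.0.113.25/32\n"


def parse_ranges(text):
    """Parse one range per line; return (networks, entries that failed to parse)."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 198.51.100.10/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def uncovered_admins(proposed_text, admin_sources):
    """Return (admin source IPs no proposed range contains, unparsable entries)."""
    networks, rejected = parse_ranges(proposed_text)
    missing = [
        src for src in admin_sources
        if not any(ipaddress.ip_address(src) in net for net in networks)
    ]
    return missing, rejected


if __name__ == "__main__":
    for label, proposed in (("vendor only", VENDOR_ONLY),
                            ("vendor + admins", VENDOR_PLUS_ADMINS)):
        missing, rejected = uncovered_admins(proposed, ADMIN_SOURCES)
        print(f"{label}: locked out={missing} unparsable={rejected}")
```

Any address reported as locked out should be added to the list before it is saved in the Admin IP Ranges text box.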

Create API keys

To create API keys for the API application:

Note: You must wait 30 minutes after creating your API application before creating the API keys.

  1. Sign in to the Mimecast web UI console.

  2. Select Administration Console.

  3. In the Administration menu, select Services > API and Platform Integrations.

  4. Under the Your Application Integrations tab, select the application that you created as part of Create the API application.

  5. In the information panel, select Create Keys.

  6. In the Email Address text box, enter the email address of the service account. This is the email of the account that you used in Create a service account user.

  7. Click Next.

  8. In the Type menu, select Cloud.

  9. In the Password text box, enter the password of the service account, and then click Next.

  10. When prompted to verify the service account, follow the instructions on the screen, and then click Next.

  11. Click the eye next to the following keys to reveal the values, and then copy each value to provide to Arctic Wolf in Provide credentials to Arctic Wolf.

    • Access Key
    • Secret Key

    Note: These values are only available to view during key creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create new keys for the API.

  12. Click Finish.

  13. Proceed to Assign API service account permissions.

Assign API service account permissions

  1. In the Administration menu, select Account > Roles.
  2. Click Basic Administrator.
  3. Click Add User to Role.
  4. Select the email address of the API service user account.
  5. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf

To provide your credentials to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Mimecast from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Enter the values obtained in Create the API application and Create API keys:

      • Application ID
      • Application Key
      • Access Key
      • Secret Key

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.