Configure Mimecast for Arctic Wolf monitoring

You can configure Mimecast® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: If you are migrating from Mimecast API version 1.0 to 2.0, complete the steps in Delete the Arctic Wolf API 1.0 application after you configure the new application.

These resources are required:

  • A Mimecast plan with a Targeted Threat Protection (TTP) license

    For more information, see Mimecast Plans.

  • A Mimecast account with administrator permissions

Create the API application role

  1. Sign in to the Mimecast Administration Console.
  2. Navigate to Account > Admin Roles.
  3. Click New Role, and then in the Properties section, configure these settings:
    • Role Name — Enter a unique name for the role. For example, Arctic Wolf App Role.
    • Description — Enter a description for the role.
  4. In the Application Permissions section, clear all of the checkboxes, and then select these permissions:
    • Account Menu > Logs > Read
    • Monitoring Menu > Attachment Protection > Read
    • Monitoring Menu > Impersonation Protection Logs > Read
    • Monitoring Menu > URL Protection > Read
  5. Click Save and Exit.

Create the API application

Note:

Based on your cloud firewall settings, add firewall exceptions for Arctic Wolf IP addresses if necessary. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Integrations > API and Platform Integrations.
  3. Click the Available Integrations tab.
  4. For the Mimecast API 2.0 integration, click Generate Keys.
  5. Click Create New Integration.
  6. On the Custom API 2.0 Integration page, configure these settings:
    • Application Name — Enter a unique name for the API application.
    • Products — In the list, select the Audit Events and Security Events checkboxes.
    • Application Role — Select the role that you created in Create the API application role.
    • Description — Enter a description for the API application.
    • Technical Point of Contact — Enter the name of the person who Mimecast should contact if necessary. For example, the active user configuring the API application.
    • Email — Enter the email address of the technical point of contact. This email address must be valid in your Mimecast directory.
  7. Click Save.
  8. In the Credentials generated successfully dialog, copy the Client ID and Client Secret values, and then save them in a safe, encrypted location.

    You will provide these values to Arctic Wolf later.

    Note:

    This is the only time that the client secret value is available.

  9. Click Close.
  10. Optional: Set admin IP address ranges:
    Note:

    To apply IP address restrictions, you must set admin IP address ranges, for example, a public IP address range.

    1. In the navigation menu, click Account > Account Settings.
    2. In the User Access and Permissions section, in the Admin IP Ranges field, enter the IP addresses.
      CAUTION:

      Do not enter only Arctic Wolf IP addresses. Doing so restricts sign-in permissions for all other accounts except for managed service providers.

    3. Click Save.
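
A preflight check for the caution above, as an added example that is not from the Arctic Wolf or Mimecast documentation. It assumes the Admin IP Ranges entries can be expressed in CIDR notation, and it uses constructed documentation-range addresses in place of the real Arctic Wolf allowlist and your administrators' egress IP addresses.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not real allowlist data.
VENDOR_RANGES = ["192.0.2.0/28"]                    # stand-in for the Arctic Wolf allowlist
ADMIN_SOURCES = ["198.51.100.10", "203.0.113.77"]   # stand-in for your admins' egress IPs


def parse_ranges(entries):
    """Parse CIDR strings or single addresses into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def review_admin_ranges(proposed, vendor_ranges, admin_sources):
    """Check a proposed Admin IP Ranges list before saving it.

    Returns (uncovered, only_vendor):
      uncovered   - admin source IPs that no proposed range contains
      only_vendor - True if every proposed range lies inside a vendor range,
                    which is the lockout condition the caution describes
    """
    nets = parse_ranges(proposed)
    vendor = parse_ranges(vendor_ranges)

    def is_vendor(net):
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        return any(net.version == v.version and net.subnet_of(v) for v in vendor)

    only_vendor = bool(nets) and all(is_vendor(n) for n in nets)
    uncovered = [
        src for src in admin_sources
        if not any(ipaddress.ip_address(src) in n for n in nets)
    ]
    return uncovered, only_vendor


if __name__ == "__main__":
    proposed = ["192.0.2.0/28", "198.51.100.0/24"]  # constructed draft entry list
    uncovered, only_vendor = review_admin_ranges(proposed, VENDOR_RANGES, ADMIN_SOURCES)
    if only_vendor:
        print("STOP: list contains only vendor ranges; other admin sign-ins would be restricted")
    for src in uncovered:
        print(f"WARNING: admin source {src} is not covered by any proposed range")
    if not only_vendor and not uncovered:
        print("OK: all admin sources are covered")
```

Run it against the draft entry list before you click Save in the Admin IP Ranges step.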

Provide Mimecast credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Mimecast (v2).
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Client ID — Enter the client ID value from Create the API application.
    • Client Secret — Enter the client secret value from Create the API application.
    • Credential Expiry — Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.