Configure Mimecast for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform email-based response actions in your network using Mimecast.

Mimecast supports these response actions:
  • Delete a malicious email

For more information, see Response action descriptions.

These resources are required:

  • A Mimecast plan with a Targeted Threat Protection (TTP) Internal Email Protect license.

    For more information, see Mimecast Plans.

  • A Mimecast administrator account.
  • Threat Remediation service listed and enabled in the Mimecast Administration Console.

    For more information, see Enabling Threat Remediation.

  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.
  • If you are switching from Mimecast API version 1.0 to 2.0, see Remove 1.0 API integration.

Enable Threat Remediation

  1. Sign in to the Mimecast Administration Console.
  2. Make sure that the New Menu toggle is in the on position.
  3. In the navigation menu, click Services > Threat Remediation.
  4. Click the Settings tab.
  5. If the Status is not already Enabled:
    1. Click the Status toggle to the Enabled position.
    2. In the Mode list, select Automatic.
    3. In the Notification Group field, click Select Group, and then select an existing local group to send notifications to.

Create a service account for Active Response

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Users & Groups > Internal Directories.
  3. Select the domain that you want to add the user to.
  4. Click New Address.
  5. In the Address Settings section, enter the email address and global display name for the user.
  6. Create and confirm a password.
  7. Click Save.

Create the API application role for Active Response

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Account > Admin Roles.
  3. Click New Role.
  4. In the Role Name field, enter a name for the role.
    For example, Arctic Wolf Active Response.
  5. In the Description field, enter a meaningful description.
  6. In the Security Permissions section, select Cannot Manage Roles.
  7. In the Application Permissions section, deselect all permissions except:
    • Account Menu > Dashboard > Read
    • Services Menu > Threat Remediation > Read
    • Services Menu > Threat Remediation > Edit
  8. Click Save and Exit.
  9. Locate the newly created role, and then click the role name.
  10. Click Add User to Role.
  11. Click the email address of the API service user account that you created in Create a service account for Active Response.

Create the API application and generate keys for Active Response

Note:

Based on your cloud firewall settings, add firewall exceptions for Arctic Wolf IP addresses if necessary. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Integrations > API and Platform Integrations.
  3. Click the Available Integrations tab.
  4. For the Mimecast API 2.0 integration, click Generate Keys.
  5. Review the legal terms, and then select the I accept checkbox.
  6. Click Next.
  7. On the Add Mimecast API 2.0 Application page, in the Details section, configure these settings:
    • Application Name — Enter a name for the API application.
    • Category — Select Other.
    • Products — Select the Threat Management and Account Management checkboxes, and then click Apply.
    • Application Role — Select the role that you created in Create the API application role for Active Response.
    • Description — Enter a description for the API application.
  8. Click Next.
  9. On the Add Mimecast API 2.0 Application page, in the Notifications section, configure these settings:
    • Technical Point of Contact — Enter the name of the person or group that Mimecast should contact if necessary. For example, the team responsible for configuring the API application.
    • Email — Enter the email address of the technical point of contact.
  10. Click Next.
  11. Click Add and Generate Keys.
  12. In the Manage API 2.0 Credentials for <application_name> dialog, copy the Client ID and Client Secret values, and then paste them in a safe, encrypted location.
    You will provide these values to Arctic Wolf later.
    Note:

    This is the only time the client secret value is available.

Provide Mimecast Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Mimecast V2.
  5. On the New Active Response Integration page, configure these settings:
  6. Click Save Integration.