Configure Mimecast for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform email-based response actions in your network using Mimecast.

Mimecast supports these response actions:
  • Delete a malicious email

For more information, see Response action descriptions.

These resources are required:

  • A Mimecast plan with a Targeted Threat Protection (TTP) Internal Email Protect license.

    For more information, see Mimecast Plans.

  • A Mimecast administrator account.
  • Threat Remediation service listed and enabled in the Mimecast Administration Console.

    For more information, see Enabling Threat Remediation.

  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.
  • If you are switching from Mimecast API version 1.0 to 2.0, see Remove 1.0 API integration.

Enable Threat Remediation

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Services > Threat Remediation.
  3. Click the Settings tab.
  4. If the Status is not already Enabled:
    1. Set the Status toggle to the Enabled position.
    2. In the Mode list, select Automatic.
    3. In the Notification Group field, click Select Group, and then select an existing local group to send notifications to.
  5. Click Save.

Create a service account for Active Response

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Users & Groups > Internal Directories.
  3. Select the domain that you want to add the user to.
  4. Click New Address.
  5. In the Address Settings section, enter the email address and global display name for the user.
  6. Create and confirm a password.
  7. Click Save.

Create the API application role for Active Response

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Account > Admin Roles.
  3. Click New Role.
  4. In the Role Name field, enter a name for the role.
    For example, Arctic Wolf Active Response.
  5. In the Description field, enter a meaningful description.
  6. In the Security Permissions section, select Cannot Manage Roles.
  7. In the Application Permissions section, clear all of the checkboxes, and then select these permissions:
    • Account Menu > Dashboard > Read and Edit
    • Services Menu > Threat Remediation > Read
    • Services Menu > Threat Remediation > Edit
  8. Click Save and Exit.
  9. Locate the newly created role, and then click the role name.
  10. Click Add User to Role.
  11. Click the email address of the API service user account that you created in Create a service account for Active Response.
  12. Click Add Selected Users.

Create the API application and generate keys for Active Response

Note:

Based on your cloud firewall settings, add firewall exceptions for Arctic Wolf IP addresses if necessary. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

  1. Sign in to the Mimecast Administration Console.
  2. In the navigation menu, click Integrations > API and Platform Integrations.
  3. Click the Available Integrations tab.
  4. For the Mimecast API 2.0 integration, click Generate Keys.
  5. Click Create New Integration.
  6. On the Custom API 2.0 Integration page, configure these settings:
    • Application Name — Enter a name for the API application.
    • Products — In the list, select the Threat Management and Account Management checkboxes.
    • Application Role — Select the role that you created in Create the API application role for Active Response.
    • Description — Enter a description for the API application.
    • Technical Point of Contact — Enter the name of the person or group of people who Mimecast should contact if necessary. For example, the team responsible for configuring the API application.
    • Email — Enter the email address of the technical point of contact.
  7. Click Save.
  8. In the Credentials generated successfully dialog, copy the Client ID and Client Secret values, and then save them in a safe, encrypted location.

    You will provide these values to Arctic Wolf later.

    Note:

    This is the only time that the client secret value is available.

  9. Click Close.

Provide Mimecast Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Mimecast V2.
  5. On the New Active Response Integration page, configure these settings:
  6. Click Save Integration.