Configure Mimecast for Arctic Wolf monitoring

You can configure Mimecast® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: If you are migrating from Mimecast API version 1.0 to 2.0, complete the steps in Delete the Arctic Wolf API 1.0 application after configuring the new application.

These resources are required:

  • A Mimecast plan with a Targeted Threat Protection (TTP) license

    For more information, see Mimecast Plans.

  • A Mimecast account with administrator permissions

Create the API application role

  1. Sign in to the Mimecast Administration Console.
  2. Navigate to Account > Roles.
    Tip: If the New Menu toggle is enabled, navigate to Account > Admin Roles.
  3. Click New Role, and then in the Properties section, configure these settings:
    • Role Name — Enter a unique name for the role. For example, Arctic Wolf App Role.
    • Description — Enter a description for the role.
  4. In the Application Permissions section, clear all of the checkboxes.
  5. Select these checkboxes:
    • Account Menu > Logs > Read
    • Monitoring Menu > Attachment Protection > Read
    • Monitoring Menu > Impersonation Protection Logs > Read
    • Monitoring Menu > URL Protection > Read
  6. Click Save and Exit.

Create the API application

Note: Based on your cloud firewall settings, add firewall exceptions for Arctic Wolf IP addresses if necessary. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

  1. Sign in to the Mimecast Administration Console.
  2. Navigate to Integrations > API and Platform Integrations.
  3. Click the Available Integrations tab.
  4. For the Mimecast API 2.0 integration, click Generate Keys.
  5. Review the legal terms, and then select the I accept checkbox.
  6. Click Next.
  7. On the Add Mimecast API 2.0 Application page, in the Details section, configure these settings:
    • Application Name — Enter a unique name for the API application.
    • Category — Select Managed SOC Integration.
    • Products — Search for and select the Audit Events and Security Events checkboxes, and then click Apply.
    • Application Role — Select the role that you created in Create the API application role.
    • Description — Enter a description for the API application.
  8. Click Next.
  9. On the Add Mimecast API 2.0 Application page, in the Notifications section, configure these settings:
    • Technical Point of Contact — Enter the name of the person who Mimecast should contact if necessary. For example, the active user configuring the API application.
    • Email — Enter the email address of the technical point of contact. This email address must be valid in your Mimecast directory.
  10. Click Next.
  11. Click Add and Generate Keys.
  12. In the Manage API 2.0 Credentials for <application_name> dialog, copy the Client ID and Client Secret values, and then paste them in a safe, encrypted location. You will provide them to Arctic Wolf later.
    Note: This is the only time the client secret value is available.

  13. Optional: Set admin IP address ranges:
    Note: You must set admin IP address ranges, for example a public IP address range, to apply IP address restrictions.

    1. In the Administration menu, click Account > Account Settings.
    2. In the User Access and Permissions tab, in the Admin IP Ranges field, enter the IP addresses.
      CAUTION: Do not enter only Arctic Wolf IP addresses. Doing so restricts sign-in permissions for all other accounts except for managed service providers.
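
A pre-change check for the caution in step 13, as an added example that is not Arctic Wolf or Mimecast code: it flags a proposed Admin IP Ranges list that contains only Arctic Wolf addresses and lists the administrator source addresses that would lose sign-in access. It assumes entries are single addresses or CIDR ranges; every address below is a constructed placeholder from documentation ranges, and the function and variable names are hypothetical.

```python
import ipaddress

# Constructed placeholders. Take the real Arctic Wolf addresses from
# Resources > Allowlist Requirements in the Arctic Wolf Unified Portal.
ARCTIC_WOLF = ["192.0.2.10", "192.0.2.11"]
# Constructed public egress addresses your own administrators sign in from.
ADMIN_SOURCES = ["198.51.100.25", "203.0.113.7"]


def parse_ranges(entries):
    """Parse addresses or CIDR ranges; strict=False tolerates set host bits."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def check_admin_ranges(proposed, arctic_wolf, admin_sources):
    """Review a proposed Admin IP Ranges list before saving it.

    Returns (only_arctic_wolf, locked_out):
      only_arctic_wolf: True if every proposed range sits inside an
                        Arctic Wolf range (the case the caution warns about)
      locked_out:       admin source addresses covered by no proposed range
    """
    proposed_nets = parse_ranges(proposed)
    aw_nets = parse_ranges(arctic_wolf)
    only_aw = bool(proposed_nets) and all(
        any(p.version == a.version and p.subnet_of(a) for a in aw_nets)
        for p in proposed_nets
    )
    locked_out = [
        src for src in admin_sources
        if not any(ipaddress.ip_address(src) in net for net in proposed_nets)
    ]
    return only_aw, locked_out


if __name__ == "__main__":
    candidates = {
        "arctic-wolf-only": ARCTIC_WOLF,
        "one-admin-missing": ARCTIC_WOLF + ["198.51.100.0/24"],
        "complete": ARCTIC_WOLF + ["198.51.100.0/24", "203.0.113.0/28"],
    }
    for name, ranges in candidates.items():
        only_aw, locked_out = check_admin_ranges(ranges, ARCTIC_WOLF, ADMIN_SOURCES)
        status = "DO NOT SAVE" if only_aw or locked_out else "ok"
        print(f"{name}: {status} only_arctic_wolf={only_aw} locked_out={locked_out}")
```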

Provide Mimecast credentials to Arctic Wolf

Note: Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Mimecast (v2).
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Client ID — Enter the client ID value from Create the API application.
    • Client Secret — Enter the client secret value from Create the API application.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.