Mimecast

Integrating Mimecast with ThreatDefence

Mimecast provides an API which allows for the retrieval of data from Mimecast directly to ThreatDefence. If you are using Mimecast, please follow this guide.

Before ThreatDefence can retrieve logs from Mimecast, you must identify your regional base URL, enable enhanced logging, add a custom API application, create a new user profile and application setting, and generate API access and secret keys in the Mimecast administrator portal.

Identify your base domain URL

Copy the base URL for your host region and keep it in a safe place for later.

Mimecast Permissions

See the table below for the endpoints used by the data collection scripts and the associated Mimecast administrator permissions required. For convenience, all permissions are included in the Basic Administrator role.

Endpoint                              Permission
/api/login/discover-authentication    N/A
/api/audit/get-audit-events           Logs | Read
/api/audit/get-siem-logs              Tracking | Read

Step 1: Creating a User

To create a user:

  1. Navigate to Administration | Directories | Internal Directories
  2. Select the Internal Domain where you would like to create the user.
  3. Click New Address.
  4. Complete the New Address form. See the Managing User Email Addresses page for further details.
     Note: Keep a note of the password set, as you will use this when setting up the scripts.
  5. Click Save and Exit.

Step 2: Adding the User to an Administrator Role

To add the user to an administrator role:

  1. Navigate to Administration | Account | Roles
  2. Right click Administrator Role (e.g. Basic Administrator).
  3. Select the Add Users to Role menu item.
  4. Browse for the User created in Step 1: Creating a User.
  5. Select the Tick Box to the left of the user.
  6. Click Add Selected Users.

Step 3: Creating a Group and Adding the User

To create a group and add the user to it:

  1. Navigate to Administration | Directories | Profile Groups
  2. Create a Group.
     Note: Give the group a descriptive name (e.g. TD Admin).
  3. With the group selected, click on the Build button.
  4. Click Add Email Addresses.
  5. Type the name of the User created in Step 1: Creating a User.
  6. Click Save and Exit.

Step 4: Creating an Authentication Profile

Note:

2-Step authentication must be disabled for this authentication profile.

To create an authentication profile:

  1. Navigate to Administration | Services | Application Authentication Profiles
  2. Click on the New Authentication Profile button.
  3. Type a Description for the profile.
  4. Set the Authentication TTL setting to "Never Expires". This makes sure that when you create your authentication token, it will not expire and impact the data collection of the app.
  5. Leave all other settings as their default.
  6. Click Save and Exit.

Step 5: Creating an Application Setting

To create an application setting:

  1. Navigate to Administration | Services | Applications
  2. Click on the New Application Settings button.
  3. Type a Description.
  4. Select the Group you created in Step 3: Creating a Group and Adding the User.
  5. Select the Authentication Profile created in Step 4: Creating an Authentication Profile.
  6. Leave all other settings as their default.
  7. Click Save and Exit.

Step 6: Enabling Logging

To enable logging on your account:

  1. Navigate to Administration | Account | Account Settings
  2. Expand the Enhanced Logging section.
  3. Select the types of logs you want to enable. The choices are:
    1. Inbound: from external senders to internal recipients.
    2. Outbound: from internal senders to external recipients.
    3. Internal: between internal domains.
  4. Click Save.

Step 7: Registering an Integration

Register Application Integration

  1. Navigate to Administration | Services | API and Platform Integrations
  2. Go to the Available Integrations tab.
  3. Click on the Generate Keys button.
  4. Enter a Description.
  5. Click Next.
  6. Enter a name in the Technical Point of Contact field.
  7. Enter the technical point of contact's email address in the Email field.
  8. To stay informed with changes that could impact the API integration, select the Opt-in checkbox.
  9. Click Next.
  10. Review the Summary page and click Add.
  11. A slide-out panel will appear.
  12. Make a copy of the Application ID and Application Key.
Note:

You will need to wait for at least 30 minutes before obtaining an Access ID and Secret key.

Step 8: Configuration in ThreatDefence

1. Provide ThreatDefence with Client Information: