Mimecast Integration Guide

This document contains steps to integrate Mimecast.

Follow the integration steps below:

Step 1: Create a New User

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Directories | Internal Directories menu item to display a list of internal domains.
  3. Select the internal domain where you would like to create your new user.
  4. Select the New Address button from the menu bar.
  5. Complete the new address form and select Save and Exit to create the new user.
  6. Keep a note of the password you set; you will use it to get your Authentication Token in Step 6.

Step 2: Add the User to an Administrative Role

  1. While logged into the Administration Console, navigate to the Administration | Account | Roles menu item to display the Roles page.
  2. Right click the Basic Administrator role and select Add users to role.
  3. Browse or search to find the new user created in Step 1.
  4. Select the tick box to the left of the user.
  5. Select the Add selected users button to add the user to the role.

Step 3: Create a New Group and Add Your New User

  1. While logged into the Administration Console, navigate to the Administration | Directories | Profile Groups menu item to display the Profile groups page.
  2. Create a new group by selecting the plus icon on the parent folder where you would like to create the group. This creates a new group with the name "New Folder".
  3. To rename the group, select the newly created "New Folder". Then, in the Edit group text box, type the name you want to give the folder, for example Splunk Admin, and press the Enter key to apply the change.
  4. With the group selected, select the Build drop-down button and select Add Email addresses.
  5. Type the name of the new user created in Step 1.
  6. Select Save and Exit to add the new user to the group.

Step 4: Create a New Authentication Profile

  1. While logged into the Administration Console, navigate to the Administration | Services | Applications menu item to display the Application Settings page. 
  2. Select the Authentication Profiles button.
  3. Select the New Authentication Profile button.
  4. Type a Description for the new profile.
  5. Set the Authentication TTL setting to Never Expires. This will make sure that when you create your Authentication Token it will not expire and impact the data collection of the app.
  6. Leave all other settings as their default.
  7. Select Save and Exit to create the profile.

Step 5: Create a New Application Setting

  1. While logged into the Administration Console, navigate to the Administration | Services | Applications menu item to display the Application Settings page. 
  2. Select the New Application Settings button.
  3. Type a Description.
  4. Use the Group Lookup button to select the Group that you created in Step 3.
  5. Use the Authentication Profile Lookup button to select the Authentication Profile created in Step 4.
  6. Leave all other settings as their default.
  7. Select Save and Exit to create and apply the Application Settings to your new group and user.
  8. Within the Administration Console, navigate to Administration | Account, find the "Enhanced Logging" drop-down, tick the three tick boxes, and select Save.

Step 5: Create a New API Application

  1. While logged into the Administration Console, navigate to the Administration | Services | API Applications menu item to display the API and Platform Integrations Settings page.
  2. Select the Your Application Integrations tab.
  3. Select Add API Application.
  4. Type an Application Name.
  5. Select the Category to be SIEM Integration.
  6. Enter a Description and click Next.
  7. Enter the developer name and the service account created earlier and click Next.
  8. Check the summary and click Save & Close.
  9. Now that the application is created, save the Application ID.

Step 6: Generate the Application Key

  1. Click on the created application to open a side page.
  2. Choose Create Keys, then insert the email for the service account, the password and move to the verification step.
  3. In the service application, select Extended Session Enabled.
  4. Verify the entered information and click save & close.
  5. Save the Application Key.
  6. You will need to wait for 30 minutes before moving to the next step.

Step 7: Get the Access Key and the Secret Key

  1. Click on the application you created in the previous step.
  2. Select Create Keys.
  3. Add the service account email.
  4. In the authentication section, select Cloud and enter the password.
  5. Verify the entered information and click Save & Close.
  6. You will now have the Access Key and the Secret Key.

During the onboarding stage, the following are needed:

  • Access Key
  • Secret Key
  • Application ID
  • Application Key
  • Account Code (Can be obtained from the Mimecast >> Administration >> Account >> Account Settings)
  • API Base URL: as below

Open communication from the Event Collector and the QRadar Console to whichever of the following base URLs applies. Data collection uses the Mimecast API and requires outbound HTTPS access (TCP port 443) from IBM QRadar to the following hosts.

  Region                       Host(s)
  Europe (Excluding Germany)   https://api.mimecast.com AND https://eu-api.mimecast.com
  Germany                      https://api.mimecast.com AND https://de-api.mimecast.com
  United States                https://api.mimecast.com AND https://us-api.mimecast.com
  South Africa                 https://api.mimecast.com AND https://za-api.mimecast.com
  Australia                    https://api.mimecast.com AND https://au-api.mimecast.com
  Offshore                     https://api.mimecast.com AND https://je-api.mimecast.com
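
The onboarding values listed above are combined on every API call rather than sent as-is. The following is an added example, not part of the original guide and not Mimecast's or IBM's code: it builds the signed request headers for a regional host from the table, so the credentials can be sanity-checked before onboarding. The HMAC-SHA1 header layout (Mimecast API 1.0 request signing), the /api/audit/get-siem-logs path, the region codes and every credential value shown are assumptions not stated on this page.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone

# Regional hosts from the table above; the short region codes are this example's own.
REGION_HOSTS = {
    "eu": "https://eu-api.mimecast.com", "de": "https://de-api.mimecast.com",
    "us": "https://us-api.mimecast.com", "za": "https://za-api.mimecast.com",
    "au": "https://au-api.mimecast.com", "je": "https://je-api.mimecast.com",
}

def signed_headers(access_key, secret_key, app_id, app_key, uri,
                   date=None, req_id=None):
    """Build signed headers; date and req_id can be fixed for testing."""
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    req_id = req_id or str(uuid.uuid4())
    # The Secret Key is base64 text. Decoding strictly catches a truncated
    # copy/paste here instead of as an unexplained auth failure later.
    try:
        key = base64.b64decode(secret_key, validate=True)
    except ValueError as exc:
        raise ValueError("Secret Key is not valid base64") from exc
    # Assumed signing input: date, request id, URI and Application Key.
    msg = ":".join([date, req_id, uri, app_key]).encode()
    sig = base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()
    return {
        "Authorization": f"MC {access_key}:{sig}",
        "x-mc-app-id": app_id,
        "x-mc-date": date,
        "x-mc-req-id": req_id,
        "Content-Type": "application/json",
    }

def build_request(region, uri, **creds):
    """Return (url, headers) for a region code; creds are the four onboarding keys."""
    if region not in REGION_HOSTS:
        raise ValueError(f"unknown region {region!r}, expected one of {sorted(REGION_HOSTS)}")
    return REGION_HOSTS[region] + uri, signed_headers(uri=uri, **creds)

if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys.
    creds = dict(access_key="EXAMPLE_ACCESS_KEY",
                 secret_key=base64.b64encode(b"example-secret").decode(),
                 app_id="EXAMPLE_APP_ID", app_key="EXAMPLE_APP_KEY")
    url, headers = build_request("eu", "/api/audit/get-siem-logs", **creds)
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The secret never leaves the host: only the per-request signature is sent, so the Secret Key should be stored with the same care as a password.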