Integrating with Mimecast

 

Set Up Instructions

Overview

Mimecast safeguards an organization and its employees against sophisticated email-borne attacks. It helps defend against attackers trying to steal data or credentials, plant ransomware, trick employees into transferring money, and springboard to attack supply chains. These kinds of threats require advanced security measures beyond what is provided by traditional email security systems.

With Blumira, customers can reduce the noise and focus on the highest priority alerts from Mimecast while they tune and manage it for their organization.

Before you begin

First, ensure that logging is enabled for your organization in Mimecast. Logging begins as soon as settings are enabled, but collecting the files can take up to 30 minutes after saving the new settings.

Note: The Mimecast integration allows Blumira to receive logs up to 30 minutes into the past from the time of configuration and onward.

To enable Mimecast logging:

  1. In the Mimecast Administrator Console, navigate to Administration > Account > Account Settings.
  2. Expand the Enhanced Logging section.
  3. Select the check box next to all log types:
    • Inbound: Logs for messages from external senders to internal recipients.
    • Outbound: Logs for messages from internal senders to external recipients.
    • Internal: Logs for messages between internal domains.
  4. Click Save.

Creating and gathering your Mimecast credentials

Gather credentials for the Blumira Cloud Connector by completing the steps below.

  1. Obtain your Global Base URL.
    • Mimecast credential: Global Base URL
    • Instructions: You can find your Global Base URL in the Global Base URLs list or by viewing the URL in your browser while logged in to Mimecast.
      Example: If your host region is the U.S., the base URL is “https://us-api.mimecast.com”.
  2. Add a new API application in Mimecast for Blumira, then gather the Application ID and Key.
    • Mimecast credential: Application ID and Application Key
    • Instructions: Complete the steps in Adding an API Application.
      Important: It takes at least 30 minutes for the new application to be created in Mimecast. You will not be able to create access and secret keys (Step 4) before 30 minutes have passed.
  3. Create an administrator service account user.
    • Mimecast credential: none
    • Instructions: Follow the steps in Prerequisites: Creating a service account user. Ensure that the user has at least Basic Administrator access.
  4. Create the keys for the new application.
    • Mimecast credential: Access Key and Secret Key
    • Instructions: Follow the steps in Generate Access and Secret Keys.
      Tip: An error displays in the Create Keys window if 30 minutes have not yet passed since completing Step 2.
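
How the five values gathered above are used in a request, as an added example that is not part of Blumira's or Mimecast's own material: `preflight` catches common paste errors before the values go into the Cloud Connector, and `signed_headers` builds the HMAC-SHA1 `Authorization` header that Mimecast API 1.0 requests carry. The sample credentials are constructed, the host-suffix check generalizes from the U.S. base URL example above, and `/api/account/get-account` is an assumed endpoint path chosen for illustration.

```python
import base64, hashlib, hmac, uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

def preflight(base_url, app_id, app_key, access_key, secret_key):
    """Return a list of problems with the five values; empty means none found."""
    problems = []
    url = urlparse(base_url)
    # Assumption: regional hosts look like the page's example, us-api.mimecast.com.
    if url.scheme != "https" or not (url.hostname or "").endswith("-api.mimecast.com"):
        problems.append("base_url: expected https://<region>-api.mimecast.com")
    for name, value in (("app_id", app_id), ("app_key", app_key),
                        ("access_key", access_key), ("secret_key", secret_key)):
        if not value or value != value.strip():
            problems.append(f"{name}: empty or padded with whitespace")
    try:
        base64.b64decode(secret_key, validate=True)  # the secret key is base64 text
    except ValueError:
        problems.append("secret_key: not valid base64 (truncated paste?)")
    return problems

def signed_headers(uri, app_id, app_key, access_key, secret_key, date=None, req_id=None):
    """Build API 1.0 request headers: HMAC-SHA1 over date:req_id:uri:app_key."""
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    req_id = req_id or str(uuid.uuid4())
    to_sign = ":".join((date, req_id, uri, app_key)).encode()
    digest = hmac.new(base64.b64decode(secret_key), to_sign, hashlib.sha1).digest()
    return {
        "Authorization": f"MC {access_key}:{base64.b64encode(digest).decode()}",
        "x-mc-app-id": app_id,
        "x-mc-date": date,
        "x-mc-req-id": req_id,
    }

# Constructed sample values, not real credentials.
SAMPLE = dict(
    app_id="00000000-0000-0000-0000-000000000000",
    app_key="11111111-1111-1111-1111-111111111111",
    access_key="constructedAccessKey",
    secret_key=base64.b64encode(b"constructed secret key bytes").decode(),
)

if __name__ == "__main__":
    print(preflight("https://us-api.mimecast.com", **SAMPLE) or "no problems found")
    # "/api/account/get-account" is an assumed endpoint, chosen for illustration.
    print(signed_headers("/api/account/get-account", **SAMPLE))
```

Because the signature covers the date and a per-request ID, the Secret Key itself never leaves the client; only the Access Key and the derived signature are sent.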

 

Providing your Mimecast credentials to Blumira

Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration’s configuration parameters, you can then enable Blumira to collect your logs.

To configure your integration with Blumira Cloud Connector:

  1. In the Blumira app, go to the Cloud Connectors page (Settings > Cloud Connectors).
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, click the connector that you want to add.
  4. If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
  5. Enter the API credentials that you collected in the “Before you begin” section above.
  6. Click Connect.
  7. On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
    Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.

Endpoints included in the integration

The integration with Mimecast delivers the secure email gateway functionality, which includes these endpoints:

Additional Reference

Troubleshooting

Unable to create application keys in Mimecast

Problem: Unable to create keys and receiving an error like “Sorry, something went wrong. Please close this page and try again. If the issue persists, contact Support.”

Resolution: In order to generate API keys, you may need to ask Mimecast Support to disable the Account_Administrators_Authentication_Profile, as it may interfere with generating API keys.

Unable to authenticate to create application keys in Mimecast

Problem: Unable to authenticate while trying to create keys in Mimecast and receiving an error like “The supplied credentials are incorrect.”

Resolution: It is possible that the account used does not have an administrator role assigned to it. We recommend creating a new service account user for the Blumira integration, and that user must have an administrator role assigned when generating the keys.

To resolve this problem:

  1. Add the service account user to an Administrator role:
    1. Navigate to Administration > Account > Roles.
    2. Click on the administrator role that you want the user to have (e.g., Basic Administrator).
    3. Click Add User to Role.
    4. Click on the email address of the API service user account.
  2. After the role of the user is set, navigate to Your Application Integrations (Services > API and Platform Integrations > Your Application Integrations).
  3. Select the Blumira SIEM application and click Generate Application Keys.

Blumira error when entering Mimecast credentials

Problem: Receiving an error in the Blumira Cloud Connector such as “Forbidden to perform operation for address.”

Resolution: Ensure that an administrator role is assigned to the user account in Mimecast. Non-administrators cannot generate keys.

To resolve this problem:

  1. In Mimecast, navigate to Accounts > Directories > Internal Directories and locate the user that is being used to generate the API Keys.
  2. Ensure that the Administration Console Role value is set to an appropriate administrator role. Mimecast suggests using the Basic Administrator Role for API Utility accounts.
    Reference: See Managing API Applications for additional information.

Cloud Connector error: Unauthorized

Problem: Receiving an “Unauthorized” error message in the Blumira Cloud Connector.

Resolution: The password for the user that generated the API Application Keys has likely changed since the keys were created, and you must create new keys.

To resolve this problem:

  1. Navigate to Services > API and Platform Integrations > Your application integrations.
  2. Click on your Blumira API application, and then click Create Keys.
  3. Provide the email and password of the API Utility user.
  4. In Blumira’s Mimecast Cloud Connector, enter the newly created set of Application Keys.
    Note: If the error doesn’t resolve after updating the password, check the Last Update field of the Cloud Connector to see if the app has updated since the password was changed. If it has been updated and the error message hasn’t gone away, contact Support.

Cloud Connector error: Access Key Expired

Problem: Receiving an “AccessKey Expired” error message in the Blumira Cloud Connector.

Resolution: Extended session is likely not enabled in the service application.

To enable extended session for the application:

  1. In Mimecast, navigate to Administration > Services > API and Platform Integrations.
  2. Click Your Application Integrations.
  3. Click the Blumira application.
  4. Click Edit.
  5. Click the check box next to Enable extended session.
  6. Click Save & Close.

Alternatively, you may update the Authentication Profile Authentication TTL to “Never Expires” by navigating to Administration > Services > Applications > Authentication Profiles and editing the relevant profile.