AQUILA - Mimecast API v2 Integration

Mimecast Integration Guide

Integrate Mimecast with your security platform via API to collect email threat data, archive logs, DLP events, and other security-related logs for centralized visibility and incident response.

API 2.0 is the current standard - It's been generally available for over a year and is what Mimecast recommends for new integrations

Credentials & API Access Setup (Mimecast)Mimecast API v2)

Before configuring the integration, prepare your API credentials from the Mimecast Admin Console.

StepsCreating an API 2.0 Application:

1.To ~~Prepare~~create ~~Your Mimecast~~an API ~~Credentials~~2.0 Application, follow the steps below:

~~Follow these steps in the Mimecast Admin Console to generate the required credentials.~~
- Log in to ~~the~~ Mimecast Administration Console
- Navigate to Integrations | API and Platform Integrations
- Locate the following Mimecast API 2.0 tile and click on Generate Keys.

After reading the Terms & Conditions, complete the I accept check box to enable the Next button to progress onto the next step.
Go
Complete ~~to:~~the AdministrationApplication →Details Account → API Applications
section.

~~Click~~

~~Once~~Should ~~registered,~~we
~~note~~need ~~the~~to ~~following~~contact ~~credentials~~:you
- ~~Application ID~~
- ~~Application Key~~
- ~~Access Key~~
- ~~Secret Key~~

~~Also, confirm your~~ ~~Mimecast~~this API ~~Base~~application, ~~URL~~please provide details for a Technical Point of Contact.

~~(region-specific).~~
~~Examples:~~

https://api.mimecast.com ~~(US)~~

https://au-api.mimecast.com ~~(AU)~~

~~Note:~~Mimecast ~~Some log types (like DLP or Threat Intel) may require~~recommends a ~~separate~~group ~~Access~~rather ~~Key~~than ~~due~~an toindividual ~~rate limits or limited scopes per API app.~~contact.

~~Required~~
Review ~~Fields~~the Summary information for ~~Integration~~the API application and click on Add if you are happy to proceed with creating the application.

~~Once~~ 8. The wizard completes and displays a pop-up window including your Client ID and Client Secret key data, where you can copy and save the credentials ~~above gathered,~~for the ~~following fields will be required during the integration:~~

API ~~URL:~~application.
~~Your~~
~~region’s~~

Base URL (Mimecast API ~~base~~v2)
~~URL~~
To
~~Application~~transition ~~Key:~~from ~~From~~your ~~the~~current ~~registered~~API ~~application~~
1.0
~~Application ID:~~ ~~From the registered application~~

~~Access Key:~~ ~~From the account with log access~~

~~Secret Key:~~ ~~Secret tied~~URLs to ~~the~~API ~~Access~~2.0, ~~Key~~
we
provide

three

API
3.gateway ~~Access~~options ~~Key~~tailored ~~Permissions~~to &fulfill ~~Scope~~your ~~Behavior~~
performance,

~~In Mimecast,~~ ~~permission scopes are not manually assigned~~ ~~via the UI. Instead, they are~~ ~~automatically granted~~ ~~based on:~~

~~The~~ ~~role~~compliance, and ~~privileges~~ ~~of the Mimecast user account that created the~~ ~~Access Key~~

~~The~~ ~~features enabled~~ ~~in your Mimecast subscription (e.g., SIEM, DLP, Threat Intelligence)~~

~~Note~~~~: Use a~~ ~~Mimecast Administrator account~~ ~~when generating the Access Key to ensure full access to all supported~~ data ~~streams.~~
residency

~~4. Additional Requirements for v2 API Endpoints (OAuth 2.0)~~

~~Some Mimecast log types may use~~ ~~v2 API endpoints~~~~, which require a different set of credentials using OAuth 2.0. Fom the same registered application, collect the following:~~requirements:

~~API~~Global ~~URL:~~URL: ~~Your~~The ~~region’s Mimecast~~global API ~~base~~URL ~~URL~~api.services.mimecast.com which serves traffic from the nearest instance ensuring reduced latency and enhanced performance.

~~Client~~UK ~~ID:~~Instance URL: ~~From~~For compliance and data residency requirements, customers can choose to process traffic via the ~~registered~~UK ~~application~~instance using the regional URL: uk-api.services.mimecast.com. This ensures API traffic is only processed within the UK instance of the Apigee Gateway.

~~Client~~US ~~Secret:~~Instance URL: ~~Tied~~Similarly, customers with compliance or residency requirements in the US can use us-api.services.mimecast.com to process API traffic exclusively through the ~~registered~~US ~~Client~~instance IDof the Apigee Gateway.

~~These are required for integrations that rely on~~ ~~Mimecast’s OAuth 2.0 authorization flow.~~

~~Permissions Reference (Mimecast API App)~~

~~Ensure the API Application and associated Access Key have the following scopes:~~

failoverforhighNofailover

~~Data Stream~~Factor ~~Permission~~Global ~~Scope~~URL UK Instance URL US Instance URL

~~Archive~~URL ~~/ Audit Logs~~Details auditevents:readapi.services.mimecast.com uk-api.services.mimecast.com us-api.services.mimecast.com

~~DLP & SIEM Logs~~Availability dlplogs:read,✅Auto siemlogs:read

~~Threat Intel Feeds~~uptime ti_logs:read

~~TTP~~- ~~Logs~~requests fail if UK instance is down ttp_logs:read No failover - requests fail if US instance is down

Aquila Integration Configuration

AQUILA – Mimecast Integration

1. Log in to AQUILA click here - CyTech - AQUILA. Choose Cyber Monitoring and click the small arrow icon to redirect you to the Cyber Monitoring Dashboard.

2. In the dashboard, choose Cyber Incident Management (SIEM and XDR).

3. Navigate through the top left icon and click the Collapse/Expand button.

4. Navigate the "Cyber Incident Monitoring" then hover the "Cyber Incident Management" till you see the settings.

5. Click the "Settings and Navigate through Settings>Log Source>Search Bar (Search the Source to Add)>Add to Agent.

6. Choose your Log Collector. (If you not yet installed your Log Collector please refer to this link - Log Collector Installation.)

7. In the integration settings follow the instructions given below.

Click the drop arrow to display the contents needed for the integration setup.

Upon clicking the drop arrow, it will display two versions of Mimecast Integration, v1 API and v2 API Endpoints.

This is for API v1 Endpoints. Input the required Fields: API URL (Mimecast API base URL), Application Key, Application ID, Access Key, and Secret Key.

This one is for API v2 Endpoints. Enter the required fields API URL (Mimecast API base URL), Client ID, and Client Secret.

Finally, click Next to install the log source integration.

8. Wait for the Successful window to display, this will confirm the successful integration.

If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.

~~Data Stream~~Factor	~~Permission~~Global ~~Scope~~URL	UK Instance URL	US Instance URL
~~Archive~~URL ~~/ Audit Logs~~Details	`auditevents:read`api.services.mimecast.com	uk-api.services.mimecast.com	us-api.services.mimecast.com
~~DLP & SIEM Logs~~Availability	`dlplogs:read`,✅Auto `siemlogs:read`
~~Threat Intel Feeds~~uptime	`ti_logs:read`
~~TTP~~- ~~Logs~~requests fail if UK instance is down	`ttp_logs:read` No failover - requests fail if US instance is down

AQUILA - Mimecast API v2 Integration

Mimecast Integration Guide

Credentials & API Access Setup (Mimecast)Mimecast API v2)

StepsCreating an API 2.0 Application:

Base URL (Mimecast API basev2)

Permissions Reference (Mimecast API App)

Aquila Integration Configuration

AQUILA – Mimecast Integration