API & Integrations - Data Collection Scripts Administrator Guide

The Mimecast for QRadar extension allows QRadar administrators to process Mimecast SIEM, Audit, and Targeted Threat Protection event data using IBM QRadar.

Depending on the services subscribed to, the Mimecast security data available to customers includes:

  • SIEM Logs
    • Receipt
    • Process 
    • Delivery 
    • Internal/Journal 
    • Spam Event Thread 
    • Impersonation Protect 
    • Attachment Protect 
    • URL Protect 
    • Internal Email Protect 
    • AV
  • Audit Logs 
  • Targeted Threat Protection
    • Impersonation Protect 

Compatibility 

  • IBM QRadar v7.4.1 patch 2 and subsequent 7.4.1 patches only.
  • IBM QRadar v7.4.0 is not supported.
  • IBM QRadar v7.3.3 patch 8 and subsequent 7.3.3 patches only.

Configuring Your Network

Data collection uses the Mimecast API. IBM QRadar needs outbound HTTPS access (TCP port 443) to the API host for your Mimecast region; the same host is the Base URL you will enter in QRadar later in this guide:

Region                            Host
Europe (Excluding Germany)        https://eu-api.mimecast.com
Germany                           https://de-api.mimecast.com
United States of America          https://us-api.mimecast.com
United States of America (USB)    https://usb-api.mimecast.com
Canada                            https://ca-api.mimecast.com
South Africa                      https://za-api.mimecast.com
Australia                         https://au-api.mimecast.com
Offshore                          https://jer-api.mimecast.com
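A pre-flight check for this requirement, added here as an example and not part of the Mimecast or IBM documentation: run it on the QRadar host that will perform the collection to confirm that TCP 443 to your region's API host is open and that the server's TLS certificate validates against the system trust store. A host that is reachable but fails TLS usually means an intercepting proxy or a wrong system clock, which would also break signed API requests. The region table is copied from above; the function names and output fields are this example's own.

```python
"""Pre-flight egress check for the Mimecast API host of a given region.

Added example, not part of the Mimecast for QRadar extension. Run on the
IBM QRadar console/host that will perform the collection.
"""
import socket
import ssl
from urllib.parse import urlparse

# Region -> base URL, copied from the table in this guide.
REGION_BASE_URLS = {
    "Europe (Excluding Germany)": "https://eu-api.mimecast.com",
    "Germany": "https://de-api.mimecast.com",
    "United States of America": "https://us-api.mimecast.com",
    "United States of America (USB)": "https://usb-api.mimecast.com",
    "Canada": "https://ca-api.mimecast.com",
    "South Africa": "https://za-api.mimecast.com",
    "Australia": "https://au-api.mimecast.com",
    "Offshore": "https://jer-api.mimecast.com",
}


def host_and_port(base_url):
    """Turn the base URL entered in QRadar into (hostname, port).

    Rejects anything that is not https, so a typo such as http:// is caught
    before any keys are sent.
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("Mimecast base URL must look like https://<region>-api.mimecast.com")
    return parsed.hostname, parsed.port or 443


def check_egress(hostname, port=443, timeout=5.0):
    """TCP connect, then a TLS handshake with chain and hostname validation.

    Returns a dict: 'reachable' answers the firewall question, 'tls_ok' the
    interception/clock question, 'detail' says why when either is False.
    """
    result = {"host": hostname, "port": port, "reachable": False,
              "tls_ok": False, "detail": ""}
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            result["reachable"] = True
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                result["tls_ok"] = True
                result["detail"] = "%s handshake ok, certificate valid until %s" % (
                    tls.version(), cert.get("notAfter"))
    except ssl.SSLError as exc:
        # Reachable but not trusted: intercepting proxy, missing CA, or bad clock.
        result["detail"] = "TLS failed: %s" % exc
    except OSError as exc:
        # Refused, timed out, or DNS failure: an egress/firewall problem.
        result["detail"] = "connect failed: %s" % exc
    return result


def check_region(region, timeout=5.0):
    """Convenience wrapper keyed by the region names used in this guide."""
    host, port = host_and_port(REGION_BASE_URLS[region])
    return check_egress(host, port, timeout)


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "Europe (Excluding Germany)"
    outcome = check_region(region)
    print(outcome)
    sys.exit(0 if outcome["tls_ok"] else 1)
```

Run it as `python3 check_egress.py "Germany"`; a non-zero exit means the QRadar host cannot reach or cannot trust the regional API host, and the `detail` field tells you which.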

Configuring Mimecast

Data collection requires a Mimecast administrator authentication token. By default, an authentication token expires after three days, after which log collection from Mimecast stops. For automated collection, create a dedicated service user and an authentication profile that gives that user's token an extended TTL; the steps are described below. Because that token will not expire on its own, bind it to a dedicated account that holds only the permissions listed under "Application Role Permissions" below, and treat the Access Key and Secret Key as credentials: store them only in QRadar and revoke the keys in the Mimecast Administration Console if they are ever exposed.

The preparation required in the Mimecast Administration Console involves the following:

Enabling Enhanced Logging

  1. Navigate to Account | Account Settings.
  2. Expand the Enhanced Logging section.
  3. Select the types of logs you want to enable:
     • Inbound: logs for messages from external senders to internal recipients.
     • Outbound: logs for messages from internal senders to external recipients.
     • Internal: logs for messages between your internal domains.
  4. Click Save.

Once these settings are saved, the Mimecast MTA starts logging data for your account 30 minutes later.

Registering an Application Integration

  1. Navigate to Integrations | API and Platform Integrations 
  2. On the Available Integrations tab, locate the IBM QRadar card.
  3. Click on Generate Keys.
  4. Enter a Description.
  5. Click Next.
  6. Enter a name in the Technical Point of Contact field.
  7. Enter an email address for the Technical Point of Contact in the Email field.
  8. Select the Opt-In checkbox to stay informed about changes that could impact the API integration.
  9. Click Next. 
  10. Review the Summary page.
  11. Click Add.
  12. A slide-out panel appears. 
  13. Copy the Application ID and Application Key into a notepad for use later in this guide.
  14. You must wait at least 30 minutes before obtaining an Access Key and Secret Key.

Creating a Dedicated Service User Account

  1. Navigate to Directories | Internal Directories 
  2. Click on the domain the user will be added to. 
  3. Click New Address.
  4. Complete the user's Email Address.
  5. Enter a Password and Confirm the Password. You will need this password later in this article, when generating the Access Key and Secret Key.
  6. Click Save.

Creating a Profile Group Containing the Service User

  1. Navigate to Directories | Profile Groups 
  2. Click on the icon next to the Root folder.
  3. A "New Folder" appears.
  4. Click on the "New Folder."
  5. Rename the folder in the Edit Group text box.
  6. Press the Enter key. 
  7. To add the Service User to the group, click Build | Add Email Addresses.
  8. Type the Service User's email address into the Group Additions text box. 
  9. Click Save and Exit.

Creating an Authentication Profile and Application Settings for the Service User

  1. Navigate to Services | Applications | Authentication Profiles
  2. Click New Authentication Profile. 
  3. Configure using the following settings:
    1. Authentication TTL: Use the dropdown to select Never Expires.
    2. Leave all other settings as the default values. 
  4. Click Save and Exit.
  5. Click Go Back.
  6. Click New Application Settings.
  7. Configure using the following settings: 
    1. Group: Click Lookup and select the profile group previously made in this article.
    2. Authentication Profile: Click Lookup, then click Select next to the Authentication Profile created earlier in this article.
    3. Leave all other settings as the default values.
  8. Click Save and Exit.

Generating Access and Secret Keys

  1. Navigate to Integrations | API and Platform Integrations 
  2. Click on the Your Application Integrations tab.
  3. Click on the newly registered IBM QRadar application integration entry. 
  4. A slide-out panel appears. 
  5. Click on Create Keys.
  6. The Create Keys Wizard is displayed. 
  7. Enter the Email Address of the dedicated service user account created earlier. You will need that account's cloud or domain password for the next step.
  8. Click Next.
  9. Using the Type dropdown, select Cloud or Domain authentication.
  10. Enter the service user's Password.
  11. Click Next.
  12. Copy the Access Key and Secret Key into a notepad for use later in this guide.

Adding the User to an Administrator Role 

Application Role Permissions 

The table below lists the Mimecast API endpoints called by the data collection scripts and the Mimecast Administrator permission each requires. For convenience, all of these permissions are included in the Basic Administrator role; a role limited to just these permissions is the least-privilege choice for a token that never expires.

Endpoint                           Required permission
/api/audit/get-audit-events        Logs | Read
/api/audit/get-siem-logs           Tracking | Read
/api/ttp/impersonation/get-logs    Monitoring | Impersonation Protect | Read

  1. Navigate to Account | Roles.
  2. Right-click the administrator role you want to use (e.g., Basic Administrator).
  3. Select the Add Users to Role menu item.
  4. Browse for the user created in the "Creating a Dedicated Service User Account" section.
  5. Select the tick box to the left of the user.
  6. Click Add Selected Users.

Installing Mimecast for QRadar 

The Mimecast for QRadar extension is available from IBM X-Force Exchange. Once you have logged on and downloaded the extension, install it in QRadar:

  1. Log on to the IBM QRadar Admin Console.
  2. Click on the Admin tab.
  3. Click on Extension Management.
  4. Click Add.
  5. Click Browse.
  6. Navigate to the location where the Mimecast for QRadar extension has been stored.
  7. Follow the instructions on the screen to proceed with the installation.

Configuring Mimecast for QRadar

Mimecast for QRadar polls the Mimecast API every 15 minutes. Collection requires the Application ID and Application Key from "Registering an Application Integration" and the Access Key and Secret Key generated for the dedicated service user in "Generating Access and Secret Keys" above.

To configure Mimecast for QRadar:

  1. Log in to the IBM QRadar Admin Console.
  2. Click on the Mimecast API Configuration plug-in located in the Plug-Ins | Admin section. The Mimecast API Connection Configuration Panel is displayed. 
  3. Enter the Application ID and Application Key into the respective fields. 
  4. Enter the Access Key and Secret Key into the respective fields. 
  5. Enter the Mimecast Base URL for the geographic region your Mimecast account is hosted in. See the "Configuring Your Network" section above. 
  6. Click Save Connection

Mimecast security log data will start to be collected. The data is viewable from the Log Activity tab in the QRadar Admin Console. Quick searches are created when the extension is installed. These can be viewed from the Log Activity tab under the Quick Searches drop-down menu.

To add additional accounts (e.g., for AAA mail processing or geographically dispersed accounts), click on the + button. This allows additional access and secret keys to be added with either the same or a different Mimecast base URL.
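The four values entered above are all consumed by the request signature that Mimecast's API 1.0 requires on every call. The following is an added example, not the extension's own code: it follows Mimecast's published API 1.0 signing scheme (HMAC-SHA1 over the date, request id, URI and Application Key, keyed with the base64-decoded Secret Key) and builds one signed `/api/audit/get-siem-logs` request, the endpoint listed under "Application Role Permissions". The Application ID, Application Key, Access Key and Secret Key below are constructed placeholders, the `verify` function is a stand-in for the server-side check so the round trip can be exercised offline, and the optional `token` field in the body is the pagination cursor the SIEM logs call returns for the next poll.

```python
"""Sign one Mimecast API 1.0 request with the four values this guide has you
paste into QRadar.

Added example, not the Mimecast for QRadar extension's code. Credentials
below are constructed placeholders in the shapes Mimecast issues.
"""
import base64
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

APP_ID = "11111111-2222-3333-4444-555555555555"          # constructed
APP_KEY = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"         # constructed
ACCESS_KEY = base64.b64encode(b"sample-access-key-0123456789").decode()   # constructed
SECRET_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()  # constructed
BASE_URL = "https://eu-api.mimecast.com"  # pick from the region table in this guide
SIEM_URI = "/api/audit/get-siem-logs"


def sign(hdr_date, req_id, uri, app_key, secret_key):
    """base64(HMAC-SHA1(key=base64decode(secret_key), msg='date:reqId:uri:appKey'))."""
    data_to_sign = ":".join([hdr_date, req_id, uri, app_key]).encode("utf-8")
    mac = hmac.new(base64.b64decode(secret_key), data_to_sign, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_request(uri, app_id, app_key, access_key, secret_key,
                  hdr_date=None, req_id=None, siem_token=None):
    """Return (url, headers, json_body) for a get-siem-logs call.

    x-mc-date and x-mc-req-id are inside the signed string, so a captured
    request cannot be replayed with a different time or request id.
    """
    hdr_date = hdr_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    req_id = req_id or str(uuid.uuid4())
    headers = {
        "Authorization": "MC %s:%s" % (access_key, sign(hdr_date, req_id, uri, app_key, secret_key)),
        "x-mc-app-id": app_id,
        "x-mc-date": hdr_date,
        "x-mc-req-id": req_id,
        "Content-Type": "application/json",
        "Accept": "*/*",
    }
    page = {"type": "MTA", "compress": True, "fileFormat": "json"}
    if siem_token:  # resume where the previous 15-minute poll stopped
        page["token"] = siem_token
    return BASE_URL + uri, headers, json.dumps({"data": [page]})


def verify(headers, uri, app_key, secret_key):
    """Stand-in for the server-side check: recompute and compare in constant time.

    A rotated Application Key or Secret Key is one reason a collector silently
    stops pulling data; an Access Key whose TTL has lapsed is the other.
    """
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    access_key, sep, sig = credential.partition(":")
    if scheme != "MC" or not sep or not access_key:
        return False
    expected = sign(headers["x-mc-date"], headers["x-mc-req-id"], uri, app_key, secret_key)
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    url, hdrs, body = build_request(SIEM_URI, APP_ID, APP_KEY, ACCESS_KEY, SECRET_KEY)
    print(url)
    for name, value in hdrs.items():
        print("%s: %s" % (name, value))
    print(body)
    print("self-check:", verify(hdrs, SIEM_URI, APP_KEY, SECRET_KEY))
```

Because the Secret Key is the HMAC key, anyone holding it together with the Access Key can sign requests as the service user for as long as the Access Key is valid, which with a Never Expires authentication profile is until you revoke it; that is the trade-off behind the TTL choice made under "Configuring Mimecast".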

Troubleshooting

The Mimecast for QRadar extension writes log files for troubleshooting. They are stored inside the Docker container in which the app runs, in the /store/log directory. Use these logs to diagnose cases where data is not being pulled into QRadar.

Mimecast Support requires these logs to investigate an issue. The logs do not provide insight into IBM QRadar itself; consult the IBM QRadar documentation and/or IBM support for issues relating to Docker or the QRadar system.
