API & Integrations - Microsoft Azure Sentinel v3

This article contains information on installing and configuring Mimecast Sentinel Integration version 3, including steps for setting up the Mimecast Data Connector, configuring workbooks, installing analytic rules, and setting up playbooks in Microsoft Sentinel.

Generating API 2.0 Keys in Mimecast

Before getting started, make sure you have generated a set of API 2.0 keys. Refer to the following article for instructions on Managing API 2.0 for Cloud Gateway.

After completion, you will receive a Client ID and Client Secret for later use in this guide.

When generating keys following that guide, ensure you enable the following products:

  • Audit Events.
  • Awareness Training.
  • Email Security Cloud Gateway.
  • Security Events.
  • Threat Management.
  • Threats, Security Events and Data.

The Basic Admin role includes all necessary permissions.

Steps to Create Azure App Registration

  1. To create an Azure App Registration, search for App Registrations | select New Registration.

  2. Give the Registration a name and keep all other settings as default and click Register.

  3. In the New Registration’s Overview pane, copy the Application (Client) ID and Directory (Tenant) ID. Select Certificates and Secrets | New Client Secret. Give the Secret a name and expiration period, and click on Add. Copy the Value from the Secret’s Value field now, as it will be hidden the next time you visit this page. If you lose this Value, you’ll need to generate a New Secret.

Identify your App Insights Workspace Resource ID

  1. To identify your App Insights Workspace Resource ID, search for Log Analytics Workspaces in Azure.

  2. Locate the Workspace you want to use and click to open it. (Remember, this is specifically for integration runtime logs, so it doesn’t need to be the same workspace used for Mimecast logs.) Next, go to the Properties section and copy the Resource ID; it’s the long string that starts with “/subscriptions/…”.

Installing Mimecast into your Sentinel workspace

This section outlines the setup process for SIEM Logs, but the steps are the same for all log types, with only minor differences in specific details. To set up additional Data Connectors, simply repeat Steps 2 and onward for each connector, filling in any required fields as appropriate.

Mimecast Secure Email Cloud Gateway (“CG”) and Mimecast Cloud Integrated (“CI”) are two separate products. If you are using the Cloud Gateway connectors, the Cloud Integrated connector will not be relevant to you, and vice versa.

  1. Select the Sentinel Workspace where you intend to send Mimecast Logs, and navigate to the Content Hub. You might be redirected to the Defender Portal, but the process remains the same. Once there, search for Mimecast, and click Install.

  2. Once the installation is complete, select the specific data connector you wish to install, and click on Open Connector Page.

  3. On this page, you can record the Workspace ID and Primary Key, then select Deploy to Azure.

  4. Enter your data.

    Required fields are as follows:

    Subscription: The Azure Subscription the data connector will fall under.
    Resource Group: The Resource Group under which all needed resources will be created.
    Region: The Azure Region under which the connector will be housed.
    Function Name/Location: Do not modify these fields.
    Workspace Name: The name of the Log Analytics Workspace where logs will be sent.
    Azure Client ID/Secret: The Application (Client) ID and Secret created in Azure at the beginning of this guide.
    Azure Tenant ID: The ID of your Azure tenant, which can be retrieved while creating the App Registration, per the steps at the beginning of this guide.
    Azure Entra Object ID: The Object ID of the admin creating the Data Connector, retrieved from Entra ID.
    Mimecast Base URL: The base URL of the Mimecast API. This should default to https://api.services.mimecast.com and should not be modified.
    Mimecast Client ID/Secret: The Client ID and Secret generated within the Mimecast Administration Console.
    Mimecast CG/DLP Table Name: If you would like to choose a different name for the tables in Sentinel that logs are fed into, it can be modified here. It is generally recommended to leave these as default.
    Start Date: If you want to define a specific date that log collection should begin at, it can be entered here. If left blank, log collection will default to seven days in the past. It’s generally recommended to leave this empty unless you have a specific reason to change it.
    Schedule: A cron expression defining how frequently the collector will run. Defaults to every half hour for SIEM logs.
    App Insights Workspace Resource ID: The resource ID of the Log Analytics Workspace identified at the beginning of this guide.

  5. Click on Next, then Create. After the deployment completes successfully, you’re all set.
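The Deploy to Azure form gives no feedback on malformed values until the Function App fails on its first run, so it is worth checking the values before clicking Create. The script below is an added example and not part of the Mimecast integration or this article: it validates the field values described above (GUIDs for the Azure IDs, the base URL left at the default named in this guide, a Log Analytics workspace resource ID of the expected shape, a cron schedule, an optional start date that is not in the future) and builds the OAuth client-credentials request that exercises the Mimecast API 2.0 keys. The cron default shown (a 6-field NCRONTAB string for "every half hour") and the `/oauth/token` path with its form fields are assumptions taken from Azure Functions and Mimecast API 2.0 conventions; the sample values are constructed placeholders, not real tenants or keys.

```python
"""Pre-flight checks for the Mimecast Sentinel data connector form values (added example)."""
import re
from datetime import date
from urllib.parse import urlencode
from urllib.request import Request

DEFAULT_BASE_URL = "https://api.services.mimecast.com"  # default named in the guide; must not be changed
DEFAULT_SCHEDULE = "0 */30 * * * *"                      # assumed NCRONTAB form of "every half hour"

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Shape of a Log Analytics workspace resource ID as copied from the Properties pane.
WORKSPACE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.OperationalInsights/workspaces/[^/]+$", re.I)
# One cron field: "*", "*/n", or a comma list of numbers / ranges.
CRON_FIELD_RE = re.compile(r"^(\*|\*/\d+|\d+(-\d+)?(,\d+(-\d+)?)*)$")


def check_connector_params(p):
    """Return a list of problems found in the form values; an empty list means all checks passed."""
    problems = []
    for key in ("azure_client_id", "azure_tenant_id", "azure_object_id"):
        if not GUID_RE.match(p.get(key, "")):
            problems.append(f"{key}: not a GUID")
    for key in ("azure_client_secret", "mimecast_client_id", "mimecast_client_secret"):
        if not p.get(key, "").strip():
            problems.append(f"{key}: empty")
    if p.get("mimecast_base_url") != DEFAULT_BASE_URL:
        problems.append("mimecast_base_url: must stay " + DEFAULT_BASE_URL)
    if not WORKSPACE_ID_RE.match(p.get("app_insights_resource_id", "")):
        problems.append("app_insights_resource_id: not a Log Analytics workspace resource ID")
    fields = p.get("schedule", DEFAULT_SCHEDULE).split()
    # Accept classic 5-field cron as well as the 6-field (seconds first) NCRONTAB form.
    if len(fields) not in (5, 6) or not all(CRON_FIELD_RE.match(f) for f in fields):
        problems.append("schedule: not a 5- or 6-field cron expression")
    start = p.get("start_date", "")
    if start:
        try:
            if date.fromisoformat(start) > date.today():
                problems.append("start_date: in the future")
        except ValueError:
            problems.append("start_date: not YYYY-MM-DD")
    return problems


def build_token_request(base_url, client_id, client_secret):
    """Build the OAuth client-credentials POST that tests the Mimecast API 2.0 keys.

    The /oauth/token path and form fields are assumed from Mimecast API 2.0 conventions;
    the caller sends it with urllib.request.urlopen and expects a JSON access token back.
    """
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"}).encode()
    return Request(base_url.rstrip("/") + "/oauth/token", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})


SAMPLE = {  # constructed placeholder values, not real identifiers or secrets
    "azure_client_id": "11111111-2222-3333-4444-555555555555",
    "azure_tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "azure_object_id": "99999999-8888-7777-6666-555555555555",
    "azure_client_secret": "PLACEHOLDER_AZURE_SECRET",
    "mimecast_client_id": "PLACEHOLDER_MIMECAST_CLIENT_ID",
    "mimecast_client_secret": "PLACEHOLDER_MIMECAST_SECRET",
    "mimecast_base_url": DEFAULT_BASE_URL,
    "app_insights_resource_id": "/subscriptions/11111111-2222-3333-4444-555555555555"
                                "/resourceGroups/rg-sentinel/providers"
                                "/Microsoft.OperationalInsights/workspaces/law-sentinel",
    "schedule": DEFAULT_SCHEDULE,
    "start_date": "",
}

if __name__ == "__main__":
    for line in check_connector_params(SAMPLE) or ["all form values look well-formed"]:
        print(line)
```

Run it with your own values in place of `SAMPLE` before deploying; if `check_connector_params` returns nothing, send the request from `build_token_request` once to confirm the Mimecast keys are accepted, and rotate them if the response is an authentication error.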

Steps to Configure Mimecast Workbook (Dashboards)

Workbooks in Microsoft Sentinel provide a flexible canvas for data analysis and the creation of rich visual reports within the Microsoft Azure portal. The Mimecast Sentinel integration offers convenient workbooks to analyze the various events and logs provided by Mimecast.

There are 5 workbooks provided in the Mimecast MS Sentinel Integration:

  • Mimecast Audit Workbook.
  • Mimecast Targeted Threat Protection Workbook.
  • Mimecast SEG Workbook.
  • Mimecast Awareness Training Workbook.
  • Mimecast Cloud Integrated Workbook.

To install a workbook, start by navigating to the Microsoft Sentinel homepage:

  1. Go to the Microsoft Sentinel Workspace in which you have installed the template, go to Workbook, search for Mimecast, and click on any Workbook that you want to install.

  2. Click on Save.

  3. Select the location of your Microsoft Sentinel Workspace and click on Yes.

  4. After successful completion, you will see the View Saved workbook button, which opens the configured workbook.

  5. You can also now see the workbook under “My workbooks”.

Steps to Install Analytic Rules

Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, and generate incidents. For Mimecast, there is an analytic rule that the user can install if required.

  1. Go to Microsoft Sentinel.

  2. Go to the Workspace in which you have installed the solution and click on Configuration | Analytics. Now click on Rule Templates, select the analytic rule you want to install, then right-click and click on Create Rule.

  3. After clicking Create Rule, select Review + Create and click on Save.

  4. Now you can see the installed rule under Active Rules. Install other Analytic rules in the same way.

Steps to Configure Playbook (Logic Apps)

Installation of Playbook

  1. Go to Microsoft Sentinel.

  2. Go to the Workspace in which you have installed the template, go to Automation | Playbook Templates (Preview), and search for Infoblox. Click on the Create Playbook button.

  3. In the Basics tab, select Subscription and Resource Group and click on Next: Parameters.

You can update the Playbook name, but we recommend keeping it as default.

  4. In the Parameters tab, provide parameters as below:
     • Azure Client ID: Client ID of Azure Sentinel.
     • Azure Client Secret: Client Secret of Azure Sentinel.
     • Resource Group: Resource Group Name.
     • Subscription ID: Subscription ID of Azure.
     • Tenant ID: Tenant ID of Azure.

  5. Click on Next: Review + Create.

  6. Click on Create Playbook.

  7. Make sure you follow the Post Deployment Steps mentioned here before executing the playbook.

  8. This playbook is created to trigger all the function apps simultaneously if they are not triggered automatically.

Comments

2 comments
  • Just deployed this from the sentinel marketplace (3.0.0) and it looks like there are some issues. All the tables seem to be being created without a Mimecast prefix, for example MimecastAudit_CL is being created as Audit_CL
  • Hi Garwin,

    Thank you for your comment. We can confirm that we have ceased the use of the Mimecast prefix. If your issue is more urgent and/or you wish to open a new Support case, please do so here.
