API & Integrations - Microsoft Sentinel v3.1.0

This article contains information on installing and configuring Mimecast Sentinel Integration version 3.1.0, including steps for setting up the Mimecast Data Connector, configuring workbooks, installing analytic rules, and setting up playbooks in Microsoft Sentinel.

Considerations

Some steps (for example, preparing the workspace) may already have been completed as part of your Microsoft Sentinel deployment; they are only required where the resources described below do not already exist in the form described. 
Each section opens with an explanation of why that section's steps are needed.

Prerequisites

  • You have a Basic Administrator role, for using the Mimecast Administration Console.
  • You have Administrator login credentials, for using the Microsoft Azure portal and Microsoft Defender.

Generating API 2.0 Keys in Mimecast

Before getting started, you will need to generate a set of API 2.0 keys; these are used to allow the integration to connect to your Mimecast account.

You can generate API 2.0 keys by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Integrations | Integrations Hub.

    Navigation to Integrations Hub
  3. Locate the Microsoft Sentinel tile, and click on Configure New.

    Configure New Microsoft Sentinel Integration
  4. Configure as follows:

    • Application Name: Enter a name to uniquely identify this Microsoft Sentinel integration deployment.
    • Products: The API products covering the API calls that this integration makes. 
      The required products are pre-selected and do not need to be modified, unless you want to grant less access than the fully configured integration requires.
    • Application Role: Select a role that has at least the following permissions:
      • Account | Logs | Read.
      • Awareness Training | Dashboard | Read.
      • Monitoring | Attachment Protection | Read.
      • Monitoring | Impersonation Protection | Read.
      • Monitoring | URL Protection | Read.
      • Monitoring | Data Leak Prevention | Read.
      • Services | Gateway / Tracking | Read.
      • Security Events and Data Retrieval | Threat and Security Events (SIEM) | Read.

    The Basic Administrator role has all the required permissions for this integration. A custom role limited to the read permissions listed above is the least-privilege option, because the Client ID and Client Secret you are about to generate carry every permission of the role you select.

  5. Description: You can use this free-form text field to explain the purpose of this Microsoft Sentinel integration deployment.
  6. Technical Point of Contact: The name of someone Mimecast may contact about this deployment if needed. The contact may be a team or a distribution list.
  7. Email: The email address of the contact. This may be a distribution list or a named mailbox.
Microsoft Sentinel integration configuration
  8. Click on Save.
  9. Your API keys will be displayed.

    Copy and store your Client ID and Client Secret securely, for use in Configuring Data Connectors.


    API Keys Generated
  10. Click on Close.
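Before deploying the data connectors, it is worth confirming that the Client ID and Client Secret you just stored actually mint an API 2.0 access token. The script below is an added example written for this article, not Mimecast's own code. It assumes the client-credentials token endpoint is /oauth/token under the Base URL (the connector's default Base URL is https://api.services.mimecast.com); confirm that path against Mimecast's current API 2.0 documentation. The credentials are read from environment variables rather than hard-coded, the token is never printed in full, and the HTTP layer is injectable so the exchange can be exercised offline.

```python
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed path of the API 2.0 token endpoint (client-credentials grant);
# confirm against Mimecast's API 2.0 documentation before relying on it.
TOKEN_PATH = "/oauth/token"


def build_token_request(base_url, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials token request."""
    if not base_url.startswith("https://"):
        # The connector requires an https:// Base URL; never send a secret in clear.
        raise ValueError("Mimecast Base URL must start with https://")
    url = base_url.rstrip("/") + TOKEN_PATH
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, headers, body


def parse_token_response(raw):
    """Extract (access_token, expires_in) from the token endpoint's JSON body."""
    data = json.loads(raw)
    token = data.get("access_token")
    if not token:
        raise RuntimeError("no access_token in response: %s" % json.dumps(data))
    return token, int(data.get("expires_in", 0))


def check_credentials(base_url, client_id, client_secret,
                      opener=urllib.request.urlopen):
    """POST the token request and return a redacted summary of the result.

    `opener` is injectable so the exchange can be tested without network access.
    """
    url, headers, body = build_token_request(base_url, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req, timeout=30) as resp:
            token, ttl = parse_token_response(resp.read())
    except urllib.error.HTTPError as err:
        # The error body usually says why (bad client id/secret, wrong Base URL, ...).
        detail = err.read().decode("utf-8", "replace")[:300]
        raise RuntimeError("token request failed: HTTP %d %s" % (err.code, detail))
    # Never print the token itself; a short prefix is enough to prove the exchange worked.
    return {"token_prefix": token[:6] + "...", "expires_in": ttl}


if __name__ == "__main__":
    base = os.environ.get("MIMECAST_BASE_URL", "https://api.services.mimecast.com")
    cid = os.environ.get("MIMECAST_CLIENT_ID")
    secret = os.environ.get("MIMECAST_CLIENT_SECRET")
    if not (cid and secret):
        sys.exit("set MIMECAST_CLIENT_ID and MIMECAST_CLIENT_SECRET in the environment")
    try:
        print(check_credentials(base, cid, secret))
    except (ValueError, RuntimeError, urllib.error.URLError) as exc:
        sys.exit("credential check failed: %s" % exc)
```

Run it once with the new keys exported in the environment; a non-zero exit with the server's error body in the message tells you whether the problem is the credentials, the Application Role, or the Base URL, before any Azure resources are created.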

Creating a Microsoft Sentinel App Registration

This integration uses an Enterprise application to send the data collected from Mimecast to Microsoft Sentinel. This section covers creating that application and collecting the identifiers required in later sections.

You can create a Microsoft Sentinel App Registration by using the following steps:

  1. Log in to the Microsoft Azure Portal.
  2. Search for "App Registrations", and select it.

    Search for App Registrations
  3. Click on New Registration.

    App registrations
  4. Enter a Name for the application, and use the default values for the other fields.

    Register an application
  5. Click on Register.
  6. Once registered, the application overview page is displayed.

    Copy and securely store the Application (client) ID and Tenant ID for a future step.


    Application Overview Page
  7. In the left-hand menu, click on Certificates & secrets.

    New Client Secret
  8. Under Client Secrets, click on New client secret.
  9. Provide a Description and an Expires period.
  10. Click on Add.

    • Store the secret Value securely for a future step.
    • Create a reminder, or monitor the application, so that the secret is rotated before it expires; once it lapses the data connector can no longer authenticate to Azure.
    Secret Value
  11. In the search bar at the top of the page, search for "Enterprise Applications", and select it.

    Search for Enterprise Applications
  12. Find the application you created.

    Securely store the Object ID (this is not available in the App registrations section) for use in a future step.


    Object ID
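Step 10 above says to monitor the application so that the client secret is rotated before it expires. The script below is an added example, not part of this article's original content or of Mimecast's code. It reads the JSON printed by `az ad app credential list --id <application-client-id>` (the endDateTime field name is assumed from that command's output), flags secrets that have expired or expire within a warning window, and exits non-zero so it can run as a scheduled job. The embedded credential list is a constructed sample so the script also runs offline.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape printed by
#   az ad app credential list --id <application-client-id>
# Only the fields used here are included; endDateTime is assumed to be the
# expiry field in that output.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "sentinel-connector", "keyId": "a1", "endDateTime": "2025-11-15T00:00:00Z"},
    {"displayName": "old-secret", "keyId": "b2", "endDateTime": "2025-09-01T00:00:00Z"},
    {"displayName": "rotated-2026", "keyId": "c3", "endDateTime": "2026-06-30T12:00:00+00:00"},
])


def parse_end(ts):
    """Parse an ISO 8601 timestamp (with Z or an explicit offset) into an aware datetime."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # defensive: treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def classify_secrets(raw_json, now, warn_days=30):
    """Return [(displayName, keyId, days_left, state)] sorted by soonest expiry.

    state is EXPIRED, EXPIRING (within warn_days) or OK.
    """
    rows = []
    for cred in json.loads(raw_json):
        end = parse_end(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            state = "EXPIRED"
        elif days_left <= warn_days:
            state = "EXPIRING"
        else:
            state = "OK"
        rows.append((cred.get("displayName") or "", cred["keyId"], days_left, state))
    rows.sort(key=lambda r: r[2])
    return rows


def needs_action(rows):
    """True if any secret is expired or inside the warning window."""
    return any(state != "OK" for _, _, _, state in rows)


if __name__ == "__main__":
    # Pipe real data in:  az ad app credential list --id <app-id> | python check_secrets.py
    # With nothing piped in, the constructed sample above is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CREDENTIALS
    report = classify_secrets(raw, datetime.now(timezone.utc))
    for name, key_id, days, state in report:
        print("%-9s %4d days  %s (%s)" % (state, days, name, key_id))
    sys.exit(1 if needs_action(report) else 0)
```

The non-zero exit is the hook: run it from a scheduled pipeline or cron job and alert on failure, and the rotation happens while the old secret still works rather than after ingestion has silently stopped.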

Preparing The Workspace

The integration is deployed into a Log Analytics workspace that has Microsoft Sentinel enabled; this section creates that workspace if you do not already have one.

You can create the workspace by using the following steps:

  1. Log in to the Microsoft Azure Portal.
  2. Search for "Microsoft Sentinel" and select it.

     Search for Microsoft Sentinel
  3. Click on Create.

    Create Microsoft Sentinel Workspace
  4. Click on Create a new workspace.

    Create a new workspace
  5. Select your Subscription; choose an existing Resource Group, or click Create new to create one; provide an instance Name; and select your Region.

    Create Log Analytics Workspace
  6. Click on Review + Create.
  7. On the Review page, click on Create. Microsoft will create a deployment, and you should see a confirmation screen when complete.

    Create Deployment
  8. Navigate to Microsoft Defender | Settings | Microsoft Sentinel.

    Microsoft Defender Sentinel Settings
  9. Select your new workspace, and click on Connect workspace.

    Connect Workspace
  10. A confirmation screen will appear.
    Read and understand the product changes, then click on Connect.

Obtain a Workspace Resource ID

The Workspace Resource ID will be used when adding Data Connectors in Configuring Data Connectors.

You can obtain the Workspace Resource ID by using the following steps:

  1. Navigate to the Microsoft Azure Portal.
  2. Search for "Log Analytics workspaces" and select it.
  3. Select the workspace you created or previously selected.
  4. Click on Properties.

    Securely store the Resource ID value. It has the form /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>, which distinguishes it from the GUID-style Workspace ID.


    Workspace Properties

Assign IAM Role

After both the Enterprise Application and the Resource Group have been created, the application needs permissions to interact with the workspace. The role is assigned at the resource group scope, which limits the application to that group rather than the whole subscription.

You can assign the IAM Role by using the following steps:

  1. Log in to the Microsoft Azure Portal.
  2. Search for "Resource Groups" and select it.

    Resource Groups
  3. Select the resource group you previously created.
  4. Click on Access Control (IAM).
  5. Click on Add and select Add role assignment.

    Add role assignment
  6. Search for "Microsoft Sentinel Contributor" and select it.
  7. Click on Next.

    Microsoft Sentinel Contributor
  8. Select User, group, or service principal, and click on Select members.
  9. Select the application previously created, and click on Select.

    Select members
  10. Click on Review + assign to apply the permissions.

    You may need to click this button twice.

Installing the Mimecast Sentinel Integration

This section covers installing the Mimecast integration with Microsoft Sentinel.

  1. Navigate to Microsoft Defender | Microsoft Sentinel | Content management | Content Hub.
  2. Search for "Mimecast" and select it.
  3. Click on Install.

     Install Mimecast Sentinel Integration

Configuring Data Connectors

Data Connectors are used to pull events from Mimecast and send them to Microsoft Sentinel.

You can configure Data Connectors by using the following steps:

  1. If you are still in the install screen, click on Manage.
    Alternatively, navigate to Microsoft Defender | Microsoft Sentinel | Content management | Content hub, search for "Mimecast", select it, and click on Manage.

    Manage data connectors
  2. Select a data connector you wish to use for pulling an associated data type, and click on Open connector page.
    The Data Connectors available are:

    • Mimecast Audit.
    • Mimecast Awareness Training.
    • Mimecast Cloud Integrated (Email Security Cloud Integrated customers only, not for Email Security Cloud Gateway).
    • Mimecast Secure Email Gateway.
    • Mimecast Targeted Threat Protection.
    Open Connector Page
  3. Locate and click on Deploy to Azure.

    Deploy to Azure
  4. Click on Yes, when the confirmation pop-up warns that you will be directed to Azure.

    Redirected to Azure
  5. Populate the fields for the Custom deployment:

    • Subscription: The subscription that contains the resource group created earlier.
    • Resource group: The resource group previously created.
    • Function Name: Provide an Azure Function name to identify this connector.
    • Workspace Name: Provide the name of the workspace previously created.
    • Azure Client ID: Enter the Application (client) ID that you stored when creating the App Registration.
    • Azure Client Secret: Enter the client secret Value that you stored when creating the App Registration.
    • Azure Tenant ID: Enter the Tenant ID that you stored when creating the App Registration.
    • Azure Entra Object ID: Enter the Object ID that you stored when opening the Enterprise Application.
    • Mimecast Base URL: Enter the API 2.0 Base URL, starting with "https://" followed by the hostname. The default is 'https://api.services.mimecast.com'.
    • Mimecast Client ID: Provide the Mimecast Client ID that you stored when creating the API 2.0 application.
    • Mimecast Client Secret: Provide the Mimecast Client Secret that you stored when creating the API 2.0 application.
    • Mimecast {{data connector type}} Table Name: Override the name of the table used to store data for this connector type, if needed (there may be multiple fields for different data types).
    • Start Date (optional, not available for all connector types): The day from which to initially start pulling events, in ISO 8601 format (Example: 2025-10-01). If not populated, the oldest available date for that event type is used.
    • Schedule: Override with a valid Quartz cron expression (Example: 0 0 0 * * *), if needed. Do not leave the value empty.
    • Log Level: Override the log severity value, if needed. The default is 'INFO'.
    • App Insights Workspace Resource ID: Provide the workspace Resource ID that you stored.
    Populate Custom Deployment
  6. Click on Review + create.
  7. Review and click on Create.
  8. Repeat the steps in this section for any other Data Connectors you require.
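The Schedule field above must hold a six-field cron expression (seconds first) and must not be left empty. The validator below is an added example, not part of this article or of the Mimecast connector. The field ranges it enforces (second 0-59, minute 0-59, hour 0-23, day-of-month 1-31, month 1-12, day-of-week 0-7, with "?" accepted in the two day fields) are assumptions about the scheduler's cron dialect, and named months or weekdays (JAN, MON) are not handled. Its main value is catching the two common mistakes before the deployment is created: an empty value, and a five-field crontab expression pasted from a Linux host.

```python
import re

# (name, low, high) for each field, in order: second, minute, hour,
# day-of-month, month, day-of-week. Ranges are assumed (Quartz/NCRONTAB style);
# day-of-week accepts 0-7 so both the 0-6 and 1-7 conventions pass.
FIELDS = [
    ("second", 0, 59),
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day-of-month", 1, 31),
    ("month", 1, 12),
    ("day-of-week", 0, 7),
]

# One list item: '*', 'N' or 'A-B', optionally followed by '/step'.
_ITEM = re.compile(r"^(\*|\d+|\d+-\d+)(?:/(\d+))?$")


def _check_item(item, name, lo, hi):
    """Return an error string for one comma-separated item, or None if it is valid."""
    m = _ITEM.match(item)
    if not m:
        return "%s: unrecognised token %r" % (name, item)
    base, step = m.group(1), m.group(2)
    if base != "*":
        bounds = [int(p) for p in base.split("-")]
        if len(bounds) == 2 and bounds[0] > bounds[1]:
            return "%s: range %r is reversed" % (name, base)
        for v in bounds:
            if not lo <= v <= hi:
                return "%s: value %d outside %d-%d" % (name, v, lo, hi)
    if step is not None and int(step) < 1:
        return "%s: step must be at least 1" % name
    return None


def validate_schedule(expr):
    """Return (ok, message) for a six-field cron expression such as '0 0 0 * * *'."""
    if expr is None or not expr.strip():
        return False, "schedule is empty; the connector requires a cron expression"
    fields = expr.split()
    if len(fields) == 5:
        return False, "five fields given (crontab syntax); a leading seconds field is required"
    if len(fields) != 6:
        return False, "expected 6 fields, got %d" % len(fields)
    for value, (name, lo, hi) in zip(fields, FIELDS):
        if value == "?" and name in ("day-of-month", "day-of-week"):
            continue  # Quartz placeholder meaning 'no specific value'
        for item in value.split(","):
            err = _check_item(item, name, lo, hi)
            if err:
                return False, err
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["0 0 0 * * *", "0 */15 * * * *", "0 0 2 ? * 1",
                      "", "0 0 * * *", "0 60 0 * * *"]:
        ok, msg = validate_schedule(candidate)
        print("%-16r %s %s" % (candidate, "PASS" if ok else "FAIL", msg))
```

Run it over the value you intend to paste into the Schedule field; a PASS only means the expression is well formed for the assumed dialect, so still check the function's first few executions in Azure to confirm it fires when you expect.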

Configuring Dashboards

The integration includes five predefined dashboards that you can configure:

  1. Mimecast Audit Workbook.
  2. Mimecast Awareness Training Workbook.
  3. Mimecast Secure Email Gateway Workbook.
  4. Mimecast Targeted Threat Protection Workbook.
  5. Mimecast Cloud Integrated Workbook (for Cloud Integrated customers only).

You can configure a workbook, by using the following steps:

  1. Navigate to Microsoft Defender | Microsoft Sentinel | Threat Management | Workbooks.
  2. Click on the Templates tab and select a Mimecast workbook.
    You can optionally view the workbook to see the pre-configured fields, or click Save to store and customize the workbook.

    Customize Workbooks
  3. If saving a workbook, click on Save, select the region in which it should be saved, and click on Yes.
    You'll be able to see this dashboard under My Workbooks.

    Save Workbook

Comments

2 comments
  • Just deployed this from the sentinel marketplace (3.0.0) and it looks like there are some issues. All the tables seem to be being created without a Mimecast prefix, for example MimecastAudit_CL is being created as Audit_CL

    0
  • Hi Garwin,

    Thank you for your comment. We can confirm that we have ceased the use of the Mimecast prefix. If your issue is more urgent and/or you wish to open a new Support case, please do so here.

    0
