API & Integrations - Rapid7 InsightIDR Troubleshooting

This article explains how to troubleshoot the integration of Mimecast API 2.0 with Rapid7 InsightIDR.

When integrating Mimecast API 2.0 with Rapid7 InsightIDR, you may encounter several data ingestion challenges that can impact security monitoring effectiveness. These issues include:

• Null or empty values in critical fields like recipient information.
• Missing metadata such as spam scores.
• Incomplete key/value pairs.
• Absence of investigation-critical data points.

These issues can potentially lead to incomplete log analysis and false positives. Additionally, if an email is rejected, no log may be captured at all, which can impact the completeness of log data.

Workaround

Prerequisites and Requirements

Before troubleshooting, ensure you have the following prerequisites in place:

• Use a Basic admin role when creating integration keys.
• Enable Security Permissions specifically for Security Events and Data Retrieval | Threat and Security Events (SIEM) with Read access.
• It's recommended to uncheck all other sections to limit the role's permissions to only the required access.

Configuration Steps

To successfully configure Mimecast API 2.0 for SIEM integrations, please refer to API & Integrations – Managing API 2.0 for Cloud Gateway and ensure the following:

1. Select all necessary product options in the API configuration.
2. Generate new API keys after confirming product selections.
3. Ensure the admin authorization profile is enabled.
4. Verify authentication settings.
5. Consult the official Mimecast API integration documentation for detailed guidance.

It's critical to ensure all products are selected during configuration to prevent data gaps.

Log Integration Setup and Verification

When integrating Mimecast logs with Rapid7 InsightIDR, follow these verification steps:

1. Verify connector registration (can be done via API).
2. Check that you're using an Administrator role to generate new integration keys.
3. Confirm that logs are being properly imported into the system.
4. Investigate any potential access issues with the Integration Hub.

For troubleshooting log transmission specifically:

1. Verify that the integration connection is successful.
2. Ensure Enhanced Logging is enabled in your account settings.
3. Check that credentials are correct.
4. Confirm the event source is running.
5. Allow some time for logs to start flowing (potentially several hours after initial setup).

Common Troubleshooting Scenarios

When troubleshooting Mimecast API v2 integration issues, check the following:

1. Authentication Issues: Avoid using SAML/SSO for service account authentication, as this can cause authentication problems.
2. Endpoint Configuration: Verify the correct endpoint paths for API calls.
3. IP Authorization: Check Admin IP Ranges in the Mimecast Administration Console to ensure the IPs making API calls are authorized.
4. Permissions: Confirm the service account has appropriate permissions (e.g., Basic administrator role).
5. Product Selection: Verify the specific products and access levels selected for the integration.

If you encounter data quality issues, be aware that potential missing or null information can include:

• Recipient fields.
• Spam score.
• Critical metadata fields.
• Certain key/value pairs are needed for investigations.