This guide covers how to set up Mimecast Advanced Email Security with Expel Workbench. This integration allows Expel to apply our detection strategy to Mimecast Targeted Threat Protection (TTP) alerts and pull them into the Workbench queue for investigation and remediation.
Prerequisites
- You must have the Organization Admin role in Workbench to set up this integration.
- You must have a Mimecast administrator account with permissions to create API 2.0 Applications and manage Roles.
- Your organization must have Mimecast Targeted Threat Protection (TTP) enabled for at least one of the following: URL Protect, Attachment Protect, or Impersonation Protect.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Create a Custom Role for the Expel Integration
- Create an API 2.0 Application in Mimecast
- Add Mimecast as a Security Device in Workbench
Step 1: Create a Custom Role for the Expel Integration
Mimecast recommends creating a dedicated custom role with only the permissions required for the integration.
- Log in to the Mimecast Administration Console.
- Navigate to Account > Admin Roles.
- Select New Role.
- Configure the role as follows:
- Role Name - enter "Expel Integration Role".
- Description - enter "Role for Expel integration".
- Cannot Manage Roles - leave selected.
- Application Permissions - ensure the following required permissions are selected. If your organization does not have all TTP products enabled, you only need to grant permissions for the products you have.

| Permission | Purpose |
| --- | --- |
| Monitoring Menu > URL Protection > Read | Allows retrieval of TTP URL click protection logs |
| Monitoring Menu > Attachment Protection > Read | Allows retrieval of TTP attachment sandbox logs |
| Monitoring Menu > Impersonation Protection Logs > Read | Allows retrieval of TTP impersonation protection logs |

- Select Save and Exit.
Step 2: Create an API 2.0 Application in Mimecast
Next, you will create an API 2.0 Application to generate the Client ID and Client Secret that Expel uses to authenticate.
- In the Mimecast Administration Console, navigate to Integrations > API and Platform Integrations.
- Select the Available Integrations tab.
- Locate the Mimecast API 2.0 tile and select Generate Keys.
- Select Create New Integration.
- If applicable, read the Terms & Conditions and select I accept.
- Complete the Details section as follows:
- Application Name - enter "Expel Integration".
- Products - select Select All (or choose the specific TTP products you have enabled).
- Application Role - Select "Expel Integration Role" (the role you created in Step 1).
- Description - enter "Expel API Integration."
- In Notification Settings, provide a point of contact name and email address. Mimecast uses this to notify you about API updates or issues.
- Scroll to the top of the page and select Save.
- A dialog displays confirming the credentials were created successfully. Copy and save the Client ID and Client Secret to a safe place for use in the next step. The Client Secret is only displayed once. If you lose these credentials, you must generate new ones.
Step 3: Add Mimecast as a Security Device in Workbench
Now that you have your API credentials, you can configure the integration in Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search box, type “Mimecast” and then select the Mimecast integration.
- A configuration pane displays. Complete the fields as follows:
- Name - enter a name that helps you identify this integration, such as “CompanyName Mimecast”. This name displays in Workbench under the Name column and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Server URL - enter the Mimecast API base URL for your region:
- Global (recommended) - https://api.services.mimecast.com
- U.S. Regional - https://us-api.services.mimecast.com
- U.K. Regional - https://uk-api.services.mimecast.com
The Global URL automatically routes traffic to the nearest Mimecast instance. Use regional URLs only if you have specific compliance or data residency requirements.
- Client ID - enter the Client ID from Step 2.
- Client secret - enter the Client Secret from Step 2.
- Select Save.
- On the console access screen, select No thanks, I will not provide console access from the dropdown.
- Select Save.
- Your device should be created successfully within a few seconds. A few reminders:
- After your connection is healthy, it will take some time for your device to begin polling and receiving data.
- To check on the status, select the downward arrow for your device in the first column and choose View details.
- Polling will happen first; data will be received after that. You must refresh the page to see updates.
- If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
- To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
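To confirm that the Client ID and Client Secret from Step 2 are accepted at the Server URL chosen in Step 3, the following added example (not part of the original guide and not Expel or Mimecast code) requests an OAuth token and reports only whether it was issued. It assumes the Mimecast API 2.0 token endpoint is `/oauth/token` with the client-credentials grant; the `MIMECAST_*` environment variable names are hypothetical.

```python
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Base URLs listed in Step 3 of this guide.
ALLOWED_BASE_URLS = {
    "https://api.services.mimecast.com",
    "https://us-api.services.mimecast.com",
    "https://uk-api.services.mimecast.com",
}
TOKEN_PATH = "/oauth/token"  # assumption: Mimecast API 2.0 OAuth token endpoint


def normalize_base_url(url):
    """Return the URL without a trailing slash; reject anything not listed in Step 3."""
    cleaned = url.strip().rstrip("/").lower()
    if cleaned not in ALLOWED_BASE_URLS:
        raise ValueError(f"unexpected Server URL: {url!r}")
    return cleaned


def build_token_request(base_url, client_id, client_secret):
    """Build the client-credentials token request without sending it."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(
        normalize_base_url(base_url) + TOKEN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def check_credentials(base_url, client_id, client_secret):
    """Send the request; return the token lifetime in seconds, or None if rejected."""
    req = build_token_request(base_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp).get("expires_in")  # the token itself is never printed
    except urllib.error.HTTPError as err:
        print(f"token request rejected: HTTP {err.code}", file=sys.stderr)
        return None


if __name__ == "__main__":
    # Read the secret from the environment so it stays out of argv and shell history.
    env = os.environ
    lifetime = check_credentials(env["MIMECAST_BASE_URL"], env["MIMECAST_CLIENT_ID"],
                                 env["MIMECAST_CLIENT_SECRET"])
    sys.exit(0 if lifetime else 1)
```

A successful token request shows only that the credentials are valid; it does not confirm that the custom role from Step 1 carries the TTP read permissions.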