Mimecast Email Security, Cloud Gateway

API

You must have the Email integrations license pack to use this feature.

You can integrate the cloud gateway version of Mimecast Email Security with Sophos Central so that it sends audit data to Sophos for analysis.

This integration is API-based.

The key steps are as follows:

  • Get details of your Mimecast service.
  • In Mimecast, create an API application and a service user. We use these to call the Mimecast API.
  • Configure an integration in Sophos Central. You need to add an integration for each data type you want Mimecast to send to us.

What you need from Email Security Cloud Gateway

To integrate Email Security Cloud Gateway, you need the following details:

  • The Base URL for your service.
  • Application ID: A GUID in the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
  • Application Key: A GUID in the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
  • Access Key: A long string of random characters.
  • Secret Key: A shorter string of random characters.

The following sections tell you how to get this information.

Note

Currently the Mimecast integration setup only allows you to choose one of the three available request types. To collect data for more than one request type, add the integration multiple times with the same credentials, choosing a different request type each time.

See Enter API details.

Find your base URL

The base URL of the Mimecast service depends on your account type, the region where you use it, and your account code.

To find this out, use the Mimecast documentation. See Global Base URLs.

Turn on logging

To turn on logging in Mimecast, do as follows.

  1. Sign in to your Mimecast Administrator Console.
  2. Go to Administration > Account > Account Settings.
  3. In Enhanced Logging, choose the following logging types:

    • Inbound
    • Outbound
    • Internal
  4. Click Save.

Create an API application

You need to add an API application in Mimecast. Sophos Central will connect to this API.

To add an API application, do as follows.

  1. In your Mimecast Administrator Console, go to Services > API and Platform Integrations.
  2. In Available Integrations, find and click the Mimecast API 1.0 card.
  3. In Add API Application, fill in your application details as follows:

    • Application Name: Enter a name for your application.
    • Category: Select SIEM Integration.
    • Service Application: Select Enable Extended Session.
    • Description: Optionally enter a description for the application.
  4. Click Next.

  5. In Notification Settings, enter an administrator's name and email address to receive notifications about the API application.
  6. Choose whether or not Mimecast can notify the administrator when the API is updated.
  7. Click Next.
  8. In Review Information, check that the information is correct and that Status is Enabled.
  9. Click Add.

    The application is created.

  10. Copy the Application ID and Application Key. You use these in Sophos Central when you add the integration.

You must wait 30 minutes before you can create and save the Access Key and Secret Key, which you also need.

You don't have to wait to create the service user.

Create and configure service user

You need to create a service user in Mimecast. The service user must have permissions to read data, and credentials that we can use to call the Mimecast API application you created.

To create and configure the service user, do as follows:

  1. In your Mimecast Administrator Console, go to Directories > Internal Directories.
  2. Select the domain and click New address.
  3. Create a sophos@mydomain.com service user and enter a password for it.
  4. Click Save and Exit.
  5. Go to Account > Roles.
  6. Click New Role and enter a name, for example Sophos Integration.
  7. In Application Permissions, select the following permissions:

    • Monitoring Menu > Attachment Protection > Read
    • Monitoring Menu > URL Protection > Read
    • Monitoring Menu > Impersonation Protection Logs > Read

    Warning

    You must set these permissions, or the integration can't work.

  8. Click Save and Exit.

  9. Click on the role you created.
  10. Click Add User to Role.
  11. Search for the sophos@mydomain.com service user and select it to add it to the role.

Ensure Sophos can access API calls

If your Mimecast account gives permission for administrative actions only to specific IP ranges, read this section. Otherwise, skip to Create access secret and key.

To ensure that Sophos can access administrative actions, including API calls, do as follows:

  1. Go to Account > Account Settings > User Access and Permissions.
  2. If administrative actions are permitted only to specific IP ranges, ensure that Sophos IP addresses are included.

    The IP addresses depend on your Sophos Central region. To find the IP addresses you need, see Sophos IPs for integrations.

You might need to add these addresses to the allow lists in your network infrastructure.

Alternatively, move these IP restrictions to an authentication profile for your admins. See Email Security Cloud Gateway - Configure Authentication Profiles.

Create access secret and key

To create the access and secret keys, do as follows.

  1. In your Mimecast Administrator Console, go to Services > API and Platform Integrations.
  2. In Your Application Integrations, click the API application you created.
  3. Click Create Keys.
  4. Enter the email address and password of the service user you created.
  5. Copy the following keys to use in Sophos Central when you add the integration:

    • Access Key: A long string of random characters.
    • Secret Key: A shorter string of random characters.
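Before you paste the four values into Sophos Central, you can check offline that they have the expected form and see how they combine into a signed API call. The following is an added example, not Sophos or Mimecast code. The header layout, the three endpoint paths and the base64 encoding of the Secret Key are assumptions based on Mimecast's API 1.0 scheme and are not stated on this page, so confirm them against the Mimecast documentation. All credential values are constructed.

```python
import base64, hashlib, hmac, re, uuid
from datetime import datetime, timezone

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Request types offered in Sophos Central, mapped to assumed API 1.0 paths.
REQUEST_URIS = {
    "URL logs": "/api/ttp/url/get-logs",
    "Impersonation logs": "/api/ttp/impersonation/get-logs",
    "Attachment logs": "/api/ttp/attachment/get-logs",
}

def check_credentials(app_id, app_key, access_key, secret_key):
    """Return a list of format problems; an empty list means the values look plausible."""
    problems = []
    for name, value in (("Application ID", app_id), ("Application Key", app_key)):
        if not GUID_RE.match(value):
            problems.append(f"{name} is not a GUID")
    for name, value in (("Access Key", access_key), ("Secret Key", secret_key)):
        if not value or value != value.strip():
            problems.append(f"{name} is empty or has stray whitespace")
    try:
        base64.b64decode(secret_key, validate=True)  # assumption: key is base64
    except ValueError:
        problems.append("Secret Key is not valid base64")
    return problems

def signed_headers(app_id, app_key, access_key, secret_key, request_type,
                   date=None, request_id=None):
    """Return (uri, headers) for one signed POST for the chosen request type."""
    uri = REQUEST_URIS[request_type]
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    request_id = request_id or str(uuid.uuid4())
    # Assumed scheme: HMAC-SHA1 over "date:request-id:uri:application-key".
    data_to_sign = ":".join([date, request_id, uri, app_key])
    digest = hmac.new(base64.b64decode(secret_key), data_to_sign.encode(),
                      hashlib.sha1).digest()
    return uri, {
        "Authorization": f"MC {access_key}:{base64.b64encode(digest).decode()}",
        "x-mc-app-id": app_id,
        "x-mc-date": date,
        "x-mc-req-id": request_id,
        "Content-Type": "application/json",
    }

if __name__ == "__main__":
    guid = "ca16c415-658f-4c87-8fb6-e3e6957771dc"  # sample form from this page
    secret = base64.b64encode(b"constructed-secret").decode()  # constructed
    print(check_credentials(guid, guid, "constructedAccessKey", secret))
    print(signed_headers(guid, guid, "constructedAccessKey", secret, "URL logs")[0])
```

The Secret Key is only ever used as the HMAC key and is never sent, so a leaked Authorization header exposes the Access Key and one signature, not the secret itself.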

Configure an integration

To integrate Mimecast Email Security, Cloud Gateway with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Mimecast Email Security Cloud Gateway.

    The Mimecast Email Security Cloud Gateway page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

Enter API details

In Integration steps you configure an API to collect data from Email Security Cloud Gateway.

To do this, do as follows:

  1. Enter a name and description for the integration.
  2. Enter your Mimecast base URL.
  3. Enter the following authentication details you copied from Mimecast:

    • Application ID
    • Application Key
    • Access Key
    • Secret Key
  4. Select the Request type. This specifies the type of data you want this integration to collect.

    Note

    Currently you can only choose one request type each time you add an integration. To add more than one, once you've finished the first integration, go to Threat Analysis Center > Integrations and click Mimecast Email Security Cloud Gateway.

    Go through the integration setup again, using the same credentials, and select a different request type. Then repeat the process if you want to add a third request type.

    We are working to change this. When the change is made, you'll be able to select multiple request types in one integration setup.

    Choose from the following request types:

    • URL logs
    • Impersonation logs
    • Attachment logs
  5. Click Save.

We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.

Note

If your data doesn't appear after a few hours, go back to the instructions for configuring Mimecast.

Check that you've created the service user with the correct permissions, and set Authentication Cache TTL to Never Expire in the service user's effective Authentication Profile.

More information about Mimecast Email Security, Cloud Gateway

When you create the service user, the permissions you grant allow read access to do the following:

  • Get TTP URL logs.
  • Get TTP Impersonation Protect logs.
  • Get Attachment Protection logs.

For more information on these permissions, see the following Mimecast documents: