
Integrate Mimecast 2.0

You must have the Email integrations license pack to use this feature.

You can integrate the cloud gateway version of Mimecast 2.0 Email Security with Sophos Central so that it sends audit data to Sophos for analysis.

This integration uses a Mimecast API to collect and forward the data.

The key steps are as follows:

  • Turn on logging in Mimecast.
  • Make sure your Mimecast account lets Sophos access API calls.
  • Create a role for the Mimecast API.
  • Add the Mimecast API.
  • Configure an integration in Sophos Central.

Mimecast can send three types of data to Sophos Central: URL logs, impersonation logs, and attachment logs. You must add an integration for each data type you want.

When you set up the Mimecast API, make sure you use the company-branded administrator account, not the temporary onboarding administrator account provided by Mimecast.

Turn on logging

To turn on logging in Mimecast, do as follows:

  1. Sign in to your Mimecast Administrator Console.
  2. Go to Administration > Account > Account Settings.
  3. In Enhanced Logging, choose the following logging types:

    • Inbound
    • Outbound
    • Internal
  4. Click Save.

Make sure Sophos can access API calls

If your Mimecast account gives permission for administrative actions only to specific IP ranges, read this section. Otherwise, skip to Create a role for the API.

If your Mimecast account gives permission for administrative actions only to specific IP ranges, you must add Sophos IPs to those IP ranges. This allows Sophos to access API calls.

Note

Make sure that all your IP addresses are permitted, not just the Sophos IP addresses.

To allow Sophos to access API calls, do as follows:

  1. Go to Account > Account Settings > User Access and Permissions.
  2. Make sure that Sophos IP addresses are included in the addresses with permission for administrative actions.

    The IP addresses depend on your Sophos Central region. To find the IP addresses you need, see Allow Sophos IPs.

You might need to add these addresses to the allow lists in your network infrastructure.

Alternatively, move these IP restrictions to an authentication profile for your admins. See Email Security Cloud Gateway - Configure Authentication Profiles.
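The following check is an added example, not part of the Sophos or Mimecast documentation. It tests a proposed list of permitted ranges against every address that needs administrative access, so that adding the Sophos addresses does not leave one of your own out. All addresses are constructed placeholders from documentation ranges (take the real Sophos addresses from Allow Sophos IPs), and writing the ranges in CIDR notation is an assumption.

```python
import ipaddress


def uncovered(permitted_ranges, required):
    """Return {label: [entries]} for required addresses or ranges that
    are not fully inside the permitted ranges."""
    nets = [ipaddress.ip_network(r, strict=False) for r in permitted_ranges]
    merged = []
    for version in (4, 6):
        # Merge adjacent ranges so that, for example, two /25 entries
        # are recognized as covering the /24 they add up to.
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))

    missing = {}
    for label, entries in required.items():
        for entry in entries:
            target = ipaddress.ip_network(entry, strict=False)
            ok = any(
                target.version == net.version and target.subnet_of(net)
                for net in merged
            )
            if not ok:
                missing.setdefault(label, []).append(entry)
    return missing


# Constructed sample data (placeholders, not real Sophos or customer IPs).
PROPOSED_RANGES = [
    "192.0.2.10/32", "192.0.2.11/32",         # Sophos placeholders
    "198.51.100.0/25", "198.51.100.128/25",   # office network, two halves
]
REQUIRED = {
    "sophos": ["192.0.2.10", "192.0.2.11"],
    "admins": ["198.51.100.0/24", "203.0.113.77"],  # office + remote admin
}

if __name__ == "__main__":
    gaps = uncovered(PROPOSED_RANGES, REQUIRED)
    for label, entries in gaps.items():
        print(f"{label}: not permitted -> {', '.join(entries)}")
    if not gaps:
        print("All required addresses are permitted.")
```

With the sample data, the remote administrator address is reported as missing while the office /24 and both Sophos placeholders pass.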

Create a role for the API

Create a role with the permissions the API needs, as follows:

  1. Go to Account > Roles.
  2. Click New Role and enter a name. For example, "Sophos integration".
  3. In Application Permissions, select the following permissions:

    • Monitoring Menu > Attachment Protection > Read
    • Monitoring Menu > URL Protection > Read
    • Monitoring Menu > Impersonation Protection Logs > Read
    • Security Events and Data Retrieval > Threat and security events (SIEM) > Read
    • Security Events and Data Retrieval > Threat and security statistics > Read
  4. Click Save and Exit.

Add the API

Add the Mimecast API. Sophos Central will connect to this API later.

  1. Go to Services > API and Platform Integrations.
  2. In Available Integrations, click the Mimecast API 2.0 tile.
  3. Click Generate Keys. The keys are shown at the end of this procedure.
  4. Read the Terms & Conditions, select the I accept check box, and click Next.

    The Application Details section opens.

  5. Enter an Application Name. For example, "Sophos integration".

  6. In Category, select SIEM Integration.
  7. In Products, choose Select All.
  8. In Application Role, select the role you created earlier.
  9. In the Notification Settings section, provide email contact details in case Mimecast needs to speak to you about the use of this API.

    We recommend that you specify a group rather than an individual.

  10. Review the Summary and click Add.

    Your Client ID and Client Secret keys are shown. Copy them and keep them safe. You'll use them in Sophos Central when you add the integration.

Configure an integration

To integrate Mimecast 2.0 Email Security with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Mimecast 2.0 - Email Security Cloud Gateway.

    The Mimecast 2.0 - Email Security Cloud Gateway page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See Provide your domain and IP details.

    The Integration steps open. These let you enable Sophos Central to collect data from Mimecast.

  4. Enter a name and description for the integration.

  5. Enter the Client Id and Client secret you copied from Mimecast.
  6. Select the Request type. This specifies the type of data you want this integration to collect. Select one of these data types:

    • URL logs
    • Impersonation logs
    • Attachment logs

    Note

    You can only choose one request type each time you configure an integration. You can add more after you complete the current integration. Go to Threat Analysis Center > Integrations, click Mimecast 2.0 - Email Security Cloud Gateway, and repeat the integration steps, using the same authentication details.

  7. Click Save.

We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.