Skip to content
Find out how we support MDR.

Mimecast integration

You can integrate Mimecast Email Security Cloud Gateway with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

This page applies to integration with Mimecast API 1.0 or Mimecast API 2.0.

Mimecast API 1.0 is a legacy version. It might no longer be available for your Mimecast account.

We recommend that you use Mimecast API 2.0 if you're any of the following:

  • A new Email Security Cloud Gateway customer.
  • An existing Email Security Cloud Gateway customer with no active integrations.
  • An existing customer, with or without active integrations, who wants to use new capabilities that are only available in Mimecast.

Mimecast product overview

Mimecast's Email Security Cloud Gateway is a cloud-based solution that defends against a multitude of email-borne threats, including phishing, malware, and spam. Through its centralized platform, it offers multi-layered detection mechanisms, ensuring the safety of inbound and outbound emails while providing real-time threat intelligence and rapid incident response.

Sophos documents

You can set up an integration to get alerts using Mimecast API 1.0 or Mimecast API 2.0. The alerts ingested are the same.

What we ingest

Sample alerts seen by Sophos:

  • Impersonation Attempt
  • Unsafe Email Attachment
  • URL Protection
  • IP Temporarily Blacklisted
  • Anti-Spoofing policy - Inbound not allowed
  • Invalid Recipient
  • Exceeding outbound thread limit
  • Message bounced due to Content Examination Policy

Alerts ingested in full

We ingest alerts from three Mimecast categories:

  • attachment
  • impersonation
  • URL

Filtering

We filter alerts as follows:

  • Confirm the format of the alerts returned is as expected.
  • Remove alerts where Mimecast has marked the scan result as clean or safe.

Sample threat mappings

Alert mapping is defined based on each of the 3 specific types or endpoints and is one of the following:

Attachment: Default to "Unsafe Email Attachment"

Impersonation: Default to “Impersonation Attempt”

Click: If the field ttpDefinition is empty, use the value of creationMethod. Otherwise, use the value of reason.

{"alertType": "Impersonation Attempt", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "Unsafe Email Attachment", "threatId": "T1598.002", "threatName": "Spearphishing Attachment"}
{"alertType": "URL Protection", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "Default URL Protection", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "IP Temporarily Blacklisted", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Submitter failed to authenticate", "threatId": "T1078", "threatName": "Valid Accounts"}
{"alertType": "Anti-Spoofing policy - Inbound not allowed", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "Invalid Recipient", "threatId": "TA0005", "threatName": "Defense Evasion"}
{"alertType": "Exceeding outbound thread limit", "threatId": "T1041", "threatName": "Exfiltration Over C2 Channel"}
{"alertType": "Message bounced due to Content Examination Policy", "threatId": "T1598", "threatName": "Phishing for Information"}
{"alertType": "Default Inbound URL Protect Definition", "threatId": "T1598.003", "threatName": "Spearphishing Link"}

Vendor documentation

Here is documentation for the three endpoints we query:

Get TTP Attachment Protection Logs

Get TTP Impersonation Protect Logs

Get TTP URL Logs