Mimecast Email Security Cloud Gateway

API

Detects threats that target email, including phishing, ransomware, and brand impersonation.

You can integrate Email Security Cloud Gateway with Sophos Central so that it sends audit data to Sophos for analysis.

This integration is API-based.

The key steps are as follows:

  • Get details of your Email Security Cloud Gateway service.
  • Create a service user in Email Security Cloud Gateway which we can use to call the Email Security Cloud Gateway API.
  • Add an integration in Sophos Central.

What you need from Email Security Cloud Gateway

To integrate Email Security Cloud Gateway, you need the following details:

  • The Base URL for your service.
  • Application ID: A GUID in the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
  • Application Key: A GUID in the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
  • Access Key: A long string of random characters.
  • Secret Key: A shorter string of random characters.

The following sections tell you how to get this information.

Note

Currently the Mimecast integration setup only allows you to choose one of the three available request types. To collect data about more than one request type, run the integration setup multiple times with the same credentials, choosing a different request type each time.

See Enter API details.

Find your base URL

The base URL of your Email Security Cloud Gateway service depends on your account type, the region where you use Email Security Cloud Gateway, and your account code.

To find this out, use the Email Security Cloud Gateway documentation. See Global Base URLs.

Create service user

You need to create a service user in Email Security Cloud Gateway, with permissions to read data, and credentials that we can use to call the Email Security Cloud Gateway API.

To create and configure the service user, do as follows:

  1. Go to Email Security Cloud Gateway.
  2. Create a sophos@mydomain.com service user.

    You must set the following permissions for the service user:

    • Monitoring | URL Protection | Read
    • Monitoring | Impersonation Protection | Read
    • Monitoring | Attachment Protection | Read

    Warning

    You must set these permissions or the integration can't work.

  3. In the service user's effective Authentication Profile, set Authentication Cache TTL to Never Expire.

    Warning

    You must set this to Never Expire or the integration can't work.

  4. Copy the following items from the Email Security Cloud Gateway portal to use later in Sophos Central:

    • Application ID: A GUID in the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
    • Application Key: A GUID in the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
    • Access Key: A long string of random characters.
    • Secret Key: A shorter string of random characters.

Add an integration

To integrate Email Security Cloud Gateway with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click Mimecast Email Security Cloud Gateway.

    If you've already set up connections to Email Security Cloud Gateway, you see them here.

  3. Click Add integration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

Enter API details

In Integration steps you configure an API to collect data from Email Security Cloud Gateway.

To do this, do as follows:

  1. Enter a name and description for the integration.
  2. Enter your Email Security Cloud Gateway base URL.
  3. Enter the following authentication details you copied from Email Security Cloud Gateway:

    • Application ID
    • Application Key
    • Access Key
    • Secret Key
  4. Select the Request type. This specifies the type of data you want this integration to collect.

    Note

    Currently you can only choose one request type each time you add an integration. To add more than one, once you've finished the first integration, go to Threat Analysis Center > Integrations and click Mimecast Email Security Cloud Gateway.

    Go through the integration setup again, using the same credentials, and select a different request type. Then repeat the process if you want to add a third request type.

    We are working to change this. When the change is made, you'll be able to select multiple request types in one integration setup.

    Choose from the following request types:

    • URL logs
    • Impersonation logs
    • Attachment logs
  5. Click Save.

We create the integration and it appears in your list.

If your integration shows as Connected, your data should appear in the Sophos Data Lake after validation.

Note

If your data doesn't appear after a few hours, go back to the instructions for configuring Mimecast.

Check that you've created the service user with the correct permissions, and set Authentication Cache TTL to Never Expire in the service user's effective Authentication Profile.
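To check the service user's credentials and its three read permissions directly against the API when troubleshooting, you can sign one request per request type yourself. The following is an added example, not Sophos or Mimecast code: it assumes Mimecast API 1.0 request signing (HMAC-SHA1 over the date, request ID, URI and Application Key) and the three TTP log endpoint paths from Mimecast's API documentation, and the `MC_*` environment variable names are hypothetical.

```python
import base64, hashlib, hmac, json, os, uuid
import urllib.error, urllib.request
from datetime import datetime, timezone

# API 1.0 paths for the three request types (taken from Mimecast's API
# documentation, not from this page; treat them as assumptions).
LOG_ENDPOINTS = {
    "URL logs": "/api/ttp/url/get-logs",
    "Impersonation logs": "/api/ttp/impersonation/get-logs",
    "Attachment logs": "/api/ttp/attachment/get-logs",
}

def sign_request(uri, app_id, app_key, access_key, secret_key, date=None, request_id=None):
    """Build the headers for one signed API 1.0 call to `uri`."""
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    request_id = request_id or str(uuid.uuid4())
    try:  # pasted keys often carry stray whitespace, so strip before decoding
        key = base64.b64decode(secret_key.strip(), validate=True)
    except ValueError as exc:  # also covers binascii.Error
        raise ValueError("Secret Key is not valid base64; copy it again") from exc
    data = ":".join([date, request_id, uri, app_key.strip()])
    sig = base64.b64encode(hmac.new(key, data.encode(), hashlib.sha1).digest()).decode()
    return {"Authorization": f"MC {access_key.strip()}:{sig}",
            "x-mc-app-id": app_id.strip(), "x-mc-date": date,
            "x-mc-req-id": request_id, "Content-Type": "application/json"}

def check_permissions(base_url, creds, send):
    """POST to each log endpoint; `send` returns (HTTP status, parsed JSON body)."""
    results = {}
    for name, uri in LOG_ENDPOINTS.items():
        status, body = send(base_url.rstrip("/") + uri, sign_request(uri, **creds),
                            b'{"data": [{}]}')
        ok = status == 200 and not body.get("fail")
        results[name] = "ok" if ok else f"failed (HTTP {status}, fail={body.get('fail')})"
    return results

def http_send(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

if __name__ == "__main__":  # hypothetical MC_* variables keep secrets out of the script
    creds = {k: os.environ[f"MC_{k.upper()}"]
             for k in ("app_id", "app_key", "access_key", "secret_key")}
    for name, result in check_permissions(os.environ["MC_BASE_URL"], creds, http_send).items():
        print(f"{name}: {result}")
```

A request type reported as failed while the others succeed points at a missing read permission on the service user rather than at the keys.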

More information about Email Security Cloud Gateway

When you create the service user, the permissions you grant allow read access to do the following:

  • Get TTP URL logs.
  • Get TTP Impersonation Protect logs.
  • Get Attachment Protection logs.

For more information on these permissions, see the following Email Security Cloud Gateway documents: