Sophos MDR integrations are now GA. Up-to-date documentation can be found at the following link: Integrations
Detects threats that target email, including phishing, ransomware, and brand impersonation.
You can integrate Mimecast with Sophos Central so that it sends audit data to Sophos for analysis.
This integration is API-based.
The key steps are as follows:
- Get details of your Mimecast service.
- Create a service user in Mimecast which the Sophos platform can use to call the Mimecast API.
- Add an integration in Sophos Central.
What you'll need from Mimecast
To integrate Mimecast, you need the following details:
- The Base URL for your service.
- Application ID - A GUID of the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
- Application Key - A GUID of the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
- Access Key - A long string of random characters.
- Secret Key - A shorter string of random characters.
The following sections tell you how to get this information.
Find your base URL
The base URL of your Mimecast service depends on your account type, the region where you use Mimecast, and your account code.
To find this out, use the Mimecast documentation. See Global Base URLs.
Get Mimecast authentication details
You need to create a service user in Mimecast, with permissions to read data, and credentials that the Sophos platform can use to call the Mimecast API.
To create and configure the service user, do as follows:
- Go to Mimecast.
- Create a service user, for example sophos@mydomain.com.
  Set the following permissions for the service user:
  - Monitoring | URL Protection | Read
  - Monitoring | Impersonation Protection | Read
  - Monitoring | Attachment Protection | Read
- Update the Authentication Cache TTL setting in the service user's effective Authentication Profile to Never Expire.
- Copy the following items from the Mimecast portal:
  - Application ID - A GUID of the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
  - Application Key - A GUID of the form ca16c415-658f-4c87-8fb6-e3e6957771dc.
  - Access Key - A long string of random characters.
  - Secret Key - A shorter string of random characters.
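The following is an added example, not part of the Sophos documentation or Mimecast's own code: a pre-flight check of the values you copied, plus how the four credentials combine into one signed API request. The header names, endpoint paths, base64-encoded Secret Key and HMAC-SHA1 signing follow Mimecast's API 1.0 convention and are assumptions not stated on this page; `check_details`, `signed_headers` and the sample values are hypothetical names constructed for this example.

```python
import base64, hashlib, hmac, re, uuid
from datetime import datetime, timezone

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Assumption: Mimecast API 1.0 paths for the three request types on this page.
ENDPOINTS = {"URL logs": "/api/ttp/url/get-logs",
             "Impersonation logs": "/api/ttp/impersonation/get-logs",
             "Attachment logs": "/api/ttp/attachment/get-logs"}
# Constructed sample values, not real credentials (GUID form as shown on this page).
SAMPLE = dict(app_id="ca16c415-658f-4c87-8fb6-e3e6957771dc",
              app_key="ca16c415-658f-4c87-8fb6-e3e6957771dc",
              access_key="EXAMPLE-ACCESS-KEY",
              secret_key=base64.b64encode(b"constructed-secret").decode())

def check_details(base_url, app_id, app_key, access_key, secret_key):
    """Return a list of problems with the copied values (empty means plausible)."""
    problems = []
    if not re.fullmatch(r"https://[A-Za-z0-9.-]+", base_url):
        problems.append("Base URL must be https://<host> with no path")
    for name, value in (("Application ID", app_id), ("Application Key", app_key)):
        if not GUID.fullmatch(value):
            problems.append(f"{name} is not a GUID")
    if not access_key or access_key != access_key.strip():
        problems.append("Access Key is empty or has stray whitespace")
    try:  # assumption: the Secret Key is base64 text, decoded before use
        if not base64.b64decode(secret_key, validate=True):
            raise ValueError("empty")
    except ValueError:
        problems.append("Secret Key is empty or not valid base64")
    return problems

def signed_headers(request_type, app_id, app_key, access_key, secret_key,
                   now=None, request_id=None):
    """Build headers for one call; the Secret Key only keys the HMAC and is never sent."""
    uri = ENDPOINTS[request_type]
    date = (now or datetime.now(timezone.utc)).strftime("%a, %d %b %Y %H:%M:%S UTC")
    request_id = request_id or str(uuid.uuid4())
    to_sign = ":".join([date, request_id, uri, app_key]).encode()
    digest = hmac.new(base64.b64decode(secret_key), to_sign, hashlib.sha1).digest()
    return uri, {"Authorization": f"MC {access_key}:{base64.b64encode(digest).decode()}",
                 "x-mc-app-id": app_id, "x-mc-date": date,
                 "x-mc-req-id": request_id, "Content-Type": "application/json"}

if __name__ == "__main__":
    print(check_details("https://api.example.invalid", **SAMPLE))
    for request_type in ENDPOINTS:
        print(signed_headers(request_type, **SAMPLE))
```

Because the signature covers the endpoint path, each request type produces a different Authorization value from the same credentials.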
Add an integration
To integrate Mimecast with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center and click Integrations.
- Click Mimecast.
  If you've already set up connections to Mimecast, you see them here.
- Click Add integration.
  Note: If this is the first integration you've added, we'll ask for details of your internal domains and IPs. See My domains and IPs.
In Integration steps you configure an API to collect data from Mimecast.
Do as follows:
- Enter a name and description for the integration.
- Enter your Mimecast base URL.
- Enter the following authentication details you copied from Mimecast:
  - Application ID
  - Application Key
  - Access Key
  - Secret Key
- Select the Request type. This specifies the type of data you want this integration to collect.
  Choose from the following:
  - URL logs
  - Impersonation logs
  - Attachment logs
  You need to add an integration for each Request type you want to use.
- Click Save.
  The integration is created for you and appears in your list.
If your integration shows Connected, then your data should appear in the Sophos Data Lake after validation.
More information about Mimecast
When you create the service user, the permissions you grant allow read access to do the following:
- Get TTP URL logs.
- Get TTP Impersonation Protect logs.
- Get Attachment Protection logs.
For more information on these permissions, see the following Mimecast documents: