Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 5.3.3 External Systems Configuration Guide
    5.3.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Sophos Central

    Sophos Central

    Integration points

    Protocol Information Discovered Used For
    Sophos Central API Endpoint suspicious activity detected by Sophos agent Security and Compliance

    Configuring Sophos Central for API Access

    Sophos provides ample documentation here.

    1. Login to Sophos Central Website.
    2. Go to Global Settings > API Token Management. Click Add Token.
      The Token will display.
    3. Note the following information for later use:
      1. Get Host Name from API Access URL (part after https://).
      2. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
      3. Get API Key from Headers (part between x-api-key: and Authorization Basic).

    Configuring FortiSIEM for Sophos Central for API Access

    Use the account in previous step to enable FortiSIEM access.

    1. Login to FortiSIEM.
    2. Go to ADMIN > Setup > Credential.
    3. Click New to create Sophos Central credential:
      1. Choose Device Type = Sophos Central.
      2. Choose Access Protocol = Sophos Central API.
      3. Enter Authorization created in the previous section - step 3b above.
      4. Keep User Name empty.
      5. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events.
      6. Enter API Key created in the previous section - step 3c.
      7. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      8. Click Save.
    4. Enter an IP Range to Credential Association.
      1. Enter Hostname created here - step 3a.
      2. Select the Credential created here - step 3.
      3. Click Save.
    5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
    6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.

    To test for events received via Windows Defender ATP REST API:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the Windows Defender ATP entry and click Report.

    The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.

    Parsing and Events

    Over 20 events are parsed – see event types in Resources > Event Types and search for 'Sophos-Central'.

    Previous
    Next

    Sophos Central

    Sophos Central

    Integration points

    Protocol Information Discovered Used For
    Sophos Central API Endpoint suspicious activity detected by Sophos agent Security and Compliance

    Configuring Sophos Central for API Access

    Sophos provides ample documentation here.

    1. Login to Sophos Central Website.
    2. Go to Global Settings > API Token Management. Click Add Token.
      The Token will display.
    3. Note the following information for later use:
      1. Get Host Name from API Access URL (part after https://).
      2. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
      3. Get API Key from Headers (part between x-api-key: and Authorization Basic).

    Configuring FortiSIEM for Sophos Central for API Access

    Use the account in previous step to enable FortiSIEM access.

    1. Login to FortiSIEM.
    2. Go to ADMIN > Setup > Credential.
    3. Click New to create Sophos Central credential:
      1. Choose Device Type = Sophos Central.
      2. Choose Access Protocol = Sophos Central API.
      3. Enter Authorization created in the previous section - step 3b above.
      4. Keep User Name empty.
      5. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events.
      6. Enter API Key created in the previous section - step 3c.
      7. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      8. Click Save.
    4. Enter an IP Range to Credential Association.
      1. Enter Hostname created here - step 3a.
      2. Select the Credential created here - step 3.
      3. Click Save.
    5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
    6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.

    To test for events received via Windows Defender ATP REST API:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the Windows Defender ATP entry and click Report.

    The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.

    Parsing and Events

    Over 20 events are parsed – see event types in Resources > Event Types and search for 'Sophos-Central'.

    Previous
    Next