Sophos Central
- Integration points
- Configuring Sophos Central for API Access
- Configuring FortiSIEM for Sophos Central for API Access
- Parsing and Events
Integration points
| Protocol | Information Discovered | Used For |
|---|---|---|
| Sophos Central API | Endpoint suspicious activity detected by Sophos agent | Security and Compliance |
Configuring Sophos Central for API Access
Sophos provides ample documentation here.
1. Log in to the Sophos Central website.
2. Go to Global Settings > API Token Management. Click Add Token. The token will be displayed.
3. Note the following information for later use:
   a. Host Name: the part of the API Access URL after https://.
   b. Authorization: the part of API Access URL + Headers after Authorization: Basic.
   c. API Key: the part of Headers between x-api-key: and Authorization: Basic.
Configuring FortiSIEM for Sophos Central for API Access
Use the token information noted in the previous section to enable FortiSIEM access.
1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Sophos Central credential:
   a. Choose Device Type = Sophos Central.
   b. Choose Access Protocol = Sophos Central API.
   c. Enter the Authorization value noted in step 3b of the previous section.
   d. Keep User Name empty.
   e. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events.
   f. Enter the API Key noted in step 3c of the previous section.
   g. Choose the Organization if this is an MSP deployment and the same credential is to be used for multiple customers.
   h. Click Save.
4. Enter an IP Range to Credential Association.
5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.
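The two procedures above amount to copying three values out of the Sophos Central token text (host name, x-api-key, Basic authorization) and having FortiSIEM send them as headers to gateway/siem/v1/events. The following added example (not FortiSIEM's or Sophos's own code) does the same extraction and request construction in Python, so you can sanity-check the values before pasting them into the credential form or reproduce Test Connectivity from a host that can reach the API. The layout of the token text, the sample values and the `redact` helper are assumptions of this example; only the header names and the events path come from the page.

```python
"""Extract Sophos Central SIEM API credentials from the token text and build
the request FortiSIEM issues against gateway/siem/v1/events."""
import base64
import json
import re
import urllib.request

# Constructed sample of the "API Access URL + Headers" text shown when a token
# is added in Sophos Central. The layout is assumed; the values are placeholders.
SAMPLE_TOKEN_TEXT = """URL: https://api1.central.sophos.com/gateway
x-api-key: EXAMPLE-API-KEY-0123456789
Authorization: Basic RVhBTVBMRS1CQVNJQy1UT0tFTg=="""

# FortiSIEM leaves the URI empty and uses this path under the gateway URL.
EVENTS_PATH = "gateway/siem/v1/events"


def parse_token_text(text):
    """Return host, api_key and authorization as the FortiSIEM credential form wants them.

    The Authorization value must be the part after "Basic" only, so it is
    checked to be valid base64: pasting "Basic ..." or a partial value fails here
    rather than as an opaque Test Connectivity error later.
    """
    host = re.search(r"https://([^\s/]+)", text)
    api_key = re.search(r"x-api-key:\s*(\S+)", text)
    auth = re.search(r"Authorization:\s*Basic\s+(\S+)", text)
    if not (host and api_key and auth):
        raise ValueError("token text lacks the URL, x-api-key or Authorization line")
    token = auth.group(1)
    try:
        base64.b64decode(token, validate=True)
    except (ValueError, base64.binascii.Error):
        raise ValueError("Authorization value is not valid base64") from None
    return {"host": host.group(1), "api_key": api_key.group(1), "authorization": token}


def build_events_request(creds):
    """Return (url, headers) for the events pull, exactly as FortiSIEM sends them."""
    url = f"https://{creds['host']}/{EVENTS_PATH}"
    headers = {
        "x-api-key": creds["api_key"],
        "Authorization": f"Basic {creds['authorization']}",
        "Accept": "application/json",
    }
    return url, headers


def redact(secret, keep=4):
    """Show only a prefix so credentials can be logged without leaking them."""
    return f"{secret[:keep]}...({len(secret)} chars)"


def fetch_events(creds, timeout=30):
    """Perform the GET and return the decoded JSON body (network call; not run in tests)."""
    url, headers = build_events_request(creds)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    creds = parse_token_text(SAMPLE_TOKEN_TEXT)
    url, headers = build_events_request(creds)
    print("host:         ", creds["host"])
    print("x-api-key:    ", redact(creds["api_key"]))
    print("authorization:", redact(creds["authorization"]))
    print("events URL:   ", url)
```

Run it with the real token text in place of the constructed sample to confirm the three fields split the way the FortiSIEM form expects; a successful call to `fetch_events` is equivalent to a passing Test Connectivity. Keep the printed output redacted, as above, since the x-api-key and Basic value together are a bearer credential for the tenant's event feed.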
To test for events received via the Sophos Central API:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Sophos Central entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.
Parsing and Events
Over 20 events are parsed – see event types in Resources > Event Types and search for 'Sophos-Central'.