Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Sophos Central

Integration points

Protocol Information Discovered Used For
Sophos Central API Endpoint suspicious activity detected by Sophos agent Security and Compliance

Configuring Sophos Central for API Access

Sophos provides ample documentation here.

  1. Login to Sophos Central Website.
  2. Go to Global Settings > API Token Management. Click Add Token.
    The Token will display.
  3. Note the following information for later use:
    1. Get Host Name from API Access URL (part after https://).
    2. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
    3. Get API Key from Headers (part between x-api-key: and Authorization Basic).

Configuring FortiSIEM for Sophos Central for API Access

Use the account in previous step to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create Sophos Central credential:
    1. Choose Device Type = Sophos Central.
    2. Choose Access Protocol = Sophos Central API.
    3. Enter Authorization created in the previous section - step 3b above.
    4. Keep User Name empty.
    5. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events.
    6. Enter API Key created in the previous section - step 3c.
    7. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    8. Click Save.
  4. Enter an IP Range to Credential Association.
    1. Enter Hostname created here - step 3a.
    2. Select the Credential created here - step 3.
    3. Click Save.
  5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
  6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.

To test for events received via Windows Defender ATP REST API:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Windows Defender ATP entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.

Parsing and Events

Over 20 events are parsed – see event types in Resources > Event Types and search for 'Sophos-Central'.

Sophos Central

Integration points

Protocol Information Discovered Used For
Sophos Central API Endpoint suspicious activity detected by Sophos agent Security and Compliance

Configuring Sophos Central for API Access

Sophos provides ample documentation here.

  1. Login to Sophos Central Website.
  2. Go to Global Settings > API Token Management. Click Add Token.
    The Token will display.
  3. Note the following information for later use:
    1. Get Host Name from API Access URL (part after https://).
    2. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
    3. Get API Key from Headers (part between x-api-key: and Authorization Basic).

Configuring FortiSIEM for Sophos Central for API Access

Use the account in previous step to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create Sophos Central credential:
    1. Choose Device Type = Sophos Central.
    2. Choose Access Protocol = Sophos Central API.
    3. Enter Authorization created in the previous section - step 3b above.
    4. Keep User Name empty.
    5. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events.
    6. Enter API Key created in the previous section - step 3c.
    7. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    8. Click Save.
  4. Enter an IP Range to Credential Association.
    1. Enter Hostname created here - step 3a.
    2. Select the Credential created here - step 3.
    3. Click Save.
  5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
  6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.

To test for events received via Windows Defender ATP REST API:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Windows Defender ATP entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.

Parsing and Events

Over 20 events are parsed – see event types in Resources > Event Types and search for 'Sophos-Central'.