Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.3.3 External Systems Configuration Guide
    6.3.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Sophos Central

    Sophos Central

    Integration Points

    Protocol Information Discovered Used For
    Sophos Central API Endpoint suspicious activity detected by Sophos agent Security and Compliance

    Event Types

    Over 20 events are parsed. See event types in RESOURCES > Event Types by searching for "Sophos-Central" in the main content panel Search... field.

    Configuring Sophos Central for API Access

    Sophos provides ample documentation here.

    1. Login to Sophos Central Website.
    2. Go to Global Settings > API Token Management. Click Add Token.
      The Token will display.
    3. Note the following information for later use:
      1. Get Host Name from API Access URL (part after https://).
      2. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
      3. Get API Key from Headers (part between x-api-key: and Authorization Basic).

    Configuring FortiSIEM for Sophos Central for API Access

    Use the account in the previous step to enable FortiSIEM access. For FortiSIEM configuration, follow the steps here.

    Define Sophos Central Credential in FortiSIEM

    Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials, click New to create a Sophos Central credential.
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:

    1. Settings Description
      Name Enter a name for the credential
      Device Type Sophos Central
      Access Protocol Sophos Central API
      Authorization Enter the Authorization created in the previous section - step 3b above.

      URI

      Fill in the URI field as: gateway/siem/v1/events

      API Key

      Enter the API Key created in the previous section - step 3c.
      Organization Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description Description of the device.
    • Create IP Range to Credential Association and Test Connectivity

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
      1. Enter the Hostname created here - step 3a in the IP/Host Name field.
      2. Select the name of the credential created in step 2 of Define Sophos Central Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. If it succeeds, the credential is correct.
    3. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.
    Viewing Pull Events

    To view events received via Sophos Central:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the Windows Defender ATP entry and click Report.

    The system will take you to the ANALYTICS tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.

    Previous
    Next

    Sophos Central

    Sophos Central

    Integration Points

    Protocol Information Discovered Used For
    Sophos Central API Endpoint suspicious activity detected by Sophos agent Security and Compliance

    Event Types

    Over 20 events are parsed. See event types in RESOURCES > Event Types by searching for "Sophos-Central" in the main content panel Search... field.

    Configuring Sophos Central for API Access

    Sophos provides ample documentation here.

    1. Login to Sophos Central Website.
    2. Go to Global Settings > API Token Management. Click Add Token.
      The Token will display.
    3. Note the following information for later use:
      1. Get Host Name from API Access URL (part after https://).
      2. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
      3. Get API Key from Headers (part between x-api-key: and Authorization Basic).

    Configuring FortiSIEM for Sophos Central for API Access

    Use the account in the previous step to enable FortiSIEM access. For FortiSIEM configuration, follow the steps here.

    Define Sophos Central Credential in FortiSIEM

    Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials, click New to create a Sophos Central credential.
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:

    1. Settings Description
      Name Enter a name for the credential
      Device Type Sophos Central
      Access Protocol Sophos Central API
      Authorization Enter the Authorization created in the previous section - step 3b above.

      URI

      Fill in the URI field as: gateway/siem/v1/events

      API Key

      Enter the API Key created in the previous section - step 3c.
      Organization Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description Description of the device.
    • Create IP Range to Credential Association and Test Connectivity

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
      1. Enter the Hostname created here - step 3a in the IP/Host Name field.
      2. Select the name of the credential created in step 2 of Define Sophos Central Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. If it succeeds, the credential is correct.
    3. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.
    Viewing Pull Events

    To view events received via Sophos Central:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the Windows Defender ATP entry and click Report.

    The system will take you to the ANALYTICS tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.

    Previous
    Next