- Integration Points
- Event Types
- Configuring Sophos Central for API Access
- Configuring FortiSIEM for Sophos Central for API Access
|Protocol||Information Discovered||Used For|
|Sophos Central API||Endpoint suspicious activity detected by Sophos agent||Security and Compliance|
Over 20 events are parsed. See event types in RESOURCES > Event Types by searching for "Sophos-Central" in the main content panel Search... field.
Sophos provides ample documentation here.
- Login to Sophos Central Website.
- Go to Global Settings > API Token Management. Click Add Token.
The Token will display.
- Note the following information for later use:
- Get Host Name from API Access URL (part after https://).
- Get Authorization from API Access URL + Headers (part after Authorization:Basic).
- Get API Key from Headers (part between x-api-key: and Authorization Basic).
Use the account in the previous step to enable FortiSIEM access. For FortiSIEM configuration, follow the steps here.
Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials, click New to create a Sophos Central credential.
- Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
Settings Description Name Enter a name for the credential Device Type Sophos Central Access Protocol Sophos Central API Authorization Enter the Authorization created in the previous section - step 3b above.
Fill in the URI field as:
Enter the API Key created in the previous section - step 3c.
Organization Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers. Description Description of the device.
From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).
- In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
- Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. If it succeeds, the credential is correct.
- An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.
To view events received via Windows Defender ATP REST API:
- Go to ADMIN > Setup > Pull Events.
- Select the Windows Defender ATP entry and click Report.
The system will take you to the ANALYTICS tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.