External Systems Configuration Guide

Sophos Central

Integration Points

Protocol            Information Discovered                                  Used For
Sophos Central API  Endpoint suspicious activity detected by Sophos agent   Security and Compliance

Event Types

Over 20 events are parsed. See event types in RESOURCES > Event Types by searching for "Sophos-Central" in the main content panel Search... field.

Configuring Sophos Central for API Access

Sophos provides ample documentation here.

  1. Log in to the Sophos Central website.
  2. Go to Global Settings > API Token Management. Click Add Token.
    The Token will display.
  3. Note the following information for later use:
    1. Get Host Name from API Access URL (part after https://).
    2. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
    3. Get API Key from Headers (part between x-api-key: and Authorization Basic).

Configuring FortiSIEM for Sophos Central for API Access

Use the account in the previous step to enable FortiSIEM access. For FortiSIEM configuration, follow the steps here.

Define Sophos Central Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a Sophos Central credential.
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
      Setting          Description
      Name             Enter a name for the credential.
      Device Type      Sophos Central
      Access Protocol  Sophos Central API
      Authorization    Enter the Authorization created in the previous section (step 3b).
      URI              Fill in the URI field as: gateway/siem/v1/events
      API Key          Enter the API Key created in the previous section (step 3c).
      Organization     Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description      Description of the device.
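As an added example (not FortiSIEM's or Sophos's own code), the following Python parses a constructed copy of the "API Access URL + Headers" text into the three values steps 3a to 3c ask for, checks that the Authorization value is well-formed base64 before it is saved as a credential, and assembles the request implied by the URI field value gateway/siem/v1/events. The sample display text, its values and the exact layout of the Sophos token display are assumptions.

```python
import base64
import binascii
import re

# Constructed sample of what Sophos Central shows under "API Access URL + Headers"
# after Add Token. Layout is assumed; the values are placeholders, not real credentials.
SAMPLE_TOKEN_DISPLAY = """\
URL: https://api-example.central.sophos.com/gateway
x-api-key: EXAMPLE-API-KEY-0123456789
Authorization: Basic ZXhhbXBsZS10b2tlbjpleGFtcGxlLXZhbHVl
"""

_HOST_RE = re.compile(r"https://([^/\s]+)")                       # step 3a: part after https://
_API_KEY_RE = re.compile(r"x-api-key:\s*(\S+)", re.IGNORECASE)    # step 3c: after x-api-key:
_AUTH_RE = re.compile(r"Authorization:\s*Basic\s+(\S+)", re.IGNORECASE)  # step 3b: after Basic


def parse_token_display(text):
    """Split the token display into the Host Name, API Key and Authorization fields."""
    host, api_key, auth = _HOST_RE.search(text), _API_KEY_RE.search(text), _AUTH_RE.search(text)
    if not (host and api_key and auth):
        raise ValueError("token display is missing URL, x-api-key or Authorization")
    return {"host": host.group(1), "api_key": api_key.group(1), "authorization": auth.group(1)}


def validate_authorization(authorization):
    """The value after 'Basic' must be valid base64; a truncated paste fails here
    rather than at Test Connectivity."""
    try:
        base64.b64decode(authorization, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def build_events_request(creds, uri="gateway/siem/v1/events"):
    """URL and headers for the events pull configured by the URI field on this page."""
    url = f"https://{creds['host']}/{uri}"
    headers = {"x-api-key": creds["api_key"],
               "Authorization": f"Basic {creds['authorization']}"}
    return url, headers


def redact(creds):
    """Mask both secrets so the credential can be logged while troubleshooting."""
    return {k: (v if k == "host" else v[:4] + "..." + "****") for k, v in creds.items()}
```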
Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps (in ADMIN > Setup > Credentials).

  1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Enter the Host Name noted in step 3a of Configuring Sophos Central for API Access in the IP/Host Name field.
    2. Select the name of the credential created in step 2 of Define Sophos Central Credential in FortiSIEM from the Credentials drop-down list.
    3. Click Save.
  2. Select the entry just created, click the Test drop-down list and select Test Connectivity without Ping. A pop-up will show the Test Connectivity results. If it succeeds, the credential is correct.
  3. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.

Viewing Pull Events

To view events received via the Sophos Central API:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Sophos Central entry and click Report.

The system will take you to the ANALYTICS tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.