Does this information look incorrect or out-of-date? Please contact us at firstname.lastname@example.org.
Sophos Central is a single cloud management solution for various Sophos next-gen technologies.
The preferred method of integration with Sophos Central is via the Sophos Central API
Sophos APIs are used to manage users, endpoints, alerts, and security settings. It is also possible to perform forensic analysis.
Sophos uses roles to allow control over what API users can do. A role is assigned to a set of API credentials during creation. This controls what users using those credentials can do.
To add credentials:
Overview > Global Settings > API Credentials Management.
Add Credentialand give the credential an appropriate name and description (e.g. SOC.OS).
Service Principal Read-Onlyrole.
Add. This generates the credentials, together with a Client ID and a Client Secret.
Client Secretand provide to SOC.OS via an agreed channel.
Overview > Global Settings > API Token Management.
You will need to click
Renewto extend the validity of the token once expired after one year.
Deleteto remove the token when it is no longer required.
Sophos Central provides a SIEM Integration script that allows alert data to be exported from Sophos Central and output as CEF, JSON or key-value pairs to the command line, a file or syslog.
This article describes the procedure of creating an API token, modifing config.ini to include the token data and launching the SIEM Integration script, so that Sophos Central data is imported into SOC.OS.
This integration applies to the Sophos Central Admin product only.
Clone or download button to download a zip file containing all components of the Sophos Central SIEM Integration script. The script needs to be run from a machine running Python 2.7.9+.
A token is required in order to access event data via the Sophos Cloud APIs, which are called by the SIEM Integration script. In Sophos Central Admin, go to
Global Settings > API Token Management.
To create a new token, click
Add token from the top-right corner of the screen.
token name and click
API Token Summary for this token is displayed.
Copy to copy the
API Access URL + Headers from the
API Token Summary section into your clipboard.
Open config.ini in a text editor.
Copy and paste the
API Access URL + Headers block from the
API Token Management page in Sophos Central.
Optional: By default, the script will output JSON data to a results.txt file in a subdirectory called logs. You can choose other options in the config file, but we recommend making no further changes and using the default to make an initial successful run.
python siem.py script and review the results.txt output file.
You will need at least one alert or event in your Sophos Central account within the last 12 hours to return any data. Subsequent running of the script will then pull down any new data from within the last 24 hours.
It is possible to run the script on a regular basis, such as every hour, using a scheduled task or cronjob. The script will automatically only retrieve new data since it was last run to avoid duplicate data being exported.
For more options and help on running the script, run
python siem.py -h.
Download Swagger documentation on the API here.
View the downloaded Swagger file using the Swagger Editor.