Sophos Central provides a SIEM Integration script that allows alert data to be exported from Sophos Central and output as CEF, JSON or key-value pairs to the command line, a file or syslog.
This article describes how to create an API token, modify config.ini to include the token data, and launch the SIEM Integration script so that Sophos Central data is imported into SOC.OS.
This integration applies to the Sophos Central Admin product only.
Click the Clone or download button to download a zip file containing all components of the Sophos Central SIEM Integration script.
You should run the script from a machine running Python 2.7.9+.
A token is required in order to access event data via the Sophos Cloud APIs, which are called by the SIEM Integration script.
In Sophos Central Admin, go to Global Settings > API Token Management.
To create a new token, click Add token from the top-right corner of the screen.
Select a token name and click Save. The API Token Summary for this token is displayed.
Click Copy to copy your API Access URL + Headers from the API Token Summary section into your clipboard.
Open config.ini in a text editor.
Copy and paste the API Access URL + Headers block from the API Token Management page in Sophos Central.
Optional: By default, the script will output JSON data to a results.txt file in a subdirectory called logs. You can choose other options in the config file, but we recommend making no further changes and using the default to make an initial successful run.
Run python siem.py and review the results.txt output file (written to the logs subdirectory by default).
You will need at least one alert or event in your Sophos Central account within the last 12 hours to return any data. Subsequent runs of the script will then pull down any new data from within the last 24 hours.
You can run the script on a regular basis, such as every hour, using a scheduled task or cron job. The script automatically retrieves only data that is new since its last run, so no duplicate data is exported.
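Once the script runs on a schedule, the thing most likely to go unnoticed is the feed silently stopping (expired token, changed config, failed cron job). The following is an added example, not part of the Sophos SIEM Integration script or of SOC.OS: a small Python 3 health check that reads the JSON-per-line results.txt, reports malformed lines, drops any duplicate alert ids, and flags the feed as stale when the newest record is older than the expected run interval. The field names id, created_at, severity and type, and the sample lines themselves, are constructed for illustration; check them against the JSON your own run produces.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of a JSON-per-line results file.
# Field names are ASSUMED for illustration, not taken from the Sophos schema.
SAMPLE_RESULTS = """\
{"id": "a1", "created_at": "2024-05-01T10:00:00.000Z", "severity": "high", "type": "Event::Endpoint::Threat::Detected"}
{"id": "a2", "created_at": "2024-05-01T10:30:00.000Z", "severity": "low", "type": "Event::Endpoint::UpdateSuccess"}
this line is not json
{"id": "a1", "created_at": "2024-05-01T10:00:00.000Z", "severity": "high", "type": "Event::Endpoint::Threat::Detected"}
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # assumed timestamp layout (UTC)


def parse_results(text):
    """Parse one JSON object per line. Returns (records, bad_line_numbers)."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            bad.append(n)
    return records, bad


def dedupe(records, seen=None):
    """Drop records whose 'id' was already seen; pass a persistent set to
    carry state across runs."""
    seen = set() if seen is None else seen
    unique = []
    for rec in records:
        rid = rec.get("id")
        if rid in seen:
            continue
        seen.add(rid)
        unique.append(rec)
    return unique


def parse_ts(value):
    """Parse a UTC timestamp string into a naive datetime."""
    return datetime.strptime(value, TS_FORMAT)


def newest_timestamp(records):
    times = [parse_ts(r["created_at"]) for r in records if "created_at" in r]
    return max(times) if times else None


def feed_is_stale(records, now, max_age=timedelta(hours=2)):
    """True when no record is younger than max_age (feed probably broken)."""
    newest = newest_timestamp(records)
    return newest is None or now - newest > max_age


def severity_counts(records):
    return Counter(r.get("severity", "unknown") for r in records)


def health_report(text, now_iso):
    """Summarise a results file as seen at time now_iso (same format as created_at)."""
    now = parse_ts(now_iso)
    records, bad = parse_results(text)
    unique = dedupe(records)
    return {
        "parsed": len(records),
        "unique": len(unique),
        "malformed_lines": bad,
        "severity": dict(severity_counts(unique)),
        "stale": feed_is_stale(unique, now),
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_results.py logs/results.txt  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    now_iso = datetime.utcnow().strftime(TS_FORMAT)
    print(json.dumps(health_report(text, now_iso), indent=2))
```

Run it from the same scheduled task right after siem.py and raise an alert in your own tooling when "stale" is true or "malformed_lines" is non-empty; the two-hour threshold assumes the hourly schedule mentioned above and should be adjusted to your interval.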
For more options and help on running the script, run python siem.py -h.
You can download Swagger documentation on the API here.
You can view the downloaded Swagger file using the Swagger Editor.