Sophos Central is Sophos' cloud-hosted management console. Seceon ingests it as an API-based device: the events are pulled from the Sophos Central API with the credentials you generate in the console rather than received over syslog. This document covers the steps to ingest Sophos Central events into Seceon SIEM for better visibility into threats in your environment.
To add Sophos Central support, follow the steps below.
Log in to the Sophos Central console as an Admin.
Navigate to Global Settings → API Token Management.
Select Add token to generate a new token.
Copy the details shown in the API Access URL + Headers field.
The API Access URL + Headers field contains three values: the API URL (for example https://api5.central.sophos.com/gateway), an x-api-key value, and an Authorization value of the form Basic <token>.
Use the URL, the x-api-key and the Authorization token (omit the leading Basic keyword and enter only the token that follows it) to configure the log pull.
Device: Select the device named 'Sophos Central'.
Name: Any descriptive name of your choice.
CCE Host: Enter the IP address of the CCE.
Access ID/user name: the x-api-key value.
Password/Secret Key: the Authorization token (without the Basic keyword).
Now enter the URL in valid JSON format in the last field. Below is an example:
{"api": "https://api5.central.sophos.com/gateway"}
Note: Use the actual URL shown in the Sophos Central console when you generated the API token. The gateway hostname (api5 in the example) is not the same for every account, so do not copy the example value.
Click on the Save button.
To see Sophos Central logs in the UI, generate the events listed below on a managed endpoint. The Sophos Central doc describes how to trigger them:
Sophos Central doc - https://support.sophos.com/support/s/article/KB-000038309?language=en_US
Event::Endpoint::HmpaExploitPrevented
Event::Endpoint::Threat::Detected
Event::Endpoint::Threat::PuaDetected
Event::Endpoint::WebControlViolation
Event::Endpoint::WebFilteringBlocked (the test produces 6 events in total)
Event::Endpoint::Application::Blocked (the test produces 5 events in total)
Event::Endpoint::DownloadReputationUserBlocked (the test produces 5 events in total)
To see the logs in the UI, navigate to the System tab >> Log/Flow Collection tab.
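The configuration steps and the verification event list above, pulled together into a working example. This is added here and is not Seceon's or Sophos' own code: it parses the text copied from the API Access URL + Headers field, produces the value for the JSON field and the Basic token without its keyword (the same two things the collector form asks for), then pages through the Sophos Central events feed and keeps only the event types listed in this document. The /siem/v1/events path and the items / has_more / next_cursor response fields are assumptions taken from Sophos' SIEM Integration API documentation and should be checked against your tenant; the token block, key values and response pages are constructed placeholders so the script runs offline.

```python
# Added example (not Seceon's or Sophos' code). Parses the copied
# "API Access URL + Headers" text, builds the two collector inputs and pages
# through the Sophos Central events feed. The /siem/v1/events endpoint and the
# items / has_more / next_cursor fields are ASSUMED from Sophos' SIEM
# Integration API documentation; verify against your tenant before relying on it.
import json
import urllib.parse
import urllib.request

# Constructed sample of the console field (placeholder values, not real keys).
SAMPLE_TOKEN_BLOCK = """\
URL: https://api5.central.sophos.com/gateway
x-api-key: EXAMPLE-X-API-KEY-0000
Authorization: Basic RXhhbXBsZUJhc2ljVG9rZW4=
"""

# Event types this document says to generate to verify ingestion.
WATCHED_EVENTS = {
    "Event::Endpoint::HmpaExploitPrevented",
    "Event::Endpoint::Threat::Detected",
    "Event::Endpoint::Threat::PuaDetected",
    "Event::Endpoint::WebControlViolation",
    "Event::Endpoint::WebFilteringBlocked",
    "Event::Endpoint::Application::Blocked",
    "Event::Endpoint::DownloadReputationUserBlocked",
}


def parse_token_block(text):
    """Split the copied block into the API URL, x-api-key and bare Basic token."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    api = fields["url"]
    if not api.startswith("https://"):
        raise ValueError("API URL must use HTTPS; refusing to send the token otherwise")
    auth = fields["authorization"]
    if auth[:6].lower() == "basic ":  # the collector form wants only the token part
        auth = auth[6:].strip()
    return {"api": api, "x_api_key": fields["x-api-key"], "auth_key": auth}


def seceon_json_field(creds):
    """Value to paste into the collector's last (JSON) field."""
    return json.dumps({"api": creds["api"]})


def request_headers(creds):
    """Rebuild the two headers Sophos expects from the stored values."""
    return {"x-api-key": creds["x_api_key"],
            "Authorization": "Basic " + creds["auth_key"]}


def _http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_events(creds, fetch=_http_get, limit=200):
    """Pull all available events, following next_cursor until has_more is false."""
    params = {"limit": limit}
    events = []
    while True:
        url = creds["api"].rstrip("/") + "/siem/v1/events?" + urllib.parse.urlencode(params)
        page = fetch(url, request_headers(creds))
        events.extend(page.get("items", []))
        if not page.get("has_more"):
            return events
        params = {"limit": limit, "cursor": page["next_cursor"]}


def watched(events):
    """Keep only the event types listed in this document."""
    return [e for e in events if e.get("type") in WATCHED_EVENTS]


# Constructed two-page response so the pagination can be exercised offline.
SAMPLE_PAGES = [
    {"items": [{"type": "Event::Endpoint::Threat::Detected", "endpoint_id": "ep-1"},
               {"type": "Event::Endpoint::Registered", "endpoint_id": "ep-2"}],
     "has_more": True, "next_cursor": "1"},
    {"items": [{"type": "Event::Endpoint::WebFilteringBlocked", "endpoint_id": "ep-1"}],
     "has_more": False},
]


def make_fake_fetch(pages):
    """Stand-in for _http_get that serves SAMPLE_PAGES and checks the auth headers."""
    def fetch(url, headers):
        if "x-api-key" not in headers or not headers["Authorization"].startswith("Basic "):
            raise RuntimeError("missing Sophos auth headers")
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        cursor = query.get("cursor", ["0"])[0]
        return pages[int(cursor)]
    return fetch


if __name__ == "__main__":
    creds = parse_token_block(SAMPLE_TOKEN_BLOCK)
    print("JSON field:", seceon_json_field(creds))
    for ev in watched(fetch_events(creds, fetch=make_fake_fetch(SAMPLE_PAGES))):
        print(ev["type"], ev["endpoint_id"])
```

Swap make_fake_fetch for the default _http_get to run against a real tenant. The HTTPS check in parse_token_block is there because the Authorization value is a bearer-style secret: if someone pastes an http:// gateway URL, the token would go over the wire in clear text.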