Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base articles, submit technical support tickets and review the status of submitted tickets.

Device Configuration: Sophos Central

Overview

Sophos Central is a cloud-based product whose events are pulled into the Seceon UI through an API call. This document describes the steps to ingest Sophos Central events into Seceon SIEM so that threats in your environment are visible there.

Steps Of Integration

To add Sophos Central support, follow the steps below.

Steps to Generate API Token (Sophos Central Console):

  • Log in to the Sophos Central console as an Admin.

  • Navigate to Global Settings → API Token Management.

  • Select Add token to generate a new token.

  • Copy the details shown in the API Access URL + Headers field.

  • The API Access URL + Headers field contains three values: the API access URL, the x-api-key header value and the Authorization header value.

  • Use the URL, the x-api-key and the Authorization key (without the leading Basic keyword) to configure log pulling in the Seceon UI.

Steps to Configure Sophos Central (Seceon UI):

  • Device: select 'Sophos Central'.

  • Name: any descriptive name of your choice.

  • CCE Host: enter the IP address of the CCE.

  • Access ID/user name: the x-api-key value.

  • Password/Secret Key: the Authorization key (without the Basic keyword).

  • In the last field, enter the API access URL in valid JSON format. Example:

Note: use the actual URL shown in the Sophos Central console when the API token is generated; it may differ from the example below.

{"api": "https://api5.central.sophos.com/gateway"}

  • Click on the Save button.

Verification:

To verify that Sophos Central logs are arriving, trigger the events listed below (see the Sophos Central article on testing your protection) and check that they appear in the UI:

Sophos Central doc: https://support.sophos.com/support/s/article/KB-000038309?language=en_US

  • Event::Endpoint::HmpaExploitPrevented

  • Event::Endpoint::Threat::Detected

  • Event::Endpoint::Threat::PuaDetected

  • Event::Endpoint::WebControlViolation

  • Event::Endpoint::WebFilteringBlocked (generates 6 events in total)

  • Event::Endpoint::Application::Blocked (generates 5 events in total)

  • Event::Endpoint::DownloadReputationUserBlocked (generates 5 events in total)

To see the logs in the UI, navigate to the System tab >> Log/Flow Collection tab.

Seceon Inc. All rights reserved. https://www.seceon.com