
Sophos Central collector

Service description

Sophos provides cloud-native, AI-enhanced security products that protect endpoints and networks against previously unseen attacker tactics and techniques. Sophos Central is the unified console for managing Sophos products.

The Sophos Central collector pulls event and alert records from the Sophos Central API and sends them to Devo.

Data source description

The collector processes the Sophos Central API responses and sends them to the Devo platform, which categorizes the information it receives into tables in your Devo domain.

The Sophos Central API lets you retrieve account activity for the alert and event resources:

Resource type | Definition                | Devo data tables
Alerts        | Returns a list of alerts. | cloud.sophos.central.alerts
Events        | Returns a list of events. | cloud.sophos.central.events

The Sophos Central API Specification and Documentation publishes the API schemas you can use. You can also load those schemas into a schema editor.

Setup

Getting the required credentials

You generate and manage the API token that grants access to the Security Information and Event Management (SIEM) Integration API from within Sophos Central. This token is what lets the collector pull new event and alert data from Sophos Central.

You must be a Super Admin to manage and generate API tokens.

To add a new token:

  1. Go to Settings and open the API Token Management page.

  2. Click Add Token.

  3. Give the token a name and click Save. This generates an API token that is valid for one year.

  4. Save the API Access URL, x-api-key, Authentication Basic value and Expires date shown for the token. You will need them in the collector configuration file later on. Treat the x-api-key and the Authentication Basic value as secrets, and note the Expires date so you can rotate the token before it stops working.
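The following is an added example, not code from the Devo collector or from Sophos, showing how the four values saved in step 4 are used: the x-api-key and Authentication Basic values become request headers, the Expires date is checked so an expiring token is flagged before ingestion stops, and events are read page by page with a cursor that is persisted for resumption. The request path /siem/v1/events, the paging fields items, next_cursor and has_more, and the ISO 8601 Expires format are my assumptions about the SIEM Integration API; confirm them against the Sophos API documentation. The sample pages are constructed so the example runs offline.

```python
"""Use the saved API token material to pull events from the SIEM Integration API.

Added example, not part of the Devo collector or of Sophos's own client code. It assumes
the SIEM Integration API path and cursor paging fields (/siem/v1/events, items,
next_cursor, has_more) and an ISO 8601 Expires value; verify these against the Sophos
API documentation before relying on them. SAMPLE_PAGES below is constructed data.
"""
import datetime as dt
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

Page = Dict[str, object]
Fetch = Callable[[str, Dict[str, str]], Page]


def build_headers(api_key: str, basic_auth: str) -> Dict[str, str]:
    """Build the two headers the token page gives you: x-api-key and Authorization: Basic.

    Never log the returned dict; both values are bearer-equivalent secrets.
    """
    if not basic_auth.startswith("Basic "):
        basic_auth = "Basic " + basic_auth
    return {"x-api-key": api_key, "Authorization": basic_auth, "Accept": "application/json"}


def parse_ts(value: str) -> dt.datetime:
    """Parse an ISO 8601 timestamp (a trailing Z is accepted) into an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def token_status(expires: str, now: Optional[dt.datetime] = None, warn_days: int = 30) -> str:
    """Return 'expired', 'expiring' (within warn_days) or 'ok' for the saved Expires value.

    Tokens are valid for a year; alert before the cut-off instead of discovering a dead
    feed only when ingestion silently stops.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    remaining = parse_ts(expires) - now
    if remaining <= dt.timedelta(0):
        return "expired"
    if remaining <= dt.timedelta(days=warn_days):
        return "expiring"
    return "ok"


def collect_events(access_url: str, headers: Dict[str, str], fetch: Fetch,
                   cursor: Optional[str] = None, limit: int = 200) -> Tuple[List[dict], Optional[str]]:
    """Follow next_cursor until has_more is false; return the events and the cursor to persist.

    Persisting the last cursor is what lets a restarted collector resume without gaps or
    duplicates. `fetch` performs the HTTP GET and returns the decoded JSON body.
    """
    events: List[dict] = []
    while True:
        params = {"limit": str(limit)}
        if cursor:
            params["cursor"] = cursor
        url = f"{access_url.rstrip('/')}/siem/v1/events?{urlencode(params)}"
        page = fetch(url, headers)
        events.extend(page.get("items", []))
        cursor = page.get("next_cursor") or cursor
        if not page.get("has_more"):
            return events, cursor


# Constructed sample responses keyed by the cursor the request carried (None = first call).
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: {"items": [{"id": "e1", "type": "Event::Endpoint::Threat::Detected"},
                     {"id": "e2", "type": "Event::Endpoint::UpdateSuccess"}],
           "next_cursor": "c1", "has_more": True},
    "c1": {"items": [{"id": "e3", "type": "Event::Endpoint::WebControlViolation"}],
           "next_cursor": "c2", "has_more": False},
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Page:
    """Stand-in for an HTTP client; serves SAMPLE_PAGES so the example runs offline."""
    if "x-api-key" not in headers or not headers.get("Authorization", "").startswith("Basic "):
        raise PermissionError("request would be rejected: missing token headers")
    cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    # Placeholder credential values; real ones come from the API Token Management page.
    hdrs = build_headers("example-x-api-key", "Basic ZXhhbXBsZQ==")
    print("token:", token_status("2025-12-31T23:59:59Z"))
    evts, last = collect_events("https://api1.central.sophos.com/gateway", hdrs, fake_fetch)
    print(len(evts), "events, resume from cursor", last)
```

In a real deployment, read the key and the Basic value from the collector configuration or environment rather than hard-coding them, store the returned cursor alongside the collector state, and turn an "expiring" status into an alert so the token is rotated before the year is up.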

Run the collector

Once the data source is configured, you can either send us the required information so that we host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).