Sophos Central Monitoring

Updated Jan 17, 2024

Configure Sophos Central for Arctic Wolf monitoring using OAuth2

You can configure Sophos Central to send the necessary logs to Arctic Wolf® for security monitoring.

Notes:

  • If you have a Sophos Central API token to use for configuring monitoring, see Sophos Central Monitoring - API Token.
  • If you need to update your Sophos credentials and previously used an API token, contact your CST to have the existing sensor deprecated. Then, complete these steps.

Requirements

Before you begin

Steps

  1. Select a sub-estate.
  2. Create Sophos Central credentials.
  3. Authenticate the API.
  4. Find your tenant ID.
  5. Provide credentials to Arctic Wolf.

Step 1: Select a sub-estate

If Enterprise Management mode is enabled for your Sophos Central account, you must select the sub-estate that you want to create API token credentials for.

Note: Repeat this process for all sub-estates, as API tokens are required for each sub-estate.

  1. Sign in to the Sophos Central portal.

  2. In the navigation menu, if the Sub-Estates tab:

    • Appears — Enterprise Management is enabled. Continue with this procedure.
    • Does not appear — Enterprise Management is not enabled. Complete Create Sophos Central credentials.

  3. In the navigation menu, click Sub-Estates.

  4. Click the sub-estate that you want Arctic Wolf to monitor.

  5. Click Launch Sophos Central Admin to open the Sophos Central Admin console for that specific sub-estate.

Step 2: Create Sophos Central credentials

  1. Sign in to the Sophos Central portal.

  2. Click Global Settings > API Credentials.

  3. Click Add Credential.

  4. In the Add credential dialog, in the Credential name field, enter a name for the credential. For example, Arctic Wolf Credentials.

  5. (Optional) In the Description field, enter a description for the credentials.

  6. Click Add. An API credentials page opens.

  7. Copy the Client ID value into a safe location. You will provide this to Arctic Wolf later.

  8. Click Show Client Secret and copy the value into a safe location. You will provide this to Arctic Wolf later.

Step 3: Authenticate the API

Using cURL, you can request an OAuth2 access token that authenticates your subsequent API calls.

  1. Run this command:

    curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=token" https://id.sophos.com/api/v2/oauth2/token

    Where:

    Note: If you are using Windows, replace curl with curl.exe.

    Expected output:

    {
      "access_token": "<access_token>",
      "errorCode": "success",
      "expires_in": 3600,
      "message": "OK",
      "refresh_token": "<token>",
      "token_type": "bearer",
      "trackingId": "<uuid>"
    }

  2. Copy the <access_token> value to a safe location. You will use this in subsequent API calls.

Step 4: Find your tenant ID

Using cURL, you can find your tenant ID.

  1. Run this command:

    curl -XGET -H "Authorization: Bearer <access_token>" https://api.central.sophos.com/whoami/v1

    Where:

    Note: If you are using Windows, replace curl with curl.exe.

    Successful output:

    {
      "id": "<tenant_id>",
      "idType": "tenant",
      "apiHosts": {
        "global": "https://api.central.sophos.com",
        "dataRegion": "<data_region>"
      }
    }

  2. Copy these values, and then save them in a safe, encrypted location. You will provide them to Arctic Wolf later.

    • <tenant_id>
    • <data_region>

Step 5: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage. For more information, see MDR polling frequency.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, select Sophos Central.

  6. On the Add Account page, configure these settings:

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.