Sophos Central Monitoring

Updated Sep 27, 2023

Configure Sophos Central for Arctic Wolf monitoring
- Requirements
- Steps
MDR polling frequency

Configure Sophos Central for Arctic Wolf monitoring

You can configure Sophos Central to send the necessary logs to Arctic Wolf for security monitoring.

Requirements

Super Admin permissions for the Sophos Central environment that you want Arctic Wolf to monitor

Steps

Select a Sub-Estate.
Create Sophos Central API token credentials.
Provide credentials to Arctic Wolf.

Step 1: Select a Sub-Estate

If Enterprise Management mode is enabled for your Sophos Central account, you need to select the Sub-Estate that you want to create API token credentials for.

Note: Repeat this process for all Sub-Estates, as API tokens are required for each Sub-Estate.

Sign in to the Sophos Central portal.
In the navigation menu, if the Sub-Estates tab:
- Appears — Enterprise Management is enabled. Continue with this procedure.
- Does not appear — Enterprise Management is not enabled. Proceed to Create Sophos Central API token credentials.
In the navigation menu, click Sub-Estates.
Click the Sub-Estate that you want Arctic Wolf to monitor.
Click Launch Sophos Central Admin to open the Sophos Central Admin console for that specific Sub-Estate.

Step 2: Create Sophos Central API token credentials

Sign in to the Sophos Central portal.
In the navigation menu, click Global Settings.
In the Administration section, click API Token Management.
Click Add Token.
In the Add Token dialog, in the TOKEN NAME field, enter a name fo the API token. For example, Arctic Wolf API Token.
Click Save.

The API Token Summary page appears.
Copy each of these values and save them accordingly. You will provide them to Arctic Wolf later:
- API Access URL — Copy this value into a safe, encrypted location.
- Headers — Copy this content into its own text file.
Caution: To prevent integration errors within the Arctic Wolf Portal, you must use the Copy button to copy these values.

Step 3: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

Sign in to the Arctic Wolf Unified Portal.
In the menu bar, click Telemetry Management > Connected Accounts.
Click Add Account +.
On the Add Account page, from the Account Type list, select Cloud Detection and Response.
From the list of cloud services, select Sophos.
On the Add Account page, configure these settings:
- Account Name — Enter a unique and descriptive name for the account.
- API Access URL — Enter the value from Create Sophos Central API token credentials.
- Headers — Click Choose File, and then select the text file that contains the Headers value that you created in Create Sophos Central API token credentials.
- Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
Click Test and Submit Credentials.

After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.