Sophos Central Monitoring

Updated Sep 27, 2023

Configure Sophos Central for Arctic Wolf monitoring

You can configure Sophos Central to send the necessary logs to Arctic Wolf for security monitoring.

Requirements

Steps

  1. Select a Sub-Estate.
  2. Create Sophos Central API token credentials.
  3. Provide credentials to Arctic Wolf.

Step 1: Select a Sub-Estate

If Enterprise Management mode is enabled for your Sophos Central account, you need to select the Sub-Estate that you want to create API token credentials for.

Note: Repeat this process for all Sub-Estates, as API tokens are required for each Sub-Estate.

  1. Sign in to the Sophos Central portal.

  2. In the navigation menu, if the Sub-Estates tab:

  3. In the navigation menu, click Sub-Estates.

  4. Click the Sub-Estate that you want Arctic Wolf to monitor.

  5. Click Launch Sophos Central Admin to open the Sophos Central Admin console for that specific Sub-Estate.

Step 2: Create Sophos Central API token credentials

  1. Sign in to the Sophos Central portal.

  2. In the navigation menu, click Global Settings.

  3. In the Administration section, click API Token Management.

  4. Click Add Token.

  5. In the Add Token dialog, in the TOKEN NAME field, enter a name for the API token. For example, Arctic Wolf API Token.

  6. Click Save.

    The API Token Summary page appears.

  7. Copy each of these values and save them accordingly. You will provide them to Arctic Wolf later:

    • API Access URL — Copy this value into a safe, encrypted location.
    • Headers — Copy this content into its own text file.

    Caution: To prevent integration errors within the Arctic Wolf Portal, you must use the Copy button to copy these values.
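The Caution above exists because hand-copied values tend to arrive truncated, padded with whitespace, or split across lines. The following check is an added example, not part of the Sophos Central or Arctic Wolf documentation or tooling: it validates a saved API Access URL and Headers file before they are handed over. It assumes the Headers block consists of `Name: value` lines that include an `Authorization: Basic` header and an `x-api-key` header; the sample values are constructed placeholders, not real credentials.

```python
import base64
from urllib.parse import urlparse

# Constructed sample of a saved Headers file (placeholder values, not real
# credentials). Assumed layout: one "Name: value" header per line.
SAMPLE_HEADERS = """Authorization: Basic QVdfUExBQ0VIT0xERVI6c2VjcmV0
x-api-key: PLACEHOLDER-API-KEY-1234567890
"""
REQUIRED = ("authorization", "x-api-key")  # assumed header names


def parse_headers(text):
    """Parse 'Name: value' lines into a dict keyed by lower-case name.
    Blank lines are ignored; any other malformed line raises ValueError."""
    headers = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"line {lineno}: not a 'Name: value' header")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_credentials(api_url, headers_text):
    """Return the problems found in the copied values (empty list = OK).
    Targets the damage manual copying causes: truncation, stray
    whitespace, a missing header, or a wrong URL scheme."""
    problems = []
    parsed = urlparse(api_url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("API Access URL must be an https:// URL")
    if api_url != api_url.strip():
        problems.append("API Access URL has leading or trailing whitespace")
    try:
        headers = parse_headers(headers_text)
    except ValueError as exc:
        return problems + [str(exc)]
    for name in REQUIRED:
        if name not in headers:
            problems.append(f"missing header: {name}")
    auth = headers.get("authorization", "")
    if auth.startswith("Basic "):
        try:  # a Basic token decodes to "user:secret"; truncation breaks this
            if b":" not in base64.b64decode(auth[6:], validate=True):
                problems.append("Authorization: Basic payload is not user:secret")
        except ValueError:
            problems.append("Authorization: Basic token is not valid base64 (truncated?)")
    return problems
```

Run `check_credentials()` on the real copied URL and the contents of the saved Headers file; an empty list means the material is structurally intact, though only Arctic Wolf's Test and Submit Credentials step confirms it is accepted.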

Step 3: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Sophos.

  6. On the Add Account page, configure these settings:

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.