Providing Sophos Central Credentials to Arctic Wolf

Configuration Guide

Updated Nov 30, 2022


Overview

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor security information using the Sophos Central API. After you complete this configuration, Arctic Wolf can monitor logs from your Sophos Central environment.

As part of this configuration, you must provide the API token credentials for your Sophos Central environment (the API Access URL and Headers values described below) to Arctic Wolf using the Arctic Wolf Portal.

Before you begin

This process requires that you are a Super Admin for the Sophos Central environment that you want Arctic Wolf to monitor.

Select a Sub-Estate

If Enterprise Management mode is enabled for your Sophos Central account, you need to select the Sub-Estate that you want to create API token credentials for:

Note: Repeat this process for all Sub-Estates, as API tokens are required for each Sub-Estate.

  1. Sign in to the Sophos Central portal. If the Sub-Estates tab appears in the main navigation menu, continue with the following steps.

  2. Select Sub-Estates from the navigation menu.

  3. Select the Sub-Estate that you want Arctic Wolf to monitor.

  4. Select Launch Sophos Central Admin to open the Sophos Central Admin console for that specific Sub-Estate.

  5. Proceed to Create Sophos Central API token credentials and complete the steps within this Sophos Central Admin console.

Create Sophos Central API token credentials

To create API token credentials in your Sophos Central environment:

  1. Sign in to the Sophos Central portal.

  2. Select Global Settings from the navigation menu.

  3. Under Administration, select API Token Management.

  4. Select Add Token to open the Add Token dialog box.

  5. Enter a memorable name for the API token, such as Arctic Wolf API Token, and then click Save. You are redirected to the API Token Summary page.

  6. Copy each of the following values to provide to Arctic Wolf later:

    • API Access URL — Copy this value somewhere that you can easily retrieve it.
    • Headers — Copy this content into its own text file.

    Caution: Use the Copy button to copy these values. Copying them by hand can introduce whitespace or truncation that causes integration errors in the Arctic Wolf Portal.

  7. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf

To provide your Sophos Central API details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Sophos Central from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste the API Access URL value from Create Sophos Central API token credentials.

    3. Select Choose File, and then select the text file that contains the Headers value that you created in Create Sophos Central API token credentials.

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.
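The polling and replay figures in the two notes above determine whether a credential failure leaves a monitoring gap. The following is an added example (not Arctic Wolf or Sophos code) that models those stated values as constants and computes the initial review window, the expected ingest window for an event, and the portion of an outage that falls outside the 12-hour replay; the timestamps in it are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Polling characteristics quoted from the guide. Assumption: treated here as
# fixed constants, although the guide gives them as approximate values.
POLL_INTERVAL = timedelta(minutes=15)
MIN_EVENT_DELAY = timedelta(minutes=5)
MAX_EVENT_DELAY = timedelta(minutes=40)
INITIAL_LOOKBACK = timedelta(hours=1)
REPLAY_WINDOW = timedelta(hours=12)


def utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the examples below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def initial_review_start(configured_at: datetime) -> datetime:
    """Earliest event time reviewed once a new integration is configured."""
    return configured_at - INITIAL_LOOKBACK


def expected_ingest_window(event_time: datetime) -> Tuple[datetime, datetime]:
    """Wall-clock window in which a time-based event is expected to be polled."""
    return (event_time + MIN_EVENT_DELAY, event_time + MAX_EVENT_DELAY)


def unreplayed_window(failed_at: datetime,
                      refreshed_at: datetime) -> Optional[Tuple[datetime, datetime]]:
    """Events that will NOT be replayed after a credential failure.

    Replay reaches back 12 hours from the time refreshed credentials are
    provided, so an outage longer than that leaves a gap from the failure
    until (refresh - 12 h). Returns (gap_start, gap_end), or None when the
    replay window covers the whole outage.
    """
    replay_start = refreshed_at - REPLAY_WINDOW
    if replay_start <= failed_at:
        return None
    return (failed_at, replay_start)


def outage_gap_hours(failed_at: datetime, refreshed_at: datetime) -> float:
    """Length of the unreplayed gap in hours (0.0 when fully replayed)."""
    gap = unreplayed_window(failed_at, refreshed_at)
    return 0.0 if gap is None else (gap[1] - gap[0]).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: credentials expired at midnight UTC and the
    # replacement credentials were provided at 20:00 the same day.
    print(unreplayed_window(utc(2022, 11, 30, 0, 0), utc(2022, 11, 30, 20, 0)))
    print(outage_gap_hours(utc(2022, 11, 30, 0, 0), utc(2022, 11, 30, 20, 0)))
```

An outage of 12 hours or less is fully covered by the replay; anything longer should be treated as a monitoring gap for the interval the function returns.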