Sophos Central Monitoring — Legacy

Updated Jan 26, 2024

Configure Sophos Central for Arctic Wolf monitoring using an API token

You can configure Sophos Central using an API token to send the necessary logs to Arctic Wolf® for security monitoring.

Note: This is a legacy method of configuring Sophos Central monitoring. If you are a new customer or want to use the updated OAuth2 method, see Sophos Central Monitoring.



  1. Select a sub-estate.
  2. Create Sophos Central API token credentials.
  3. Provide credentials to Arctic Wolf.

Step 1: Select a sub-estate

If Enterprise Management mode is enabled for your Sophos Central account, you must select the sub-estate that you want to create API token credentials for.

Note: Repeat this process for all sub-estates, as API tokens are required for each sub-estate.

  1. Sign in to the Sophos Central portal.

  2. In the navigation menu, if the Sub-Estates tab:

  3. In the navigation menu, click Sub-Estates.

  4. Click the sub-estate that you want Arctic Wolf to monitor.

  5. Click Launch Sophos Central Admin to open the Sophos Central Admin console for that specific sub-estate.

Step 2: Create Sophos Central API token credentials

  1. Sign in to the Sophos Central portal.

  2. In the navigation menu, click Global Settings.

  3. In the Administration section, click API Token Management.

  4. Click Add Token.

  5. In the Add Token dialog, in the TOKEN NAME field, enter a name fo the API token. For example, Arctic Wolf API Token.

  6. Click Save. The API Token Summary page appears.

  7. Copy each of these values and save them accordingly. You will provide them to Arctic Wolf later:

    • API Access URL — Copy this value into a safe, encrypted location.
    • Headers — Copy this content into its own text file.

    Caution: To prevent integration errors in the Arctic Wolf Unified Portal , you must use the Copy button to copy these values.

Step 3: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage. For more information, see MDR polling frequency.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, select Sophos Central (Legacy Authentication).

  6. On the Add Account page, configure these settings:

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.