Configure Sophos Central for Arctic Wolf monitoring using an API token

You can configure Sophos Central using an API token to send the necessary logs to Arctic Wolf® for security monitoring.

Note: This is a legacy method of configuring monitoring. If you are a new customer or want to use the updated OAuth2 method, see Configure Sophos Central for Arctic Wolf monitoring using OAuth2.

These resources are required:

  • Super Admin permissions for the Sophos Central environment that you want Arctic Wolf to monitor.

Identify if Enterprise Management mode is enabled

If Enterprise Management mode is enabled for your Sophos Central account, then you must create credentials for each sub-estate that you want Arctic Wolf to monitor. Otherwise, you can create a single set of credentials for monitoring purposes.

  1. Sign in to the Sophos Central portal.
  2. Review the navigation menu to see if the Sub-Estates tab:

Select a sub-estate

If Enterprise Management mode is enabled for your Sophos Central account, you must select the sub-estate that you want to create API token credentials for.

Note: You must repeat this process for each sub-estate that you want Arctic Wolf to monitor.
  1. Sign in to the Sophos Central portal.
  2. In the navigation menu, click Sub-Estates.
  3. Click the sub-estate that you want Arctic Wolf to monitor.
  4. Click Launch Sophos Central Admin to open the Sophos Central Admin console for that specific sub-estate.

Create Sophos Central API token credentials

  1. Sign in to the Sophos Central portal.
  2. In the navigation menu, click Global Settings.
  3. In the Administration section, click API Token Management.
  4. Click Add Token.
  5. In the Add Token dialog, in the Token Name field, enter a name for the API token. For example, Arctic Wolf API Token.
  6. Click Save.

    The API Token Summary page appears.

  7. Copy each of these values and save them to a safe, encrypted location to provide to Arctic Wolf later:
    CAUTION: To prevent integration errors in the Arctic Wolf Unified Portal, you must use the Copy button to copy these values.
    • API Access URL
    • Headers — Copy this content into its own text file.

Provide Sophos Central credentials to Arctic Wolf

Note: Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Sophos Central (Legacy Authentication).
  5. Configure these settings:
  6. Click Test and submit credentials.