Configure Sophos Central for Arctic Wolf monitoring using OAuth2

You can configure Sophos Central to send the necessary logs to Arctic Wolf® for security monitoring.

Note: These resources are required:

  • Super Admin permissions for the Sophos Central environment that you want Arctic Wolf to monitor.

These actions are required:

  • Install curl.
    Note: If you are using Windows 10 or 11, curl is included. To verify that curl is installed, run curl.exe -V. For more information, see curl.

Identify if Enterprise Management mode is enabled

If Enterprise Management mode is enabled for your Sophos Central account, then you must create credentials for each sub-estate that you want Arctic Wolf to monitor. Otherwise, you can create a single set of credentials for monitoring purposes.

  1. Sign in to the Sophos Central portal.
  2. Review the navigation menu to see whether the Sub-Estates tab is present. If the tab is present, Enterprise Management mode is enabled, and you must create credentials for each sub-estate that you want Arctic Wolf to monitor.

Select a sub-estate

If Enterprise Management mode is enabled for your Sophos Central account, you must select the sub-estate that you want to create API credentials for.

Note: You must repeat this process for each sub-estate that you want Arctic Wolf to monitor.

  1. Sign in to the Sophos Central portal.
  2. In the navigation menu, click Sub-Estates.
  3. Click the sub-estate that you want Arctic Wolf to monitor.
  4. Click Launch Sophos Central Admin to open the Sophos Central Admin console for that specific sub-estate.

Create Sophos Central credentials

  1. Sign in to the Sophos Central portal.
  2. Click My Products > General Settings > API Credentials Management.
  3. Click Add Credential.
  4. In the Add credential dialog, complete these fields:
    1. Credential name — Enter a name for the credentials, such as Arctic Wolf Credentials.
    2. Optional: Description — Enter a description for the credentials.
    3. Role — Select Service Principal ReadOnly. This role grants read-only API access, which is all that log collection requires; do not assign a broader role to monitoring credentials.
  5. Click Add.

    An API credentials page opens.

  6. Copy the Client ID value to a safe, encrypted location to provide to Arctic Wolf later.
  7. Click Show Client Secret, and then copy the value to a safe, encrypted location to provide to Arctic Wolf later. The client secret is not displayed again after you leave this page; if you lose it, you must create a new credential.

Authenticate the API

Using cURL, you can exchange the Client ID and Client Secret for an OAuth2 access token. The token is what authenticates the API calls that follow.

  1. In the command line, run this command:
    Note: If you are using Windows, replace curl with curl.exe.
    SHELL
    curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=token" https://id.sophos.com/api/v2/oauth2/token

    Where:
    • <client_id> is the Client ID that you copied when you created the credentials.
    • <client_secret> is the Client Secret that you copied when you created the credentials.

    Note: Because the client secret is passed on the command line, it is recorded in your shell history and is visible in the process list while the command runs. Clear the history entry when you are done.

    Expected output:

    JSON
    {
      "access_token": "<access_token>",
      "errorCode": "success",
      "expires_in": 3600,
      "message": "OK",
      "refresh_token": "<token>",
      "token_type": "bearer",
      "trackingId": "<uuid>"
    }
  2. Copy the access_token value to a safe, encrypted location to use in subsequent API calls. The expires_in value is in seconds, so the token is valid for one hour; if a later call is rejected as unauthorized, repeat step 1 to obtain a new token.

Find your tenant ID

Using cURL and the access token from the previous section, you can find the tenant ID and data region that Arctic Wolf needs.

  1. Run this command:
    Note: If you are using Windows, replace curl with curl.exe.
    SHELL
    curl -XGET -H "Authorization: Bearer <access_token>" https://api.central.sophos.com/whoami/v1

    Where:
    • <access_token> is the access_token value that you copied in the previous section.

    Successful output:

    JSON
    {
      "id": "<tenant_id>",
      "idType": "tenant",
      "apiHosts": {
        "global": "https://api.central.sophos.com",
        "dataRegion": "<data_region>"
      }
    }
  2. Copy these values, and then save them in a safe, encrypted location to provide to Arctic Wolf later.
    • tenant_id
    • data_region

Provide Sophos Central credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Sophos Central.
  5. Configure the settings using the Client ID, Client Secret, tenant ID, and data region values that you saved in the previous sections.
  6. Click Test and submit credentials.