SOPHOS XDR INTEGRATION via API
You will need to configure Sophos so that the logs from your Sophos device can be viewed in the Logsign SIEM product.
First, enter the IP address of your Sophos device in your web browser to access it.
You can manage and add credentials for the Partner Provisioning APIs.
You must be a Partner Super Admin to manage and add API credentials.
You can use Sophos APIs to manage users, endpoints, alerts, and security settings. You can also perform forensic analysis.
Roles control what API users can do. You assign a role to a set of API credentials when you create them, and that role limits what anyone using those credentials can do.
Roles with management permissions allow users to use APIs to do the following:
- Query, create, update, and delete users and user groups.
- Query and deal with alerts.
- Query endpoints and perform actions on them, such as run a scan.
- View and change endpoint protection global settings.
Roles with forensic permission allow users to use the API to run predefined or custom Live Discover queries on selected endpoints.
Note: The first time you click API Credentials Management you must read and accept the terms and conditions of use.
To add credentials, do as follows:
- Go to Settings & Policies > API Credentials Management.
- Click Add Credential and give the credential a name and description.
- Choose which role you want to assign. Choose from the following roles:
  - Service Principal Super Admin: Users with this role can perform all API operations with full CRUD (Create, Read, Update, Delete) capabilities and have access to queries.
  - Service Principal Management: Users with this role can view and manage admins, roles, endpoints, and security policies but can't run or view queries.
  - Service Principal Forensics: Users with this role can create, view, run, and delete Live Discover queries.
  - Service Principal Read-Only: Users with this role can view all information in the account but can't add, modify, or remove information. They can't run Live Discover queries.
  - Service Principal Active Directory Sync: Users with this role can perform Active Directory synchronization. They can't do anything else. You must use this role for synchronizing with Active Directory.
We recommend giving API users and applications only the level of access they need. You should keep their access as specific as possible.
- Click Add.
This generates the credential, together with a Client ID and a Client Secret.
- Copy the Client ID and Client Secret.
Note: You can only see the Client Secret once. Store it somewhere secure before leaving the page; if it is lost, you will have to create a new credential.
After these steps, add the source in Logsign SIEM so that logs from the Sophos device can be viewed.
Open Logsign and go to Settings -> Data Collection in the menu bar at the top of the page, then click the "+ Device" button under the Sources tab. On the Source Type Selection page, choose API as the method and Sophos XDR as the Provider. The page then asks for information about the source you want to add.
Fill in the Client ID and Client Secret obtained from Sophos and click the "Check Connection" button.
On the page that opens, fill in the required information (Device Name, Tag, Groups, Role, etc.) and complete the integration by clicking the "Save" button.
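What the "Check Connection" step has to do with the Client ID and Client Secret, shown as an added example (not Logsign's or Sophos' own code): exchange the credentials for a bearer token, then ask the API who the credential belongs to. The token and whoami URLs, the `scope=token` parameter and the `X-Tenant-ID`/`X-Partner-ID`/`X-Organization-ID` headers are assumptions taken from Sophos' public Central API documentation, not from this page; the HTTP transport is injectable so the example also runs offline against a constructed response.

```python
import json
import urllib.parse
import urllib.request

# Assumed Sophos Central endpoints (from Sophos' public API docs, not this page).
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"
SCOPE_HEADER = {"tenant": "X-Tenant-ID", "partner": "X-Partner-ID",
                "organization": "X-Organization-ID"}


def live_transport(url, headers, body=None):
    """Real HTTP call: POST when a body is given, otherwise GET. Returns parsed JSON."""
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body else "GET")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def fetch_token(client_id, client_secret, transport=live_transport):
    """OAuth2 client-credentials exchange. The secret only ever goes in the POST body."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": "token"}).encode()
    data = transport(TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if "access_token" not in data:
        # Report the error code only; never echo the secret into a log line.
        raise RuntimeError("token exchange failed: %s" % data.get("error", "unknown"))
    return data["access_token"]


def check_connection(client_id, client_secret, transport=live_transport):
    """Verify the credential works and learn which host/header later calls must use."""
    token = fetch_token(client_id, client_secret, transport)
    who = transport(WHOAMI_URL, {"Authorization": "Bearer " + token}, None)
    id_type = who.get("idType")
    if id_type not in SCOPE_HEADER:
        raise RuntimeError("unexpected identity type: %r" % id_type)
    hosts = who.get("apiHosts", {})
    return {"id_type": id_type, "scope_header": SCOPE_HEADER[id_type], "scope_id": who["id"],
            "api_host": hosts.get("dataRegion", hosts.get("global"))}


def constructed_transport(url, headers, body=None):
    """Offline stand-in with constructed responses, so the flow can be run without Sophos."""
    if url == TOKEN_URL:
        if body is None or b"client_secret=good-secret" not in body:
            return {"error": "invalid_client"}
        return {"access_token": "constructed-token", "token_type": "bearer", "expires_in": 3600}
    if headers.get("Authorization") != "Bearer constructed-token":
        return {"error": "Unauthorized"}
    return {"id": "00000000-0000-0000-0000-000000000000", "idType": "tenant",
            "apiHosts": {"global": "https://api.central.sophos.com",
                         "dataRegion": "https://api-eu01.central.sophos.com"}}
```

Calling `check_connection(client_id, client_secret)` without the third argument performs the real exchange; a failed exchange raises rather than returning a half-configured source.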