Sophos Central Alerts

The Sophos Central Alerts API provides real-time security alerts across all Sophos products, including endpoint, network, email, and cloud security. It returns details such as alert severity, affected devices, detection timestamps, and recommended actions. For detailed information refer to the Sophos official documentation.

Integration Method: API

Tables: Detection Finding (2004)

This integration supports the following events.

This integration supports the following versions.

Note:

We have integrated the Sophos Common API, which consolidates alerts from all Sophos products, including Endpoint, Server, and Mobile. However, each product maintains its own independent release version. There is no single unified version across all products.

Prerequisites

• The user should have access to the Sophos Central alerts portal with an account that has the Global Administrator privileges.

• The user should have access to the DataBee console.

Configuration Overview

1. Generate an API token with the required scopes

2. Add the Sophos Central Alerts data feed in the DataBee console with the below parameters.

   DataBee Parameters	Sophos Central Alerts Parameters
   Client Key	Client ID
   Client Secret	Client Secret

Sophos Central Alerts Configuration

1. Sign in to the Sophos Central Dashboard.

2. Click on the General Settings option in the menu bar at the top right corner
    

3. Click on the API Credentials Management option.
    

4. Click on Add Credential.
    

5. In the “Add credential” window, confirm the following and Add.

   • Credential name: enter Credential name.

   • Description: enter description if any.

   • Role: select Service Principal ReadOnly.

   

6. Click on the Show Client Secret.
    

7. Copy Client ID and Client Secret.

   

   Note:

   Copy and Save the Client details. The Client Secret cannot be shown again. These credentials will expire in 36 months, you will have to generate them again and update them in DataBee again.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Sophos Central Alerts and click it as shown below.
    

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    

5. In the configuration page, confirm the following:

   • Authorization Method: OAuth2

   • API Base URL: this is the base URL that DataBee will interact with.

   • Client Key: enter the Client ID.

   • Client Secret: enter the Client Secret.

   • Token URL: this is the token URL.

   • Event Types: preselected for all the event types that integration pulls.

   

6. Click Submit.

Troubleshooting Tips

• Ensure the Client Key and Client Secret is pasted correctly. Since you cannot view the Client Secret after the 1^st time, re-create the API credential, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.