    Sophos
    12 Jun 2025

    Overview

    This adapter connects to Sophos Central and fetches its event logs into LimaCharlie.

    Deployment Configurations

    All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

    • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
    • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
    • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
    • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

    Adapter-specific Options

    Adapter Type: sophos

    • tenantid: your Sophos Central tenant ID

    • clientid: your Sophos Central client ID

    • clientsecret: your Sophos Central client secret

    • url: your Sophos Central URL (ex: https://api-us01.central.sophos.com)

    Creating Your Credentials and Getting Your Tenant ID

    Sophos documentation - https://developer.sophos.com/getting-started-tenant

    1. Add a new API credential in Sophos Central (the Sophos documentation linked above describes where to do this).

    2. Note the client ID and client secret of the credential you just created; the secret is shown only once, so store it in your secret manager immediately.

    3. Get your JWT -- replace the placeholders with the client ID and secret from the previous step. Note that a secret passed on the command line is written to your shell history and is visible to anyone who can list processes; for anything beyond a one-off test, supply it from a file or environment variable instead (for example curl's --data-urlencode "client_secret@secret.txt").

      curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=token" https://id.sophos.com/api/v2/oauth2/token

      Response content -- grab the access_token from the output. It is a bearer token valid for expires_in seconds (3600 here), so treat it like a credential and use it for the next step promptly:

      {
         "access_token": "SAVE_THIS_VALUE",
         "errorCode": "success",
         "expires_in": 3600,
         "message": "OK",
         "refresh_token": "<token>",
         "token_type": "bearer",
         "trackingId": "<uuid>"
      }
    4. Get your tenant ID -- you will need the access_token (JWT) from the last step.

      curl -XGET -H "Authorization: Bearer YOUR_JWT_HERE" https://api.central.sophos.com/whoami/v1

      Response content -- grab the id (this is your tenantid) and apiHosts.dataRegion (this is your url) from the output; you will need both for the LimaCharlie Sophos adapter configuration. Check that idType is "tenant": the adapter needs a tenant-scoped credential, so if you see "partner" or "organization" here, create the credential for the specific tenant (the Sophos documentation linked above describes this) rather than using this response's id.

      {
          "id": "57ca9a6b-885f-4e36-95ec-290548c26059",
          "idType": "tenant",
          "apiHosts": {
              "global": "https://api.central.sophos.com",
              "dataRegion": "https://api-us03.central.sophos.com"
          }
      }
    5. You now have all four adapter-specific options:

      1. clientid: the client ID from step 2

      2. clientsecret: the client secret from step 2

      3. tenantid: the id returned by /whoami/v1 in step 4

      4. url: the apiHosts.dataRegion value returned by /whoami/v1 in step 4 (not the global api.central.sophos.com host)
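    The same five steps as a script, added here as an example (this is not LimaCharlie's or Sophos's own code). It uses only the Python standard library, calls the two Sophos endpoints from the curl commands above, keeps the client secret out of the command line by reading it from environment variables (SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET are assumed names), refuses a credential whose whoami idType is not "tenant", and maps the results onto the adapter's option names. The parsing and mapping functions take plain dicts, so they can be exercised offline against the sample responses shown above.

```python
"""Resolve Sophos Central credentials to the LimaCharlie Sophos adapter options."""
import json
import os
import urllib.parse
import urllib.request

# Endpoints exactly as used in the curl steps above.
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"


def parse_token_response(payload):
    """Extract the bearer token from the /oauth2/token response, refusing anything but a clean success."""
    if payload.get("errorCode") != "success" or not payload.get("access_token"):
        raise RuntimeError(f"token request failed: {payload.get('message', payload)}")
    return payload["access_token"]


def parse_whoami(payload):
    """Return (tenantid, url) from the /whoami/v1 response.

    The adapter takes a tenant ID, so the credential must be tenant-scoped: a partner- or
    organization-scoped credential answers with a different idType and no usable tenant ID.
    """
    id_type = payload.get("idType")
    if id_type != "tenant":
        raise ValueError(f"credential is {id_type!r}-scoped, not tenant-scoped; "
                         "create the API credential for the specific tenant instead")
    data_region = (payload.get("apiHosts") or {}).get("dataRegion")
    if not payload.get("id") or not data_region:
        raise ValueError("whoami response lacks id or apiHosts.dataRegion")
    return payload["id"], data_region


def fetch_access_token(client_id, client_secret, opener=urllib.request.urlopen):
    """POST client_credentials with the secret in the request body, not on a command line."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return parse_token_response(json.load(resp))


def fetch_whoami(token, opener=urllib.request.urlopen):
    """Resolve the tenant ID and data-region host using the bearer token from fetch_access_token."""
    req = urllib.request.Request(WHOAMI_URL, headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        return parse_whoami(json.load(resp))


def adapter_options(client_id, client_secret, tenant_id, url):
    """Map the gathered values onto the adapter's option names (clientid, clientsecret, tenantid, url)."""
    return {
        "sensor_type": "sophos",
        "sophos": {
            "clientid": client_id,
            "clientsecret": client_secret,
            "tenantid": tenant_id,
            "url": url,
        },
    }


if __name__ == "__main__":
    # Assumed environment variable names; the secret is read from the environment so it never lands in argv.
    cid = os.environ["SOPHOS_CLIENT_ID"]
    secret = os.environ["SOPHOS_CLIENT_SECRET"]
    tenant_id, region_url = fetch_whoami(fetch_access_token(cid, secret))
    # Print with the secret redacted; paste the real value into the adapter config from your secret store.
    print(json.dumps(adapter_options(cid, "<redacted>", tenant_id, region_url), indent=2))
```

    The opener parameter exists so the HTTP layer can be swapped out (for a proxy-aware opener, or a fake in tests); the default is urllib's plain urlopen.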

    Infrastructure as Code Deployment

    # Sophos Central Specific Docs: https://docs.limacharlie.io/docs/adapter-types-sophos-central
    
    sensor_type: "sophos"
    sophos:
      clientid: "YOUR_SOPHOS_CENTRAL_CLIENT_ID" # (required) your Sophos Central client ID.
      clientsecret: "YOUR_SOPHOS_CENTRAL_CLIENT_SECRET" # (required) your Sophos Central client secret. Store securely.
      tenantid: "YOUR_SOPHOS_TENANT_ID" # (required) your Sophos Central tenant ID.
      url: "https://api-us01.central.sophos.com" # (required) the apiHosts.dataRegion host returned by /whoami/v1 for your tenant (e.g., https://api-us03.central.sophos.com); not the global api.central.sophos.com host.
      client_options:
        identity:
          oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
          installation_key: "YOUR_LC_INSTALLATION_KEY_SOPHOS" # (required) Installation key associated with the OID.
        hostname: "sophos-central-adapter-prod-01.example.com" # (required if not using sensor_hostname_path)
        platform: "saas_api" # (required) Indicates the source is the Sophos Central SaaS API.
        architecture: null # (optional) Not applicable for SaaS API.
        mapping:
          # Sophos Central API returns JSON, so parsing_re is usually null.
          parsing_re: null
          # (optional) Path to uniquely ID the original alert, event, or endpoint. Sophos events often have 'id'.
          sensor_key_path: "id"
          # (optional) If client_options.hostname is NOT set, use this to dynamically extract a device hostname from the event.
          sensor_hostname_path: null # Example: "endpoint.hostname" if events contain endpoint details.
          # (optional) Example: "SOPHOS_ALERT_MALWARE", "SOPHOS_EVENT_DEVICE_ISOLATED" based on 'type' or other fields.
          event_type_path: "SOPHOS_{{ .type | token | upper }}_{{ .severity | token | upper | default \"INFO\" }}"
          # (optional) JSON path to the event's occurrence time. Sophos uses various timestamp fields like 'raisedAt', 'createdAt', 'when'.
          event_time_path: "raisedAt" # Or "createdAt", "when", "threat_event_occured_at", depending on the event type.
          # (optional) JSON path for a field to populate LimaCharlie's investigation_id.
          investigation_id_path: "threatCaseId" # Or "managementAgent.id" for endpoint events.
          # (optional) Use +/- syntax for transforms.
          transform:
            "+sophos_data_source": "SophosCentralAPI"
            "+sophos_alert_id": "{{ .id }}"
            # Example of enriching with tenant ID from adapter config if not in event:
            "+sophos_customer_id_from_config": "{{ .config.tenantid }}"
            "-items[*].description_verbose": null # Remove a potentially very long field from a list of items
            # "+endpoint_os_name": "{{ .endpoint.os.name }}" # Example: extracting nested data
          # (optional) A list of field paths to drop.
          drop_fields:
          - "page_metadata"
          - "internal_sophos_correlation_id"
          sid_replication_path: null # (optional)
        # mappings: null
        indexing:
          enabled: true
          default_index: "sophos-central-{{ .identity.oid | substr 0 8 }}"
        is_compressed: false # (optional)
        sensor_seed_key: "SEED_KEY_SOPHOS_ADAPTER_001" # (required)
        dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
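    A pre-deployment check for a config like the one above, added as an example (not LimaCharlie's own tooling). It takes the parsed YAML as a dict and reports anything that would make the adapter fail or misbehave: leftover placeholder values (the YOUR_ and xxxxxxxx- conventions used in the template), a tenantid that is not a UUID, a url that is not a Sophos data-region host (the api-xx##.central.sophos.com pattern is an assumption about Sophos region naming), a missing OID, installation key or sensor_seed_key, and neither hostname nor sensor_hostname_path being set. Loading the YAML file in the __main__ block assumes PyYAML is installed.

```python
"""Sanity-check a LimaCharlie Sophos adapter config before deploying it."""
import re
import sys
import uuid

# Assumption: Sophos Central data-region hosts look like api-us01 / api-eu02 / api-us03.central.sophos.com.
REGION_URL = re.compile(r"^https://api-[a-z]{2}\d{2}\.central\.sophos\.com$")
# Placeholder conventions used in the template above; a deployed config must not contain them.
PLACEHOLDER = re.compile(r"^(YOUR_|xxxxxxxx-)")


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def validate_adapter_config(cfg):
    """Return a list of problems; an empty list means the config looks deployable."""
    problems = []
    if cfg.get("sensor_type") != "sophos":
        problems.append("sensor_type must be 'sophos'")
    sophos = cfg.get("sophos") or {}

    # Adapter-specific options: all four are required and must not be template placeholders.
    for key in ("clientid", "clientsecret", "tenantid", "url"):
        val = sophos.get(key)
        if not val:
            problems.append(f"sophos.{key} is missing")
        elif PLACEHOLDER.match(str(val)):
            problems.append(f"sophos.{key} still holds a placeholder")
    if sophos.get("tenantid") and not _is_uuid(sophos["tenantid"]):
        problems.append("sophos.tenantid is not a UUID (use the 'id' from /whoami/v1)")
    url = sophos.get("url") or ""
    if url and not REGION_URL.match(url):
        problems.append("sophos.url must be the apiHosts.dataRegion host from /whoami/v1, "
                        "not the global api.central.sophos.com host or an invented region")

    # Common client_options: identity, seed key, and a hostname source.
    co = sophos.get("client_options") or {}
    ident = co.get("identity") or {}
    if not _is_uuid(ident.get("oid", "")):
        problems.append("client_options.identity.oid must be the LimaCharlie OID (a UUID)")
    key = ident.get("installation_key")
    if not key or PLACEHOLDER.match(str(key)):
        problems.append("client_options.identity.installation_key is missing or a placeholder")
    if not co.get("sensor_seed_key"):
        problems.append("client_options.sensor_seed_key is required (SIDs derive from it)")
    if not co.get("hostname") and not (co.get("mapping") or {}).get("sensor_hostname_path"):
        problems.append("set client_options.hostname or mapping.sensor_hostname_path")
    return problems


if __name__ == "__main__":
    import yaml  # PyYAML (pip install pyyaml); assumed, not part of the standard library

    with open(sys.argv[1]) as fh:
        found = validate_adapter_config(yaml.safe_load(fh) or {})
    for problem in found:
        print("-", problem)
    sys.exit(1 if found else 0)
```

    Because the file holds both the Sophos client secret and the LimaCharlie installation key, run this check where the file already lives (CI with the secrets injected, or the deploy host) rather than copying it around.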

    API Doc

    See the official Sophos Central API documentation on developer.sophos.com (the getting-started page is linked above).

