Sophos
  • 05 Mar 2024

Overview

This adapter allows you to connect to Sophos Central to fetch event logs.

Deployment Configurations

All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

  • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
  • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
  • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
  • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

Adapter-specific Options

Adapter Type: sophos

  • tenantid: your Sophos Central tenant ID
  • clientid: your Sophos Central client ID
  • clientsecret: your Sophos Central client secret
  • url: your Sophos Central data-region URL (e.g. https://api-us01.central.sophos.com); this is the dataRegion host returned by the whoami call described below, not the global API host

Creating Your Credentials and Getting Your Tenant ID

Sophos documentation - https://developer.sophos.com/getting-started-tenant

  1. Add a new credential in Sophos Central (see the Sophos documentation linked above)
  2. Get your client ID and client secret from the credential you just created
  3. Get your JWT -- be sure to replace the placeholder values with the client ID and secret from the previous step
    curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=token" https://id.sophos.com/api/v2/oauth2/token
    
    Response content -- grab the access_token from the output:
    {
       "access_token": "SAVE_THIS_VALUE",
       "errorCode": "success",
       "expires_in": 3600,
       "message": "OK",
       "refresh_token": "<token>",
       "token_type": "bearer",
       "trackingId": "<uuid>"
    }
    
  4. Get your tenant ID -- you will need the access_token (JWT) from the last step.
    curl -XGET -H "Authorization: Bearer YOUR_JWT_HERE" https://api.central.sophos.com/whoami/v1
    
    Response content -- grab the id (tenant_id) and dataRegion (url) from the output. You will need these for your LimaCharlie Sophos adapter configuration.
    {
        "id": "57ca9a6b-885f-4e36-95ec-290548c26059",
        "idType": "tenant",
        "apiHosts": {
            "global": "https://api.central.sophos.com",
            "dataRegion": "https://api-us03.central.sophos.com"
        }
    }
    
  5. Now you have all the pieces for your adapter:
    1. client_id
    2. client_secret
    3. tenant_id
    4. url
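The same procedure as a script, added here as an example (it is not LimaCharlie's or Sophos's own code): it sends the step 3 and step 4 requests, checks each response before trusting it, and assembles the option names from this page into an adapter configuration. The sample responses are constructed from the example output shown above, and the sensor_type/sophos nesting of the final config is an assumption about the binary adapter's config layout, not something this page states.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

# Constructed sample responses, copied from the example output shown in steps 3 and 4.
SAMPLE_TOKEN_RESPONSE = ('{"access_token": "SAVE_THIS_VALUE", "errorCode": "success", "expires_in": 3600, '
                         '"message": "OK", "refresh_token": "<token>", "token_type": "bearer", "trackingId": "<uuid>"}')
SAMPLE_WHOAMI_RESPONSE = ('{"id": "57ca9a6b-885f-4e36-95ec-290548c26059", "idType": "tenant", "apiHosts": '
                          '{"global": "https://api.central.sophos.com", "dataRegion": "https://api-us03.central.sophos.com"}}')

def token_request(client_id, client_secret):
    # Same form-encoded client_credentials grant as the curl command in step 3.
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": "token"}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token(body):
    # Step 3 response: only accept an explicit success that actually carries an access_token.
    data = json.loads(body)
    if data.get("errorCode") != "success" or not data.get("access_token"):
        raise RuntimeError(f"token request failed: {data.get('message', body[:200])}")
    return data["access_token"]

def parse_whoami(body):
    # Step 4 response: the adapter needs a tenant-scoped credential, and the url
    # option must be the dataRegion host, not the global api.central.sophos.com.
    data = json.loads(body)
    if data.get("idType") != "tenant":
        raise RuntimeError(f"credential is scoped to {data.get('idType')!r}, not to a tenant")
    return data["id"], data["apiHosts"]["dataRegion"]

def adapter_config(client_options, tenant_id, client_id, client_secret, url):
    # Option names are from this page; the sensor_type/sophos nesting is an assumed layout.
    return {"sensor_type": "sophos",
            "sophos": {"client_options": client_options, "tenantid": tenant_id,
                       "clientid": client_id, "clientsecret": client_secret, "url": url}}

def fetch_adapter_config(client_options, client_id, client_secret):
    # Live run of steps 3 and 4 (needs network access and real Sophos credentials).
    with urllib.request.urlopen(token_request(client_id, client_secret)) as resp:
        jwt = parse_token(resp.read().decode())
    with urllib.request.urlopen(urllib.request.Request(
            WHOAMI_URL, headers={"Authorization": f"Bearer {jwt}"})) as resp:
        tenant_id, url = parse_whoami(resp.read().decode())
    return adapter_config(client_options, tenant_id, client_id, client_secret, url)
```

Pass the client_options dictionary (oid, installation_key, platform, sensor_seed_key) exactly as described under Deployment Configurations; the client secret is only ever sent to id.sophos.com and never written into the returned config unless you pass it on.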

API Doc

See the official documentation.
