MENU
      Contents x
      Sophos
      • 05 Mar 2024
      • 1 Minute to read
      • Print
      • Dark
      Contents
        This documentation version is deprecated, please click here for the latest version.

      Sophos

      • Updated on 05 Mar 2024
      • 1 Minute to read
      • Print
      • Dark
      Article summary

      Overview

      This adapter allows you to connect to Sophos Central to fetch event logs.

      Deployment Configurations

      All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

      • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
      • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
      • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
      • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

      Adapter-specific Options

      Adapter Type: sophos

      • tenantid: your Sophos Central tenant ID
      • clientid: your Sophos Central client ID
      • clientsecret: your Sophos Central client secret
      • url: your Sophos Central URL (ex: https://api-us01.central.sophos.com)

      Creating Your Credentials and Getting Your Tenant ID

      Sophos documentation - https://developer.sophos.com/getting-started-tenant

      1. Add a new credential here
      2. Get your client ID and client secret from the credentials you just created
      3. Get your JWT -- be sure to replace the values with the client ID and secret from the last step
        curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=token" https://id.sophos.com/api/v2/oauth2/token
        Bash
        Response content -- grab the access_token from the output:
        {
   "access_token": "SAVE_THIS_VALUE",
   "errorCode": "success",
   "expires_in": 3600,
   "message": "OK",
   "refresh_token": "<token>",
   "token_type": "bearer",
   "trackingId": "<uuid>"
}
        JSON
      4. Get your tenant ID -- you will need the access_token (JWT) from the last step.
        curl -XGET -H "Authorization: Bearer YOUR_JWT_HERE" https://api.central.sophos.com/whoami/v1
        Bash
        Response content -- grab the id (tenant_id) and dataRegion (url) from the output. You will need these for your LimaCharlie Sophos adapter configuration.
        {
    "id": "57ca9a6b-885f-4e36-95ec-290548c26059",
    "idType": "tenant",
    "apiHosts": {
        "global": "https://api.central.sophos.com",
        "dataRegion": "https://api-us03.central.sophos.com"
    }
}
        JSON
      5. Now you have all the pieces for your adapter:
        1. client_id
        2. client_secret
        3. tenant_id
        4. url

      API Doc

      See the official documentation.

      Was this article helpful?
      What's Next