Sophos
  • 05 Oct 2024
  • 1 Minute to read
  • Contributors
  • Dark
    Light

Sophos

  • Dark
    Light

Article summary

Overview

This Adapter allows you to connect to Sophos Central to fetch event logs.

Deployment Configurations

All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

  • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
  • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
  • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
  • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

Adapter-specific Options

Adapter Type: sophos

  • tenantid: your Sophos Central tenant ID

  • clientid: your Sophos Central client ID

  • clientsecret: your Sophos Central client secret

  • url: your Sophos Central URL (ex: https://api-us01.central.sophos.com)

Creating Your Credentials and Getting Your Tenant ID

Sophos documentation - https://developer.sophos.com/getting-started-tenant

  1. Add a new credential here

  2. Get your client ID and client secret from the credentials you just created

  3. Get your JWT -- be sure to replace the values with the client ID and secret from the last step

    curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=token" https://id.sophos.com/api/v2/oauth2/token
    

    Response content -- grab the access_token from the output:

    {
       "access_token": "SAVE_THIS_VALUE",
       "errorCode": "success",
       "expires_in": 3600,
       "message": "OK",
       "refresh_token": "<token>",
       "token_type": "bearer",
       "trackingId": "<uuid>"
    }
    
  4. Get your tenant ID -- you will need the access_token (JWT) from the last step.

    curl -XGET -H "Authorization: Bearer YOUR_JWT_HERE" https://api.central.sophos.com/whoami/v1
    

    Response content -- grab the id (tenant_id) and dataRegion (url) from the output. You will need these for your LimaCharlie Sophos adapter configuration.

    {
        "id": "57ca9a6b-885f-4e36-95ec-290548c26059",
        "idType": "tenant",
        "apiHosts": {
            "global": "https://api.central.sophos.com",
            "dataRegion": "https://api-us03.central.sophos.com"
        }
    }
    
  5. Now you have all the pieces for your adapter:

    1. client_id

    2. client_secret

    3. tenant_id

    4. url

API Doc

See the official documentation.


Was this article helpful?

What's Next