Sophos Central provides APIs that allow the retrieval of event and alert data from Sophos Central, for integration with Security Information and Event Management (SIEM) solutions.
The steps below describe how to create an API credential, add its details to config.ini, and run the script to import the data into your SIEM solution.
- Log in to Sophos Central with admin privileges
- Click Clone or Download to download the zip file containing all components of the Sophos Central SIEM Integration script. You must run the script from a device running Python 3 or later.
- You will require API Credentials to access event and alert data via the API. In Sophos Central Admin, go to Global Settings > API Credentials Management.
- To create a new token, click Add Credential from the top-right corner of the screen.
- Select a Credential name and select the appropriate role, add an optional description, and click Add. The API credential Summary for this credential is displayed.
- Click Show Client Secret to display Client Secret.
- Open config.ini in a text editor (skip the 'token_info' section).
- Copy the Client ID and Client Secret from the API Credentials Management page in Sophos Central into the client_id and client_secret fields.
- Update the auth_url and api_host sections to be:
- auth_url = https://id.sophos.com/apc
- api_host = api.central.sophos.com
- If you are using a Partner or Organization account, you will need to specify the tenant_id.
- If the client_id belongs to a Tenant account, do not put the tenant id in. The siem.py script will fail if it is added.
Note: To get the tenant list for a specific partner or organization account, you can use the commands below (replace the angle-bracket placeholders with your own values).
- curl -H "Authorization: Bearer <jwt>" -H "X-Partner-ID: <partner-id>" https://api.central.sophos.com/partner/v1/tenants
- curl -H "Authorization: Bearer <jwt>" -H "X-Organization-ID: <organization-id>" https://api.central.sophos.com/organization/v1/tenants
- You can obtain the JWT from the Sophos ID API and the partner-id/organization-id from the whoami API. See https://developer.sophos.com/getting-started for more details about these APIs.
- Optional: By default, the script writes JSON data to a results.txt file in a subdirectory called logs. You can choose other options in the config file, but we recommend making no further changes and using the defaults for an initial successful run.
- Run the siem.py script with Python and review the results.txt output file.
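The following is an added example, not part of the Sophos script, that checks a config.ini against the rules in the steps above (client_id and client_secret filled in, the expected auth_url and api_host, and tenant_id blank for a tenant credential but set for a partner or organization credential) and builds the tenant-listing request from the curl commands. The [login] section name and the idType values 'tenant', 'partner' and 'organization' (as returned by the whoami API) are assumptions; all values are placeholders.

```python
import configparser

# Constructed config.ini fragment following the fields named in the steps above.
# The [login] section name is assumed; the values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
[login]
client_id = 00000000-0000-0000-0000-000000000000
client_secret = <client-secret-placeholder>
auth_url = https://id.sophos.com/apc
api_host = api.central.sophos.com
tenant_id =
"""

EXPECTED = {"auth_url": "https://id.sophos.com/apc", "api_host": "api.central.sophos.com"}


def load_login(text):
    """Parse the [login] section of config.ini into a plain dict (token_info is ignored)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {k: v.strip() for k, v in parser["login"].items()}


def check_login(cfg, id_type):
    """Return a list of problems; id_type is the credential's type as reported by the
    whoami API: 'tenant', 'partner' or 'organization' (assumed values)."""
    problems = []
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            problems.append(f"{key} is empty; copy it from API Credentials Management")
    for key, want in EXPECTED.items():
        if cfg.get(key) != want:
            problems.append(f"{key} should be {want}, got {cfg.get(key)!r}")
    has_tenant = bool(cfg.get("tenant_id"))
    if id_type == "tenant" and has_tenant:
        problems.append("tenant_id must be blank for a tenant credential (siem.py fails otherwise)")
    if id_type in ("partner", "organization") and not has_tenant:
        problems.append(f"tenant_id is required for a {id_type} credential")
    return problems


def tenant_list_request(cfg, jwt, id_type, account_id):
    """Build the URL and headers for the tenant-listing call shown in the curl commands
    above; account_id is the partner or organization id from the whoami API."""
    if id_type not in ("partner", "organization"):
        raise ValueError("only partner or organization credentials can list tenants")
    header_name = "X-Partner-ID" if id_type == "partner" else "X-Organization-ID"
    url = f"https://{cfg['api_host']}/{id_type}/v1/tenants"
    return url, {"Authorization": f"Bearer {jwt}", header_name: account_id}
```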