Overview
Sophos Central is a cloud-based device that is added through the ARIA UI and collected from using API calls. This document walks through the steps to ingest Sophos Central events into ARIA ADR so you have better visibility into threats in your environment.
Prerequisite
The CCE must be upgraded to version 10.3.2 or newer, with Improvement Pack 2 applied on the server. If the CCE is already running a version newer than 10.3.2, no additional packages need to be applied on the CCE server.
Steps Of Integration
To add the Sophos Central support, follow the steps below.
Steps to Generate API Token (Sophos Central Console)
- Log in to Sophos Central Console as Super Admin.
- Navigate to Global Settings → API Token Management.
- Select Add Token to generate new token details.
- Copy the url, x-api-key and Authorization key from the API Access URL + Headers field. You will see something like this:
- Provide the url, x-api-key and Authorization key (ignore the Basic keyword) to ARIA Technical Support (aria_support@ariacybersecurity.com), or enter them in the APE screens below if you have access to the dashboard.
Steps to Configure Sophos Central (ARIA UI)
- Go to Add-On Store → Sophos Central.
- Select Add Sophos Central.
- Complete the fields below.
  - Device: Select the device name 'Sophos Central'.
  - Name: Enter a descriptive name.
  - CCE Host: Enter the IP address of your CCE VM.
  - Access ID/user name: the x-api-key value (enter the exact value shown in the Sophos console).
  - Password/Secret Key: the Authorization key value (enter the exact value shown in the Sophos console).
  - Config:
    - For tenant-level: enter the blank json {}.
    - For enterprise or partner level: use this format: {"tenant_id": "<id>"}
    - Refer to the Sophos developer documentation for additional information.
    - Note: The updated Sophos Central 2.0 script can fetch data for only one tenant at a time (for Partner or Enterprise level).
- Click Save.
Verification
To see the logs in the UI, go to the System tab > Log/Flow Collection tab.
Verification for CCE server
- Log in to the CCE and run the following command:
  otmdoc -s addondevices   (this moves you inside the add-on container)
- Then run:
  crontab -l   (this lists the cron jobs for all add-on devices)
- Copy the Python script command for the Sophos Central device from the crontab and run it manually to confirm it completes without errors.
Troubleshooting
If the script reports an invalid JSON issue, remove its state file so it starts fresh:
rm -rf /usr/local/seceon/sopcentral/state/siem_sophos.json
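The Config field above accepts only two shapes, and the troubleshooting step removes a state file that has become unparsable. The following Python helpers, added here as an example and not part of the ARIA or Sophos scripts, check both conditions before anything is saved or deleted: validate_config classifies a Config value as tenant-level, partner/enterprise-level or invalid, and state_file_status reports whether the collector's state file is missing, valid or corrupt (the file path is the one named in this article; all other names are this example's own).

```python
import json
import os
from typing import Optional, Tuple

# State file named in the article's troubleshooting step.
STATE_FILE = "/usr/local/seceon/sopcentral/state/siem_sophos.json"


def validate_config(config_text: str) -> Tuple[str, Optional[str]]:
    """Classify the add-on 'Config' field before saving it.

    Returns ("tenant", None) for the blank json {}, ("partner", id) for
    {"tenant_id": "<id>"} (enterprise or partner level), and
    ("invalid", reason) for anything else, e.g. malformed JSON or extra
    keys (the 2.0 script fetches one tenant at a time).
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return "invalid", f"not valid JSON: {exc.msg}"
    if not isinstance(cfg, dict):
        return "invalid", "must be a JSON object"
    if not cfg:
        return "tenant", None
    if set(cfg) != {"tenant_id"}:
        return "invalid", 'only the key "tenant_id" is allowed'
    tenant_id = cfg["tenant_id"]
    if not isinstance(tenant_id, str) or not tenant_id.strip():
        return "invalid", "tenant_id must be a non-empty string"
    return "partner", tenant_id.strip()


def state_file_status(path: str = STATE_FILE) -> str:
    """Report the collector's state file as 'missing', 'ok' or 'invalid'.

    'invalid' is the condition behind the troubleshooting step; checking
    first confirms the cause before the file is removed.
    """
    if not os.path.exists(path):
        return "missing"
    try:
        with open(path, encoding="utf-8") as fh:
            json.load(fh)
    except (ValueError, UnicodeDecodeError):  # JSONDecodeError is a ValueError
        return "invalid"
    return "ok"
```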