Description
This article describes how to configure the Sophos Central API URI so that FortiSIEM can pull logs from Sophos Central.
Scope
FortiSIEM All Versions
Solution
To collect data from Sophos Central, the following are needed:
1 - Authorization Key
2 - API Key
3 - Sophos Central URL
This information is then broken up into 4 parts:
1 - Authorization Key
2 - API Key
3 - Sophos Central URI
4 - Sophos Central Destination
The Authorization Key and API Key provided by Sophos Central are each configured on the credentials page.
The Sophos URL is broken up into two pieces:
A - https://api1.central.sophos.com
NOTE: depending on how the account was created, Sophos may provide a
different API endpoint (e.g. api1.central.sophos.com would also work)
B - /gateway/siem/v1/events
To apply the configuration provided by Sophos:
1 - In the URI field, enter "gateway/siem/v1/events":
Admin > Setup > Credentials > Step 1 > New
2 - Add the address in the second step of the Credentials tab:
Admin > Setup > Credentials > Step 2 > New
3 - Save this and click Test Connectivity without Ping.
4 - Verify that this entry has been scheduled for event pulling under Admin > Setup > Pull Events
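The URL split described above can be checked before the values are typed into the two credential steps. The following is an added example, not Fortinet or Sophos code: it splits the URL into the Step 2 address and the Step 1 URI and rejects URLs that would send the keys somewhere other than an HTTPS Sophos Central host. The function names, the sample URL, the allowed-domain check and the header names (x-api-key and Authorization) are assumptions.

```python
from urllib.parse import urlsplit
from urllib.request import Request

# Assumption: Sophos Central API hosts sit under this domain, as in the article.
ALLOWED_SUFFIX = ".central.sophos.com"
# Constructed sample: the full events URL in the form Sophos Central provides it.
SAMPLE_URL = "https://api1.central.sophos.com/gateway/siem/v1/events"


def split_sophos_url(url):
    """Return (destination, uri): Step 2 address and Step 1 URI field value."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("the keys must only be sent over https")
    if parts.username or parts.password:
        raise ValueError("URL must not embed credentials (user@host form)")
    host = (parts.hostname or "").lower()
    if not host.endswith(ALLOWED_SUFFIX):
        raise ValueError(f"unexpected API host: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port for the Sophos Central API")
    if parts.query or parts.fragment:
        raise ValueError("paste the bare endpoint, without query or fragment")
    uri = parts.path.strip("/")  # step 1 shows the URI with no leading slash
    if not uri:
        raise ValueError("URL has no path to use as the URI")
    return f"https://{host}", uri


def build_probe(destination, uri, api_key, authorization):
    """Build, without sending, the GET that the two fields combine into.

    Assumption: the API Key goes in x-api-key and the Authorization Key in
    Authorization, as in Sophos's SIEM API; both values here are placeholders.
    """
    headers = {"x-api-key": api_key, "Authorization": authorization}
    return Request(f"{destination}/{uri}", headers=headers, method="GET")


if __name__ == "__main__":
    dest, uri = split_sophos_url(SAMPLE_URL)
    print("Step 1 URI field :", uri)
    print("Step 2 address   :", dest)
    probe = build_probe(dest, uri, "<API-KEY>", "<AUTHORIZATION-KEY>")
    print(probe.get_method(), probe.full_url)
```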