Integrating Blumira with Sophos Central

Sophos Central is an integrated management platform to help simplify the administration of multiple Sophos products, including endpoint, mobile device management (MDM), server protection and a secure web gateway. It helps you stop spam, phishing, malware and data loss.
Blumira’s integration allows you to retrieve event data from Sophos Central directly to your Blumira sensor to start tracking logs for threat detection and response.
Related Integration: Sophos XG Firewall Integration With Blumira

Set Up Instructions

Sophos Central Log Collection Configuration

Preparing Sophos Central

Before Blumira can retrieve logs from Sophos Central, you will first need to obtain credentials to access the Sophos Central API. To obtain these credentials, please follow these steps.

  1. From the Sophos Central Admin page (https://central.sophos.com) go to Global Settings > API Token Management.
  2. Click Add token on the top-right corner of the screen.
  3. Select a token name and click Save.
  4. In the API Token Summary that is displayed, check the API Access Url + Headers section and take note of the url value, the x-api-key value and the Authorization value (for example, Basic ZjAyODczYjctAxm42adfGhi3aE3…aSDF=). Treat the x-api-key and Authorization values as secrets: together they grant read access to your tenant's event data.

Configuring Blumira

Next, you’ll need to configure your Blumira sensor to connect to the Sophos Central API, using the credentials you obtained in the steps above.

Here’s how to add the Sophos Central module:

  1. Once you have chosen or installed a Blumira sensor that you would like to add Sophos Central log collection to, open that sensor’s detail page in the sensor UI (Infrastructure > Sensors > [click on your chosen sensor]).
  2. In the Modules section for your sensor, click the Add Module button. In the Module drop-down, find the Sophos Module and select the latest version.
  3. Fill in the New Module form as follows:
     1. For the Sophos Central URL, use the url value you obtained from Sophos Central. For the Sophos Central APIkey, use the x-api-key value. For the Sophos Central AUTH, use the entire Authorization value, which should look like:
        Basic <RANDOM TOKEN STRING>
     2. You can leave Log Source Name empty or, optionally, set it to a short alphanumeric string without spaces that will help identify this instance of the Sophos integration in case you later have multiple (e.g. “main” or “primary”).
     3. Press Install and wait a few seconds for the system to process your request.

The Add New Module window should close, and, back in your sensor detail page view, you should now see the Sophos Module listed in the table of modules.

Within minutes, the module will be operational, and will ingest Sophos Central logs from the last 12 hours into the Blumira platform. It will then poll Sophos Central every minute for the latest available logs.
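To make the behaviour described above concrete, here is an added example (not Blumira's or Sophos's own code) of a minimal poller that sends the two headers from the API Token Summary, backfills the last 12 hours on its first run, and then resumes from a stored cursor on each subsequent poll. The endpoint path /siem/v1/events, the query parameters from_date, cursor and limit, and the response fields items, has_more and next_cursor are assumptions about the Sophos Central SIEM API and should be checked against Sophos's API documentation; the sample responses and event records are constructed so the script runs offline.

```python
"""Added example: poll Sophos Central with the URL, x-api-key and Authorization
values from the API Token Summary. Endpoint path, query parameters and response
fields are ASSUMED, not taken from the integration guide; verify them first."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

INITIAL_WINDOW_SECONDS = 12 * 60 * 60   # first run ingests the last 12 hours
POLL_INTERVAL_SECONDS = 60              # afterwards, poll every minute


def build_headers(api_key: str, auth: str) -> Dict[str, str]:
    """Build the two headers Sophos Central issues with the token.

    The Authorization value must be used whole and looks like
    'Basic <RANDOM TOKEN STRING>'; anything else is almost certainly a
    copy/paste error, so it is rejected here rather than sent.
    """
    if not api_key or not api_key.strip():
        raise ValueError("x-api-key value is empty")
    if not auth.startswith("Basic "):
        raise ValueError("Authorization value must be the full 'Basic ...' string")
    return {"x-api-key": api_key.strip(), "Authorization": auth.strip(),
            "Accept": "application/json"}


def events_url(base_url: str, from_date: Optional[int], cursor: Optional[str],
               limit: int = 1000) -> str:
    """Assumed SIEM events endpoint; a cursor, once held, replaces from_date."""
    params = {"limit": str(limit)}
    if cursor:
        params["cursor"] = cursor
    elif from_date is not None:
        params["from_date"] = str(from_date)
    return base_url.rstrip("/") + "/siem/v1/events?" + urllib.parse.urlencode(params)


def http_get_json(url: str, headers: Dict[str, str]) -> dict:
    """Real transport (not used by the offline demo below)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def poll_once(base_url: str, headers: Dict[str, str], cursor: Optional[str],
              now: int, fetch: Callable[[str, Dict[str, str]], dict]
              ) -> Tuple[List[dict], Optional[str]]:
    """One polling round: returns (events, cursor to store for the next round).

    Without a cursor we ask for the last 12 hours; with one we resume exactly
    where the previous poll stopped, so events are neither re-read nor missed.
    """
    from_date = None if cursor else now - INITIAL_WINDOW_SECONDS
    events: List[dict] = []
    while True:                                  # drain all pages of this round
        page = fetch(events_url(base_url, from_date, cursor), headers)
        events.extend(page.get("items", []))
        cursor = page.get("next_cursor", cursor)
        if not page.get("has_more"):
            return events, cursor


# Constructed sample responses (not real Sophos data), keyed by the cursor the
# client sends; "" stands for the initial from_date request.
SAMPLE_PAGES = {
    "": {"items": [{"id": "evt-1", "type": "constructed-threat-detected", "severity": "high"},
                   {"id": "evt-2", "type": "constructed-web-control", "severity": "low"}],
         "has_more": True, "next_cursor": "c1"},
    "c1": {"items": [{"id": "evt-3", "type": "constructed-threat-cleaned", "severity": "medium"}],
           "has_more": False, "next_cursor": "c2"},
    "c2": {"items": [], "has_more": False, "next_cursor": "c2"},
}


def fake_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Offline stand-in for http_get_json; reads the cursor back out of the URL."""
    assert "x-api-key" in headers and headers["Authorization"].startswith("Basic ")
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return SAMPLE_PAGES[qs.get("cursor", [""])[0]]


def demo() -> Tuple[int, int, Optional[str]]:
    """Two polling rounds against the constructed data: a backfill, then a resume."""
    headers = build_headers("constructed-api-key", "Basic Y29uc3RydWN0ZWQ=")
    now = int(time.time())
    first, cursor = poll_once("https://api.example.invalid", headers, None, now, fake_fetch)
    second, cursor = poll_once("https://api.example.invalid", headers, cursor,
                               now + POLL_INTERVAL_SECONDS, fake_fetch)
    return len(first), len(second), cursor     # -> (3, 0, "c2")


if __name__ == "__main__":
    print(demo())
```

The cursor returned by poll_once is the only state that needs to persist between runs; if it is lost, the next poll falls back to the 12-hour window and will re-ingest events that were already seen, so downstream deduplication by event id is worth keeping.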