You must be an Admin or Super Admin to use this feature.
You can integrate other security software with Sophos Central.
For example, you can add Sophos Cloud Optix anomaly alerts to Sophos Central.
When you integrate a third-party product or service, it can send data to the Sophos Data Lake. You can then query that data in our Threat Analysis Center.
There are several types of integration:
- REST API
- Log collector
- Sophos product (for example, Sophos NDR or Sophos Firewall)
Log collector integrations and Sophos NDR require a virtual machine (VM). REST API integrations don't.
The type of integration you use depends on which product you're integrating.
REST API integrations
To integrate a product that uses an API, you must collect authentication information about your account for that product.
The information you need differs from product to product. Our integration assistant prompts you for the information.
Log collector integrations
Log collector integrations use the Sophos log collector to collect data from the third-party product and add it to the Sophos Data Lake.
You install the log collector on a virtual machine. Our assistant helps you configure an image file which you download and deploy on a VM. The image file includes the log collector application.
A data collector is a virtual machine hosting a log collector.
You then configure your third-party product to send data to the data collector. This uses the third-party product's syslog export function. You give the connection details of your data collector instead of a syslog server.
For more information, see the help for the integration you want to add.
You can send data from multiple integrations to the same data collector:
- If you've already set up Sophos NDR, add third-party integrations and select the same data collector in Sophos Central.
- If you've already set up a third-party integration, add other third-party integrations and select the same data collector in Sophos Central.
You can also set up multiple integrations of the same product to use a single data collector. Do this as follows:
- Set up an integration in Sophos Central.
- Configure your third-party product to use your data collector.
Repeat the third-party product configuration for the extra instances of the product.
Direct these instances to the same data collector.
You don't have to repeat the Sophos Central part of the setup.
We put integrations into categories, depending on the type of product they're for. On the Integrations page, we label each integration with its category , for example Firewall.
To find integrations in particular categories, click Show filters, select categories under Integration category, and click Apply.
The categories are shown below.
|Sophos XDR||Products available with an XDR license: Sophos NDR, Sophos Cloud Optix, Microsoft Graph Security, and Microsoft 365 audit data collector.|
|Identity||Products that monitor sign-in attempts and other security-related activity.|
|Endpoint||Products that detect threats on devices or monitor device usage.|
|Network||Products that detect breaches or threats on a network.|
|Products that detect threats that target email.|
|Public cloud||Products that monitor security and compliance on public cloud accounts.|
|Firewall||Products that control incoming and outgoing network traffic.|
If you're an MDR customer, you can try out beta integrations.
Beta integrations are ones that are still under development. They don't generate detections for the MDR team, but they do report detections on the Detections page.
Look for integrations labeled BETA or, to see them all, click Show filters > Availability > BETA.
When an integration is fully released, you can only use it if you have the license pack for that integration category, for example Firewall.
As Sophos continues to develop new integrations, we occasionally offer customers early access to certain integrations that are still in their beta phase to evaluate, free of charge.
Please note that since these integrations are still in beta, they are offered “AS IS” without any warranties or guarantees that we monitor alerts or generate detections for analysis. All use of beta integrations is at your sole discretion. We may reach out to discuss or request changes to your integration configuration.
Once we transition these integrations from beta to generally availability, an applicable license pack purchase will be required for continued use.
Add an integration
To add or manage integrations, go to Threat Analysis Center > Integrations.
You can click the tabs to see the following:
- Integrations: This shows you all the integrations available to you.
- Configured Integrations: This shows you all the integrations you've already configured.
- Data Collectors: This shows you VMs you've already set up, with the integrations that they're hosting.
To add an integration, find the third-party integration you want to add and click it.
For details of how to add or manage each integration, see the following:
Amazon Web Services (AWS)