Sophos Central collector
Sophos offers a set of cloud-native, AI-enhanced security products that adapt and evolve to protect endpoints and networks against new cybercriminal tactics and techniques. Sophos Central is the unified console for managing Sophos products.
The Sophos Central collector extracts event and alert audit logs from Sophos Central and sends them to Devo.
Data source description
The collector processes the Sophos Central API responses and sends them to the Devo platform, which categorizes all the information received into tables in your Devo domain.
The Sophos Central API allows you to retrieve account activity for the alert and event resources:
Devo data tables
- Alerts: returns a list of alerts.
- Events: returns a list of events.
The Sophos Central API Specification and Documentation provides API schemas that you can use. You can also load the schemas using this schema editor.
Getting the required credentials
You can generate and manage the required API token used for secure access to the Security Information and Event Management (SIEM) Integration API. This enables you to pull new event and alert data from Sophos Central.
You must be a Super Admin to manage and generate API tokens.
To add a new token:
- Go to Settings and open the API Token Management page.
- Click Add Token.
- Give the token a name and click Save. This generates an API token that is valid for one year.
- Save your API Access URL, x-api-key, Authentication Basic, and Expires. You will need them in the config file later on.
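The values saved in the last step are what a client presents on every request to the SIEM Integration API: the API Access URL as the base, x-api-key and the Basic authentication string as headers, and Expires to know when the yearly token must be rotated. The script below is an added example, not Devo's collector code; it assumes the Sophos SIEM Integration API endpoint paths (`/siem/v1/events`, `/siem/v1/alerts`) and the `has_more`/`next_cursor`/`items` response fields, and uses a constructed in-memory stand-in for the HTTP call so it runs offline.

```python
from datetime import datetime, timezone

def build_request(api_access_url, x_api_key, auth_basic, resource, cursor=None, limit=200):
    """Build (url, headers) for one page of the SIEM API. resource is 'events' or 'alerts'.
    Endpoint path is assumed from the Sophos SIEM Integration API specification."""
    if resource not in ("events", "alerts"):
        raise ValueError("resource must be 'events' or 'alerts'")
    url = f"{api_access_url.rstrip('/')}/siem/v1/{resource}?limit={limit}"
    if cursor:
        url += f"&cursor={cursor}"
    # auth_basic is the full 'Basic <token>' string saved from the token page (assumption).
    headers = {"x-api-key": x_api_key, "Authorization": auth_basic, "Accept": "application/json"}
    return url, headers

def token_days_left(expires_iso, now_iso=None):
    """Days until the token's 'Expires' timestamp; use it to alert before the one-year expiry."""
    exp = datetime.fromisoformat(expires_iso.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso else datetime.now(timezone.utc)
    return (exp - now).days

def collect(fetch, api_access_url, x_api_key, auth_basic, resource):
    """Follow next_cursor until has_more is false. fetch(url, headers) returns the parsed JSON body,
    so a real urllib/requests call can be dropped in without changing the paging logic."""
    items, cursor = [], None
    while True:
        url, headers = build_request(api_access_url, x_api_key, auth_basic, resource, cursor)
        page = fetch(url, headers)
        items.extend(page.get("items", []))
        if not page.get("has_more"):
            return items
        cursor = page["next_cursor"]

# Constructed sample pages (not real Sophos output) standing in for the API.
SAMPLE_PAGES = {
    None: {"has_more": True, "next_cursor": "c1",
           "items": [{"id": "evt-1", "type": "Event::Endpoint::Threat::Detected", "severity": "high"}]},
    "c1": {"has_more": False, "next_cursor": "c2",
           "items": [{"id": "evt-2", "type": "Event::Endpoint::WebControlViolation", "severity": "low"}]},
}

def fake_fetch(url, headers):
    """Offline stand-in: checks the headers a real gateway would require, then serves a sample page."""
    if not headers.get("x-api-key") or not headers.get("Authorization", "").startswith("Basic "):
        raise PermissionError("missing x-api-key or Basic authorization header")
    cursor = url.split("cursor=")[1] if "cursor=" in url else None
    return SAMPLE_PAGES[cursor]

if __name__ == "__main__":
    events = collect(fake_fetch, "https://api1.central.sophos.com/gateway", "KEY", "Basic QUJD", "events")
    print(len(events), "events pulled;", token_days_left("2025-01-01T00:00:00Z", "2024-01-01T00:00:00Z"), "days of token validity left")
```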
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).
We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
The following directory structure should be created for use when running the Sophos Central collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config-sophos-central.yaml file
In the config-sophos-central.yaml file, replace
Download the Docker image
The collector should be deployed as a Docker container. Click here to download the Docker image of the collector as a .tgz file.
Use the following command to add the Docker image to the system:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace "
The Docker image can be deployed on the following services:
Execute the following command in the root directory
The following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
Click here to download a preconfigured Activeboard that makes use of this collector and try it in your Devo domain.
To start working with it, follow these instructions:
Create a new Activeboard in your domain. Learn how to do it here.
In Edit mode, click the ellipsis button and select Edit raw configuration.
Open the downloaded file, select all the text, and copy it into the clipboard.
Paste the contents of the file in the raw editor. Make sure you replace the existing configuration completely.
Click Save changes. The Activeboard should show up immediately.