Sophos Central
Sophos Central is a cloud-based security management platform that provides endpoint, server, and workload protection through the Sophos Agent. The Sophos Central event source enables SIEM (InsightIDR) Managed Detection & Response (MDR) to ingest security events and detections generated by the Sophos Agent in customer environments.
SIEM (InsightIDR) retrieves these events through the Sophos Central API, using a credential configured with the Service Principal Read Only role. Once collected, SIEM (InsightIDR) can detect malware activity, behavioral detections, and endpoint threat indicators based on the incoming event data.
SIEM (InsightIDR) parses these alert types as Virus Alert events:
- event::endpoint::coreclean
- event::endpoint::corehmpacleannothingfound
- event::endpoint::threat::cleanedup
- event::endpoint::threat::cleanupfailed
- event::endpoint::coredetection
- event::endpoint::threat::detected
There are two methods of collecting data from Sophos Central: through a cloud connection or through a collector.
Configure the Sophos Central event source
Choose one of these collection methods:
Use the Cloud Connection method
To set up Sophos Central via the cloud connection method:
- Read the requirements and complete any prerequisite steps.
- Configure Sophos Central to send data to SIEM (InsightIDR).
- Configure SIEM (InsightIDR) to collect data from the event source.
Requirements
Before you start configuration, ensure that:
- You have an active Sophos Central account with the ability to create API credentials.
- You can create a Service Principal Read Only credential in Sophos Central.
- You have access to the Sophos Central Customer ID, Client ID, and Client Secret, which are required to authenticate SIEM (InsightIDR).
- You have IAM permissions in SIEM (InsightIDR) to create event sources and cloud connections.
To learn more about Sophos API credentials, refer to Sophos developer documentation: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/FirewallManagement/AWSAutoscaling/ConfigureAWS/CreateAPICredentials/index.html
Configure Sophos Central to send data to SIEM (InsightIDR)
To allow SIEM (InsightIDR) to collect events, you must create and record the required API credentials.
Task 1: Retrieve the Sophos Customer ID
- Log in to Sophos Central: https://central.sophos.com/
- Click the Profile icon in the top-right corner.
- Copy the displayed Customer ID. You will need this later in SIEM (InsightIDR).
Task 2: Create the Service Principal Read Only credential
- In Sophos Central, click the Global Settings icon.
- Go to Access Control > API Credentials.
- Click Credentials.
- Click Add Credential.
- Enter a name for the credential.
- Select the role Service Principal Read Only.
- Securely record the Client ID and Client Secret. You will enter these values in SIEM (InsightIDR).
Configure SIEM (InsightIDR) to collect data from the event source
After preparing the Sophos credentials, you must add the event source in SIEM (InsightIDR).
Task 1: Select Sophos Central
- In the Command Platform, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Sophos Central in the event sources search bar.
- In the Product Type filter, select Virus Scan.
- Select the Sophos Central event source tile.
Task 2: Set up the cloud connection
- In the Add Event Source panel, select Run On Cloud.
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- Click Add a New Connection.
- In the Create a Cloud Connection screen:
- Enter a name for the new connection.
- In the Customer ID field, enter the Customer ID that you obtained in Task 1: Retrieve the Sophos Customer ID.
- In the Client ID field, enter the Client ID that you obtained in Task 2: Create the Service Principal Read Only credential.
- In the Client Secret field, enter the Client Secret that you obtained in Task 2: Create the Service Principal Read Only credential.
- Click Save & Test Connection.
- Choose the timezone that matches the location of your event source logs.
- Optionally, select the option to send unparsed data.
- Click Save.
Example Alert
{
"customer_id": "6ba044f5-793f-4c97-866c-0c0250a7bff6",
"created_at": "2025-11-24T16:46:26.302Z",
"severity": "medium",
"source_info": {
"ip": "172.31.25.212"
},
"endpoint_id": "b8498e8e-ffb4-4c6a-a10f-35890a0bd1c9",
"endpoint_type": "server",
"threat": "ML/PE-A",
"origin": "ML",
"when": "2025-11-24T16:46:23.409Z",
"appSha256": "c9bce42abded22ed3cb108f0dbbd1ce0ed99554d9bb4f0a1bbc2505ece40ce4f",
"name": "Malware detected: 'ML/PE-A' at 'C:\\Users\\Administrator\\Downloads\\sophostest_executable_ml_malware.exe'",
"location": "EC2AMAZ-0B6K8L4",
"id": "b5de0d2b-d035-4271-9f88-8f8a9101fbda",
"type": "Event::Endpoint::CoreDetection",
"source": "n/a",
"group": "MALWARE"
}
Use the Collector method
Sophos Central provides a SIEM integration script that connects to its secure API for event and alert data. The integration script must be run on a scheduled basis using a scheduled task (Windows) or a cron job (Linux). The script pulls log data down from the Sophos Central API and forwards it to your SIEM (InsightIDR) Collector.
To set up Sophos Central via the collector method:
Configure Sophos Logs
You must configure Sophos Central to send alert and event data to a SIEM. Follow the instructions provided by Sophos here: https://community.sophos.com/kb/en-us/125169
After downloading the SIEM integration script to your local environment, you will need to edit the config.ini file to your local configuration with the following changes:
- Configure the syslog address to point to your SIEM (InsightIDR) collector. Take note of the port you use during this step.
- Change <collectorip> to the IP address of the server hosting the Collector.
- Change filename = result.txt to filename = syslog.
SIEM (InsightIDR) also supports JSON formats.
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
To configure the new event source in SIEM (InsightIDR):
Task 1: Select Sophos Central
- In the Command Platform, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Sophos Central in the event sources search bar.
- In the Product Type filter, select Virus Scan.
- Select the Sophos Central event source tile.
Task 2: Set up the collector
- In the Add Event Source panel, select Run On Cloud.
- Name the event source and choose your collector.
- Select Listen on Network Port as your Collection method. Enter the port you documented earlier.
- Optionally, if you choose TCP, encrypt the event source by downloading the Rapid7 Certificate.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Optionally, provide a Java-style regex expression to filter out unwanted data.
- If necessary, configure your default domain and any Advanced Event Source Settings.
- Click Save.
Not seeing log data?
SIEM (InsightIDR) only parses an event from your Virus Scan event source when a virus is found.
Test the Configuration
Parsed Event Types
SIEM (InsightIDR) currently parses key endpoint protection events, including:
- Malware detections
- Behavioral detections
- Core endpoint threat events
Not all Sophos event types are parsed. To reduce noise, some events are ingested only as unparsed logs, so parsing rates may appear lower than expected.
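The example below is added here and is not Rapid7's or Sophos's code. It shows how the six Virus Alert event types listed at the top of this page can be separated from events that stay unparsed, using a record shaped like the Example Alert above; the routine event type and the corrupted line in the sample input are constructed.

```python
import json

# Added example, not Rapid7's or Sophos's code. The six Sophos Central event types the
# page says SIEM (InsightIDR) parses as Virus Alert events; matched case-insensitively
# because Sophos emits mixed case (e.g. "Event::Endpoint::CoreDetection").
VIRUS_ALERT_TYPES = {
    "event::endpoint::coreclean", "event::endpoint::corehmpacleannothingfound",
    "event::endpoint::threat::cleanedup", "event::endpoint::threat::cleanupfailed",
    "event::endpoint::coredetection", "event::endpoint::threat::detected",
}

def is_virus_alert(event):
    """True when the event type is one SIEM (InsightIDR) parses as a Virus Alert."""
    return str(event.get("type", "")).lower() in VIRUS_ALERT_TYPES

def normalize_virus_alert(event):
    """Pull the fields an analyst triages from a Sophos detection event."""
    return {
        "event_id": event.get("id"),
        "severity": event.get("severity"),
        "threat": event.get("threat"),
        "host": event.get("location"),
        "source_ip": (event.get("source_info") or {}).get("ip"),
        "sha256": event.get("appSha256"),
    }

def triage(raw_lines):
    """Split raw JSON lines into parsed Virus Alerts and everything left unparsed."""
    parsed, unparsed = [], []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except ValueError:
            unparsed.append(line)  # corrupted line: keep it raw, never drop it
            continue
        if isinstance(event, dict) and is_virus_alert(event):
            parsed.append(normalize_virus_alert(event))
        else:
            unparsed.append(line)  # not a detection: SIEM would ingest it unparsed
    return parsed, unparsed
# Constructed sample input: a detection shaped like the page's Example Alert, a routine
# non-detection event (its type is a constructed placeholder), and one corrupted line.
SAMPLE_LINES = [
    json.dumps({"id": "b5de0d2b-d035-4271-9f88-8f8a9101fbda", "severity": "medium",
                "type": "Event::Endpoint::CoreDetection", "when": "2025-11-24T16:46:23.409Z",
                "threat": "ML/PE-A", "location": "EC2AMAZ-0B6K8L4", "source_info": {"ip": "172.31.25.212"},
                "appSha256": "c9bce42abded22ed3cb108f0dbbd1ce0ed99554d9bb4f0a1bbc2505ece40ce4f"}),
    json.dumps({"id": "constructed-0002", "type": "Event::Endpoint::ExampleRoutine", "severity": "low"}),
    '{"id": "constructed-0003", "type": "Event::Endpoint::Threat::Detected"',
]
```

Running triage(SAMPLE_LINES) yields one normalized Virus Alert and two unparsed lines, which mirrors why a Sophos event source can show fewer parsed events than raw logs.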
Alerts that may be generated
Based on parsed event types, SIEM (InsightIDR) may generate alerts such as:
- Malware Detected
- Suspicious Endpoint Behavior
- Threat Detection Notable Events
Verify data flow
- In SIEM (InsightIDR), go to Data Collection Management > Event Sources.
- Find your Sophos Central event source.
- Click View Raw Log.
- If logs appear, data is flowing to the collector or cloud connection.
- Go to Log Search.
- Filter by your event source name.
- Logs appear under the log set:
- Sophos Central
- Set the time range to Last 10 minutes and click Run.
Review keys and values to validate that events are populating as expected.
Troubleshoot Common Issues
Invalid credentials or authentication failure
Error message example:
Authentication failed: Client ID or Client Secret invalid.
This indicates that the client ID, client secret, or customer ID entered in the connection configuration is incorrect.
To resolve:
- In Sophos Central, click the Global Settings icon.
- Go to Access Control > API Credentials.
- Click Credentials.
- Confirm the credential is assigned the Service Principal Read Only role.
- Regenerate and replace the Client Secret in SIEM (InsightIDR) if needed.
- Save and test the event source again.
To test whether the issue is resolved, open View Raw Log after saving the updated configuration.