Sophos Central Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Sophos Central input supports collecting Sophos events and alerts from the Sophos Central SIEM Integration API.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

Required Sophos Setup

To retrieve logs from the Sophos SIEM Integration API, this input requires Sophos API authentication credentials. Follow the official Sophos API Credentials Management documentation for setup instructions. When configuring the credentials, select Service Principal Read-Only to grant the necessary access to SIEM Integration logs.

Once the API credentials are generated, enter the Client ID and Client Secret into the Graylog input configuration.

Graylog Input Configuration

Warning: The Sophos SIEM Integration API only retains log data for 24 hours. We recommend that you do not leave this input stopped for long periods; any stop longer than that retention window produces gaps in the logs.

When launching this input from the Graylog Inputs tab, the following options are available:

  • Input Name: Provide a unique name for your new input.

  • Client ID: Enter the Client ID provided during the Sophos API Credential setup.

  • Client Secret: Enter the Client Secret provided during the Sophos API Credential setup.

  • Ingest Alerts: This input always ingests Sophos events. Select this checkbox to also ingest Sophos alerts. See the Sophos documentation for additional details.

  • Polling Interval: Determines how often (in minutes) the input checks for new logs to read. The shortest allowable interval is 5 minutes.

  • Enable Throttling: If enabled, no new messages are read from this input until Graylog catches up with its message load.
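The 24-hour retention warning above has a direct operational consequence: an input left stopped for longer than that window loses data that can never be re-fetched. The following is an added example (not Graylog's or Sophos's own code) that checks the polling interval against the documented minimum and computes which time windows become unrecoverable from a list of poll timestamps; it assumes that a poll at time t can retrieve events from t minus 24 hours up to t, and the sample poll times are constructed.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Values taken from the page: the SIEM Integration API keeps 24 hours of data
# and the input's shortest polling interval is 5 minutes.
RETENTION = timedelta(hours=24)
MIN_POLL_MINUTES = 5


def validate_polling_interval(minutes: int) -> int:
    """Reject intervals the input would refuse; return the value otherwise."""
    if minutes < MIN_POLL_MINUTES:
        raise ValueError(f"polling interval must be at least {MIN_POLL_MINUTES} minutes")
    return minutes


def lost_windows(poll_times: List[datetime], now: datetime) -> List[Tuple[datetime, datetime]]:
    """Return (start, end) periods whose events can no longer be fetched.

    Assumption (not stated by the page beyond the 24-hour retention): a poll
    at time t retrieves events from t - RETENTION up to t. Events between a
    poll and the start of the next poll's window are unrecoverable whenever
    the gap between the two polls exceeds RETENTION. The current time is
    treated as the next poll so that an input still stopped is reported too.
    """
    times = sorted(poll_times) + [now]
    gaps = []
    for earlier, later in zip(times, times[1:]):
        if later - earlier > RETENTION:
            gaps.append((earlier, later - RETENTION))
    return gaps


def time_until_loss(last_poll: datetime, now: datetime) -> timedelta:
    """How long the input may stay stopped before the oldest unfetched events expire."""
    remaining = last_poll + RETENTION - now
    return max(remaining, timedelta(0))


# Constructed sample: hourly polls, then the input is stopped for 30 hours.
SAMPLE_POLLS = [
    datetime(2024, 1, 1, 0, 0),
    datetime(2024, 1, 1, 1, 0),
    datetime(2024, 1, 2, 7, 0),  # 30 hours after the previous poll
    datetime(2024, 1, 2, 8, 0),
]

if __name__ == "__main__":
    now = datetime(2024, 1, 2, 9, 0)
    for start, end in lost_windows(SAMPLE_POLLS, now):
        print(f"unrecoverable events between {start} and {end}")
    print(f"time left before further loss: {time_until_loss(SAMPLE_POLLS[-1], now)}")
```

Feeding the function the timestamps of the input's last successful polls (for example, from Graylog's own input metrics) gives an early signal to restart the input before the window closes.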