Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Sophos Central Events | ✅ | ✅ | sophos_central_events | NDJSON | API |
Sophos Central Alerts | ✅ | ✅ | sophos_central_alerts | NDJSON | API |
Overview
Sophos Central Endpoint (Sophos CE) is a cloud-based security solution that provides advanced protection for endpoints against malware, ransomware, and other cyber threats. It uses artificial intelligence, behavioral analysis, and real-time threat intelligence to detect and prevent attacks before they can cause damage. Sophos CE includes features like web filtering, application control, and automated threat response, allowing security teams to monitor and manage endpoint security from a centralized dashboard. It is designed to provide comprehensive protection for businesses by securing devices across various environments, including on-premises and cloud-based infrastructures.
Supported data types
Sophos Central Events
Table name: sophos_central_events
Events recorded by Sophos Central, such as a virus or spyware being detected or cleaned up, suspicious behavior or a suspicious file being detected, and so on.
Sophos Central Alerts
Table name: sophos_central_alerts
Alerts in Sophos Central are crucial for maintaining the security and performance of your IT environment. They notify administrators of potential threats, system health issues, and compliance status changes in real-time.
📘 Learn more
Sophos Central gathers information from all Sophos products, such as Sophos XG Firewall, Sophos UTM, and more.
Send data to Hunters
Hunters collects Sophos Central logs through the Sophos Central API. Before you start, collect the following details from Sophos Central:
Client ID
Client Secret
Tenant ID
Region
⚠️ Note
To allow Hunters to fetch Sophos logs, the user configuring the integration must have Super-Admin permissions, as detailed here.
To connect Sophos logs:
Retrieve your Sophos Client ID and Secret:
Log into Sophos Central Admin and go to Global Settings > API Credentials Management.
To create a new credential, click Add Credential in the top-right corner of the screen.
Assign the appropriate role for the credential and add a description.
Click Add.
The API credential Summary for this credential is displayed. Click Show Client Secret to display the Client Secret.
Copy and save the Client ID and Client Secret in a safe place, such as a secrets manager; treat the secret like a password, and note that Sophos Central does not display it again once you leave the summary.
To retrieve your tenant ID, go to Account name > Account Details > Sophos Support and locate the unique ID for your Sophos Central account. This is your tenant ID.
Follow this guide to retrieve your region.
📘 About the Region field
In the table in the guide mentioned above, find the API Host value that matches your Data Region. For instance, if your data region is US (East), the API Host is https://api-us03.central.sophos.com.
Take the label between api- and the first dot of that hostname and paste it into the Region field on Hunters.
In this example, enter us03 in the Region field.
Complete the process on the Hunters platform, following this guide.
Expected Format
Logs are expected in newline-delimited JSON (NDJSON): one JSON object per line, as in the samples below.
Sophos Central Events
{"type": "Event::Endpoint::UpdateSuccess", "source": "Person", "severity": "low", "name": "Update succeeded", "location": "LDDD12985", "id": "11111-0526-493f-96fb-bef6976f5797", "source_info": {"ip": "10.101.246.70"}, "customer_id": "bb84e9d3-877e-4b58-a8a0-b35e0370f06a", "endpoint_id": "111111-2118-491e-8e92-343f099ecbdc", "endpoint_type": "computer", "created_at": "2021-03-11T09:07:15.836Z", "user_id": "59111111069cc714ddf5fd60", "when": "2021-03-11T09:07:15.821Z", "group": "UPDATING"}
Sophos Central Alerts
{"description": "Policy non-compliance: Network Threat Protection", "type": "Event::Endpoint::NonCompliant", "source": "CMRE\\Tthree", "data": {"app_id": "NTP", "created_at": 1678540511141, "endpoint_id": "7d4111e-6fcc-4b57-8878-3d8a6eaf6d44", "endpoint_java_id": "7d4f111-6fcc-4b57-8878-3d8a6eaf6d44", "endpoint_platform": "windows", "endpoint_type": "computer", "event_service_id": {"type": 3, "data": "Uw21111DTKOIz16sJIdYnw=="}, "inserted_at": 1678540578041, "make_actionable_at": 1678549578039, "policy_type": 24, "source_info": {"ip": "172.10.10.10"}, "user_match_id": {"timestamp": 1116878171, "date": 1616111171000}, "user_match_uuid": {"type": 3, "data": "7+Fo611HHC2RMlBp9NqVg=="}}, "severity": "medium", "location": "CMRE-TR-3", "id": "5311115f-cf18-4ca3-88cf-5eac2487589f", "customer_id": "bb111113-877e-4b58-a8a0-b35e0370f06a", "event_service_event_id": "111111-cf18-4ca3-88cf-5eac2487589f", "created_at": "2021-03-11T13:16:18.042Z", "when": "2021-03-11T15:46:18.039Z"}
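As an added example (not part of this page, and not Hunters' or Sophos' code), the following Python reads the two sample records above as NDJSON, flattens events and alerts into one shape even though alerts nest endpoint_id and source_info under data and use epoch milliseconds inside it, filters by severity, and derives the Region value from an API Host the way the "About the Region field" note describes. The field names come from the samples and the us03 host from that note; everything else is this example's own assumption: the severity ordering, the normalized record layout, the trimmed alert data, and the deliberately corrupt line added to the constructed input.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed input: the two records from the "Expected Format" section above,
# one JSON object per line (NDJSON). The alert's nested `data` is trimmed to the
# fields used here, and one truncated copy of the event is appended on purpose
# so the loader has to cope with a corrupt line.
EVENTS_NDJSON = "\n".join([
    r'{"type": "Event::Endpoint::UpdateSuccess", "source": "Person", "severity": "low", "name": "Update succeeded", "location": "LDDD12985", "id": "11111-0526-493f-96fb-bef6976f5797", "source_info": {"ip": "10.101.246.70"}, "customer_id": "bb84e9d3-877e-4b58-a8a0-b35e0370f06a", "endpoint_id": "111111-2118-491e-8e92-343f099ecbdc", "endpoint_type": "computer", "created_at": "2021-03-11T09:07:15.836Z", "user_id": "59111111069cc714ddf5fd60", "when": "2021-03-11T09:07:15.821Z", "group": "UPDATING"}',
    '{"type": "Event::Endpoint::UpdateSuccess", "source": "Person", "severity": "lo',  # corrupt line
])
ALERTS_NDJSON = (
    r'{"description": "Policy non-compliance: Network Threat Protection", '
    r'"type": "Event::Endpoint::NonCompliant", "source": "CMRE\\Tthree", '
    r'"data": {"app_id": "NTP", "created_at": 1678540511141, '
    r'"endpoint_id": "7d4111e-6fcc-4b57-8878-3d8a6eaf6d44", '
    r'"endpoint_platform": "windows", "endpoint_type": "computer", '
    r'"inserted_at": 1678540578041, "source_info": {"ip": "172.10.10.10"}}, '
    r'"severity": "medium", "location": "CMRE-TR-3", '
    r'"id": "5311115f-cf18-4ca3-88cf-5eac2487589f", '
    r'"created_at": "2021-03-11T13:16:18.042Z", "when": "2021-03-11T15:46:18.039Z"}'
)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}  # ordering assumed for this example


def parse_timestamp(value):
    """The samples carry time two ways: ISO-8601 strings with a trailing Z at the
    top level, and epoch milliseconds inside an alert's `data`. Return aware UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_ndjson(text):
    """Decode one JSON object per line; a bad line is skipped and counted, not fatal."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def normalize(record, table):
    """Flatten an event or alert into one shape. Alerts keep endpoint_id and
    source_info under `data`; events keep them at the top level, so look in both."""
    data = record.get("data") or {}
    source_info = record.get("source_info") or data.get("source_info") or {}
    return {
        "table": table,
        "type": record["type"],
        "severity": str(record.get("severity", "")).lower(),
        "endpoint_id": record.get("endpoint_id") or data.get("endpoint_id"),
        "source_ip": source_info.get("ip"),
        "when": parse_timestamp(record["when"]),
        "detail": record.get("name") or record.get("description"),
    }


def ingest(events_text, alerts_text):
    """Normalize both feeds; returns (records, number_of_corrupt_lines_skipped)."""
    events, bad_events = load_ndjson(events_text)
    alerts, bad_alerts = load_ndjson(alerts_text)
    records = [normalize(r, "sophos_central_events") for r in events]
    records += [normalize(r, "sophos_central_alerts") for r in alerts]
    return records, bad_events + bad_alerts


def at_least(records, min_severity):
    """Records at or above `min_severity`. Labels not in SEVERITY_RANK are kept,
    because silently dropping what you cannot rank is how detections go quiet."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in records if SEVERITY_RANK.get(r["severity"], floor) >= floor]


def region_from_api_host(api_host):
    """'https://api-us03.central.sophos.com' -> 'us03', the value the Region field wants.
    Accepts a full URL or a bare hostname; rejects anything not of the api-<region> form."""
    host = urlparse(api_host).hostname or api_host
    label = host.split(".", 1)[0]
    if not label.startswith("api-") or len(label) == len("api-"):
        raise ValueError(f"not a Sophos Central API host: {api_host!r}")
    return label[len("api-"):]


if __name__ == "__main__":
    rows, skipped = ingest(EVENTS_NDJSON, ALERTS_NDJSON)
    print(f"{len(rows)} records normalized, {skipped} corrupt line(s) skipped")
    for r in at_least(rows, "medium"):
        print(r["table"], r["type"], r["severity"], r["endpoint_id"], r["source_ip"], r["when"].isoformat())
    print("region:", region_from_api_host("https://api-us03.central.sophos.com"))
```

Run it as a script to see the medium-and-above records (only the NonCompliant alert from the samples) and the derived region; the functions are also importable so the same normalization can be pointed at a real NDJSON export before the data reaches Hunters.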