Access Sophos threats on your RocketCyber dashboard and enable the SOC to take action.
The Sophos App retrieves threat data from Sophos Central for every tenant (organization) where Sophos malware protection is deployed, so a single set of partner-level API credentials covers all of your customers.
The account you log in to the Sophos Partner Portal with to generate the API credentials must have access to the threat data. If you are creating a custom role, select Full for Endpoint and Server Protection, then scroll down to Feature and select Enable access to logs and alerts. If you log in as the Partner Super Admin to generate the API credentials, the default permissions already grant this access and no customization is needed.
How to Set Up
- Find your Sophos API credentials:
- Log in to the Sophos Partner Portal (Sophos Central Admin credentials are not supported).
- Go to Configure / Settings & Policies and select API Credentials.
- Click Add Credentials.
- Type a Name and Description such as RocketCyber SOC, then click Add.
- Copy both the Client ID and Client Secret (the Client Secret is shown only once, so copy it now; if you lose it you will have to create a new credential).
- In the RocketCyber SOC platform, go to Integrations / Antivirus / Sophos Monitor and paste both the Client ID and Client Secret.
- Map your Sophos tenants to RocketCyber organizations so the threat data lands in the right organization.
Congratulations, your Sophos NGAV threat telemetry is now connected to the RocketCyber SOC.
NOTE: Top-level partner credentials must be used for the integration. Credentials generated at the tenant level are not supported and will produce an error message.
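Before pasting a freshly created Client ID and Client Secret into RocketCyber, it is worth confirming that the credential really is partner-level, since a tenant-level credential is exactly what produces the error described in the note above. The following Python script is an added example, not RocketCyber's or Sophos's own code: it exchanges the credential for a bearer token, calls Sophos Central's whoami endpoint and reports whether the returned principal type is partner. The token and whoami URLs, the scope=token parameter and the idType field follow Sophos Central's public API documentation and are assumptions of this example rather than something the page states; the two sample whoami responses are constructed for the offline checks.

```python
"""Pre-flight check for a Sophos Central API credential before it goes into RocketCyber.

Exchanges the Client ID / Client Secret for a bearer token, calls /whoami/v1 and reports
whether the credential is partner-level (required) or tenant-level (rejected).
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Endpoint URLs and response field names follow Sophos Central's public API
# documentation; they are assumptions of this example, not something the page states.
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

# Constructed sample /whoami/v1 responses (not captured from a real account).
SAMPLE_PARTNER_WHOAMI = {
    "id": "11111111-2222-3333-4444-555555555555",
    "idType": "partner",
    "apiHosts": {"global": "https://api.central.sophos.com"},
}
SAMPLE_TENANT_WHOAMI = {
    "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "idType": "tenant",
    "apiHosts": {
        "global": "https://api.central.sophos.com",
        "dataRegion": "https://api-us01.central.sophos.com",
    },
}


def token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the OAuth2 client-credentials request (form-encoded body, scope=token)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def whoami_request(access_token: str) -> urllib.request.Request:
    """Build the GET /whoami/v1 request that reports what kind of principal the token is."""
    return urllib.request.Request(
        WHOAMI_URL, headers={"Authorization": f"Bearer {access_token}"}
    )


def check_whoami(payload: dict) -> dict:
    """Decide whether a /whoami/v1 payload describes a credential RocketCyber will accept.

    Only idType "partner" works: the integration enumerates every tenant under the partner,
    which a tenant-scoped credential cannot do (the error case the page's NOTE warns about).
    """
    id_type = str(payload.get("idType", "")).lower()
    if id_type == "partner":
        reason = "partner-level credential; the integration can enumerate all tenants"
    elif id_type == "tenant":
        reason = ("tenant-level credential; not supported, generate the credential "
                  "in the Sophos Partner Portal instead")
    else:
        reason = f"unsupported idType {id_type or 'missing'!r}; expected 'partner'"
    return {"ok": id_type == "partner", "id_type": id_type or "unknown",
            "principal_id": payload.get("id"), "reason": reason}


def mask_secret(secret: str) -> str:
    """Show only the last four characters so the secret never lands in a log line."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


def main() -> int:
    client_id = os.environ.get("SOPHOS_CLIENT_ID", "")
    client_secret = os.environ.get("SOPHOS_CLIENT_SECRET", "")
    if not client_id or not client_secret:
        print("set SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET first", file=sys.stderr)
        return 2
    print(f"checking client {client_id} with secret {mask_secret(client_secret)}")
    with urllib.request.urlopen(token_request(client_id, client_secret), timeout=30) as resp:
        access_token = json.load(resp)["access_token"]
    with urllib.request.urlopen(whoami_request(access_token), timeout=30) as resp:
        verdict = check_whoami(json.load(resp))
    print(verdict["reason"])
    return 0 if verdict["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the Client ID and Client Secret in the SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET environment variables rather than on the command line, so the secret does not end up in shell history; exit code 0 means the credential is partner-level and safe to paste into Sophos Monitor, 1 means it is tenant-level or otherwise unusable.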