Configure Endpoint Security - Sophos

Access Sophos threats on your RocketCyber dashboard and enable the SOC to take action.


The Sophos App retrieves all threat data from the Sophos dashboard. It operates across all tenants (organizations) where Sophos malware protection is deployed.

Required Permissions

The account you use to log in to the Sophos Partner Portal to generate the API credentials must have access to the threat data. If you are creating a custom role, select Full for Endpoint and Server Protection, then scroll down to Feature and select Enable access to logs and alerts. If you are using the Partner Super Admin to log in and generate the API token, the default permissions are set and no customization is needed.

How to Set Up

  1. Find your Sophos API Credentials
    • Log in to the Sophos Partner Portal (using credentials from a Sophos Central Admin type account is not supported).
    • Go to Configure / Settings & Policies and select API Credentials.
    • Click Add Credentials.
    • Type a Name and Description such as RocketCyber SOC, then click Add.
    • Copy both the Client ID and Client Secret (note: the Client Secret is only shown once).

  2. In the RocketCyber SOC platform, navigate to Integrations / Antivirus / Sophos Monitor and paste both the Client ID and Client Secret.

  3. Map your Sophos tenants to RocketCyber organizations to align the threat data.

Congratulations, your Sophos NGAV threat telemetry is now connected to the RocketCyber SOC.


NOTE: Top-level admin credentials must be used for the integration. Using tenant-level credentials is not supported and will produce an error message.
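A pre-check for the credential level described in the note above, as an added example that is not part of the original article or of RocketCyber's or Sophos's own tooling. It uses the Sophos Central token and whoami endpoints, which this page does not name. The environment variable names and sample responses are assumptions made for the example.

```python
import json
import os
import urllib.parse
import urllib.request

# Sophos Central API endpoints (not named on this page).
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

# Constructed sample whoami responses; the ids are placeholders.
SAMPLE_PARTNER = {"id": "00000000-0000-0000-0000-000000000001", "idType": "partner"}
SAMPLE_TENANT = {"id": "00000000-0000-0000-0000-000000000002", "idType": "tenant"}


def fetch_whoami(client_id, client_secret, timeout=15):
    """Exchange the API credential for a token, then ask Sophos who owns it."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=form), timeout=timeout) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(WHOAMI_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_credential_level(whoami):
    """Return (ok, message) for a whoami response, judged against the note above."""
    id_type = str(whoami.get("idType", "")).lower()
    if id_type == "partner":
        return True, "partner-level credential: created in the Partner Portal as step 1 requires"
    if id_type == "tenant":
        return False, "tenant-level credential: not supported by this integration"
    return False, f"idType {id_type or 'missing'!r}: not the Partner Portal credential the steps call for"


if __name__ == "__main__":
    # Hypothetical variable names; the environment keeps the secret out of shell history.
    cid = os.environ.get("SOPHOS_CLIENT_ID")
    secret = os.environ.get("SOPHOS_CLIENT_SECRET")
    # Without credentials, fall back to the constructed tenant sample.
    whoami = fetch_whoami(cid, secret) if cid and secret else SAMPLE_TENANT
    ok, message = check_credential_level(whoami)
    print(message)
    raise SystemExit(0 if ok else 1)
```

Because the Client Secret is only shown once, running this before pasting the values into RocketCyber confirms the right credential was captured while it can still be recreated cheaply.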