Sophos Central provides secure APIs for customers. These allow the retrieval of event and alert data from Sophos Central for use in other systems.
The primary goal for these APIs is to allow integration with SIEM (Security Information and Event Management) solutions; the Sophos Central SIEM Integration script achieves this.
If you wish to write your own integration for SIEM or other purposes, we have documentation on the APIs and you may find our existing SIEM integration script a useful starting point.
NOTE: Sophos Support is available only for the two SIEM APIs (Events + Alerts) and our unmodified script. We do not provide advice and troubleshooting for customer created integrations. Your Sophos partner may provide such services, and arrange to involve Sophos’ own Professional Services team if you need assistance beyond Sophos Support’s remit.
This article describes how to create an API token, add the token data to config.ini, and launch the script to import data into your SIEM solution.
Applies to the following Sophos products: Sophos Central Admin
To list the script's command-line options, run:
python siem.py -h
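Because config.ini holds the API token, it is worth checking the file before launching the script: the token field must actually be filled in (not left at its placeholder) and the file must not be readable by other users on the host. The pre-flight check below is an added example and is not part of Sophos' script; the section name `[login]` and key name `token_info` are assumptions for illustration and should be compared against the config.ini shipped with the script. The sample configurations are constructed.

```python
import configparser
import os
import stat
from typing import List, Optional

# Assumed section/key names for the token in config.ini; verify against the
# config.ini that ships with the SIEM integration script.
SECTION = "login"
TOKEN_KEY = "token_info"


def check_config(text: str, mode: Optional[int] = None) -> List[str]:
    """Return a list of problems found in a config.ini body.

    text: the contents of config.ini.
    mode: the file's permission bits (e.g. 0o600); None skips that check.
    """
    problems: List[str] = []
    # interpolation=None so '%' characters inside the token are taken literally.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"config.ini does not parse: {exc}"]

    if not parser.has_section(SECTION):
        problems.append(f"missing [{SECTION}] section")
        return problems

    # The token value is commonly quoted in the ini file; strip quotes before judging it.
    token = parser.get(SECTION, TOKEN_KEY, fallback="").strip().strip("'\"")
    if not token:
        problems.append(f"{TOKEN_KEY} is empty")
    elif token.startswith("<") and token.endswith(">"):
        problems.append(f"{TOKEN_KEY} still holds a placeholder value")

    # The file contains a credential: group/other read access is a finding.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            "config.ini is accessible to group or others; it holds an API token, use mode 0600"
        )
    return problems


def check_config_file(path: str) -> List[str]:
    """Read config.ini from disk and run check_config on its text and mode bits."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    mode = os.stat(path).st_mode & 0o777
    return check_config(text, mode)


# Constructed sample configurations (not real tokens).
UNFILLED_CONFIG = "[login]\ntoken_info = '<Token_Info>'\n"
FILLED_CONFIG = "[login]\ntoken_info = 'url: https://example.invalid, x-api-key: k, Authorization: Basic YWJj'\n"

if __name__ == "__main__":
    for name, cfg, mode in (
        ("unfilled, 0600", UNFILLED_CONFIG, 0o600),
        ("filled, 0644", FILLED_CONFIG, 0o644),
        ("filled, 0600", FILLED_CONFIG, 0o600),
    ):
        print(name, "->", check_config(cfg, mode) or "OK")
```

Run the check against your real file with `check_config_file("config.ini")` before starting siem.py; an empty list means the token is present and the file is private to its owner.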