With a configured connection between the AlienApp for Sophos Central on a deployed USM Anywhere Sensor and your Sophos Central environment, the predefined log collection jobs perform scheduled API queries for Sophos events or alerts. When USM Anywhere collects and analyzes the first of these, the normalized events are available on the Events page.
Required Connectivity on the USM Anywhere Sensor
An AlienApp operates through a deployed USM Anywhere Sensor. In order to use the AlienApp for Sophos Central, there is an additional port that you must open on the sensor to support its functions.
| Port | Endpoint | Purpose |
|---|---|---|
| 443 | api1.central.sophos.com/gateway/siem/v1/events | Collect event data from Sophos Central |
| 443 | api1.central.sophos.com/gateway/siem/v1/alerts | Collect alert data from Sophos Central |
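Before enabling the AlienApp it is worth confirming, from the sensor itself, that outbound TCP 443 to the Sophos gateway host is open and that a TLS handshake with a verifiable certificate completes (a proxy or egress filter that terminates TLS will show up here as a failed handshake). The following is an added example, not part of this page or of the USM Anywhere product; it only uses the host, port and paths from the table above, and the `timeout` value is an arbitrary choice.

```python
import socket
import ssl

# Endpoints taken from the connectivity table for the AlienApp for Sophos Central.
SOPHOS_ENDPOINTS = [
    ("api1.central.sophos.com", 443, "/gateway/siem/v1/events"),
    ("api1.central.sophos.com", 443, "/gateway/siem/v1/alerts"),
]


def check_tcp(host, port, timeout=5.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tls(host, port, timeout=5.0):
    """Return the negotiated TLS version if a handshake succeeds using the
    default context (which verifies the server certificate against the
    system trust store), otherwise None."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):  # socket.timeout is an OSError subclass
        return None


def check_endpoints(endpoints=SOPHOS_ENDPOINTS, timeout=5.0):
    """Run both checks once per distinct host:port and report per endpoint URL."""
    results = {}
    cache = {}
    for host, port, path in endpoints:
        key = (host, port)
        if key not in cache:
            tcp = check_tcp(host, port, timeout)
            tls = check_tls(host, port, timeout) if tcp else None
            cache[key] = {"tcp": tcp, "tls": tls}
        results[f"https://{host}:{port}{path}"] = cache[key]
    return results


if __name__ == "__main__":
    for url, status in check_endpoints().items():
        if status["tls"]:
            verdict = "OK"
        elif status["tcp"]:
            verdict = "TCP only"   # port open but TLS failed: check proxies/inspection
        else:
            verdict = "UNREACHABLE"
        print(f"{verdict:12} {url}  tcp={status['tcp']} tls={status['tls']}")
```

Run it on the sensor host (or any host in the same network segment); a result of "TCP only" usually points at TLS interception or a certificate trust problem rather than a closed port.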
Configuration for the Sophos Central Connection
To enable AlienApp for Sophos Central functionality within USM Anywhere, you must configure the AlienApp by providing a valid Sophos Central API token. With a successful connection to your Sophos Central environment, the AlienApp for Sophos Central log collection jobs query the API every 20 minutes for event and/or alert information. USM Anywhere parses all collected data and displays it as Events and Alarms.
As a Sophos Central administrator, you must create the API token that the AlienApp uses to connect to your Sophos Central data through the Sophos Central APIs. The token is valid for one year. To maintain the USM Anywhere connection, you must renew the token before it expires.
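To make the collection job described above concrete, here is an added example (not code from this page or from the USM Anywhere product) of what a 20-minute poll of the `/siem/v1/events` or `/siem/v1/alerts` endpoint looks like when written by hand. It assumes the copied "API Access URL + Headers" text is a set of `name: value` lines starting with a `URL:` line, and that the SIEM API accepts `limit` and `cursor` query parameters and returns `items`, `has_more` and `next_cursor`; verify both against the token summary page in Sophos Central. The token values are constructed placeholders, and the `fake_fetch` transport stands in for HTTPS so the block runs offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed format of the "API Access URL + Headers" text copied from Sophos
# Central: one "name: value" pair per line, the first being the gateway URL.
# Constructed sample; these are not real credentials.
SAMPLE_ACCESS_TEXT = """URL: https://api1.central.sophos.com/gateway
x-api-key: EXAMPLE-API-KEY-PLACEHOLDER
Authorization: Basic RVhBTVBMRTpQTEFDRUhPTERFUg=="""

POLL_INTERVAL_SECONDS = 20 * 60   # the AlienApp queries the API every 20 minutes


def parse_access_text(text):
    """Split the copied text into the base URL and the HTTP headers to send."""
    fields = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    base_url = fields.pop("URL")
    return base_url, fields


def http_get_json(url, headers):
    """Default transport: GET a JSON document over HTTPS with certificate checks."""
    with urlopen(Request(url, headers=headers), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def poll(kind, base_url, headers, cursor=None, fetch=http_get_json, limit=1000):
    """Fetch all pending Sophos `events` or `alerts`, following next_cursor.

    Assumed query parameters (limit, cursor) and response keys (items,
    has_more, next_cursor). Returns (items, cursor_to_persist); the caller
    stores the cursor and passes it back on the next scheduled run so no
    record is collected twice."""
    assert kind in ("events", "alerts")
    items = []
    while True:
        params = {"limit": limit}
        if cursor:
            params["cursor"] = cursor
        page = fetch(f"{base_url}/siem/v1/{kind}?{urlencode(params)}", headers)
        items.extend(page.get("items", []))
        cursor = page.get("next_cursor", cursor)
        if not page.get("has_more"):
            return items, cursor


# Constructed offline transport that mimics two pages of results.
FAKE_PAGES = {
    None: {"items": [{"id": "e1", "severity": "high"}, {"id": "e2", "severity": "low"}],
           "has_more": True, "next_cursor": "c1"},
    "c1": {"items": [{"id": "e3", "severity": "medium"}],
           "has_more": False, "next_cursor": "c2"},
}


def fake_fetch(url, headers):
    """Offline stand-in for http_get_json, keyed on the cursor in the URL."""
    assert headers.get("x-api-key") and headers.get("Authorization")
    cursor = None
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        if pair.startswith("cursor="):
            cursor = pair.split("=", 1)[1]
    return FAKE_PAGES[cursor]


def run_offline_demo():
    """One simulated collection run: returns (collected ids, cursor to persist)."""
    base_url, headers = parse_access_text(SAMPLE_ACCESS_TEXT)
    items, cursor = poll("events", base_url, headers, fetch=fake_fetch)
    return [i["id"] for i in items], cursor


if __name__ == "__main__":
    ids, cursor = run_offline_demo()
    print(f"collected {len(ids)} events {ids}; next cursor to persist: {cursor}")
```

Replace `fetch=fake_fetch` with the default transport and schedule the call every `POLL_INTERVAL_SECONDS`; persisting the returned cursor between runs is what keeps the feed gap-free across restarts, and the `x-api-key` and `Authorization` values should live in a secrets store rather than in the script.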
To add a Sophos Central API token
- Log in to your Sophos Central environment and select Global Settings.
- In the Administration section of the page, click API Token Management.
- Click Add Token at the top-right corner of the page.
- Enter a Token Name, such as usm-anywhere.
  The Sophos Central UI displays a summary page for the generated token, including the URL and header information used to access the APIs with the token.
- On the right of the API Access URL + Headers box, click Copy.
  (Optional) If needed, store the value in a secure location so that it is available for configuring the AlienApp for Sophos Central connection. If you plan to immediately configure the AlienApp for Sophos Central connection on the same system, you can simply leave the value in your clipboard.
After you create the API token in Sophos Central, you can configure the connection within USM Anywhere.
To enable the AlienApp for Sophos Central connection
- In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
- Click the AlienApps tab.
- In the AlienApps page, click the Sophos Central tile.
- If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.
  USM Anywhere AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Choose the sensor that can access the integration endpoint.
- Select the Settings tab.
- Click Change Sophos Central API Access URL + Headers.
- Enter the API token value you copied in the API Access URL + Headers field.
- (Optional) Modify the data options for log collection.
  The Collect Sophos Central events and Collect Sophos Central alerts options are selected by default. You can clear either of these selections to limit the data collection from your Sophos Central environment.
- Click Save.
- Select the Status tab to verify the connection.
  After USM Anywhere completes a successful connection to the Sophos Central APIs, this tab displays the icon in the HEALTH column for the AlienApp.
  If you see the icon, there is a problem with the connection. The MESSAGE column provides information about the issue. If this is the case, repeat the steps to fix the configuration or troubleshoot your Sophos Central connection.