Configure the Sophos Monitor

Access Sophos threats on your RocketCyber dashboard and enable the SOC to take action.

Overview

The Sophos App is designed to retrieve all threat data from the Sophos dashboard and to operate across all tenants (customers) where Sophos malware protection is deployed.

Required Permissions

The account that you use to log on to the Sophos Partner Portal to generate the API Credentials must have access to the threat data. If you are creating a custom role, select Full for Endpoint and Server Protection, then scroll down to Feature and select Enable access to logs and alerts. If you are using the Partner Super Admin to log in and generate the API Token, the default permissions are set and no customization is needed.

How to Set Up

  1. Find your Sophos API Credentials
    1. Log in to the Sophos Partner Portal (not Sophos Central Admin).
    2. Go to Configure / Settings & Policies and select API Credentials
    3. Click Add Credentials
    4. Type a Name and Description such as RocketCyber SOC, then click Add
    5. Copy both the Client ID and Client Secret (Note - the client secret is only shown once)
  2. Then, in the RocketCyber SOC platform, navigate to Integrations / Antivirus / Sophos Monitor and paste both the Client ID and Client Secret
  3. Map your Sophos customers to RocketCyber customers to align the threat data 

Congratulations, your Sophos NGAV threat telemetry is now connected to the RocketCyber SOC.