victorthai
New Member
February 8, 2025
Question

Central Sophos For FortiSIEM


How do I integrate Sophos Central with my FortiSIEM? The manual says I need an API Key, but in Sophos, I only have a Client ID and Client Secret?

6 replies

funkylicious
SuperUser
February 8, 2025
  1. Login to Sophos Central Website.
  2. Go to Global Settings > API Token Management. Click Add Token.
    The Token will display.

Get the API Key from the headers (the part between x-api-key: and Authorization Basic).

 

https://docs.fortinet.com/document/fortisiem/7.3.0/external-systems-configuration-guide/750644/sophos-central#Integrat 

"jack of all trades, master of none"
victorthai
New Member
February 9, 2025

As you can see in the screenshot, only the Client ID and Secret ID appear, which is not the API Key.

[Screenshot_22.png]

funkylicious
SuperUser
February 9, 2025

Try this command to get the token/API key and see if it works:

 

curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=<client-id>&client_secret=<client-secret>&scope=token" \
  https://id.sophos.com/api/v2/oauth2/token

 

"jack of all trades, master of none"

M1kemclain247
Visitor III
March 13, 2025

Also struggling with this. It seems Sophos are no longer allowing you to create API Tokens, and are now enforcing use of API Credentials with Client ID and Secret Key.

[api_token.png]

I'm suspecting Fortinet might need to review/update the Integration for Sophos Central API to cater for this change?

I also need this working ASAP and I've tried different combinations but cannot get this working.

M1kemclain247
Visitor III
March 14, 2025

They no longer use API tokens in their system. You can obtain an "access token" once you authenticate using the Client Secret & Client ID, but that access token just allows you to then interact with their API.

emoran46
New Member
May 20, 2025

Hi @victorthai 

FSM has been patched to support the latest Sophos Central changes.

You need to use the latest versions:
v7.2.5 FortiSIEM works OK
v7.3.2 FortiSIEM works OK

Regards,

M1kemclain247
Visitor III
May 24, 2025

Hi, can you show a working example that this worked for you?

Right now the current documentation for v7.3.2 is still outdated and points you to setting up API Tokens.

http://docs.fortinet.com/index.php/document/fortisiem/7.3.2/external-systems-configuration-guide/750644#Configur2

I am running the latest build of FortiSIEM, upgraded to 7.3.2.0374.

failed (Sophos Central API Failed with http response code 404)

[Screenshots: API IP Associations.png, Creds.png, version.png]

This Sophos guide describes and gives a sample script of how to connect to the API. For example, we are a Sophos partner and need to specify a tenant ID,

but in FortiSIEM I don't see options for these.

https://support.sophos.com/support/s/article/KBA-000004400?language=en_US
https://github.com/sophos/Sophos-Central-SIEM-Integration

For example, running the script gives me the info below:

Whoami response: b'{"id":"8565f549-ed06-4164-90bf-b127a88c7661","idType":"tenant","apiHosts":{"global":"https://api.central.sophos.com","dataRegion":"https://api-eu01.central.sophos.com"}}'
URL: https://api-eu01.central.sophos.com/siem/v1/events?limit=1000&cursor=VjJfQ1VSU09SfDIwMjUtMDMtMTNUMTk6NDk6NTAuNjM5Wg==

The furthest I've gotten is the error below, when I use the URLs that are in the Sophos-provided script, not the URLs from the FortiSIEM documentation.

[Screenshots: step 1.png, step 2.png]
M1kemclain247
Visitor III
May 24, 2025

Here is a sample curl query that works to pull events from the Sophos API. The following works to show that you can do it, but within FortiSIEM I have no idea where the parameters need to be set, as the documentation doesn't specify this.

We need four items:

  1. ClientId
  2. ClientSecret
  3. AccessToken - handled by FortiSIEM when logging in?
  4. Tenant ID - handled by FortiSIEM?

1. Access Token

Obtain this by authenticating with your Client ID and Client Secret (from Sophos Central API credentials):

curl -X POST "https://id.sophos.com/api/v2/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID_HERE&client_secret=YOUR_CLIENT_SECRET_HERE&scope=token"

Response will include:

"access_token": "YOUR_ACCESS_TOKEN"



2. Tenant ID

Once you have the token, use it to get your Tenant ID:

curl -X GET "https://api.central.sophos.com/whoami/v1" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN_HERE"

Response will include:

"id": "YOUR_TENANT_ID",
"apiHosts": {
  "dataRegion": "https://api-eu01.central.sophos.com"
}

 

3. Pull Events

Now query for SIEM events using the Access Token, Tenant ID, and the correct regional endpoint:

curl -X GET "https://api-eu01.central.sophos.com/siem/v1/events?limit=200" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN_HERE" \
  -H "X-Tenant-ID: YOUR_TENANT_ID_HERE" | \
  jq -r '.items[] | [.type, .name, .severity, .location, .when] | @csv' > events.csv


Sample final output from Sophos API Events:

Event::Endpoint::UpdateSuccess	Update succeeded	low	IGNATIUS-LAP	2025-05-23T08:06:54.083Z
Event::Endpoint::Device::AlertedOnly	Peripheral allowed: SAMSUNG Mobile USB Modem	low	DESKTOP-QBECLHU	2025-05-23T08:07:48.596Z
Event::Endpoint::Device::AlertedOnly	Peripheral allowed: Galaxy A06	low	DESKTOP-QBECLHU	2025-05-23T08:07:48.605Z
Event::Endpoint::UpdateSuccess	Update succeeded	low	NITS-NDEGE-VM	2025-05-23T08:09:58.298Z



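The three-step exchange M1kemclain247 walks through above (and the token request funkylicious posted earlier), as an added example that is not part of the thread or of Fortinet's or Sophos's own code: a small Python client that gets the bearer token, resolves the tenant id and data-region host from whoami, then pages /siem/v1/events on the regional host with the X-Tenant-ID header. The transport is injectable, so the block runs offline against constructed canned responses; the host names are the ones from the thread, while the tenant id, token and event records in the canned data are made up, and the has_more/next_cursor field names in the events response are assumed from Sophos's public SIEM Integration API rather than shown on the page. The fake transport answers 404 when /siem/v1/events is requested on the global host or without X-Tenant-ID, matching the 404 seen in the thread; the partner-credential guard (whoami idType other than "tenant" requires an explicit tenant id) is likewise an assumption based on the partner comment above.

```python
"""Sophos Central SIEM pull: token -> whoami -> regional /siem/v1/events.

Added example (not from the thread, Fortinet or Sophos). The transport is
injectable so the flow runs offline; has_more/next_cursor are assumed
field names of the SIEM Integration API, not shown on the page.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

ID_URL = "https://id.sophos.com/api/v2/oauth2/token"
GLOBAL_API = "https://api.central.sophos.com"


def http_transport(method, url, headers=None, body=None):
    """Real transport: returns (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return e.code, None


class SophosSiemClient:
    def __init__(self, client_id, client_secret, transport=http_transport, tenant_id=None):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.tenant_id = transport, tenant_id
        self.token = self.data_region = None

    def authenticate(self):
        """Step 1: client_credentials grant against the identity service."""
        body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": self.client_id,
                                       "client_secret": self.client_secret,
                                       "scope": "token"}).encode()
        status, doc = self.transport("POST", ID_URL,
                                     {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200 or not doc or "access_token" not in doc:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = doc["access_token"]
        return self.token

    def whoami(self):
        """Step 2: tenant id and data-region host come from whoami on the global host."""
        status, doc = self.transport("GET", GLOBAL_API + "/whoami/v1",
                                     {"Authorization": "Bearer " + self.token})
        if status != 200 or not doc:
            raise RuntimeError(f"whoami failed: HTTP {status}")
        if doc.get("idType") == "tenant":
            self.tenant_id = doc["id"]
        elif not self.tenant_id:  # assumption: partner/org creds must name a tenant
            raise RuntimeError(f"idType={doc.get('idType')!r}: pass tenant_id explicitly")
        self.data_region = doc["apiHosts"]["dataRegion"]
        return self.tenant_id, self.data_region

    def events(self, limit=1000, cursor=None):
        """Step 3: page /siem/v1/events on the REGIONAL host with X-Tenant-ID.
        Hitting the global host here is what produced the 404 in the thread."""
        while True:
            params = {"limit": limit}
            if cursor:
                params["cursor"] = cursor
            url = f"{self.data_region}/siem/v1/events?{urllib.parse.urlencode(params)}"
            status, doc = self.transport("GET", url, {"Authorization": "Bearer " + self.token,
                                                      "X-Tenant-ID": self.tenant_id})
            if status != 200 or doc is None:
                raise RuntimeError(f"events fetch failed: HTTP {status} for {url}")
            yield from doc.get("items", [])
            cursor = doc.get("next_cursor")
            if not doc.get("has_more") or not cursor:
                return


def to_rows(events):
    """Same five columns the thread's jq filter extracts."""
    return [(e.get("type"), e.get("name"), e.get("severity"), e.get("location"), e.get("when"))
            for e in events]


# Constructed canned responses (made-up tenant id, token and events) for offline runs.
FAKE_REGION = "https://api-eu01.central.sophos.com"
FAKE_RESPONSES = {
    ("POST", ID_URL): (200, {"access_token": "tok-abc", "expires_in": 3600}),
    ("GET", GLOBAL_API + "/whoami/v1"): (200, {
        "id": "11111111-2222-3333-4444-555555555555", "idType": "tenant",
        "apiHosts": {"global": GLOBAL_API, "dataRegion": FAKE_REGION}}),
    ("GET", FAKE_REGION + "/siem/v1/events?limit=2"): (200, {
        "items": [{"type": "Event::Endpoint::UpdateSuccess", "name": "Update succeeded",
                   "severity": "low", "location": "HOST-A", "when": "2025-05-23T08:06:54.083Z"},
                  {"type": "Event::Endpoint::Device::AlertedOnly", "name": "Peripheral allowed: USB",
                   "severity": "low", "location": "HOST-B", "when": "2025-05-23T08:07:48.596Z"}],
        "has_more": True, "next_cursor": "CURSOR2"}),
    ("GET", FAKE_REGION + "/siem/v1/events?limit=2&cursor=CURSOR2"): (200, {
        "items": [{"type": "Event::Endpoint::UpdateSuccess", "name": "Update succeeded",
                   "severity": "low", "location": "HOST-C", "when": "2025-05-23T08:09:58.298Z"}],
        "has_more": False, "next_cursor": None}),
}


def fake_transport(method, url, headers=None, body=None):
    # Events on the wrong (global) host or without X-Tenant-ID -> 404, as in the thread.
    if "/siem/v1/events" in url and (not url.startswith(FAKE_REGION)
                                     or "X-Tenant-ID" not in (headers or {})):
        return 404, None
    return FAKE_RESPONSES.get((method, url), (404, None))


def run_demo(transport=fake_transport):
    c = SophosSiemClient("cid", "secret", transport=transport)
    c.authenticate()
    c.whoami()
    return to_rows(c.events(limit=2))


if __name__ == "__main__":
    for row in run_demo():
        print("\t".join(str(x) for x in row))
```

Swap `fake_transport` for `http_transport` and real credentials to pull from Sophos; the one thing to check first when FortiSIEM or a script reports 404 is that the events URL uses the `dataRegion` host from whoami, not `api.central.sophos.com`.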
M1kemclain247
Visitor III
June 22, 2025

Good day, I have updated to FortiSIEM 7.4.0.0435, which includes support for the latest Sophos Central API. However, it doesn't seem to be working.

 

https://docs.fortinet.com/document/fortisiem/7.4.0/external-systems-configuration-guide/750644/sophos-central 

 

I followed the documentation as per the guide, but it's not pulling events. I can see a heartbeat log, but it's not pulling any info into the dashboard. Raw Message:

[PH_DEV_MON_CLOUD_SERVICE_HEARTBEAT]:[eventSeverity]=PHL_INFO,[fileName]=phBaseAgentManager.cpp,[lineNumber]=167,[phCustId]=2000,[reptVendor]=Sophos,[reptModel]=Central,[reptDevIpAddr]=3.73.86.161,[reptDevName]=api.central.sophos.com,[version]=ANY,[domain]=,[phLogDetail]=

 

[Screenshots: img1.png, Picture1.png]


Cardi
New Member
January 17, 2026

Hi M1kemclain, I'm facing this issue too on the pull events, where it's showing "Execution Failed: Failed to fetch alerts from server". Are you able to share how you resolved this? For context, there is no issue with the API credentials, as I'm able to perform fetch alerts from the log collector.