FortiSIEM Discussions
victorthai
New Contributor

Central Sophos For FortiSIEM

How do I integrate Sophos Central with my FortiSIEM? The manual says I need an API Key, but in Sophos, I only have a Client ID and Client Secret?

funkylicious
SuperUser

  1. Log in to the Sophos Central website.
  2. Go to Global Settings > API Token Management and click Add Token. The token will display.

Get the API key from the Headers field (the part between x-api-key: and Authorization Basic).


https://docs.fortinet.com/document/fortisiem/7.3.0/external-systems-configuration-guide/750644/sopho... 

"jack of all trades, master of none"
victorthai

As you can see in the screenshot, only the Client ID and Secret ID appear, which is not the API Key.

funkylicious

Try this command in order to get the token/API key and see if it works:

curl -XPOST -H "Content-Type:application/x-www-form-urlencoded" \
            -d "grant_type=client_credentials&client_id=<client-id>&client_secret=<client-secret>&scope=token" \
            https://id.sophos.com/api/v2/oauth2/token


"jack of all trades, master of none"

M1kemclain247
New Contributor

Also struggling with this. It seems Sophos are no longer allowing you to create API Tokens, and are now enforcing use of API Credentials with a Client ID and Secret Key.
I'm suspecting Fortinet might need to review/update the integration for the Sophos Central API to cater for this change?

Also need this working ASAP, and I've tried different combinations but cannot get this working.


M1kes
M1kemclain247

They no longer use API tokens in their system. You can obtain an "access token" once you authenticate using the Client Secret and Client ID, but that access token just allows you to then interact with their API.

M1kes
emoran46
New Contributor

Hi @victorthai,

FSM has been patched to support the latest Sophos Central changes.

You need to use the latest versions:
v7.2.5 FortiSIEM works OK
v7.3.2 FortiSIEM works OK

Regards,

M1kemclain247

Hi, can you show a working example that this worked for you?

Right now the current documentation for v7.3.2 is still outdated and pointing you to setting up API Tokens.

http://docs.fortinet.com/index.php/document/fortisiem/7.3.2/external-systems-configuration-guide/750...

I am running the latest build of FortiSIEM, upgraded to 7.3.2.0374.

failed (Sophos Central API Failed with http response code 404)

This Sophos guide describes and gives a sample script of how to connect to the API. For example, we are a Sophos partner and need to specify a tenant ID,

but in FortiSIEM I don't see options for these.

https://support.sophos.com/support/s/article/KBA-000004400?language=en_US
https://github.com/sophos/Sophos-Central-SIEM-Integration

For example, running the script will give me the info below:

Whoami response: b'{"id":"8565f549-ed06-4164-90bf-b127a88c7661","idType":"tenant","apiHosts":{"global":"https://api.central.sophos.com","dataRegion":"https://api-eu01.central.sophos.com"}}'
URL: https://api-eu01.central.sophos.com/siem/v1/events?limit=1000&cursor=VjJfQ1VSU09SfDIwMjUtMDMtMTNUMTk6NDk6NTAuNjM5Wg==

The furthest I've gotten is the error below, when I use the URLs that are in the Sophos-provided script, not the URLs from the FortiSIEM documentation.
M1kes
M1kemclain247

Here is a sample curl query that works to pull events from the Sophos API. The following shows that you can do it, but within FortiSIEM I have no idea where the parameters need to be set, as the documentation doesn't specify this.

We need four items:

  1. Client ID
  2. Client Secret
  3. Access Token - handled by FortiSIEM when logging in?
  4. Tenant ID - handled by FortiSIEM?

1. Access Token

Obtain this by authenticating with your Client ID and Client Secret (from Sophos Central API credentials):

curl -X POST "https://id.sophos.com/api/v2/oauth2/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID_HERE&client_secret=YOUR_CLIENT_SECRET_HERE&scope=token"

Response will include:

"access_token": "YOUR_ACCESS_TOKEN"

2. Tenant ID

Once you have the token, use it to get your Tenant ID:

curl -X GET "https://api.central.sophos.com/whoami/v1" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN_HERE"

Response will include:

"id": "YOUR_TENANT_ID",
"apiHosts": {
  "dataRegion": "https://api-eu01.central.sophos.com"
}


3. Pull Events

Now query for SIEM events using the Access Token, Tenant ID, and the correct regional endpoint:

curl -X GET "https://api-eu01.central.sophos.com/siem/v1/events?limit=200" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN_HERE" \
-H "X-Tenant-ID: YOUR_TENANT_ID_HERE" | \
jq -r '.items[] | [.type, .name, .severity, .location, .when] | @csv' > events.csv


Sample final output from Sophos API Events:

Event::Endpoint::UpdateSuccess	Update succeeded	low	IGNATIUS-LAP	2025-05-23T08:06:54.083Z
Event::Endpoint::Device::AlertedOnly	Peripheral allowed: SAMSUNG Mobile USB Modem	low	DESKTOP-QBECLHU	2025-05-23T08:07:48.596Z
Event::Endpoint::Device::AlertedOnly	Peripheral allowed: Galaxy A06	low	DESKTOP-QBECLHU	2025-05-23T08:07:48.605Z
Event::Endpoint::UpdateSuccess	Update succeeded	low	NITS-NDEGE-VM	2025-05-23T08:09:58.298Z



M1kes
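The three-step flow in the post above (client-credentials token, whoami, then events from the data-region host), as an added Python example that is not from the thread, Fortinet or Sophos. It assumes the pagination field names has_more and next_cursor as used by Sophos's SIEM integration script, and takes the HTTP transport as a parameter so the logic can be exercised offline against constructed responses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

def urllib_transport(method, url, headers, body=None):
    """Real transport: returns (HTTP status, parsed JSON body, or {} on an HTTP error)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, {}

def get_access_token(client_id, client_secret, transport=urllib_transport):
    """Step 1: client-credentials grant. The bearer token returned here is the
    credential the API hosts see; the client secret itself only goes to id.sophos.com."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": "token"}).encode()
    status, data = transport("POST", TOKEN_URL,
                             {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200 or "access_token" not in data:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return data["access_token"]

def whoami(token, transport=urllib_transport):
    """Step 2: returns (tenant id, data-region base URL). The post above only got
    events back from the region host whoami reports, not from the global host."""
    status, data = transport("GET", WHOAMI_URL, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"whoami failed: HTTP {status}")
    return data["id"], data["apiHosts"]["dataRegion"]

def fetch_events(token, tenant_id, region, transport=urllib_transport, limit=200):
    """Step 3: page through /siem/v1/events until has_more is false.
    has_more/next_cursor are assumed field names (from Sophos's SIEM script)."""
    headers = {"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant_id}
    items, cursor = [], None
    while True:
        query = {"limit": limit, **({"cursor": cursor} if cursor else {})}
        url = f"{region}/siem/v1/events?{urllib.parse.urlencode(query)}"
        status, page = transport("GET", url, headers)
        if status != 200:
            raise RuntimeError(f"events request failed: HTTP {status} for {url}")
        items.extend(page.get("items", []))
        cursor = page.get("next_cursor")
        if not page.get("has_more") or not cursor:
            return items
```

A non-200 status is raised with the URL so a wrong host (the 404 case in the thread) is distinguishable from a bad token.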