With a configured connection between the AlienApp for Sophos Central on a deployed USM Anywhere Sensor and your Sophos Central environment, the predefined log collection jobs perform scheduled API queries for Sophos events or alerts. When USM Anywhere collects and analyzes the first of these, the normalized events are available on the Events page.
Configuration for the Sophos Central Connection
To enable AlienApp for Sophos Central functionality within USM Anywhere, you must configure the AlienApp by providing a valid Sophos Central API token. With a successful connection to your Sophos Central environment, the AlienApp for Sophos Central log collection jobs query the API every 20 minutes for events, alerts, or both. It parses all collected data and displays it as events and alarms in USM Anywhere.
Generate the API Token
As a Sophos Central administrator, you must create the API token to be used by the AlienApp for the connection to your Sophos Central data through the Sophos Central APIs. The token is valid for one year. To maintain the USM Anywhere connection, you will need to renew the token to extend its validity.
To add an API token for Sophos Central
- Log in to your Sophos Central environment.
- Follow the instructions for API Token Management in the Sophos guide.
Click Save to generate the token.
Sophos Central displays a summary page for the generated token, including the URL and header information used to access the APIs with the token.
Configure the AlienApp for Sophos Central Connection
After you create the API token in Sophos Central, you can configure the connection within USM Anywhere.
To enable the AlienApp for Sophos Central connection
- In USM Anywhere, go to Data Sources > AlienApps.
- Click the Available Apps tab.
- Search for the AlienApp, and then click the tile.
- Click Configure API.
If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.
AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.
- Click Change Sophos Central API Access URL + Headers.
- Enter the API token you copied from Sophos Central.
(Optional.) Modify the data options for log collection.
- Select Collect Sophos Central events or Collect Sophos Central alerts to limit the data collection from your Sophos Central environment.
- Click Save.
Verify the connection.
After USM Anywhere completes a successful connection to the Sophos Central APIs, a icon displays in the Health column.
If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Sophos Central connection.