USM Anywhere™

Configuring the AlienApp for Sophos Central

Role Availability: Read-Only | Analyst | Manager

With a configured connection between the AlienApp for Sophos Central on a deployed USM Anywhere Sensor and your Sophos Central environment, the predefined log collection jobs perform scheduled API queries for Sophos events or alerts. When USM Anywhere collects and analyzes the first of these, the normalized events are available on the Events page.

Required Connectivity on the USM Anywhere Sensor

An AlienApp operates through a deployed USM Anywhere Sensor. To use the AlienApp for Sophos Central, you must open the following ports on the sensor to support its functions.

Port   Endpoint                                          Function
443    api1.central.sophos.com/gateway/siem/v1/events    Collect event data from Sophos Central
443    api1.central.sophos.com/gateway/siem/v1/alerts    Collect alert data from Sophos Central

Configuration for the Sophos Central Connection

To enable AlienApp for Sophos Central functionality within USM Anywhere, you must configure the AlienApp by providing a valid Sophos Central API token. With a successful connection to your Sophos Central environment, the AlienApp for Sophos Central log collection jobs query the API every 20 minutes for events, alerts, or both. USM Anywhere parses all collected data and displays it as events and alarms.

Generate the API Token

As a Sophos Central administrator, you must create the API token that the AlienApp uses to connect to your Sophos Central data through the Sophos Central APIs. The token is valid for one year. To maintain the USM Anywhere connection, you must renew the token before it expires.

To add an API token for Sophos Central

  1. Log in to your Sophos Central environment and select Global Settings.
  2. In the Administration section of the page, click API Token Management.
  3. On the top-right corner of the page, click Add Token.
  4. Enter a name for the token, such as usm-anywhere.

    Add a new API token for Sophos Central integration

  5. Click Save.

    Sophos Central displays a summary page for the generated token, including the URL and header information used to access the APIs with the token.

  6. On the right of the API Access URL + Headers box, click Copy.

    Copy the API Access URL + Headers value

  7. (Optional.) If needed, store the value in a secure location so that it is available for configuring the AlienApp for Sophos Central connection.

    If you plan to immediately configure the AlienApp for Sophos Central connection on the same system, you can simply leave the value in your clipboard.

Configure the AlienApp for Sophos Central Connection

After you create the API token in Sophos Central, you can configure the connection within USM Anywhere.

To enable the AlienApp for Sophos Central connection

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Click Change Sophos Central API Access URL + Headers.
  7. Enter the API token you copied from Sophos Central.
  8. (Optional.) Modify the data options for log collection.

    Enter your Sophos Central API token and set the collection options

  9. Select Collect Sophos Central events or Collect Sophos Central alerts to limit the data collection from your Sophos Central environment.
  10. Click Save.
  11. Verify the connection.

    After USM Anywhere completes a successful connection to the Sophos Central APIs, a healthy-connection icon is displayed in the Health column.

    If an error icon appears instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Sophos Central connection.
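A pre-flight check that exercises the two endpoints from the connectivity table with the copied token, useful when the Health column reports a problem and you want to separate a network issue from a rejected or expired token. This is an added example, not part of the USM Anywhere documentation or the AlienApp; it assumes the "API Access URL + Headers" value has the layout `url: ..., x-api-key: ..., Authorization: Basic ...` and that the endpoints accept a `limit` query parameter, and it should be run from a host with the same egress path as the sensor.

```python
"""Pre-flight check for a Sophos Central SIEM API token before it is
entered into the AlienApp. Added example, not USM Anywhere/AlienApp code."""
import json
import re
import sys
import urllib.error
import urllib.request

# Endpoints the sensor must reach over port 443 (from the connectivity table).
SIEM_PATHS = {"events": "/siem/v1/events", "alerts": "/siem/v1/alerts"}

# Assumed layout of the copied "API Access URL + Headers" value; the three
# fields may be separated by commas or newlines.
_BLOB_RE = re.compile(
    r"url:\s*(?P<url>\S+?)[,\s]+"
    r"x-api-key:\s*(?P<api_key>\S+?)[,\s]+"
    r"Authorization:\s*Basic\s+(?P<basic>\S+)",
    re.IGNORECASE,
)

def parse_access_blob(blob):
    """Split the copied token value into (gateway URL, request headers)."""
    m = _BLOB_RE.search(blob.strip())
    if not m:
        raise ValueError("value is not a Sophos Central API Access URL + Headers block")
    headers = {"x-api-key": m.group("api_key"),
               "Authorization": "Basic " + m.group("basic")}
    return m.group("url").rstrip("/"), headers

def siem_url(gateway, kind):
    """Full URL for the events or alerts endpoint behind the gateway."""
    return gateway + SIEM_PATHS[kind]

def check_endpoint(gateway, headers, kind, timeout=10):
    """Request one record; returns (http_status or None, human-readable summary).
    200 means connectivity and token are fine; 401/403 points at the token."""
    req = urllib.request.Request(siem_url(gateway, kind) + "?limit=1", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            items = json.load(resp).get("items", [])
            return resp.status, f"ok, {len(items)} item(s) returned"
    except urllib.error.HTTPError as e:
        return e.code, "token rejected or expired" if e.code in (401, 403) else str(e.reason)
    except urllib.error.URLError as e:
        return None, f"no connectivity to {gateway}: {e.reason}"

if __name__ == "__main__":
    gw, hdrs = parse_access_blob(sys.stdin.read())  # paste the copied value on stdin
    for kind in SIEM_PATHS:
        status, msg = check_endpoint(gw, hdrs, kind)
        print(f"{kind:6} {status} {msg}")
```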