Configuring the BlueApp for Sophos Central

Role Availability Read-Only Investigator Analyst Manager

With a configured connection between the BlueApp for Sophos Central on a deployed USM Anywhere Sensor and your Sophos Central environment, the predefined log collection jobs perform scheduled API queries for Sophos events or alerts. When USM Anywhere collects and analyzes the first of these, the normalized events are available on the Events page.

Configuration for the Sophos Central Connection

To enable BlueApp for Sophos Central functionality within USM Anywhere, you must configure the BlueApp by providing a valid Sophos Central API client ID and client secret. With a successful connection to your Sophos Central environment, the BlueApp for Sophos Central log collection jobs query the API every 20 minutes for events, alerts, or both. The BlueApp parses all collected data and displays it as events and alarms in USM Anywhere.

Note: The Computer Isolation feature is only available for customers with a Sophos Intercept X Advanced with XDR license. See Sophos Central: Computer Isolation for more information.

Generate the Client ID and Client Secret

As a Sophos Central administrator, you must create the API client ID and secret to be used by the BlueApp for the connection to your Sophos Central data through the Sophos Central APIs. These API credentials are valid for one year. To maintain the USM Anywhere connection, you will need to renew these API credentials to extend their validity.

To generate API credentials for Sophos Central

  1. Log in to your Sophos Central environment and navigate to Global Settings > API Credentials Management.
  2. Click Add Credentials.
  3. Enter the required information to configure new credentials.
    • Credential Name: Enter an identifiable credential name.
    • (Optional.) Description: Enter a description of the credentials you are generating.
    • Role: Use this dropdown to select the appropriate role for these credentials.
  4. Click Add to generate your credentials.
    You will be shown your newly generated client ID.

  5. Click show Client Secret to view your client secret.

Warning: For security reasons, you will only be able to view your client secret one time. When you click show Client Secret, you must save the client secret for future use or you will have to generate new credentials.

Configure the BlueApp for Sophos Central Connection

After you create the client ID and client secret in Sophos Central, you can configure the connection within USM Anywhere.

To enable the BlueApp for Sophos Central connection

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Enter the client ID and client secret you generated from your Sophos Central environment.

    Use the drop-down to select the appropriate account type.

  7. Enter your Sophos Central API credentials and set the collection options.

  8. Select Collect Sophos Central events or Collect Sophos Central alerts to limit the data collection from your Sophos Central environment.
  9. Click Save.
  10. Verify the connection.

    After USM Anywhere completes a successful connection to the Sophos Central APIs, a icon displays in the Health column.

    If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Sophos Central connection.
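
When the connection check fails, testing the client ID and client secret directly against the Sophos Central API separates a credential problem (mistyped, expired after one year, wrong secret saved) from a network problem. The script below is an added example, not part of the original documentation or the BlueApp; the two endpoint URLs are Sophos's public API endpoints rather than values from this page, and the environment variable names and the status-to-diagnosis mapping are assumptions of this example.

```python
import json
import os
from urllib import error, parse, request

# Sophos Central public API endpoints (not named on this page).
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

def build_token_request(client_id, client_secret):
    """OAuth2 client-credentials request; the secret travels only in the POST body."""
    form = {"grant_type": "client_credentials", "scope": "token",
            "client_id": client_id, "client_secret": client_secret}
    return request.Request(TOKEN_URL, data=parse.urlencode(form).encode(), method="POST")

def diagnose(status, payload):
    """Turn a token-endpoint reply into a next step (mapping assumed by this example)."""
    if status == 200 and payload.get("access_token"):
        return "ok"
    if status in (400, 401):
        return "credentials rejected: check for typos or expiry, or generate new ones"
    return "unexpected response: HTTP %d" % status

def fetch_json(req):
    """Return (status, JSON body); HTTP errors become (code, {}), network errors raise."""
    try:
        with request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as err:
        return err.code, {}

def main():
    # Credentials come from the environment (variable names are this example's choice).
    req = build_token_request(os.environ["SOPHOS_CLIENT_ID"], os.environ["SOPHOS_CLIENT_SECRET"])
    try:
        status, payload = fetch_json(req)
        verdict = diagnose(status, payload)
        if verdict == "ok":  # confirm the token is usable; never print the token itself
            who = request.Request(
                WHOAMI_URL, headers={"Authorization": "Bearer " + payload["access_token"]})
            status, _identity = fetch_json(who)
            verdict = "ok" if status == 200 else "token issued, but whoami returned HTTP %d" % status
    except error.URLError as err:
        verdict = "cannot reach Sophos over HTTPS: %s" % err.reason
    print(verdict)
    return 0 if verdict == "ok" else 1

if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from a host on the same network segment as the selected sensor so that the result reflects the sensor's outbound HTTPS path.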