
Sophos Endpoint Integration Setup

This guide walks you through integrating Sophos Endpoint with RAD Security for comprehensive endpoint protection and threat detection, enabling you to correlate endpoint security events with container and cloud runtime activity. Sophos Endpoint provides advanced threat protection with deep learning malware detection, exploit prevention, and active adversary mitigations.

Prerequisites

Before you begin, ensure you have:
  • Access to Sophos Central Dashboard
  • Super Admin privileges in Sophos Central
  • Access to RAD Security workspace with integration permissions
Super Admin Required: You must have Super Admin privileges in Sophos Central to create API credentials. Lower-level admin roles cannot access the API Credentials Management section.

Step 1: Access Sophos Central Dashboard

1. Log in to Sophos Central
   Log in to your Sophos Central Dashboard with an account that has Super Admin privileges.

2. Navigate to Settings
   Click the Settings icon (⚙️) in the top right corner.

Step 2: Create API Credentials

1. Access API Credentials Management
   Click API Credentials Management in the settings menu.

2. Add New Credentials
   Click the Add Credentials button.

3. Configure Credential Details
   In the credential creation form, enter:
     • Name: a descriptive name (e.g., “RAD Security Integration”)
     • Description: (optional) details about this integration
     • Access Level: Service Principal Super Admin
   Service Principal Super Admin access is required for the integration to function properly. It grants the permissions needed to query endpoint data and security events; because it also allows changes to the tenant, treat the resulting Client Secret with the same care as an administrator password.

4. Create Credentials
   Click Save or Create to generate the credentials.

5. Copy Credentials
   Immediately copy and save the following values:
     • Client ID
     • Client Secret
   Save these values now! The Client Secret is displayed only once. If you lose it, you will need to create new credentials.

For detailed instructions, see the Sophos API Credentials documentation.

Step 3: Determine Regional API URL

Sophos Central hosts each tenant in a specific data center region, and tenant API calls must be sent to that region's host. Determining it takes two calls: first obtain an OAuth access token from id.sophos.com, then call the WhoAmI endpoint, whose response carries the regional host in the dataRegion field. The token response itself does not contain the region.

1. Request an Access Token
   Replace <client_id> and <client_secret> with your actual credentials. The --data-urlencode options take care of any special characters in the secret:
curl --location 'https://id.sophos.com/api/v2/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=token'
   Example response:
{
  "access_token": "...",
  "token_type": "bearer",
  "expires_in": 3600
}
   The token is valid for expires_in seconds (one hour here). Note the access_token value for the next call.

2. Call the WhoAmI Endpoint
   Replace <access_token> with the value from the previous response:
curl --location 'https://api.central.sophos.com/whoami/v1' \
--header 'Authorization: Bearer <access_token>'

3. Extract the dataRegion URL
   The response includes an apiHosts.dataRegion field. This is the URL you need for the integration configuration. Example response:
{
  "id": "...",
  "idType": "tenant",
  "apiHosts": {
    "global": "https://api.central.sophos.com",
    "dataRegion": "https://api-us01.central.sophos.com"
  }
}
   In this example, the URL to use is https://api-us01.central.sophos.com. Check that idType is tenant: credentials created at partner or organization level do not return a single dataRegion, so create the credentials inside the tenant you want to integrate.

4. Save the URL
   Copy the dataRegion value; this is your regional API URL.

Why determine the URL? Sophos Central has multiple data regions (US, EU, etc.), and your organization's data is hosted in a specific region. The WhoAmI call is the authoritative way to learn which regional endpoint to use for API calls.

Common Regional URLs

While you should determine your specific URL using the curl command, here are common Sophos regional endpoints:
Region   Example URL
US 01    https://api-us01.central.sophos.com
US 02    https://api-us02.central.sophos.com
US 03    https://api-us03.central.sophos.com
EU 01    https://api-eu01.central.sophos.com
EU 02    https://api-eu02.central.sophos.com
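The two-call procedure above (token from id.sophos.com, then WhoAmI for dataRegion) as a small Python helper. This is an added example, not RAD Security's or Sophos's own code. It uses only the endpoints and fields shown in this step; the HTTP transport is injectable so the flow can be exercised offline, and the `fake_sophos` transport below returns constructed sample responses, not real Sophos output. The regex used to sanity-check the returned host is an assumption based on the regional URLs listed in this page.

```python
"""Resolve the Sophos Central regional API host (dataRegion) for a set of
API credentials: request an OAuth token, then call WhoAmI and read
apiHosts.dataRegion.  Added example; not RAD Security's or Sophos's code."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"
# Assumption: regional hosts look like https://api-<region><nn>.central.sophos.com
DATA_REGION_RE = re.compile(r"^https://api-[a-z]{2}\d{2}\.central\.sophos\.com$")


def _http(url, data=None, headers=None):
    """Default transport (urllib). Returns (status, body_text)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_access_token(client_id, client_secret, http=_http):
    """POST the client-credentials grant; urlencode does what --data-urlencode
    does for curl, so '&', '=' or '%' in the secret are sent correctly."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "token",
    }).encode()
    status, text = http(TOKEN_URL, data=body,
                        headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}: {text[:200]}")
    return json.loads(text)["access_token"]


def get_data_region(token, http=_http):
    """Call WhoAmI with the bearer token and return apiHosts.dataRegion."""
    status, text = http(WHOAMI_URL, headers={"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"whoami failed: HTTP {status}: {text[:200]}")
    who = json.loads(text)
    # Partner/organization-level credentials have no single data region.
    if who.get("idType") != "tenant":
        raise RuntimeError(f"credentials are {who.get('idType')}-level; create them in the tenant")
    region = who["apiHosts"]["dataRegion"]
    if not DATA_REGION_RE.match(region):
        raise RuntimeError(f"unexpected dataRegion value: {region!r}")
    return region


def resolve_data_region(client_id, client_secret, http=_http):
    """Full flow: token, then WhoAmI. Returns the regional API base URL."""
    return get_data_region(get_access_token(client_id, client_secret, http), http)


def fake_sophos(url, data=None, headers=None):
    """Constructed offline stand-in for the two Sophos endpoints (sample data,
    not real responses). Accepts only the secret 's3cr&t=value'."""
    if url == TOKEN_URL:
        form = dict(parse_qsl(data.decode()))
        if form.get("client_secret") == "s3cr&t=value" and form.get("grant_type") == "client_credentials":
            return 200, json.dumps({"access_token": "tok-123", "token_type": "bearer", "expires_in": 3600})
        return 401, json.dumps({"error": "invalid_client"})
    if url == WHOAMI_URL:
        if (headers or {}).get("Authorization") != "Bearer tok-123":
            return 401, json.dumps({"error": "Unauthorized"})
        return 200, json.dumps({"id": "...", "idType": "tenant", "apiHosts": {
            "global": "https://api.central.sophos.com",
            "dataRegion": "https://api-us01.central.sophos.com"}})
    return 404, ""


if __name__ == "__main__":
    # Offline demo against the constructed transport; swap http=_http for the real API.
    print(resolve_data_region("abc123-def456-ghi789", "s3cr&t=value", http=fake_sophos))
```

Run it against the real API by dropping the `http=fake_sophos` argument and passing your Client ID and Secret from Step 2 (from a secrets vault or environment variable, not hard-coded). A non-200 on the token call means the credentials are wrong or revoked; a non-tenant idType means the credentials were created at the wrong level.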

Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Sophos Endpoint integration with the following parameters:

Required Parameters

Parameter       Description                          Example
Base URL        The dataRegion URL from Step 3       https://api-us01.central.sophos.com
Client ID       Client ID from Step 2                abc123-def456-ghi789
Client Secret   Client Secret from Step 2            your-client-secret-here

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Data Sources > Integrations > EDR in RAD Security
  2. Locate your Sophos Endpoint integration
  3. Check the connection status shows as Connected
  4. Verify endpoint data is being synced
Your Sophos Endpoint integration is now configured! RAD Security can now correlate endpoint security data with container and cloud runtime events.

What Data is Synced

Once configured, RAD Security will sync the following data from Sophos Endpoint:
  • Endpoint inventory and status
  • Operating system details
  • Sophos agent version
  • Protection status
  • Last seen timestamps
  • Health indicators
  • Malware detections
  • Exploit prevention events
  • Suspicious behavior alerts
  • Deep learning detections
  • Ransomware protection events
  • Active adversary mitigations
  • Real-time protection events
  • Web protection alerts
  • Application control events
  • Device control events
  • Data loss prevention events
  • Agent health status
  • Update status
  • Policy compliance
  • Configuration state
  • Service status

Use Cases

Deep Learning Detection

Leverage Sophos’s deep learning malware detection with RAD’s runtime context for enhanced threat accuracy.

Exploit Prevention

Correlate Sophos exploit prevention events with container activity to detect sophisticated attacks.

Active Adversary Protection

Identify active adversary techniques across endpoints and containerized workloads.

Unified Security Posture

Maintain comprehensive security visibility across endpoints, containers, and cloud infrastructure.

Troubleshooting

Authentication Fails

Possible causes:
  • Client ID or Client Secret is incorrect
  • Credentials were revoked or deleted
  • Insufficient permissions (not Super Admin)
  • Using the wrong regional URL
Solution:
  • Verify the Client ID and Secret are copied correctly (no extra spaces)
  • Check the credentials still exist in Sophos Central
  • Ensure the credentials have Service Principal Super Admin access
  • Re-run the token and WhoAmI curl commands from Step 3 to verify the regional URL
  • Create new credentials if the current ones are invalid

Wrong Regional URL

Possible causes:
  • Using a hardcoded URL instead of the dataRegion value from the WhoAmI call
  • Organization moved to a different data center
  • Typo in the URL
Solution:
  • Always use the WhoAmI call to determine your dataRegion URL
  • Don’t assume your region; verify it with the WhoAmI API call
  • Ensure the URL format is correct (e.g., https://api-us01.central.sophos.com, with no trailing path)
  • Re-run the WhoAmI call if you suspect the region changed

Permission Errors

Possible causes:
  • Credentials not created with Service Principal Super Admin access
  • Permissions were downgraded after creation
  • Using a user account instead of a service principal
Solution:
  • Verify the API credentials have the Service Principal Super Admin access level
  • Check in API Credentials Management that the access level is correct
  • Delete and recreate the credentials with the proper Super Admin access
  • Ensure you’re not using personal account credentials

No Endpoint Data Appears

Possible causes:
  • No endpoints reporting to Sophos Central
  • Initial sync still in progress
  • Network connectivity issues
  • API rate limits reached
Solution:
  • Verify Sophos agents are installed and reporting
  • Check endpoint status in the Sophos Central Dashboard
  • Allow up to 15 minutes for the initial data sync
  • Review the integration logs in RAD Security for errors
  • Monitor API usage to ensure you’re within rate limits

Curl Command Fails

Possible causes:
  • Incorrect curl syntax
  • Special characters in the credentials not properly encoded
  • Network/firewall blocking access to id.sophos.com or api.central.sophos.com
  • Invalid credentials
Solution:
  • Ensure you’re using --data-urlencode for the form parameters, so characters such as & or = in the secret are encoded
  • Verify the Client ID and Secret are inserted correctly
  • Check the firewall allows outbound HTTPS to id.sophos.com and api.central.sophos.com
  • Try from a different network if a corporate firewall is blocking
  • Verify the credentials are valid by checking them in Sophos Central

Token Errors

Possible causes:
  • OAuth token expired
  • Credentials expired or revoked
  • Time synchronization issues
Solution:
  • OAuth tokens are short-lived (expires_in in the token response) and RAD Security refreshes them automatically, so a persistent token error points at the credentials rather than the token
  • Check that the credentials haven’t been manually revoked
  • Verify system time is synchronized (NTP)
  • Re-run the token and WhoAmI calls to verify the credentials are still valid

Security Best Practices

Use Service Principals

Always use Service Principal credentials rather than personal account API keys.

Rotate Credentials Regularly

Periodically create new API credentials and delete old ones to maintain security.

Secure Credential Storage

Store Client ID and Secret in a secure password manager or secrets vault.

Monitor API Usage

Regularly review API credential usage in Sophos Central to detect anomalous activity.

Limit Access

Only create the minimum number of API credentials needed for integrations.

Audit Regularly

Periodically review all API credentials and remove unused or outdated ones.

Credential Management

To manage your Sophos API credentials:

1. View Credentials
   Navigate to Settings > API Credentials Management to view all active credentials.

2. Rotate Credentials
     1. Create new API credentials with a different name
     2. Update RAD Security with the new credentials
     3. Verify the integration works
     4. Delete the old credentials

3. Revoke Compromised Credentials
   If credentials are compromised, immediately delete them in Sophos Central and create new ones.
