
# Sophos Endpoint

> Configure Sophos Endpoint integration with RAD Security for comprehensive endpoint protection.

# Sophos Endpoint Integration Setup

This guide walks you through integrating Sophos Endpoint with RAD Security for comprehensive endpoint protection and threat detection, enabling you to correlate endpoint security events with container and cloud runtime activity.

Sophos Endpoint provides advanced threat protection with deep learning malware detection, exploit prevention, and active adversary mitigations.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Access to Sophos Central Dashboard
  * **Super Admin** privileges in Sophos Central
  * Access to RAD Security workspace with integration permissions
</Check>

<Warning>
  **Super Admin Required:** You must have Super Admin privileges in Sophos Central to create API credentials. Lower-level admin roles cannot access the API Credentials Management section.
</Warning>

***

## Step 1: Access Sophos Central Dashboard

<Steps>
  <Step title="Log in to Sophos Central">
    Log in to your Sophos Central Dashboard with Super Admin privileges
  </Step>

  <Step title="Navigate to Settings">
    Click the **Settings** icon (⚙️) in the top right corner
  </Step>
</Steps>

***

## Step 2: Create API Credentials

<Steps>
  <Step title="Access API Credentials Management">
    Click on **API Credentials Management** in the settings menu
  </Step>

  <Step title="Add New Credentials">
    Click the **Add Credentials** button
  </Step>

  <Step title="Configure Credential Details">
    In the credential creation form, enter:

    * **Name:** Enter a descriptive name (e.g., "RAD Security Integration")
    * **Description:** (Optional) Add details about this integration
    * **Access Level:** Select **Service Principal Super Admin**

    <Warning>
      **Service Principal Super Admin** access is required for the integration to function properly. This grants the necessary permissions to query endpoint data and security events.
    </Warning>
  </Step>

  <Step title="Create Credentials">
    Click **Save** or **Create** to generate the credentials
  </Step>

  <Step title="Copy Credentials">
    **Immediately copy and save** the following values:

    * **Client ID**
    * **Client Secret**

    <Warning>
      **Save these values now!** The Client Secret will only be displayed once. If you lose it, you'll need to create new credentials.
    </Warning>
  </Step>
</Steps>

For detailed instructions, see [Sophos API Credentials documentation](https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/GlobalSettings/APICredentials/index.html).

***

## Step 3: Determine Regional API URL

Sophos Central uses different data center regions. You need to determine the correct regional URL for your organization.

<Steps>
  <Step title="Prepare Curl Command">
    Use the following curl command to determine your regional URL. Replace `<client_id>` and `<client_secret>` with your actual credentials:

    <CodeGroup>
      ```bash Curl Command
      curl --location 'https://id.sophos.com/api/v2/oauth2/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=<client_id>' \
      --data-urlencode 'client_secret=<client_secret>' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'scope=token'
      ```
    </CodeGroup>
  </Step>

  <Step title="Execute Command">
    Run the curl command in your terminal
  </Step>

  <Step title="Extract dataRegion URL">
    The response will include a `dataRegion` field. **This is the URL you need** for the integration configuration.

    **Example Response:**

    ```json
    {
      "access_token": "...",
      "token_type": "bearer",
      "expires_in": 3600,
      "dataRegion": "https://api-us01.central.sophos.com"
    }
    ```

    In this example, the URL to use is: `https://api-us01.central.sophos.com`
  </Step>

  <Step title="Save the URL">
    Copy the `dataRegion` value; this is your regional API URL
  </Step>
</Steps>

<Note>
  **Why determine the URL?** Sophos Central has multiple data regions (US, EU, etc.), and your organization's data is hosted in a specific region. The WhoAmI query ensures you're using the correct regional endpoint for API calls.
</Note>
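The same token request and `dataRegion` extraction, scripted rather than typed into curl, as an added example (this is not RAD Security's or Sophos's own code). It assumes only the response shape shown in the example above; the `SOPHOS_CLIENT_ID` and `SOPHOS_CLIENT_SECRET` environment variable names and the `REFRESH_MARGIN` value are this example's own choices. It also covers two of the troubleshooting points further down: `urlencode()` does the job of `--data-urlencode` for secrets containing special characters, and `refresh_at` shows how a short-lived token should be renewed before `expires_in` elapses.

```python
"""Obtain a Sophos Central OAuth token with the client-credentials grant,
extract the dataRegion value, and validate it before using it as the
integration's Base URL.

Added example; not RAD Security's or Sophos's code. Assumes the token
response shape shown on the page (access_token, token_type, expires_in,
dataRegion). Environment variable names are this example's own choice.
"""
import json
import os
import re
import time
import urllib.parse
import urllib.request

# Token endpoint from the page's curl command.
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"

# Accept only the documented host shape, e.g. https://api-us01.central.sophos.com,
# so a typo or a pasted dashboard URL never becomes the Base URL.
REGION_URL_RE = re.compile(r"^https://api-[a-z]{2}\d{2}\.central\.sophos\.com$")

# Assumed margin: renew the token this many seconds before expires_in elapses,
# so no request goes out with a token that expires in flight.
REFRESH_MARGIN = 300


def build_token_request(client_id: str, client_secret: str) -> tuple[bytes, dict]:
    """Return (body, headers) for the token call. urlencode() does what curl's
    --data-urlencode does, so a secret containing '&', '=', '+' or spaces
    survives intact."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "token",
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return body, headers


def parse_token_response(raw: str, now: float) -> dict:
    """Parse the JSON token response and return the fields the integration needs.
    Raises ValueError on a malformed or unexpected response rather than letting
    a bad Base URL reach the integration configuration."""
    data = json.loads(raw)
    token = data.get("access_token")
    region = data.get("dataRegion")
    if not token:
        raise ValueError("response has no access_token; check Client ID / Client Secret")
    if not region:
        raise ValueError("response has no dataRegion; cannot determine the regional API URL")
    region = region.rstrip("/")
    if not REGION_URL_RE.match(region):
        raise ValueError(f"unexpected dataRegion format: {region!r}")
    expires_in = int(data.get("expires_in", 0))
    return {
        "access_token": token,
        "data_region": region,
        # Absolute time after which the token must be renewed (margin applied).
        "refresh_at": now + max(expires_in - REFRESH_MARGIN, 0),
    }


def needs_refresh(token_info: dict, now: float) -> bool:
    """True when the cached token is expired or about to expire and a new
    client-credentials call is required."""
    return now >= token_info["refresh_at"]


def fetch_token(client_id: str, client_secret: str) -> dict:
    """Perform the live token request (network access to id.sophos.com required)."""
    body, headers = build_token_request(client_id, client_secret)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode(), time.time())


# Constructed sample response mirroring the page's example (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "EXAMPLE-TOKEN-NOT-REAL",
    "token_type": "bearer",
    "expires_in": 3600,
    "dataRegion": "https://api-us01.central.sophos.com",
})

if __name__ == "__main__":
    info = parse_token_response(SAMPLE_RESPONSE, now=0.0)
    print("Base URL for RAD Security:", info["data_region"])
    # Live call only when credentials are present (assumed variable names).
    cid = os.environ.get("SOPHOS_CLIENT_ID")
    secret = os.environ.get("SOPHOS_CLIENT_SECRET")
    if cid and secret:
        live = fetch_token(cid, secret)
        print("Live dataRegion:", live["data_region"])
```

Run it as-is to see the parsing on the constructed sample; export the two environment variables to make the live call. Keeping the secret in an environment variable or a secrets vault, rather than in the script or shell history, is the point of reading it from the environment.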

### Common Regional URLs

While you should determine your specific URL using the curl command, here are common Sophos regional endpoints:

| Region | Example URL                           |
| ------ | ------------------------------------- |
| US 01  | `https://api-us01.central.sophos.com` |
| US 02  | `https://api-us02.central.sophos.com` |
| US 03  | `https://api-us03.central.sophos.com` |
| EU 01  | `https://api-eu01.central.sophos.com` |
| EU 02  | `https://api-eu02.central.sophos.com` |

***

## Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Sophos Endpoint integration with the following parameters:

### Required Parameters

| Parameter         | Description                      | Example                               |
| ----------------- | -------------------------------- | ------------------------------------- |
| **Base URL**      | The `dataRegion` URL from Step 3 | `https://api-us01.central.sophos.com` |
| **Client ID**     | Client ID from Step 2            | `abc123-def456-ghi789`                |
| **Client Secret** | Client Secret from Step 2        | `your-client-secret-here`             |

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > EDR** in RAD Security
2. Locate your Sophos Endpoint integration
3. Check the connection status shows as **Connected**
4. Verify endpoint data is being synced

<Check>
  Your Sophos Endpoint integration is now configured. RAD Security can correlate endpoint security data with container and cloud runtime events.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following data from Sophos Endpoint:

<AccordionGroup>
  <Accordion title="Endpoint Information" icon="computer">
    * Endpoint inventory and status
    * Operating system details
    * Sophos agent version
    * Protection status
    * Last seen timestamps
    * Health indicators
  </Accordion>

  <Accordion title="Threats & Detections" icon="shield-virus">
    * Malware detections
    * Exploit prevention events
    * Suspicious behavior alerts
    * Deep learning detections
    * Ransomware protection events
    * Active adversary mitigations
  </Accordion>

  <Accordion title="Security Events" icon="bell">
    * Real-time protection events
    * Web protection alerts
    * Application control events
    * Device control events
    * Data loss prevention events
  </Accordion>

  <Accordion title="Endpoint Health" icon="heart-pulse">
    * Agent health status
    * Update status
    * Policy compliance
    * Configuration state
    * Service status
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Deep Learning Detection" icon="brain">
    Leverage Sophos's deep learning malware detection with RAD's runtime context for enhanced threat accuracy.
  </Card>

  <Card title="Exploit Prevention" icon="shield-check">
    Correlate Sophos exploit prevention events with container activity to detect sophisticated attacks.
  </Card>

  <Card title="Active Adversary Protection" icon="user-secret">
    Identify active adversary techniques across endpoints and containerized workloads.
  </Card>

  <Card title="Unified Security Posture" icon="shield-halved">
    Maintain comprehensive security visibility across endpoints, containers, and cloud infrastructure.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID or Client Secret is incorrect
    * Credentials were revoked or deleted
    * Insufficient permissions (not Super Admin)
    * Using wrong regional URL

    **Solution:**

    * Verify Client ID and Secret are copied correctly (no extra spaces)
    * Check credentials still exist in Sophos Central
    * Ensure the credentials have Service Principal Super Admin access
    * Re-run the WhoAmI curl command to verify the regional URL
    * Create new credentials if the current ones are invalid
  </Accordion>

  <Accordion title="Wrong Regional URL" icon="globe">
    **Possible causes:**

    * Using a hardcoded URL instead of the `dataRegion` value from the WhoAmI call
    * Organization moved to different data center
    * Typo in URL

    **Solution:**

    * Always use the curl command to determine your dataRegion URL
    * Don't assume your region - verify with the WhoAmI API call
    * Ensure URL format is correct (e.g., `https://api-us01.central.sophos.com`)
    * Re-run the curl command if you suspect the region changed
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    **Possible causes:**

    * Credentials not created with Service Principal Super Admin access
    * Permissions were downgraded after creation
    * Using user account instead of service principal

    **Solution:**

    * Verify the API credentials have Service Principal Super Admin access level
    * Check in API Credentials Management that access level is correct
    * Delete and recreate credentials with proper Super Admin access
    * Ensure you're not using personal account credentials
  </Accordion>

  <Accordion title="No Data Syncing" icon="database-slash">
    **Possible causes:**

    * No endpoints reporting to Sophos Central
    * Initial sync still in progress
    * Network connectivity issues
    * API rate limits reached

    **Solution:**

    * Verify Sophos agents are installed and reporting
    * Check endpoint status in Sophos Central Dashboard
    * Allow up to 15 minutes for initial data sync
    * Review integration logs in RAD Security for errors
    * Monitor API usage to ensure you're within rate limits
  </Accordion>

  <Accordion title="Curl Command Fails" icon="terminal">
    **Possible causes:**

    * Incorrect curl syntax
    * Special characters in credentials not properly encoded
    * Network/firewall blocking access to id.sophos.com
    * Invalid credentials

    **Solution:**

    * Ensure you're using `--data-urlencode` for parameters
    * Verify Client ID and Secret are correctly inserted
    * Check firewall allows outbound HTTPS to id.sophos.com
    * Try from a different network if corporate firewall is blocking
    * Verify credentials are valid by logging into Sophos Central
  </Accordion>

  <Accordion title="Token Expiration Issues" icon="clock">
    **Possible causes:**

    * OAuth token expired
    * Credentials expired or revoked
    * Time synchronization issues

    **Solution:**

    * OAuth tokens are short-lived and automatically refreshed
    * Check that credentials haven't been manually revoked
    * Verify system time is synchronized (NTP)
    * Re-run WhoAmI call to verify credentials are still valid
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use Service Principals" icon="robot">
    Always use Service Principal credentials rather than personal account API keys.
  </Card>

  <Card title="Rotate Credentials Regularly" icon="rotate">
    Periodically create new API credentials and delete old ones to maintain security.
  </Card>

  <Card title="Secure Credential Storage" icon="lock">
    Store Client ID and Secret in a secure password manager or secrets vault.
  </Card>

  <Card title="Monitor API Usage" icon="chart-line">
    Regularly review API credential usage in Sophos Central to detect anomalous activity.
  </Card>

  <Card title="Limit Access" icon="shield-halved">
    Only create the minimum number of API credentials needed for integrations.
  </Card>

  <Card title="Audit Regularly" icon="clipboard-list">
    Periodically review all API credentials and remove unused or outdated ones.
  </Card>
</CardGroup>

## Credential Management

To manage your Sophos API credentials:

<Steps>
  <Step title="View Credentials">
    Navigate to Settings > API Credentials Management to view all active credentials
  </Step>

  <Step title="Rotate Credentials">
    1. Create new API credentials with a different name
    2. Update RAD Security with the new credentials
    3. Verify the integration works
    4. Delete the old credentials
  </Step>

  <Step title="Revoke Compromised Credentials">
    If credentials are compromised, immediately delete them in Sophos Central and create new ones
  </Step>
</Steps>

## Additional Resources

<CardGroup cols={2}>
  <Card title="Sophos API Documentation" icon="book" href="https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/GlobalSettings/APICredentials/index.html">
    Official guide to API credentials in Sophos Central
  </Card>

  <Card title="Sophos Central APIs" icon="code" href="https://developer.sophos.com/">
    Complete API reference documentation
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="EDR Integrations Overview" icon="shield-check" href="/rad-security/integrations/edr/overview">
    Explore other EDR integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn about RAD's container runtime security
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure correlated alerts and incident management
  </Card>

  <Card title="Threat Models" icon="crosshairs" href="/rad-security/security-and-compliance/overview">
    Understand how threats are detected across platforms
  </Card>
</CardGroup>
