You must have the Network integrations license pack to use this feature.
You can integrate Darktrace Detect with Sophos Central so that it sends alerts to Sophos.
This integration uses a log collector hosted on a virtual machine (VM). Together they're called an appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.
You can add multiple instances of Darktrace Detect to the same appliance.
To do this, set up your Darktrace Detect integration in Sophos Central, then configure one Darktrace Detect instance to send logs to it. Then configure your other Darktrace Detect instances to send logs to the same Sophos appliance.
You don't have to repeat the Sophos Central part of the setup.
The key steps are as follows:
- Configure an integration for this product. This configures an image to use on a VM.
- Download and deploy the image on your VM. This becomes your appliance.
- Configure Darktrace Detect to send data to the appliance.
Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.
Configure an integration
To configure the integration, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
Click Darktrace Detect.
The Darktrace Detect page opens. You can configure integrations here and see a list of any you've already configured.
In Data Ingest (Security Alerts), click Add Configuration.
If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
Integration setup steps appears.
Configure the VM
In Integration setup steps you configure your VM as an appliance to receive data from Darktrace Detect. You can use an existing VM, or create a new one.
To configure the VM, do as follows:
- Enter an integration name and description.
Enter a name and description for the appliance.
If you've already set up a Sophos appliance, you can choose it from a list.
Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.
Select DHCP to assign the IP address automatically.
If you select DHCP, you must reserve the IP address.
Select Manual to specify network settings.
Select the Syslog IP version and enter the Syslog IP address.
You'll need this syslog IP address later, when you configure Darktrace Detect to send data to your appliance.
Select a Protocol.
You must use the same protocol when you configure Darktrace Detect to send data to your appliance.
We create the integration and it appears in your list.
In the integration details, you can see the port number for the appliance. You'll need this later when you configure Darktrace Detect to send data to it.
It might take a few minutes for the VM image to be ready.
Deploy the VM
If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.
Use the VM image to deploy the VM. To do this, do as follows:
- In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
- When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.
Configure Darktrace Detect
You now configure Darktrace Detect to send alerts to us, using syslog forwarding.
To configure alert forwarding, do as follows:
- In Darktrace Detect, go to System Config > Alerting.
- Set Advanced Options to True.
- Set CEF Syslog Alerts to True.
- Use the Enter key to make extra fields appear. If that doesn't work, put your cursor in a field and use Enter again.
- In CEF Syslog Server, enter the IP address of your appliance, and use the Enter key.
In CEF Syslog Server Port, enter the Port on which your data colector listens, and use the Enter key again.
You must enter the same settings you entered in Sophos Central when you added the integration.
Darktrace Detect alerts depend on how events are scored. To maximize the alerts forwarded to Sophos, make sure Minimum Alert Priority and Score are both set to 1.
Darktrace Detect alerts should appear in the Sophos Data Lake after validation.