Add integrations on AWS
You can integrate third-party products with Sophos Central by deploying a Sophos integration appliance on AWS.
The appliance hosts a log collector that uses syslog to receive alerts from the third-party product and forward them to Sophos.
This page tells you how to configure and deploy an appliance on AWS. The steps apply for any third-party product you want to integrate, provided that the product is hosted on AWS.
Note
Syslog data sent to the appliance isn't secure. Don't send it via the public internet.
Note
You can also integrate Sophos Network Detection and Response (NDR) using AWS. See NDR on AWS.
Requirements
To deploy an appliance in AWS, you must meet the following requirements:
- An AWS account. Your third-party product must be hosted on AWS and you must deploy the appliance on the same AWS account.
- A Sophos Central account with an XDR or MDR license.
- A Sophos integrations license pack for the product type you want to integrate, for example Firewall.
- EC2 instances. The supported types are c5n.2xlarge, c6i.4xlarge, c7i.16xlarge (Nitro virtualization).
- VPCs, subnets and Availability Zones. You can use the ones you already have.
- A security group for SSH.
- At least one allocated elastic IP address for the management interface.
Note
If you're not sure which license pack you need, go to Threat Analysis Center > Integrations > Marketplace. The tile for your product shows the required license type.
You must also do as follows:
- Create and save your SSH private key for the AWS account.
Key steps
The key steps are as follows:
- Create a CloudFormation template for your appliance.
- Download the CloudFormation template.
- Subscribe to "Sophos Integration Appliance" in AWS.
- Create a stack.
- Edit AWS security groups.
- Set a password for Appliance Manager.
Create a CloudFormation template
Create a CloudFormation template (CFT) for your appliance as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Find the third-party product you want to integrate and click it.
- On the integrations page, in Data Ingest (Security Alerts), click Add Configuration.
- In Integration setup steps, enter a name and description for the integration.
- Click Create new appliance.
- Enter a name and description for the appliance.
- In Virtual platform, select AWS.
- In Protocol, select a protocol.
- Click Save. A CloudFormation (CF) JSON file (ndr_<product-name>_cf_latest.json) is created.
Download the CloudFormation template
- In Sophos Central, go to Threat Analysis Center > Integrations > Configured.
- Select the Integration Appliances tab and find your appliance.
- In the rightmost column, click the three dots, and select Download image.
Now you're ready to subscribe in AWS and deploy the Sophos appliance.
Subscribe to Sophos Integration Appliance
You must subscribe to Sophos Integration Appliance in the AWS Marketplace. This ensures that AWS recognizes your CloudFormation template and lets you install its resources in your AWS account.
To subscribe, do as follows:
- Go to the AWS Marketplace page and find "Sophos Integration Appliance".
- On the Product Overview page, click Continue to Subscribe.
- On the Subscribe to this software page, accept the terms and conditions and click Continue to Configuration.
- On the Configure this software page, check the version and region, and click Continue to Launch.
- On the Launch this software page, click Usage instructions to see how to access Sophos Appliance Manager.
- Click Launch.
AWS opens the Create stack page.
Create a stack
Now you use the downloaded CloudFormation template to deploy the Sophos appliance in your AWS account. To do this, you create a stack as follows:
- On the Create stack page, do as follows:
  - Leave Template is ready selected.
  - In Specify template, select Upload a template file.
  - Click Choose file and select ndr_<appliance-name>_cf_latest.json. The appliance-name is the name you gave the appliance when you created the CFT in Sophos Central.
  - Click Next.
- On the Specify stack details page, enter a name and the following Network Configuration details:
- An existing VPC that you want to use for the appliance.
- A subnet for the Management Interface. This is a public subnet.
- A subnet for the syslog interface.
- The security group that gives admins SSH access to the Sophos Integration Appliance instance.
The completed network configuration details look like this example:
- Under EC2 Instance Configuration, enter the SSH key needed to access the Sophos Integration Appliance EC2 instance, then click Next.
Note
You created and saved this SSH key pair earlier.
- On the Configure Stack options page, accept the default AWS settings or make changes if you want to. Click Submit.
The CloudFormation template automatically chooses the right regions and AMIs based on the AWS region of the account you used to upload the template.
Wait for the Sophos Integration Appliance to be created. This can take five or six minutes.
Edit the security groups
You need to edit the AWS security groups so that you can make these changes:
- Allow syslog traffic to go to the appliance.
- Give access to Sophos Appliance Manager.
To edit security groups, do as follows:
- In AWS, go to the Sophos Integration Appliance's security details. To do this, enter the appliance name in the AWS console search bar. When you find it, select the EC2 tab, and click the Sophos Integration Appliance instance.
- On the Instance Summary page, scroll down to the tabbed pages, and select the Security tab.
- Find the InternalSyslogSG group and enter the source from which you want to allow traffic for log collection.
- Find the InternalMgmtSG security group. The CloudFormation template created this for you. Add your admins to the group and give them access to port 8443 in Inbound rule.
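Because syslog traffic to the appliance isn't secure, the two security groups above should only admit the log source and the admin addresses you intend, never 0.0.0.0/0 or ::/0. The following added example (not Sophos code, and not part of this page's procedure) checks the output of `aws ec2 describe-security-groups` for InternalSyslogSG and InternalMgmtSG rules that are open to the whole internet. The sample JSON is constructed for the example; the group IDs and CIDRs are made up, and port 514 is assumed as the syslog port because the page does not state which port your chosen protocol uses.

```python
import json
import subprocess

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are invented; only the group names come from the page.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupName": "InternalSyslogSG",
            "GroupId": "sg-0000000000example1",
            "IpPermissions": [
                # Weak setting: syslog from anywhere on the internet.
                {"IpProtocol": "udp", "FromPort": 514, "ToPort": 514,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupName": "InternalMgmtSG",
            "GroupId": "sg-0000000000example2",
            "IpPermissions": [
                # Correct setting: Appliance Manager only from the admin network.
                {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
                # Weak setting: SSH from any IPv6 address.
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
    ]
})

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
WATCHED_GROUPS = ("InternalSyslogSG", "InternalMgmtSG")
# 8443 is Appliance Manager (from the page); 22 is the admin SSH group;
# 514 is an assumed syslog port, adjust it to the protocol you selected.
WATCHED_PORTS = (22, 514, 8443)


def rule_is_world_open(perm):
    """True if an IpPermissions entry admits any IPv4 or any IPv6 source."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return ANY_IPV4 in v4 or ANY_IPV6 in v6


def watched_ports_in_rule(perm):
    """Watched ports that a rule covers; 'all' when IpProtocol is -1 (all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return ["all"]
    return [p for p in WATCHED_PORTS if perm["FromPort"] <= p <= perm["ToPort"]]


def find_world_open_rules(describe_json, groups=WATCHED_GROUPS):
    """Return (group name, port, protocol) for every world-open rule on a watched port."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        if group["GroupName"] not in groups:
            continue
        for perm in group["IpPermissions"]:
            if not rule_is_world_open(perm):
                continue
            for port in watched_ports_in_rule(perm):
                findings.append((group["GroupName"], port, perm["IpProtocol"]))
    return findings


def check_live_account():
    """Run the same check against the real account (needs AWS CLI credentials)."""
    out = subprocess.run(
        ["aws", "ec2", "describe-security-groups", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_world_open_rules(out)


if __name__ == "__main__":
    for name, port, proto in find_world_open_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{name}: {proto} port {port} is open to the internet; restrict the source")
```

Run it against the sample to see the two weak rules reported; `check_live_account()` performs the same check on your own account once the AWS CLI is configured. A clean result is an empty list.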
Before you can use Sophos Appliance Manager, you also need to set a password.
Set password for Sophos Appliance Manager
The username for Sophos Appliance Manager is zadmin. To set the password, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Configured.
- Go to the Integration Appliances tab.
- Find your appliance. In the rightmost column, click the three dots and select Open Appliance Manager.
- In the confirmation dialog, click reset it.
Any other admins who want to use Appliance Manager must also set a password.
You've finished deploying the appliance.
Your integration is now complete. You can monitor appliance status and activity in Sophos Appliance Manager.