Skip to content
Find out how we support MDR.

Integrations

You must be an Admin or Super Admin to use this feature.

You can integrate other security products with Sophos Central. These can be other Sophos products or third-party products.

You can set up two kinds of integration:

  • Data Ingest: The product sends data to the Sophos Data Lake. You can then query that data in our Threat Analysis Center.
  • Response Action: You can resolve detected issues from Sophos Central via a third-party product.

Response Action integrations aren't available for all products yet.

This page tells you about the different setup methods for integrations, the different categories of integrations, and more. When you're ready to start, see Add integrations.

About integrations

There are several types of integration, with different setup methods:

  • REST API
  • Log collector
  • Sophos product (for example, Sophos NDR or Sophos Firewall)

Log collector integrations and Sophos NDR require a virtual machine (VM). REST API integrations don't.

The type of integration you use depends on which product you're integrating.

REST API integrations

To integrate a product that uses an API, you must collect authentication information about your account for that product.

The information you need differs from product to product. Our integration assistant prompts you for the information.

Log collector integrations

Log collector integrations use the Sophos log collector to collect data from the third-party product and add it to the Sophos Data Lake.

You install the log collector on a virtual machine. Our assistant helps you configure an image file which you download and deploy on a VM. The image file includes the log collector application.

A Sophos appliance is a virtual machine hosting a log collector.

You then configure your third-party product to send data to the appliance. This uses the third-party product's syslog export function. You give the connection details of your appliance instead of a syslog server.

For more information, see the help for the integration you want to add.

For Sophos appliance requirements, see Appliance requirements.

For help with collecting Sophos appliance logs for troubleshooting, see Appliance logs.

Multiple integrations

You can send data from multiple integrations to the same appliance:

  • If you've already set up Sophos NDR, add third-party integrations and select the same appliance in Sophos Central.
  • If you've already set up a third-party integration, add other third-party integrations and select the same appliance in Sophos Central.

You can also set up multiple integrations of the same product to use a single appliance. Do this as follows:

  1. Set up an integration in Sophos Central.
  2. Configure your third-party product to use your appliance.
  3. Repeat the third-party product configuration for the extra instances of the product.

    Direct these instances to the same appliance.

    You don't have to repeat the Sophos Central part of the setup.

Integration categories

We put integrations into categories, depending on the type of product they're for. On the Integrations page, we label each integration with its category , for example Firewall.

To find integrations in particular categories, click Show filters, select categories under Integration category, and click Apply.

The categories are shown below.

Category Description
Sophos XDR Products available with an XDR license: Sophos NDR, Sophos Cloud Optix, Microsoft Graph Security, and Microsoft 365 audit appliance.
Identity Products that monitor sign-in attempts and other security-related activity.
Endpoint Products that detect threats on devices or monitor device usage.
Network Products that detect breaches or threats on a network.
Email Products that detect threats that target email.
Public cloud Products that monitor security and compliance on public cloud accounts.
Firewall Products that control incoming and outgoing network traffic.

Beta integrations

If you're an MDR customer, you can try out beta integrations.

Beta integrations are ones that are still under development. They don't generate detections for the MDR team, but they do report detections on the Detections page.

Look for integrations labeled BETA or, to see them all, click Show filters > Availability > BETA.

When an integration is fully released, you can only use it if you have the license pack for that integration category, for example Firewall.

  • Important


    As Sophos continues to develop new integrations, we occasionally offer customers early access to certain integrations that are still in their beta phase to evaluate, free of charge.

    Please note that since these integrations are still in beta, they are offered “AS IS” without any warranties or guarantees that we monitor alerts or generate detections for analysis. All use of beta integrations is at your sole discretion. We may reach out to discuss or request changes to your integration configuration.

    Once we transition these integrations from beta to generally availability, an applicable license pack purchase will be required for continued use.

    Any use is subject to Sophos End User Terms of Use.

Add integrations

To add integrations, do as follows:

  1. Go to Threat Analysis Center > Integrations > Marketplace.

    This shows all the product integrations available to you.

  2. Find the integration you want and click it.

  3. On the next page, find the integration type you want, for example Data Ingest. Click Add Configuration.
  4. The Integration setup steps guide you through configuration.

For details of these steps and the steps you take in the third-party product, see the following instructions:

To monitor or edit your integration later, go to Integrations > Configured.