
Troubleshooting MDR Integrations

This page lists the errors you can see and the issues you can have with third-party integrations you've added to Sophos Central.

Where possible we tell you how to fix common issues.

The list has the following sections:

  • API integrations
  • Log collector integrations

To find out which type of integration you're troubleshooting, go to Threat Analysis Center > Integrations and look at the card.

We'll add more to this page as the number of third-party integrations increases.

API integrations

These integrations use an API to connect to the third-party product or service. Issues often happen when Sophos Central can't connect to the third-party product or service.

Each third-party product or service needs different credentials to make a connection. If you're having problems, check these first.

We've listed general errors, which can occur with any API-based integration, then errors and solutions that apply to specific integrations.

You need to check the general errors before you check the errors for specific integrations.

General errors

Synchronization failed at finish time due to invalid credentials.

Check your authentication credentials for the third-party service and try again. If the API requires a secret, make sure you've created it correctly and given it the correct permissions.

For example, you see this error if the MS Graph API returns the error code 401.

Synchronization failed at finish time due to insufficient permission.

Check all the credentials and permissions you provided when adding the integration and make sure they're correct.

Synchronization failed at finish time due to network not reachable.

If you don't have any network issues in your environment, or with your internet connection, this can mean problems with the third-party service. Check that the service is available.

Synchronization failed at finish time due to request throttling.

Requests from Sophos have been throttled by the third-party service. The following are some examples of why throttling happens, taken from the MS Graph Security integration:

  • Microsoft has throttled your connection (Microsoft error code 429 - Client application has been throttled and should not attempt to repeat the request until an amount of time has elapsed).

  • Microsoft has throttled your connection for exceeding the maximum bandwidth cap (Microsoft error 509 - Your app can retry the request again after more time has elapsed).

Synchronization failed at finish time due to error in source.

There's a problem with reaching the third-party service. Try again later.

Synchronization failed at finish time due to unknown error.

There's an internal problem. Try again later.

Synchronization failed at finish time due to expired credentials.

The credentials for the integration have expired. For example, an API token that has been created in the third-party product may only be valid for 30 days.

Synchronization failed at finish time due to invalid certificate.

The certificate used to set up a custom domain for an integration isn't valid. You need to create a new certificate or use a different one.

Synchronization failed at finish time due to invalid domain.

The domain for the third-party service is wrong or couldn't be reached. Check the domain and try again.

Synchronization failed at finish time due to invalid configuration.

There's an error with the configuration that doesn't fall into any specific category. You need to review the whole configuration to find the issue.

Blackberry Cylance

Synchronization failed at finish time due to insufficient permission.

When you create the application secret for a Cylance integration, you must select the access privilege for Detection.

For more information read the Generate an application secret section of the Cylance help page. See Blackberry CylanceOPTICS.

Cisco Duo

Synchronization failed at finish time due to invalid credentials.

The integration doesn't have sufficient permissions to get logs from the Duo API. Make sure you've set Permission in Duo to Grant read log.

For more information read the Get details from Duo section of the Duo help page. See Cisco Duo.

Synchronization failed at finish time due to invalid domain.

The hostname is invalid. Make sure you've entered a hostname in the form: api-xxxxxxxx.duosecurity.com. You must not use https://.

For more information read the Add an integration section of the Duo help page. See Cisco Duo.

Fortinet FortiAnalyzer

Synchronization failed at finish time due to network not reachable.

You can see this error if there are connection issues, but also if the base URL entered is invalid. This can happen if the base URL you entered doesn't have a publicly resolvable DNS record. The integration only works if the base URL is publicly resolvable.

Synchronization failed at finish time due to invalid domain.

This error can occur if you entered a base URL that is invalid or private, i.e. isn't publicly resolvable. The integration doesn't work unless the base URL is publicly resolvable.

Synchronization failed at finish time due to invalid certificate.

A self-signed certificate is being used, or some parts of the chain are missing or incomplete. Check that the certificate is valid and isn't self-signed.
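The three FortiAnalyzer checks above (DNS record, public address, trusted certificate chain) can be run against a base URL before you add the integration. This is an added example, not Sophos or Fortinet code; it assumes the base URL uses https, and `faz.example.com` is a constructed placeholder. Run it from a host outside your network, because an internal resolver can return private addresses that the public internet never sees.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def split_base_url(base_url):
    """Return (host, port); assumes the base URL uses https."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected https://host[:port]")
    return parts.hostname, parts.port or 443

def resolve(host, port):
    """Addresses from the local resolver; an empty list means no DNS record."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def non_public(addresses):
    """Addresses that are not globally routable (RFC 1918, loopback, link-local)."""
    return [a for a in addresses
            if not ipaddress.ip_address(a.split("%")[0]).is_global]

def certificate_problem(host, port, timeout=5):
    """Handshake against the system trust store; return the failure reason or None."""
    context = ssl.create_default_context()  # checks the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as err:
        return err.verify_message  # e.g. a self-signed or incomplete chain
    except OSError as err:
        return f"connection failed: {err}"

def preflight(base_url):
    """Run the checks in order and return 'ok' or the first problem found."""
    host, port = split_base_url(base_url)
    addresses = resolve(host, port)
    if not addresses:
        return f"no DNS record for {host}"
    private = non_public(addresses)
    if private:
        return "not publicly routable: " + ", ".join(private)
    problem = certificate_problem(host, port)
    return f"TLS check: {problem}" if problem else "ok"

if __name__ == "__main__":
    print(preflight("https://faz.example.com"))  # constructed sample value
```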

Mimecast

Synchronization failed at finish time due to insufficient permission.

The integration doesn't have the required permissions to get data from Mimecast. Check that you've correctly created the Mimecast service user with the following permissions:

  • Monitoring | URL Protection | Read
  • Monitoring | Impersonation Protection | Read

For more information read the Create service user section in the Mimecast help page. See Mimecast Email Security, Cloud Gateway.

Synchronization failed at finish time due to expired credentials.

The credentials used for the Mimecast API have expired. Make sure the Mimecast service user you created has Authentication Cache TTL set to Never Expire as described in the Create service user section in the Mimecast help page. See Mimecast Email Security, Cloud Gateway.

Synchronization failed at finish time due to invalid configuration.

If all the other credentials you've provided are correct, this can mean the application ID is incorrect. Check that it's valid.

Okta

Synchronization failed at finish time due to invalid certificate.

The certificate for the Okta base URL is invalid. Check that it's valid.

Log collector integrations

These integrations use the Sophos log collector to collect data from the third-party product and add it to the Sophos Data Lake. This includes the Sophos NDR integration.

The Sophos log collector is hosted on a virtual machine. This is referred to as a data collector.

The data collector connects to a third-party product or service to forward network packets to the Sophos Data Lake. The data can then be analyzed in the Threat Analysis Center.

You have to take different steps to connect to each third-party product or service. Refer to the help page for the integration to make sure you've followed all the steps. See Integrations.

We've listed general errors, which can occur with any log collector integration, then errors and advice for some specific integrations.

General log collector errors

These issues can happen with any log collector integration.

The log collector won't run on the virtual machine platform we use.

Currently, the virtual appliance (VA) only runs on VMware ESXi 6.7 or later. We will add more platforms in the future.

The status of my integration in Data Collectors shows there are issues.

The integration can't connect to the relevant third-party product or service. Make sure there are no network issues preventing connection.

My data isn't being forwarded by the log collector.

There can be many reasons for this. The best approach is to go through the documentation for the integration and check that you've set up everything on the third-party product or service to allow the log collector to connect.

Sophos NDR virtual appliance (VA)

The Sophos NDR VA isn't forwarding all the relevant information to the Sophos Data Lake.

The virtual machine hosting the VA may be under-powered. Check the sizing guide for the ESXi server and change the settings of the VM. See Sophos NDR VM size guide.