Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=integrations

About MDR and XDR integrations

This page tells you about the different integration types and setup methods. If you just want to get started, see Get started.

Looking for help with the Integration Appliances tab? See Integration appliances.

Sophos MDR and XDR integrations let you integrate other security products with Sophos Central. These can be other Sophos products or third-party products.

You can set up two kinds of integration:

  • Data Ingest: The product sends data to the Sophos Data Lake. You can then query that data in our Threat Analysis Center.
  • Response Action: You can resolve detected issues from Sophos Central via a third-party product.

Response Action integrations aren't available for all products yet.

Integration setup methods

There are several types of integration, with different setup methods:

  • REST API
  • Log collector
  • Sophos product (for example, Sophos NDR or Sophos Firewall)

Log collector integrations and Sophos NDR require a virtual machine (VM). REST API integrations don't.

The setup methods you can use depend on the product you want to integrate.

REST API integrations

To integrate a product that uses an API, you must collect authentication information about your account for that product.

The information you need differs from product to product. Our integration assistant prompts you for the information.

API integrations require a credential for access to the third-party product. You can create this during integration setup or you can use our credential manager. See Integration credentials.

Log collector integrations

Log collector integrations use the Sophos log collector to collect data from the third-party product and add it to the Sophos Data Lake.

You install the log collector on a virtual machine. Our assistant helps you configure an image file which you download and deploy on a VM. The image file includes the log collector application.

A Sophos appliance is a virtual machine hosting a log collector.

You then configure your third-party product to send data to the appliance. This uses the third-party product's syslog export function. You give the connection details of your appliance instead of a syslog server.

For more information, see the help for the integration you want to add.

For Sophos appliance requirements, see Appliance requirements.

For help with collecting Sophos appliance logs for troubleshooting, see Appliance logs.

Multiple integrations

You can send data from multiple integrations to the same appliance:

  • If you've already set up Sophos NDR, add third-party integrations and select the same appliance in Sophos Central.
  • If you've already set up a third-party integration, add other third-party integrations and select the same appliance in Sophos Central.

You can also set up multiple integrations of the same product to use a single appliance. Do this as follows:

  1. Set up an integration in Sophos Central.
  2. Configure your third-party product to use your appliance.

  3. Repeat the third-party product configuration for the extra instances of the product.

    Direct these instances to the same appliance.

    You don't have to repeat the Sophos Central part of the setup.