Integrate with Azure Sentinel

Sophos Cloud Optix can send alert data to your Microsoft Azure Sentinel workspace.

Note: This feature isn't yet available for all customers. To use this feature, contact your Sophos account manager.

To integrate with Azure Sentinel, do as follows:

  1. In Azure Sentinel, create a new workspace to receive Sophos Cloud Optix alerts.
  2. Copy and save the Workspace ID and the Primary key for your workspace.

    You can find this information in Azure, in the Agents Management area in Settings.

  3. In Sophos Cloud Optix, go to Settings > Integrations.
  4. Click Azure Sentinel.
  5. Enter the Workspace ID and Primary key for the workspace you created in Azure Sentinel.

    The Log Type field controls the record type (the custom log table) for the data sent to Azure Sentinel. By default Sophos sets this to SophosCloudOptix_CL; you can enter an alternative of your own.

  6. In Alert Levels, select which Sophos Cloud Optix alerts you want to send to Azure Sentinel.
  7. To turn on the integration, select Enable, and then click Save.
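The Workspace ID and Primary key copied in step 2 are the credentials of the Azure Monitor HTTP Data Collector API, the interface a Log Analytics workspace exposes for writing custom log records. The Python block below is an added example, not Sophos code and not a description of how Sophos Cloud Optix itself submits records; it uses placeholder credentials and a constructed alert record (both labelled as such) and shows how a client signs a POST to that API with the shared key, which Log-Type header value produces the SophosCloudOptix_CL table referred to on this page, and how a receiver verifies such a signature.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder credentials: a real Workspace ID is the GUID shown
# under Agents management, and the Primary key is that page's base64 shared key.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PRIMARY_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()

# Log Analytics appends "_CL" to the Log-Type header value, so sending
# "SophosCloudOptix" yields the SophosCloudOptix_CL table named on this page.
LOG_TYPE = "SophosCloudOptix"

# A constructed sample alert record; the field names are illustrative only.
SAMPLE_ALERTS = [
    {"AlertId": "demo-0001", "Severity": "High",
     "Description": "constructed sample alert for testing ingestion"},
]

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"


def rfc1123_now() -> str:
    """Current UTC time in the RFC 1123 form the x-ms-date header requires."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def string_to_sign(content_length: int, date: str, method: str = "POST",
                   content_type: str = "application/json") -> str:
    """The canonical string the Data Collector API expects the client to sign."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{date}\n{API_RESOURCE}"


def build_signature(workspace_id: str, shared_key: str,
                    content_length: int, date: str) -> str:
    """Authorization header value: SharedKey <workspace id>:<base64 HMAC-SHA256>.

    The shared key is base64-decoded before use; the HMAC covers the UTF-8
    string to sign, so body length, date and path are all bound to the key."""
    key_bytes = base64.b64decode(shared_key)
    digest = hmac.new(key_bytes, string_to_sign(content_length, date).encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(records, workspace_id=WORKSPACE_ID, shared_key=PRIMARY_KEY,
                  log_type=LOG_TYPE, date=None) -> dict:
    """Assemble URL, headers and body for one POST of records (nothing is sent)."""
    body = json.dumps(records, separators=(",", ":"))
    date = date or rfc1123_now()
    content_length = len(body.encode("utf-8"))
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com"
               f"{API_RESOURCE}?api-version={API_VERSION}",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": build_signature(workspace_id, shared_key, content_length, date),
            "Log-Type": log_type,
            "x-ms-date": date,
        },
        "body": body,
    }


def verify_request(request: dict, shared_key: str) -> bool:
    """Recompute the signature from the request as received and compare it in
    constant time. Any change to the body, date or key invalidates the header."""
    auth = request["headers"]["Authorization"]
    workspace_id = auth.split(" ", 1)[1].split(":", 1)[0]
    expected = build_signature(workspace_id, shared_key,
                               len(request["body"].encode("utf-8")),
                               request["headers"]["x-ms-date"])
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    req = build_request(SAMPLE_ALERTS)
    print(req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
    print(req["body"])
```

Because the Primary key alone authorizes writes to the whole workspace, treat it as a secret in the same class as the Workspace ID plus key pair shown under Agents management: keep it in a secret store rather than in scripts, and if it is exposed, regenerate it in Azure and re-enter the new value in the Sophos Cloud Optix integration settings.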

When integration is turned on, Sophos Cloud Optix events appear in your Sentinel workspace in Azure. You can query Sophos Cloud Optix data in Azure Sentinel to examine the most relevant events. For more details, see Example Azure Sentinel queries.