Integrate with Microsoft Azure Sentinel

Sophos Cloud Optix can send alert data to your Microsoft Azure Sentinel workspace.

To integrate with Microsoft Azure Sentinel, do as follows:

  1. In Microsoft Azure Sentinel, create a new workspace to receive Sophos Cloud Optix alerts.
  2. Copy and save the Workspace ID and the Primary key for your workspace.

    You can find this information in Microsoft Azure, in the Agents Management area in Settings.

  3. In Sophos Cloud Optix, go to Settings and click Integrations.
  4. Click Azure Sentinel.
  5. Click Enable.
  6. Enter the Workspace ID and Primary Key for the workspace you created in Microsoft Azure Sentinel.

    The Log Type field controls the record type for the data sent to Microsoft Azure Sentinel. Sophos sets this to SophosCloudOptix_CL, or you can enter your own alternative.

  7. In Alert Levels, select which Sophos Cloud Optix alerts you want to send to Microsoft Azure Sentinel.
  8. Click Save.

When integration is turned on, Sophos Cloud Optix events appear in your Sentinel workspace in Microsoft Azure. You can query Sophos Cloud Optix data in Microsoft Azure Sentinel to examine the most relevant events. For more details, see Example Microsoft Azure Sentinel queries.