Sophos Integration

Overview

This integration collects logs from both Sophos XGS Firewall and Intercept X Endpoint via Sophos Central. A single API covers firewall and endpoint events.

Supported products: Sophos XGS Firewall, Intercept X (Endpoint), Sophos Central

Prerequisites

A KYRA MDR Collector installed and running (Installation Guide)
Sophos Central admin account with API access
For syslog: network connectivity from XGS Firewall to the collector on port 514

Configuration

Option 1: Sophos Central API (Recommended)

The Sophos Central SIEM API provides unified access to firewall and endpoint events.

Log in to Sophos Central
Navigate to Settings > API Credentials
Create API credentials and note the Client ID and Client Secret
Provide these credentials to KYRA MDR during integration setup

GET https://api.central.sophos.com/siem/v1/alerts
Authorization: Bearer <token>

Option 2: Syslog (XGS Firewall Only)

Log in to the XGS Firewall console
Navigate to System Services > Log Settings
Add a syslog server pointing to your KYRA Collector IP on port 514

device="SFW" date=2026-03-20 time=10:30:00 log_type="Firewall" log_component="Firewall Rule"

Collected Log Types

Log Type	Security Use	Priority
Firewall traffic	Network flow and policy monitoring	High
IPS events	Intrusion detection	Critical
VPN	Remote access monitoring	High
Web Filter	Web access policy enforcement	Medium
Application Control	Application visibility	Medium
Endpoint AV (Intercept X)	Malware detection on endpoints	Critical
EDR/XDR alerts	Advanced threat detection	Critical
Admin activity	Configuration change auditing	High

Troubleshooting

API Connection Issues

Verify the Client ID and Client Secret are correct
Ensure the API credentials have SIEM permissions enabled
Check that outbound HTTPS access to api.central.sophos.com is not blocked

No Syslog Logs

Verify the syslog server IP and port in XGS settings
Ensure port 514 is open between the firewall and collector

For additional help, contact kyra@seekerslab.com.