# Collect data from Sophos

## Overview

Get SIEM Integration events from Sophos.

## Configuration

### Secrets

* `secrets.Sophos_Client_ID` will reference the Client ID.
* `secrets.Sophos_Client_Secret` will reference the Client Secret.


To add a Secret, open the **Secret** fields and click **New secret**:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.


{% hint style="info" %}
Learn more about secrets in Onum in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}

You can now select the secret you just created in the corresponding fields.

After entering the required secrets, you can choose to manually enter the Sophos SIEM integration event fields, or simply paste the given YAML:

{% tabs %}
{% tab title="Config as YAML" %}
Toggle this **ON** to enable a free text field where you can paste the **Sophos SIEM Integration events** YAML below.

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.Sophos_Client_ID}'
        - name: client_secret
          value: '${secrets.Sophos_Client_Secret}'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element

collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element
```

{% endtab %}

{% tab title="Manually configure" %}
**Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

* **Duration -** 5 minutes (`5m`) as default, adjust based on your needs.
* **Offset -** `5m`
* **Format** - `Epoch`

**Authentication Phase**

Toggle **ON** to set the Authentication settings.

* **Type**<mark style="color:red;">**\***</mark> - `token`
* **Request Method**<mark style="color:red;">**\***</mark> - `POST`
* **URL**<mark style="color:red;">**\***</mark> - `https://id.sophos.com/api/v2/oauth2/token`
* **Headers**
  * **Name** - `Content-type`
  * **Value** - `application/x-www-form-urlencoded`
* **Body Type**<mark style="color:red;">**\***</mark> - `UrlEncoded`
  * **Body params**
    * **Name** - `grant_type`
    * **Value** - `client_credentials`
    * **Name** - `client_id`
    * **Value** - `${secrets.Sophos_Client_ID}`
    * **Name** - `client_secret`
    * **Value** - `${secrets.Sophos_Client_Secret}`
    * **Name** - `scope`
    * **Value** - `token`
* **Token Path**<mark style="color:red;">**\***</mark> - `.access_token`
* **Auth Injection**
  * **In**<mark style="color:red;">**\***</mark> - `header`
  * **Name**<mark style="color:red;">**\***</mark> - `authorization`
  * **Prefix** - `Bearer ` (keep the trailing space so the header value reads `Bearer <token>`)
  * **Suffix** - `''`

#### **Enumeration Phase**

Toggle **ON** to configure the enumeration phase. This phase calls the Sophos `whoami` endpoint once; its response provides the tenant ID and the data-region API host, both of which the collection phase needs in order to request SIEM events.

* **Pagination Type**<mark style="color:red;">**\***</mark> - `none`
* **Request**
  * **Response Type**<mark style="color:red;">**\***</mark> - `JSON`
  * **Method**<mark style="color:red;">**\***</mark> - `GET`
  * **URL**<mark style="color:red;">**\***</mark> - `https://api.central.sophos.com/whoami/v1`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Accept-Encoding`
    * **Value** - `gzip, deflate`
    * **Name** - `Content-Type`
    * **Value** - `application/json`
    * **Name** - `Cache-Control`
    * **Value** - `no-cache`
* **Output**
  * **Select** - `.`
  * **Filter** - `.`
  * **Map** - `.`
  * **Output Mode** - `element`

#### **Collection Phase**

* **Inputs**
  * **Source** - `input`
  * **Name** - `tenantId`
  * **Expression** - `.id`
  * **Format** - `''`
  * **Source** - `input`
  * **Name** - `dataRegionURL`
  * **Expression** - `.apiHosts.dataRegion`
  * **Format** - `''`
* **Pagination Type**<mark style="color:red;">**\***</mark> - `cursor`
* **Cursor Selector**<mark style="color:red;">**\***</mark> - `.next_cursor`
* **Initial Request**
  * **Method**<mark style="color:red;">**\***</mark> - `GET`
  * **URL**<mark style="color:red;">**\***</mark> - `${inputs.dataRegionURL}/siem/v1/events`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Accept-Encoding`
    * **Value** - `gzip, deflate`
    * **Name** - `X-Tenant-ID`
    * **Value** - `${inputs.tenantId}`
  * **Query Params**
    * **Name** - `from_date`
    * **Value** - `${temporalWindow.from}`
* **Next Request**
  * **Method**<mark style="color:red;">**\***</mark> - `GET`
  * **URL**<mark style="color:red;">**\***</mark> - `${inputs.dataRegionURL}/siem/v1/events`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Accept-Encoding`
    * **Value** - `gzip, deflate`
    * **Name** - `X-Tenant-ID`
    * **Value** - `${inputs.tenantId}`
  * **Body type**<mark style="color:red;">**\***</mark> - there is no required body type because the parameters are included in the URL. However, these fields are mandatory, so select `raw` and enter the `{}` placeholder.
* **Output**
  * **Select** - `.items`
  * **Filter** - `.`
  * **Map** - `.`
  * **Output Mode** - `element`
{% endtab %}
{% endtabs %}

This HTTP Pull Listener now pulls SIEM Integration events from Sophos.
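To check that the credentials and tenant permissions work before relying on the listener, here is an added Python example (not Onum's or Sophos's own code) that performs the same three phases the configuration above describes: token request, `whoami` lookup, then cursor-paginated `/siem/v1/events` calls. Endpoint URLs and headers are the ones from the YAML; the sample responses and the `https://api-xx.example` data-region host are constructed, and stopping on the response's `has_more` flag is this example's choice.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

def http_json(method, url, headers, body=None):
    # Live transport (not used by the offline demo): send the request, parse JSON.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def collect_sophos_events(client_id, client_secret, from_epoch, transport=http_json):
    # Authentication phase: client_credentials grant with scope=token, as in the YAML.
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
        "client_id": client_id, "client_secret": client_secret, "scope": "token"})
    tok = transport("POST", TOKEN_URL, {"Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded"}, form.encode())
    auth = {"Accept": "application/json",
            "Authorization": "Bearer " + tok["access_token"]}  # prefix keeps its space
    who = transport("GET", WHOAMI_URL, auth)  # enumeration phase: tenant id + region host
    headers = dict(auth, **{"X-Tenant-ID": who["id"]})
    url = who["apiHosts"]["dataRegion"] + "/siem/v1/events"
    # Collection phase: from_date on the first request, cursor on the following ones;
    # this example stops when the response's has_more flag is false.
    query, events = {"from_date": str(from_epoch)}, []
    while True:
        page = transport("GET", url + "?" + urllib.parse.urlencode(query), headers)
        events.extend(page.get("items", []))
        if not page.get("has_more") or not page.get("next_cursor"):
            return events
        query = {"cursor": page["next_cursor"]}

# Constructed sample responses (not real Sophos data) so the flow runs offline.
SAMPLE = {
    "POST " + TOKEN_URL: {"access_token": "tok123", "token_type": "bearer"},
    "GET " + WHOAMI_URL: {"id": "tenant-1", "idType": "tenant",
                          "apiHosts": {"dataRegion": "https://api-xx.example"}},
    "GET https://api-xx.example/siem/v1/events?from_date=1700000000":
        {"items": [{"id": "e1"}], "has_more": True, "next_cursor": "c2"},
    "GET https://api-xx.example/siem/v1/events?cursor=c2":
        {"items": [{"id": "e2"}], "has_more": False, "next_cursor": "c3"},
}

def fake_transport(method, url, headers, body=None):
    # Every call after the token request must carry the injected bearer header.
    assert url == TOKEN_URL or headers["Authorization"] == "Bearer tok123", headers
    return SAMPLE[method + " " + url]

def demo():
    return collect_sophos_events("cid", "csecret", 1700000000, fake_transport)
```

Swap `fake_transport` for the default `http_json` and pass your real client ID, client secret and an epoch `from_date` to run the same flow against Sophos Central.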

Click **Create labels** to move on to the next step and define the required [Labels](/the-workspace/listeners/labels.md) if needed.
