# NG SIEM - Sophos Central Integration

##### **Sophos Central Integration**

The Sophos Central integration allows you to monitor Alerts and Events logs. Sophos Central is a cloud-native application with high availability. It is a cybersecurity management platform hosted on public cloud platforms. Each Sophos Central account is hosted in a named region. Sophos Central uses well-known, widely used, and industry-standard software libraries to mitigate common vulnerabilities.

Use the Sophos Central integration to collect logs from the Sophos Central environment managed by your Sophos account. Visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue.

##### **Step-by-Step: How to Get Your Sophos Central API Credentials (Client ID, Client Secret, Tenant ID, Request URL)**

1. **Log in to Sophos Central Admin** Open your browser and go to: [https://central.sophos.com](https://central.sophos.com) Log in with your admin account.
2. **Go to API Credentials Manager** On the left sidebar, click **Global Settings** (gear icon at the bottom). Then click **API Credentials Manager**.
3. **Create a new credential** Click the blue button **+ Add Credential** (top right).
4. **Fill in the details**

    - **Name**: Give it a clear name (e.g., “PowerShell Automation”, “SIEM Integration”, “My Script 2025”)
    - **Role**: Choose the role that matches what you need (usually “Admin” or “Read-Only” is fine)
    - Click **Save** (or **Add**)
5. **Copy the four pieces of information immediately** A new window/pop-up will appear showing:

    | What you need | Value shown in the portal | Action |
    | --- | --- | --- |
    | Client ID | Long string (e.g., 12345678-abcd-1234-efgh-1234567890ab) | Copy it |
    | Client Secret | Long secret key | COPY THIS NOW – it will never be shown again! |
    | Tenant ID (Customer ID) | GUID like a1b2c3d4-e5f6-7890-g1h2-i3j4k5l6m7n8 | Copy it |
    | Request URL | Use the Whoami endpoint first: [https://api.central.sophos.com/whoami/v1](https://api.central.sophos.com/whoami/v1) | Always use this URL first |

    → Click **Copy** buttons or select + Ctrl+C for each field.
    → Paste everything into a secure password manager or your script immediately.
6. **Close the window** Once you’ve copied everything, click **Done** or close the pop-up.
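
The four values can be checked against each other before they are handed over. This added example (not part of the original page, and not Sophos or CyTech code) exchanges the Client ID and Client Secret for a token, calls the Whoami Request URL, and confirms the returned tenant matches the copied Tenant ID. The token endpoint and JSON field names are assumptions taken from Sophos's public API documentation rather than this page; the environment variable names and sample replies are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"  # assumption: not on the page
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"  # Request URL from the page
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"   # constructed value

def http_json(url, headers=None, form=None):
    """Live transport: POST when form fields are given, otherwise GET."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def constructed_http(url, headers=None, form=None):
    """Offline stand-in returning constructed replies shaped like the real ones."""
    if url == TOKEN_URL:
        return {"access_token": "constructed-token", "token_type": "bearer"}
    return {"id": SAMPLE_TENANT, "idType": "tenant",
            "apiHosts": {"global": "https://api.central.sophos.com",
                         "dataRegion": "https://api-xx00.central.sophos.com"}}

def check_credentials(client_id, client_secret, tenant_id, http=http_json):
    """Get a token, call Whoami, and confirm it names the tenant copied from the portal."""
    token = http(TOKEN_URL, form={"grant_type": "client_credentials", "scope": "token",
                                  "client_id": client_id,
                                  "client_secret": client_secret})["access_token"]
    who = http(WHOAMI_URL, headers={"Authorization": f"Bearer {token}"})
    if who.get("idType") != "tenant":
        raise ValueError(f"credential belongs to a {who.get('idType')}, not a tenant")
    if who["id"].lower() != tenant_id.strip().lower():
        raise ValueError("Whoami returned a different Tenant ID than the one copied")
    # Whoami also names the tenant's data-region API host.
    return {"tenant_id": who["id"], "api_host": who["apiHosts"]["dataRegion"]}

if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; keeps the secret out of the script
    if "SOPHOS_CLIENT_SECRET" in env:
        print(check_credentials(env["SOPHOS_CLIENT_ID"], env["SOPHOS_CLIENT_SECRET"],
                                env["SOPHOS_TENANT_ID"]))
    else:
        print(check_credentials("sample-id", "sample-secret", SAMPLE_TENANT,
                                http=constructed_http))
```

Only the tenant ID and API host are printed, so the output can be shared without exposing the Client Secret.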

<p class="callout info">**Please provide the following information to CyTech:**</p>

- **Client ID:**
- **Client Secret:**
- **Tenant ID:**
- **Request URL:**