> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sophos Central

> Connect Sophos Central to import security alerts, events, and endpoint data.

export const ConnectInPlatform = ({tile, children}) => <Step title="Enter the credentials in the Living Security Platform">
    <p>
      Completed by whoever holds Living Security access — the program owner, or the system
      admin if they've been invited (delegated setup).
    </p>
    <ol>
      <li>
        Go to <strong>Settings → Integrations → Catalog</strong>, find the{' '}
        <strong>{tile}</strong> tile, click <strong>Connect</strong>.
      </li>
      <li>
        Fill in the fields below, then click <strong>Connect</strong>.
      </li>
    </ol>
    {children}
  </Step>;

export const SystemAdminBanner = ({system, recommendDelegated}) => <Note>
    <p>
      <strong>This guide is for your {system} administrator.</strong> It covers creating API
      credentials inside {system}, which requires admin access to {system} — not to the
      Living Security Platform.
    </p>
    <p>
      If you're the Living Security <strong>program owner</strong> and don't administer {system},
      send this page to whoever does. They complete Part A and hand the credentials back to you
      (or enter them directly if you've invited them into the platform).
      {recommendDelegated && <>
          {' '}Because setup produces sensitive key material, we recommend the{' '}
          <strong>delegated setup</strong> path so the secret is never sent back to you.
        </>}
    </p>
  </Note>;

<SystemAdminBanner system="Sophos Central" recommendDelegated={true} />

## What Living Security needs

| Credential        | Description                                                             |
| ----------------- | ----------------------------------------------------------------------- |
| **Client ID**     | The identifier for the API credential generated in Sophos Central Admin |
| **Client secret** | The secret for the API credential (displayed only once at creation)     |

**Scopes:** Read access to alerts, events, and endpoints

**Required role:** **Super Admin** (to create API credentials); credential role should be **Service Principal Read-Only**

<Note>
  Sophos Central uses OAuth2 client credentials. After you connect, Living Security calls the Sophos `whoami` endpoint to automatically resolve your **tenant ID** and **data region URL** — you do not need to look these up manually.
</Note>

### Prerequisites

* You must be signed in to Sophos Central Admin as a **Super Admin**. Only Super Admins can create and manage API credentials.

***

## Part A — In Sophos Central

*Your Sophos administrator completes these steps.*

<Steps>
  <Step title="Open API Credentials">
    1. Sign in to [Sophos Central Admin](https://central.sophos.com).
    2. Click the **Global Settings** icon (gear icon) in the left navigation.
    3. Under **Access Control**, select **API Credentials**.
  </Step>

  <Step title="Add a new credential">
    1. Click **Add Credential**.
    2. Enter a **Name** for the credential (e.g., `Living Security Platform`).
    3. Enter an optional **Description** (e.g., `Read access for Living Security platform integration`).
  </Step>

  <Step title="Select a role">
    Select a role for the credential, then click **Add**.

    | Role                            | Access level                                                                    |
    | ------------------------------- | ------------------------------------------------------------------------------- |
    | **Service Principal Read-Only** | View-only access to account data — sufficient for alerts, events, and endpoints |

    <Note>
      **Service Principal Read-Only** grants the least privilege needed for this integration. It allows Living Security to read security alerts, SIEM events, and endpoint inventory without the ability to modify settings or take remediation actions.
    </Note>
  </Step>

  <Step title="Copy your client ID and client secret">
    After clicking **Add**, Sophos Central displays the generated **Client ID** and **Client Secret**. **Copy both values immediately** and store them securely.

    <Warning>
      Sophos Central displays the **client secret only once**. If you navigate away without copying it, you must delete the credential and create a new one.
    </Warning>
  </Step>
</Steps>

***

## Part B — In the Living Security Platform

*The program owner completes this step, or the system admin if using delegated setup.*

<Steps>
  <ConnectInPlatform tile="Sophos Central">
    | Field               | Value                                       |
    | ------------------- | ------------------------------------------- |
    | **API Key**         | The client secret from Part A, Step 4       |
    | **Data region URL** | Pre-filled automatically — leave at default |
    | **Tenant ID**       | Pre-filled automatically — leave at default |

    <Note>
      The **Data region URL** and **Tenant ID** fields are resolved automatically after authentication via the Sophos `whoami` endpoint. Leave them at their pre-filled defaults unless instructed otherwise.
    </Note>

    <img src="https://mintcdn.com/livingsecurity/oVkrOMkYmNevekTI/integrations/images/sophos-central/connect-dialog.png?fit=max&auto=format&n=oVkrOMkYmNevekTI&q=85&s=0fb94d41ece4396eea6ca25149c045c2" alt="Living Security connect dialog for Sophos Central" style={{maxWidth: "450px"}} width="576" height="546" data-path="integrations/images/sophos-central/connect-dialog.png" />
  </ConnectInPlatform>
</Steps>

You are now connected to Sophos Central.

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="401 Unauthorized">
    The API credential may be invalid, expired, or automatically removed by Sophos. Return to **Global Settings → Access Control → API Credentials** in Sophos Central Admin to verify the credential exists, and create a new one if needed.

    <Note>
      Sophos Central does not send alerts before credential expiration. Set a calendar reminder to rotate credentials according to your security policy.
    </Note>
  </Accordion>

  <Accordion title="403 Forbidden">
    The credential role does not grant read access to the required resources. Role cannot be changed after credential creation — create a new credential with **Service Principal Read-Only** role and remove the old one.
  </Accordion>

  <Accordion title="Missing Client ID field">
    The connection dialog's **API Key** field accepts the client secret. The Client ID is handled separately during OAuth2 token exchange. If prompted for Client ID, enter it in the designated field or contact support.
  </Accordion>
</AccordionGroup>
