Sophos Central is currently in beta
To integrate Sophos Central, you will need to create API credentials in the Sophos Central console and provide the resulting Client ID and Client Secret to Wirespeed.

Prerequisites

  • Sophos Central admin access with the ability to manage API Credentials
  • An API credential with the Service Principal Management role
  • Sophos Intercept X / Sophos Central with SIEM Integration enabled (required for alerts and events APIs)

Create API Credentials

  1. Log in to the Sophos Central Admin console
  2. Open Settings & Policies > API Credentials Management
  3. Click Add Credential
  4. Name the credential and assign the Service Principal Management role
  5. Click Add
  6. Copy the Client ID and Client Secret that are displayed
The Client Secret is shown only once at credential creation time. If you lose it, regenerate the credential in Sophos Central.

Add the Integration in Wirespeed

  1. In Wirespeed, navigate to Integrations > Add Integration > Sophos Central
  2. Paste in your Client ID and Client Secret
  3. Submit the integration
On connect, Wirespeed exchanges the credentials for a bearer token at https://id.sophos.com/api/v2/oauth2/token, then calls https://api.central.sophos.com/whoami/v1 to discover and cache:

What Wirespeed Ingests

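| Source    | Sophos API                  | Purpose                                                                  |
|-----------|-----------------------------|--------------------------------------------------------------------------|
| Alerts    | GET /siem/v1/alerts         | Threat detections (malware, ransomware, exploit, behavioral)             |
| Events    | GET /siem/v1/events         | Endpoint telemetry (IPS, AMSI, application control)                      |
| Endpoints | GET /endpoint/v1/endpoints  | Managed endpoint inventory for asset correlation and isolation targeting |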

Response Actions

Wirespeed can isolate and unisolate Sophos-managed endpoints.
The Sophos SIEM API only returns data from the last 24 hours.
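
Because of the 24-hour limit, a collector that is offline for longer cannot backfill what it missed. The following is an added example, not Wirespeed's or Sophos's code, that clamps a resume checkpoint to the window and reports the span that can no longer be fetched. The `from_date` query parameter (Unix seconds), the 5-minute margin and all timestamps are assumptions not stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import urlencode

RETENTION = timedelta(hours=24)       # limit stated on this page
SAFETY_MARGIN = timedelta(minutes=5)  # assumption: headroom for clock skew


@dataclass
class PollPlan:
    path: str                                  # request path plus query string
    from_date: int                             # Unix seconds actually requested
    gap: Optional[Tuple[datetime, datetime]]   # span that can no longer be fetched


def plan_poll(endpoint: str, checkpoint: Optional[datetime], now: datetime) -> PollPlan:
    """Clamp a resume checkpoint to the retention window and report any lost span."""
    floor = now - RETENTION + SAFETY_MARGIN
    gap = None
    if checkpoint is None:
        start = floor                  # first run: take everything still available
    elif checkpoint < floor:
        start = floor                  # too old to request; record what is missing
        gap = (checkpoint, floor)
    else:
        start = min(checkpoint, now)   # a checkpoint in the future means clock drift
    from_ts = int(start.timestamp())
    return PollPlan(f"{endpoint}?{urlencode({'from_date': from_ts})}", from_ts, gap)


if __name__ == "__main__":
    now = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)   # constructed clock
    checkpoints = {                                          # constructed state
        "/siem/v1/alerts": now - timedelta(hours=31),        # collector was down 31 h
        "/siem/v1/events": now - timedelta(minutes=10),      # healthy stream
    }
    for endpoint, checkpoint in checkpoints.items():
        plan = plan_poll(endpoint, checkpoint, now)
        print("GET", plan.path)
        if plan.gap:
            lost_from, lost_until = plan.gap
            print(f"  coverage gap: {lost_from.isoformat()} to {lost_until.isoformat()}")
```

A non-empty `gap` is worth raising as a monitoring alert of its own, since detections from that span were never ingested.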