Sophos Endpoint Protection Out-of-the-Box Response Integration

Sophos Endpoint Protection Out-of-the-Box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

Requirements

  • Sophos Central
  • Lumu License
    • An active Lumu Defender subscription

Configure Sophos Central

1. Log in on the Sophos Central UI

2. Click on the Global Settings option.



3. Click on the API Management credentials option to create the credentials for API use.

4. Click on Add Credential .

5. Create a personal Credential with the Service Principal Super Admin Role.

6. You will see something like the following. Save your Client Secret in a secure place.

Lumu encrypts this information both in transit and at rest to ensure token confidentiality is maintained.

Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the available apps screen.

2. Locate the Sophos Endpoint Protection integration in the available apps area, then click Add to view details.

3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.

Do not modify the “Lumu IOCs” tag name under Website Management or the Blocked Item list records.

4. Add a Name, and select the Threat Types that you want to push to your Sophos Control cloud. If you want to include IP indicators, you should select the option “ Include IP indicators “. Finally, click on the Next button.


The integration adds URLs, domains, and file hashes by default.
5. Fill in the Client ID, and the Client Secret for that account. Finally, click on the Next button.

Lumu will validate if the credentials provided are correct.

Configuration for Single Tenant accounts

6a. Here you will see your Tenant ID and the corresponding base URL of your Tenant.


Configuration for Partner or Organization accounts

6b. You will need to select the Tenant Name that you want to work with.

Make sure you select the tenant that corresponds to the configured Lumu account.

7. The integration is now created and active. Now, the Lumu Portal will display the details of the created integration:


Once the integration is activated, the Sophos Central Tag Name in Website Management and the Blocked Items List will be updated with confirmed compromises found by Lumu within the preceding 3 days.

Configure Threat Blocking

The final step to set up this automated response integration is to configure Sophos to block the threats detected by Lumu. To do so, follow these steps in your Sophos Central  Web console to configure your Sophos policies to block navigation to the Lumu tag. 

  1. Click on the Endpoint Protection link in the left navigation bar.
  2. Under the CONFIGURE section in the Endpoint Protection navigation bar, click on Policies .
  3. Select and modify your Web Control policies to block traffic to the Lumu  tag. Click on the policy, and go to the Settings tab.
  4. Under the Settings window, enable the Control sites tagged in Website Management . Add a new tag, select the Lumu tag, and set the action to Block . Save the policy.
Remember to enable the SSL/TLS decryption of HTTPS websites feature under the Threat Protection Policy
        • Related Articles

        • Harmony Endpoint Out-of-the-Box Response Integration

          Requirements An active Harmony Endpoint Basic or above subscription An account with administrative privileges that allows you to access the Infinity Portal and manage API keys for the Endpoint service. An active Lumu Defender subscription Create API ...
        • Sophos Antivirus Custom Response Integration

          Before going through this article, check our Out-of-the-box App Integrations category . This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised ...
        • Trend Vision One Out-of-the-Box Response Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. Requirements Trend Vision One Make sure you read the Suspicious Object Management article on the Trend Micro documentation thoroughly to ensure a smooth ...
        • Symantec Endpoint Protection Custom Response Integration

          Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised ...
        • Microsoft Defender Out-of-the-Box Response Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. Microsoft Azure is now called Entra ID Requirements One of the following Microsoft plans: Microsoft 365 Business Premium Microsoft 365 E3/E5 Microsoft ...