Summary
To monitor logs from your Sophos environment, the Check Point MDR team requires a Client ID and API Key with the proper permissions defined.
If you need any assistance with this procedure, please open a ticket in the MDR Customer portal under "MDR Support" or, if you are currently onboarding, reply to your welcome email, and we will schedule a time to assist.
Note: The following items must be entered on the MDR customer portal profile page when adding the integration. Complete the procedure outlined below before adding them:
- Client ID
- Client Secret
Procedure
Creating the API Key.
1. You will require API Credentials for the MDR service to access events and alert data via the API. In Sophos Central Admin, go to My Products > General Settings > API Credentials Management.
2. Click Add credential on the right of the screen.
3. Enter a Credential name like CP MDR, select the role Service Principal Read-Only, add an optional description, and click Add.
4. On the API credential summary page, use the Copy buttons to make copies of the Client ID and Client Secret. These will be used when adding the integration on the MDR profile page.
After the information is entered and saved on the MDR profile page, you can click Verify to ensure the connection succeeds.
If you have multiple tenants, all will be enabled by default, but you can click the Manage Tenants button to stop a specific tenant from sending logs to MDR.
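One way to confirm the copied Client ID and Client Secret authenticate before entering them on the MDR profile page, as an added example that is not part of the original procedure and is not Check Point or Sophos code. It assumes the public Sophos Central token and whoami endpoints shown in the code; the environment variable names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed public Sophos Central endpoints (not named on this page).
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"


def build_token_request(client_id, client_secret):
    """OAuth2 client-credentials request; the secret travels only in the POST body."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=form, method="POST")


def build_whoami_request(access_token):
    """Ask the API which identity the bearer token belongs to."""
    return urllib.request.Request(
        WHOAMI_URL, headers={"Authorization": "Bearer " + access_token})


def summarize_whoami(body):
    """Reduce a whoami response to what matters for the integration."""
    info = json.loads(body)
    id_type = info.get("idType")
    if id_type not in ("tenant", "organization", "partner"):
        raise ValueError("unexpected idType: %r" % id_type)
    return {
        "id": info["id"],
        "id_type": id_type,
        # organization/partner credentials cover several tenants
        "multi_tenant": id_type != "tenant",
        "data_region": info.get("apiHosts", {}).get("dataRegion"),
    }


def send(req):
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Hypothetical variable names; read from the environment, not from argv.
    token = json.loads(send(build_token_request(
        os.environ["SOPHOS_CLIENT_ID"], os.environ["SOPHOS_CLIENT_SECRET"])))
    print(summarize_whoami(send(build_whoami_request(token["access_token"]))))
```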