
Sophos MDR/XDR Integration

Enhance the visibility of your network perimeter

Sophos XDR and MDR integrate seamlessly with Sophos and third-party firewall solutions to analyze security events, monitor incoming and outgoing traffic for signs of malicious behavior, and proactively counter threats early in the attack cycle to safeguard your critical assets from compromise.

Threat actors continuously target external attack surfaces, probing and exploiting vulnerabilities in cyber defenses.


Use Cases

1 | Extend Attack Surface Visibility

Desired outcome: Capture firewall security events to analyze potential exposure or breaches on the network edge.

Solution: The Sophos XDR and MDR Firewall integrations ingest and analyze edge security events caused by external threats, requiring no tuning or training. Detected events undergo a meticulous five-step process to filter noisy alerts, normalize complex telemetry, enrich data with threat intelligence, correlate with data from other security tools, and score to determine the risk.

2 | Enhance Incident Response

Desired outcome: Identify suspicious activities, such as data exfiltration and malware beaconing, to shorten response time.

Solution: Firewall telemetry empowers you and the Sophos MDR service to accelerate incident prioritization and response. Suspicious network traffic patterns, such as initial access and Command and Control communications, are correlated with contextual data from other tools to automatically generate cases for investigation. Analysts can apply host-based IP blocking and additional actions to neutralize threats.

3 | Reduce Alert Fatigue

Desired outcome: Offload high-volume alert inspection to Sophos threat experts.

Solution: Network security tools can generate huge volumes of telemetry data. Analyzing and verifying threat activity in that data is time-consuming, and many organizations lack the resources to do it. The Sophos XDR and MDR Firewall integrations ensure security events generated by your firewalls are inspected and reviewed for malicious intent, enabling your team to focus on business enablement.

4 | Address Cyber Insurance and Compliance Goals

Desired outcome: Incorporate security controls that help meet mandated security posture requirements.

Solution: Storing and inspecting security events is critical to many cyber insurance and compliance frameworks, which encourage using security information and event management (SIEM) tools. The Sophos XDR and MDR Firewall integrations help you address regulatory requirements with comprehensive logging, monitoring, effective threat response against cyberattacks, and validating security posture efforts.

Integrate Cisco Meraki (Log Collector)

You can integrate Cisco Meraki with Sophos Central so that it sends data to Sophos for analysis. This integration uses a log collector hosted on a virtual machine (VM). Together, they're called an integration appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

Key Steps

The key steps in an integration are as follows:

  • Add an integration for this product. In this step, you create an image of your appliance.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure Meraki to send data to the appliance.

Add an Integration

To add the integration, do as follows:

  • In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  • Click Cisco Meraki.
  • The Cisco Meraki page opens. You can add integrations here and see a list of any you've already added.
  • In Data Ingest (Security Alerts), click Add Configuration.

Configure the Appliance

In the integration setup steps, you can configure a new appliance or use an existing one. The example below assumes you are creating a new appliance.

  • Enter an integration name and description.
  • Click Create new appliance.
  • Enter a name and description for the appliance.
  • Select the virtual platform:
    • VMware ESXi 6.7 Update 3 or later
    • Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later
  • Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.
  • Select DHCP to assign the IP address automatically. If you select DHCP, reserve the address on your DHCP server so that it does not change.
  • Select Manual to specify network settings.
  • Select the Syslog IP version and enter the Syslog IP address. You’ll need this IP later when configuring Meraki.
  • Select a Protocol (for example UDP or TCP). You must use the same protocol when you configure Meraki to send data to your appliance; if the two sides disagree, the appliance listens but never receives any data.
  • Click Save.

Once created, the integration appears in your list. In the integration details, you can view the port number for the appliance — required later when configuring Meraki. It may take a few minutes for the appliance image to be ready.


Configure Cisco Meraki

Now configure Cisco Meraki to send data to your appliance.

Note: You can configure multiple instances of Cisco Meraki to send data to Sophos via the same appliance. After finishing the integration, repeat the steps in this section for other Meraki instances. You don’t need to repeat steps in Sophos Central.

  • Sign in to the Meraki Dashboard.
  • Go to Network-wide > Configure > General.
  • Scroll down to Reporting and click Add a syslog server.
  • Enter the following connection details for your appliance:
    • IP address: The syslog IP address you set in Sophos Central.
    • Port number: Use the same port number specified in Sophos Central.
  • Add the following roles to configure the data sent to your appliance:
    • Event Logs — Security events and appliance logs.
    • Flows — Traffic flow messages (source, destination, ports).
    • IDS Alerts — Intrusion detection system alerts.
  • Click Save when prompted with “You have unsaved changes.”

Note: If the Flows role is enabled on an MX security appliance, individual firewall rule logging can be toggled on or off at Security appliance > Configure > Firewall in the Logging column.
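To see what the three roles above look like once they reach the appliance, and to confirm that the protocol you selected in Sophos Central is the one the Meraki side is sending with, here is an added Python example. It is not part of this page or of Sophos or Cisco documentation. It assumes Meraki's documented syslog layout of an epoch timestamp, device name, role name and key=value pairs (flow lines ending in "pattern: <verdict> <rule>"), optionally preceded by a syslog PRI such as "<134>1". The device name MX84, the addresses, the sample lines, the severity cut-offs and the beaconing threshold are all constructed for illustration, and send_test_line is a hypothetical helper, not a Sophos tool.

```python
"""Parse and triage Cisco Meraki syslog lines for the roles enabled above
(Event Logs, Flows, IDS Alerts), plus a crude beaconing check over Flows.

Added example, not Sophos or Cisco code. Assumes Meraki's documented layout
"<epoch> <device> <role> key=value ...", optionally prefixed by "<PRI>1".
"""
import re
import socket
import statistics
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Roles as named under Meraki Dashboard > Network-wide > General > Reporting.
KNOWN_ROLES = {"events", "flows", "ids-alerts"}

# Header: optional "<PRI>ver ", epoch seconds, device name, role, remainder.
_HEADER = re.compile(
    r"^(?:<\d+>\d*\s+)?(?P<ts>\d+(?:\.\d+)?)\s+(?P<dev>\S+)\s+(?P<role>\S+)\s*(?P<rest>.*)$"
)
# key=value pairs; values may be single- or double-quoted.
_KV = re.compile(r"""([\w.-]+)=('[^']*'|"[^"]*"|\S+)""")
# Flow lines end in "pattern: <verdict> <rule>" rather than a key=value pair.
_PATTERN = re.compile(r"pattern:\s*(?P<verdict>\S+)\s*(?P<rule>.*)$")


@dataclass
class MerakiEvent:
    timestamp: float
    device: str
    role: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[MerakiEvent]:
    """Return a MerakiEvent, or None if the line has no Meraki-shaped header."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = {k: v.strip("'\"") for k, v in _KV.findall(rest)}
    p = _PATTERN.search(rest)
    if p:
        fields["verdict"] = p.group("verdict")
        fields["rule"] = p.group("rule").strip()
    return MerakiEvent(float(m.group("ts")), m.group("dev"), m.group("role"), fields)


def triage(ev: MerakiEvent) -> str:
    """Coarse severity for ordering review; the cut-offs are this example's choice."""
    if ev.role not in KNOWN_ROLES:
        return "ignore"
    if ev.role == "ids-alerts":
        # Snort-style priority: 1 is the most severe.
        return "high" if int(ev.fields.get("priority", "3")) <= 2 else "medium"
    if ev.role == "flows":
        # Denied flows only appear when per-rule logging is on (see the note above).
        return "medium" if ev.fields.get("verdict") == "deny" else "low"
    return "low"


def find_beacons(events: List[MerakiEvent], min_flows: int = 4,
                 max_jitter: float = 0.2) -> List[Tuple[str, str, str]]:
    """Flag (src, dst, dport) tuples whose allowed flows recur at near-constant
    intervals: coefficient of variation of the gaps at or below max_jitter.
    Illustrative heuristic, not Sophos detection logic."""
    by_tuple: Dict[Tuple[str, str, str], List[float]] = defaultdict(list)
    for ev in events:
        if ev.role == "flows" and ev.fields.get("verdict") == "allow":
            f = ev.fields
            by_tuple[(f.get("src", ""), f.get("dst", ""), f.get("dport", ""))].append(ev.timestamp)
    hits = []
    for key, times in by_tuple.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(key)
    return hits


def send_test_line(host: str, port: int, protocol: str, line: str) -> None:
    """Push one line to the appliance using the protocol chosen in Sophos Central.
    A probe sent with the wrong transport is silently dropped, which is the usual
    cause of an integration that shows no data; confirm arrival in Sophos Central."""
    udp = protocol.lower() == "udp"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM if udp else socket.SOCK_STREAM) as s:
        if udp:
            s.sendto(line.encode(), (host, port))
        else:
            s.connect((host, port))
            s.sendall((line + "\n").encode())


# Constructed sample lines in the assumed Meraki layout (not captured traffic).
SAMPLE_LINES = [
    "<134>1 1700000000.100 MX84 ids-alerts signature=1:28423:1 priority=1 timestamp=1700000000.09 "
    "dhost=00:18:0A:01:02:03 direction=ingress protocol=tcp/ip src=203.0.113.9:80",
    "<134>1 1700000001.000 MX84 flows src=10.0.0.5 dst=198.51.100.7 mac=00:18:0A:01:02:04 "
    "protocol=tcp sport=51000 dport=445 pattern: deny all",
    "<134>1 1700000002.000 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' "
    "peer_contact='198.51.100.20:500' connectivity='true'",
] + [
    f"<134>1 {1700000000 + 60 * i}.000 MX84 flows src=10.0.0.23 dst=192.0.2.44 "
    f"mac=00:18:0A:01:02:05 protocol=tcp sport={52000 + i} dport=443 pattern: allow all"
    for i in range(5)
]


def run(lines: List[str] = SAMPLE_LINES) -> Dict[str, object]:
    """Parse all lines and return a summary a reviewer can act on."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return {
        "parsed": len(events),
        "severity": [(ev.role, triage(ev)) for ev in events],
        "beacons": find_beacons(events),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

Running the script on the constructed lines gives one high (IDS alert), one medium (denied SMB flow), the VPN event as low, and flags 10.0.0.23 talking to 192.0.2.44:443 every 60 seconds as a possible beacon. To check the transport, call send_test_line with the Syslog IP, the port shown in the integration details and the protocol you selected, then confirm in Sophos Central that the appliance reports data; a probe that is accepted locally but never appears there almost always means the Meraki side is using a different protocol or port.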
