> For the complete documentation index, see [llms.txt](https://docs.blusapphire.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.blusapphire.io/log-forwarding/03_log-forwarding-guide/log-forward/sophos/sophos-edr-integration.md).

# Sophos EDR Integration

**Step-1:** Download the Sophos Central SIEM integration package

Confirm that Python 3 is installed:

`python3 --version`

Clone the Sophos repository and create the configuration file from the shipped sample:

`git clone -b master https://github.com/sophos/Sophos-Central-SIEM-Integration.git`

`cd Sophos-Central-SIEM-Integration/`

`cp config.ini.sample config.ini`

`vi config.ini`

Add the Sophos Central API `client_id`, `client_secret` and `tenant_id`, then save the file. `config.ini` now holds the API secret, so restrict it to the account that will run the collector (for example `chmod 600 config.ini`, owned by that user).

Run `siem.py` once by hand and confirm that it authenticates and pulls events from Sophos Central:

`python3 siem.py`

Then check the output file in the `log` directory of the cloned repository:

`cd log`

`tail result.txt`

**Step-2:** Create sophos-siem.service

Unit files live under `/etc/systemd/system` (not `/etc/systemctl/system`):

`cd /etc/systemd/system`

`sudo vi sophos-siem.service`

Paste the following content into the file and save it. Adjust `User` and `WorkingDirectory` to the account and directory used in Step-1. `ExecStart` uses the full path to both the interpreter and the script, because systemd does not search the service user's `PATH` (and older versions reject a bare `python3`):

```
[Unit]
Description=SIEM_Collector
After=network.target

[Service]
User=blusapphire
WorkingDirectory=/home/blusapphire/Sophos-Central-SIEM-Integration
ExecStart=/usr/bin/python3 /home/blusapphire/Sophos-Central-SIEM-Integration/siem.py
RemainAfterExit=no
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target
```

Reload systemd so it picks up the new unit, then enable and start it and verify that it is running:

`sudo systemctl daemon-reload`

`sudo systemctl enable sophos-siem.service`

`sudo systemctl start sophos-siem.service`

`systemctl status sophos-siem.service`

`Restart=always` with `RestartSec=3` re-runs `siem.py` three seconds after every exit. If the script exits after each polling pass rather than looping, this is what keeps the collector polling; raise `RestartSec` if a less aggressive polling interval against the Sophos Central API is wanted.

**Step-3:** Rotate the Sophos output file with logrotate

`siem.py` keeps appending to `log/result.txt`, so add a logrotate policy for it:

`cd /etc/logrotate.d`

`sudo nano sophos`

Paste the following content into the file and save it:

```
/home/blusapphire/Sophos-Central-SIEM-Integration/log/result.txt {
    size 10M
    rotate 5
    compress
    delaycompress
    missingok
    notifempty
}
```

Check the policy with a dry run. `-d` is logrotate's debug mode: it prints what it would do and changes nothing, so use it only for this check:

`sudo logrotate -d /etc/logrotate.d/sophos`

The `size 10M` condition is only evaluated when logrotate runs. On most distributions a file in `/etc/logrotate.d` is already processed by the daily system logrotate job; to have the size checked hourly, add an entry to root's crontab:

`sudo crontab -e`

Add the Sophos line and save, leaving any existing entries (such as the `threatintel_cache.py` job shown here) in place. Use the full path to `logrotate` (typically `/usr/sbin/logrotate`; confirm with `command -v logrotate`), because cron's default `PATH` does not include `/usr/sbin`, and do not pass `-d` here, or the file will never actually be rotated:

```
10 * * * * /usr/bin/python3 /opt/bin/threatintel_cache.py
0 * * * * /usr/sbin/logrotate /etc/logrotate.d/sophos
```

Finally, run logrotate once by hand in verbose mode to confirm that the policy is applied (it rotates only if `result.txt` already exceeds 10M):

`sudo logrotate -v /etc/logrotate.d/sophos`
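The service unit and rotation policy from Step-2 and Step-3, together with the checks that catch the mistakes that silently break this setup (a world-readable `config.ini`, placeholder credentials, a relative `ExecStart`, a cron entry that runs `logrotate -d` or a bare `logrotate`), as an added example script. This is not BluSapphire's or Sophos's own code. It assumes the repository is cloned to `/home/blusapphire/Sophos-Central-SIEM-Integration`, the service account is `blusapphire`, `python3` is at `/usr/bin/python3` and `logrotate` at `/usr/sbin/logrotate` (all overridable through the `SOPHOS_*` variables); the `After=network-online.target`, `copytruncate` and `Protect*`/`NoNewPrivileges` hardening lines are additions beyond what the page specifies.

```shell
#!/bin/sh
# Added example (not BluSapphire's or Sophos's code): renders the unit file and
# logrotate policy from Step-2/Step-3 and checks the details that break silently.
# Assumed paths; override via environment if the layout differs.
SOPHOS_REPO_DIR=${SOPHOS_REPO_DIR:-/home/blusapphire/Sophos-Central-SIEM-Integration}
SOPHOS_USER=${SOPHOS_USER:-blusapphire}
SOPHOS_PYTHON=${SOPHOS_PYTHON:-/usr/bin/python3}
SOPHOS_LOGROTATE=${SOPHOS_LOGROTATE:-/usr/sbin/logrotate}

# config.ini holds the Sophos Central client secret: it must be mode 600 (or 400),
# and client_id / client_secret / tenant_id must be filled in, not left as the
# "<...>" placeholders from config.ini.sample.
check_config() {
  cfg=$1
  [ -f "$cfg" ] || { echo "check_config: $cfg missing" >&2; return 1; }
  mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")   # GNU, then BSD stat
  case "$mode" in
    600|400) ;;
    *) echo "check_config: $cfg is mode $mode, want 600" >&2; return 1 ;;
  esac
  for key in client_id client_secret tenant_id; do
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$cfg" | head -n 1)
    case "$val" in
      ""|"<"*) echo "check_config: $key is not set in $cfg" >&2; return 1 ;;
    esac
  done
  return 0
}

# Unit file for the collector. ExecStart uses absolute paths: systemd does not
# search the service user's PATH, and older versions reject a bare "python3".
render_unit() {
  cat <<EOF
[Unit]
Description=SIEM_Collector
After=network-online.target
Wants=network-online.target

[Service]
User=$SOPHOS_USER
WorkingDirectory=$SOPHOS_REPO_DIR
ExecStart=$SOPHOS_PYTHON $SOPHOS_REPO_DIR/siem.py
Restart=always
RestartSec=3
# Least-privilege hardening (added here): filesystem read-only except the repo,
# where siem.py keeps its log/ output and state files.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=$SOPHOS_REPO_DIR

[Install]
WantedBy=multi-user.target
EOF
}

# logrotate policy. copytruncate (added here) keeps rotation safe even if the
# writer holds result.txt open; without it a long-lived writer keeps appending
# to the renamed file and the new result.txt stays empty.
render_logrotate() {
  cat <<EOF
$SOPHOS_REPO_DIR/log/result.txt {
    size 10M
    rotate 5
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
}
EOF
}

# A crontab line for logrotate must (a) not carry -d, the debug dry run that
# never rotates anything, and (b) call logrotate by absolute path, since cron's
# default PATH does not include /usr/sbin.
check_cron_line() {
  line=$1
  if printf '%s\n' "$line" | grep -Eq 'logrotate( +[^ ]+)* +-d( |$)'; then
    echo "check_cron_line: -d is a dry run, nothing will be rotated: $line" >&2
    return 1
  fi
  if ! printf '%s\n' "$line" | grep -Eq '(^| )/[^ ]*logrotate( |$)'; then
    echo "check_cron_line: use the full path to logrotate: $line" >&2
    return 1
  fi
  return 0
}

# Writes the files and enables the service. Only runs when SOPHOS_INSTALL=1.
install_collector() {
  check_config "$SOPHOS_REPO_DIR/config.ini" || return 1
  render_unit | sudo tee /etc/systemd/system/sophos-siem.service >/dev/null
  render_logrotate | sudo tee /etc/logrotate.d/sophos >/dev/null
  cron_line="0 * * * * $SOPHOS_LOGROTATE /etc/logrotate.d/sophos"
  check_cron_line "$cron_line" || return 1
  (sudo crontab -l 2>/dev/null; echo "$cron_line") | sudo crontab -
  sudo logrotate -d /etc/logrotate.d/sophos   # dry run: verifies the policy parses
  sudo systemctl daemon-reload
  sudo systemctl enable --now sophos-siem.service
  systemctl status --no-pager sophos-siem.service
}

if [ "${SOPHOS_INSTALL:-0}" = 1 ]; then install_collector; fi
```

Sourcing the script defines the functions without touching the system; `SOPHOS_INSTALL=1 sh script.sh` performs the install. `check_cron_line` is worth running against any hand-edited crontab entry: both `logrotate -d ...` and a bare `logrotate ...` pass a visual check and produce a file that is never rotated.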

**Step-4:** Create the sophos-edr forwarding pipeline

Create the pipeline directory by copying an existing script directory as a template:

`cd /opt/gc/scripts/`

`cp -r any_script sophos-edr`

`cd sophos-edr`

`cd config`

Review `jvm.options`, `pipeline.yml` and `logstash.yml` and adjust them for the new pipeline.

`cd pipelines`

Review the input and output definitions and adjust them; the input should read the file that `siem.py` writes, `/home/blusapphire/Sophos-Central-SIEM-Integration/log/result.txt`.

Create the service unit from an existing one and adjust its name, description, working directory and `ExecStart` for `sophos-edr`:

`cd /etc/systemd/system/`

`sudo cp any.service sophos-edr.service`

`sudo vi sophos-edr.service`

Reload systemd, then enable and start the service and verify that it is running:

`sudo systemctl daemon-reload`

`sudo systemctl enable sophos-edr.service`

`sudo systemctl start sophos-edr.service`

`sudo systemctl status sophos-edr.service`


