This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 63%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
I want to integrate Sophos Central with Microsoft Sentinel and since there is no Data Connector for Sophos Central, I am using a Python script published by sophos in Github to fetch the Sophos logs into microsoft Sentinel. I configured the Config file with all the appropriate info but somehow after running the python script, the logs gets only stored in local file but dont get exported to Sentinel. Any suggestions on what might be wrong here?
Have you got the MMA or AMA on the server with the local file, typically an Agent will be required to send it to Sentinel - adding the link to the Sophos docs could help us see what the steps are, and what you have done so far.
@Clive Watson here is the link to the supported article for this integration https://support.sophos.com/support/s/article/KB-000036372?language=en_US
In addition to this, I also tried integrating Sophos Central with microsoft Sentinel by using the Sophos Endpoint Solution published in Microsoft Content hub. I deployed the Function app using ARM template(successfully deployed) and followed the steps to connect the data connector. I saved the parser as a Function but when I try to run the function, I get the following error:
"'extend' operator: Failed to resolve table or column expression named 'SophosEP_CL' "
any idea on what the issue might be here and how can I resolve it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I suspect thats for a product you dont have, if SophosEP_CL is missing (you can just type that name and press run in the Sentinel logs blade - if you get an error it means the table is missing probably as no logs have been sent).
The link above for the Sophos API, might be able to use the codeless connector https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 32%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU7%3C/text%3E%3C/svg%3E)
Hello @Moksh Vir ,
Did you manage to get Sophos Central logs to Sentinel?
Yes, I used the python script to ingest the logs
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 33%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi Moksh, the script would be storing it in local file, how are you streaming it to sentinel?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 73%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Hello, would you be able to share the script? Thank you.