Sophos Central

Sophos Central provides a SIEM integration script that connects to its secure API for event and alert data. The integration script must be run on a scheduled basis using a scheduled task (Windows) or a cron job (Linux). The script pulls log data down from the Sophos Central API and forwards it to your InsightIDR Collector.

InsightIDR parses the following alert types as Virus Alert events:

  • eventendpointcoreclean
  • eventendpointcorehmpacleannothingfound
  • eventendpointthreat::cleanedup
  • eventendpointthreat::cleanupfailed
  • eventendpointcoredetection
  • eventendpointthreat::detected

Configure Sophos Logs

You must configure Sophos Central to send alert and event data to a SIEM. Follow the instructions provided by Sophos here: https://community.sophos.com/kb/en-us/125169

After downloading the SIEM integration script to your local environment, you will need to edit the config.ini file to your local configuration with the following changes:

  • Configure the syslog address to point to your InsightIDR collector. Take note of the port you use during this step.
  • Change the <collectorip> to the IP address of the server hosting the Collector.
  • Change the filename = result.txt to filename = syslog.

InsightIDR also supports JSON formats.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Sophos Central in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Sophos Central event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. If necessary, configure your default domain and any Advanced Event Source Settings.
  8. Select Listen on Network Port as your Collection method. Enter the port you documented earlier.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  9. Click Save.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.
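To see which of the events the script forwards would actually become Virus Alert events (the list at the top of this page) and which would be ignored, the following added example triages JSON lines from the SIEM script output. This is not Rapid7 or Sophos code; it assumes each JSON event carries a `type` field with a Sophos type name such as `Event::Endpoint::Threat::Detected`, and that the page's list was derived from those names by lower-casing and dropping the first two `::` separators.

```python
import json

# Alert types that InsightIDR parses as Virus Alert events, as listed on this page.
VIRUS_ALERT_TYPES = {
    "eventendpointcoreclean",
    "eventendpointcorehmpacleannothingfound",
    "eventendpointthreat::cleanedup",
    "eventendpointthreat::cleanupfailed",
    "eventendpointcoredetection",
    "eventendpointthreat::detected",
}


def normalize_type(event_type: str) -> str:
    """Map a Sophos type name onto the page's spelling.
    'Event::Endpoint::Threat::Detected' -> 'eventendpointthreat::detected'.
    Assumption: this is how the page's list relates to the Sophos names."""
    t = event_type.strip().lower()
    prefix = "event::endpoint::"
    if t.startswith(prefix):
        t = "eventendpoint" + t[len(prefix):]
    return t


def is_virus_alert(event: dict) -> bool:
    # Assumes the event type lives in a top-level "type" field.
    return normalize_type(event.get("type", "")) in VIRUS_ALERT_TYPES


def triage(lines):
    """Split JSON lines into (parsed, skipped): events InsightIDR would turn into
    Virus Alert events versus everything else (other types or unparseable lines)."""
    parsed, skipped = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(line)  # keep the raw line so it can be inspected
            continue
        (parsed if is_virus_alert(event) else skipped).append(event)
    return parsed, skipped


# Constructed sample output; field names are assumed, not copied from Sophos.
SAMPLE = """
{"type": "Event::Endpoint::Threat::Detected", "name": "Malware detected: EICAR-AV-Test"}
{"type": "Event::Endpoint::UpdateSuccess", "name": "Update succeeded"}
{"type": "Event::Endpoint::CoreClean", "name": "Threat cleaned up"}
not json at all
"""
```

Running `triage(SAMPLE.splitlines())` on the constructed sample yields two Virus Alert events and two skipped entries; if a real capture yields only skipped entries, the collector is receiving data but no virus was found, which is the situation described under "Not seeing log data?".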