Sophos Central

Sophos Central provides a SIEM integration script that connects to the Sophos Central API and retrieves event and alert data. The script must be run on a schedule, using a scheduled task (Windows) or a cron job (Linux). Each run pulls log data from the Sophos Central API and forwards it to your InsightIDR Collector.

InsightIDR parses the following alert types as Virus Alert events:

  • eventendpointcoreclean
  • eventendpointcorehmpacleannothingfound
  • eventendpointthreat::cleanedup
  • eventendpointthreat::cleanupfailed
  • eventendpointcoredetection
  • eventendpointthreat::detected

Configure Sophos Logs

You must configure Sophos Central to send alert and event data to a SIEM. Follow the instructions provided by Sophos here: https://community.sophos.com/kb/en-us/125169

After downloading the SIEM integration script to your local environment, edit its config.ini file to match your local configuration, making the following changes:

  • Configure the syslog address to point to your InsightIDR collector. Take note of the port you use during this step.
  • Change the <collectorip> to the IP address of the server hosting the Collector.
  • Change the filename = result.txt to filename = syslog.

InsightIDR also supports JSON formats.
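The following config.ini shows the three edits above applied in context. It is an added example, not the file shipped by Sophos or documentation from Rapid7: the keys other than filename and the syslog address (format, endpoint, facility, socktype) are assumed to follow the layout of the script's own config.ini, and the Collector IP and port are constructed placeholders that you replace with your own values.

```ini
[login]
# Output format: json is one of the formats InsightIDR accepts.
format = json

# Original value was result.txt (writes events to a local file);
# syslog sends each event to the address below instead.
filename = syslog

# Pull both events and alerts (assumed key; value as shipped).
endpoint = all

# Syslog destination. Original value was a local socket path;
# replace the constructed 10.0.0.25:5140 with <collectorip>:<port>,
# the Collector IP and the port you will enter in the event source.
address = 10.0.0.25:5140

# Syslog facility (assumed key; left at its shipped value).
facility = daemon

# Transport: udp or tcp. Must match the Collector listener type;
# encryption with the Rapid7 certificate is only available over tcp.
socktype = udp
```

Keep the port in `address` and the `socktype` value noted down: both must match what you select under Listen on Network Port when you add the event source, or the Collector will not receive the data.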

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Virus Scan icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. If necessary, configure your default domain and any Advanced Event Source Settings.
  8. Select Listen on Network Port as your Collection method. Enter the port you documented earlier.
    • If you chose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  9. Click Save.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found, that is, when the event is one of the alert types listed above. Other Sophos Central events are not shown as Virus Alert events.