Sophos Central provides a SIEM integration script to connect to their secure API for event and alert data. The integration script must be run on a scheduled basis using a scheduled task (Windows) or a Cronjob (Linux). The script pulls down log data from the Sophos Central API and forwards them to your InsightIDR Collector.
InsightIDR parses the following alert types as Virus Alert events:
Configure Sophos Logs
You must configure Sophos Central to send alert and event data to a SIEM. Follow the instructions provided by Sophos here: https://community.sophos.com/kb/en-us/125169
After downloading the SIEM integration script to your local environment, you will need to edit the
config.ini file to your local configuration with the following changes:
- Configure the syslog address to point to your InsightIDR collector. Take note of the port you use during this step.
- Change the
<collectorip>to the IP address of the server hosting the Collector.
- Change the
filename = result.txtto
filename = syslog.
InsightIDR also supports JSON formats.
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Virus Scan icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- If necessary, configure your default domain and any Advanced Event Source Settings.
- Select Listen for Syslog as your Collection method. Enter the port you documented earlier.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
Not seeing log data?
InsightIDR only parses an event from your Virus Scan event source when a virus is found.