Sophos Intercept X

Sophos Intercept X is an endpoint protection tool used to detect malware and viruses in your environment. InsightIDR features a Sophos Intercept X event source that you can configure to parse alert types as Virus Alert events.

Configure Sophos Intercept X Logs

Sophos Intercept X logs are supported through Sophos Central. To configure Sophos Intercept X to send alert and event data to InsightIDR with a secure API, you can follow the instructions provided by Sophos:

https://support.sophos.com/support/s/article/KB-000036372?language=en_US

To configure Sophos Intercept X for InsightIDR:

  1. Download the SIEM integration script to your local environment.
  2. Edit the config.ini file for your local configuration, making the following changes:
    • Configure the syslog address to point to your InsightIDR collector. Take note of the port you use during this step.
    • Change the <collectorip> to the IP address of the server hosting the Collector.
    • Change the filename = result.txt to filename = syslog.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Sophos Intercept X in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Sophos Intercept X event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally, you can choose to send unparsed logs.
  7. If necessary, configure your default domain and any Advanced Event Source Settings.
  8. Select Listen on Network Port as your Collection method. Enter the port you documented earlier.
    • Optionally, if you chose TCP, encrypt the event source by downloading the Rapid7 Certificate.
  9. Click Save.

Verify the Configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. From the left menu, click Log Search to view your raw logs.
  2. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or Sophos if you didn’t name the event source. Sophos logs flow into the Virus Log set.
  3. Perform a Log Search to make sure Sophos events are coming through.

Sample input logs:

<30>{
  "endpoint_type": "computer",
  "threat": "CXmail/ODl-V29",
  "endpoint_id": "be94d0d2-3298-47c3-89f0-5dcd9618c3ec",
  "customer_id": "abc31ff2-af24-e4f6-1b62-9a7871cd657c",
  "severity": "medium",
  "source_info": {
    "ip": "172.31.121.241"
  },
  "type": "Event::Endpoint::Threat::Detected",
  "name": "CXmail/ODl-V29",
  "id": "55b2768f-61db-4b41-a047-78fadbdad544",
  "group": "MALWARE",
  "datastream": "event",
  "duid": "123fbac2e55ffb132e829ebc",
  "rt": "2020-05-07T11:24:29.232Z",
  "end": "2020-05-07T11:24:27.000Z",
  "suser": "Username, Jimmy",
  "dhost": "host123",
  "detection_identity_name": "CXmail/ODl-V29",
  "filePath": "C:\\Users\\jimmy.username\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\17\\Attachments\\SIA2024_Gebaeude-Tool_dfi_20180901_V-1-3[7024].xlsm"
}
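The sample above is a syslog frame: a `<PRI>` header followed by the JSON event emitted by the Sophos Central SIEM script. The following Python is an added example, not Rapid7's parser or the Sophos script, showing how such a frame can be split, validated and mapped into the fields a Virus Alert would carry (host, user, threat, file path). The sample frame embedded in the code is constructed to mirror the page's sample input with a shortened file path; the field names are the ones in that sample.

```python
"""Parse Sophos Central SIEM syslog frames (PRI header + JSON body).

Added example; not Rapid7 InsightIDR or Sophos code. Field names follow the
page's sample event; the mapping to Virus Alert fields is an assumption.
"""
import json
import re
from typing import Any, Dict, Optional, Tuple

# Constructed sample modelled on the page's sample input (path shortened).
SAMPLE_FRAME = (
    '<30>{"endpoint_type": "computer", "threat": "CXmail/ODl-V29", '
    '"endpoint_id": "be94d0d2-3298-47c3-89f0-5dcd9618c3ec", '
    '"customer_id": "abc31ff2-af24-e4f6-1b62-9a7871cd657c", '
    '"severity": "medium", "source_info": {"ip": "172.31.121.241"}, '
    '"type": "Event::Endpoint::Threat::Detected", "name": "CXmail/ODl-V29", '
    '"id": "55b2768f-61db-4b41-a047-78fadbdad544", "group": "MALWARE", '
    '"datastream": "event", "duid": "123fbac2e55ffb132e829ebc", '
    '"rt": "2020-05-07T11:24:29.232Z", "end": "2020-05-07T11:24:27.000Z", '
    '"suser": "Username, Jimmy", "dhost": "host123", '
    '"detection_identity_name": "CXmail/ODl-V29", '
    '"filePath": "C:\\\\Users\\\\jimmy.username\\\\AppData\\\\Local\\\\x.xlsm"}'
)

# RFC 3164/5424 style priority header: "<PRI>" then the message body.
SYSLOG_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def split_pri(frame: str) -> Tuple[Optional[int], str]:
    """Return (PRI value or None, body). A frame without a header is kept whole."""
    match = SYSLOG_PRI.match(frame)
    if not match:
        return None, frame
    return int(match.group(1)), match.group(2)


def decode_pri(pri: int) -> Dict[str, int]:
    """PRI = facility * 8 + severity, so <30> is facility 3 (daemon), severity 6."""
    return {"facility": pri // 8, "severity": pri % 8}


def parse_frame(frame: str) -> Dict[str, Any]:
    """Split the header and decode the JSON body; reject non-JSON bodies."""
    pri, body = split_pri(frame.strip())
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"syslog body is not JSON: {exc}") from exc
    if not isinstance(event, dict):
        raise ValueError("syslog body must be a JSON object")
    return {"pri": decode_pri(pri) if pri is not None else None, "event": event}


def is_valid_frame(frame: str) -> bool:
    """True when the frame parses; useful when checking what reaches the Collector."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def is_threat_event(event: Dict[str, Any]) -> bool:
    """Sophos threat events carry a type under Event::Endpoint::Threat::."""
    return str(event.get("type", "")).startswith("Event::Endpoint::Threat::")


def to_virus_alert(event: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Map the Sophos event onto Virus Alert style fields (assumed names)."""
    source_info = event.get("source_info") or {}
    return {
        "timestamp": event.get("rt"),
        "hostname": event.get("dhost"),
        "source_ip": source_info.get("ip"),
        "user": event.get("suser"),
        "threat_name": event.get("threat") or event.get("detection_identity_name"),
        "threat_group": event.get("group"),
        "severity": event.get("severity"),
        "file_path": event.get("filePath"),
        "event_type": event.get("type"),
    }


if __name__ == "__main__":
    parsed = parse_frame(SAMPLE_FRAME)
    print(parsed["pri"])
    if is_threat_event(parsed["event"]):
        print(json.dumps(to_virus_alert(parsed["event"]), indent=2))
```

Running the block prints the decoded priority and the mapped alert; the JSON decoder already unescapes the doubled backslashes in filePath, so the Windows path comes out with single separators. Frames that are not JSON (for example, the result.txt line format left in place by a wrong filename setting) fail `is_valid_frame`, which is a quick way to confirm that the config.ini change to `filename = syslog` took effect.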