Sophos Intercept X

Sophos Intercept X is an endpoint protection tool used to detect malware and viruses in your environment. InsightIDR features a Sophos Intercept X event source that you can configure to parse alert types as Virus Alert events.

Configure Sophos Intercept X Logs

Sophos Intercept X logs are supported through Sophos Central. To configure Sophos Intercept X to send alert and event data to InsightIDR with a secure API, you can follow the instructions provided by Sophos:

https://support.sophos.com/support/s/article/KB-000036372?language=en_US

To configure Sophos Intercept X for InsightIDR:

  1. Download the SIEM integration script to your local environment.
  2. Edit the config.ini file for your environment, making the following changes:
    • Configure the syslog address to point to your InsightIDR Collector. Take note of the port you use during this step.
    • Change <collectorip> to the IP address of the server hosting the Collector.
    • Change filename = result.txt to filename = syslog.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Virus Scan icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally, you can choose to send unfiltered logs.
  7. If necessary, configure your default domain and any Advanced Event Source Settings.
  8. Select Listen for Syslog as your Collection method. Enter the port you documented earlier.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  9. Click Save.

Verify the Configuration

Complete the following steps to view your logs and ensure events are reaching the Collector.

  1. From the left menu, click Log Search to view your raw logs.
  2. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name, or Sophos if you didn’t name the event source. Sophos logs flow into the Virus Log set.
  3. Perform a Log Search to make sure Sophos events are coming through.

Sample input log:

<30>{
    "endpoint_type": "computer",
    "threat": "CXmail/ODl-V29",
    "endpoint_id": "be94d0d2-3298-47c3-89f0-5dcd9618c3ec",
    "customer_id": "abc31ff2-af24-e4f6-1b62-9a7871cd657c",
    "severity": "medium",
    "source_info": {
        "ip": "172.31.121.241"
    },
    "type": "Event::Endpoint::Threat::Detected",
    "name": "CXmail/ODl-V29",
    "id": "55b2768f-61db-4b41-a047-78fadbdad544",
    "group": "MALWARE",
    "datastream": "event",
    "duid": "123fbac2e55ffb132e829ebc",
    "rt": "2020-05-07T11:24:29.232Z",
    "end": "2020-05-07T11:24:27.000Z",
    "suser": "Username, Jimmy",
    "dhost": "host123",
    "detection_identity_name": "CXmail/ODl-V29",
    "filePath": "C:\\Users\\jimmy.username\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\S0\\17\\Attachments\\SIA2024_Gebaeude-Tool_dfi_20180901_V-1-3[7024].xlsm"
}
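The following is an added example, not Rapid7's or Sophos's own code: it shows what the Collector has to do with a line in the format above, namely split the syslog PRI header (<30>) from the JSON body, keep only Event::Endpoint::Threat::Detected events, and normalise the fields a Virus Alert needs. The VirusAlert class and the shortened sample line are constructed for this illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the page's log: syslog PRI header <30>
# followed by the Sophos Central SIEM JSON object (values shortened).
SAMPLE_LINE = (
    '<30>{"threat": "CXmail/ODl-V29", "severity": "medium", '
    '"source_info": {"ip": "172.31.121.241"}, '
    '"type": "Event::Endpoint::Threat::Detected", "dhost": "host123", '
    '"rt": "2020-05-07T11:24:29.232Z", "suser": "Username, Jimmy", '
    '"filePath": "C:\\\\Users\\\\jimmy.username\\\\Downloads\\\\invoice[7024].xlsm"}'
)

# Syslog PRI is "<N>" with N = facility * 8 + severity (RFC 3164 / RFC 5424).
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

@dataclass
class VirusAlert:          # hypothetical normalised record
    facility: int          # from the PRI header (3 = daemon)
    syslog_severity: int   # from the PRI header (6 = informational)
    threat: str            # detection name, e.g. CXmail/ODl-V29
    severity: str          # Sophos severity (low / medium / high)
    host: str              # dhost
    user: Optional[str]    # suser
    source_ip: Optional[str]
    file_path: Optional[str]
    detected_at: str       # rt timestamp

def parse_sophos_syslog(line: str) -> Optional[VirusAlert]:
    """Split the PRI header from the JSON body and normalise a threat event.
    Returns None for well-formed lines that are not threat detections."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("line lacks a syslog PRI header")
    pri, body = int(m.group(1)), json.loads(m.group(2))
    if body.get("type") != "Event::Endpoint::Threat::Detected":
        return None
    return VirusAlert(
        facility=pri // 8,
        syslog_severity=pri % 8,
        threat=body.get("threat") or body.get("name", ""),
        severity=body.get("severity", "unknown"),
        host=body.get("dhost", ""),
        user=body.get("suser"),
        source_ip=(body.get("source_info") or {}).get("ip"),
        file_path=body.get("filePath"),   # JSON decoding restores single backslashes
        detected_at=body.get("rt", ""),
    )
```

Feeding the sample line through parse_sophos_syslog yields facility 3, syslog severity 6 and the Windows path with single backslashes, which is what a Log Search should show once the event source is working.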