Sophos Enduser Protection

Overview

The data ingested from Virus Scan event sources is used for analytics. Adding a virus scan integration lets you track which users and assets are infected frequently. InsightOps also uses this data to generate some notable behaviors and alerts.

Before You Begin

Sophos EndUser Protection events are antivirus (A/V) logs written to a SQL Server database, rather than to a file. Therefore, you must connect to the server via a SQL Server client connection in order to gather the logs for InsightOps.

Before you do so, ensure you have the following information:

  • A domain and a username/password, as with other Microsoft connections (LDAP, AD).
  • The server hosting the Sophos A/V system.
  • The port the SQL Server is "listening" on for connections. This is typically 1433 or 1434.

Next, complete the following:

  • Ensure the database follows the naming convention SOPHOS52 or SOPHOS\SOPHOS52, depending on the details of the database filenames (e.g. SOPHOS52.mdf) and the configuration of the instance in SQL Server.
  • Turn on shared memory, named pipes, and TCP/IP under SQL Server Configuration Manager.

Enabling Remote Connections on SQL Server Database

Refer to Microsoft's documentation for enabling remote connections on SQL Server 2012/2014/2016, or on SQL Server 2008, as appropriate for your version.

Make sure that the server is listening on a specific port and the local firewall is not blocking it.
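The following PowerShell script is an added pre-flight check for the items above; it is example code written for this page, not part of the Rapid7 or Sophos documentation. It verifies, from the collector host, that the SQL Server port is reachable through the firewall, that the account can log in over TCP/IP (not only via shared memory or named pipes), and that a database with the expected Sophos name exists. The host name, port, database name and credential prompt are placeholders you replace with your own values.

```powershell
# Added pre-flight check for the Sophos database connection (example, not Rapid7/Sophos code).
# Assumptions: $SqlHost, $SqlPort and $Database are placeholders for your environment, and the
# account entered at the prompt is the one you will later give InsightOps.
$SqlHost  = 'sophos-sql.example.local'  # placeholder: server hosting the Sophos A/V database
$SqlPort  = 1433                        # 1433 or 1434, depending on how the instance is configured
$Database = 'SOPHOS52'                  # database name per the SOPHOS52 / SOPHOS\SOPHOS52 convention
$Cred     = Get-Credential -Message 'Account that will read the Sophos database'

# 1. Is the port reachable (SQL Server listening, no firewall in the way)?
$tcp = Test-NetConnection -ComputerName $SqlHost -Port $SqlPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP ${SqlHost}:${SqlPort} is not reachable; check the SQL Server listening port and firewall rules."
}

# 2. Build a connection string that forces the TCP provider ("host,port" skips the SQL Browser lookup).
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']            = "$SqlHost,$SqlPort"
$builder['Initial Catalog']        = 'master'
$builder['Encrypt']                = $true
$builder['TrustServerCertificate'] = $false   # keep false so a spoofed server cannot collect the password
if ($Cred.UserName -like '*\*') {
    # DOMAIN\user: SqlClient can only use a domain account through Windows auth,
    # so run this script while logged on as that account.
    $builder['Integrated Security'] = $true
} else {
    $builder['User ID']  = $Cred.UserName
    $builder['Password'] = $Cred.GetNetworkCredential().Password
}

# 3. Log in, confirm the transport really is TCP, and confirm the database name exists.
$conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT c.net_transport, c.local_tcp_port,
       (SELECT COUNT(*) FROM sys.databases WHERE name = @db) AS db_found
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
"@
    $null = $cmd.Parameters.AddWithValue('@db', $Database)
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        "Transport: $($reader['net_transport'])  Port: $($reader['local_tcp_port'])  Database '$Database' found: $([bool]$reader['db_found'])"
        if ($reader['net_transport'] -ne 'TCP') {
            Write-Warning 'Connected, but not over TCP/IP; enable TCP/IP in SQL Server Configuration Manager.'
        }
        if (-not [bool]$reader['db_found']) {
            Write-Warning "No database named '$Database'; check the name you will enter in the Database field."
        }
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

Run it on the collector host, since that is where InsightOps will open the connection. The check needs nothing beyond a login that can connect and list databases, which is also all the event source needs: give the account read-only access to the Sophos database rather than a sysadmin role.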

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the Virus Scan icon from the Security Data section.
  4. Select your collector, and optionally name your event source.
  5. From the list of event source options, choose Sophos Enduser Protection.
  6. Optionally choose to send unfiltered logs.
  7. Configure any advanced event source settings.
  8. Enter the server database name in the Database field.
  9. Configure the port for the SQL database; this is 1434 by default.
  10. Enter the database information, or the database IP address.
  11. Enter the User Domain information, or the domain of your credentials.
  12. Select existing credentials or configure new credentials.
  13. Select Save.

Advanced Event Source Settings

Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends having a fallback domain in order to resolve any issues with user accounts.

For instance, if your company is in the US and in Canada, but both locations have a user named "John Smith" and your main domain is company.com, your fallback domain could be company.ca, which would allow InsightOps to more accurately attribute data to the correct user.