
Sophos

Sophos Antivirus enables Chronicle to pinpoint when attacks happen and on which assets by linking together alerts with telemetry seen across the environment.

Chronicle Data Types

  • Alert

Requirements

  • Chronicle Forwarder

Configuration

Sophos Central

Sophos Central offers a secure API for retrieving event and alert data. When provided with API credentials, CYDERES can pull this data on behalf of the customer and send it to Chronicle. Instructions for acquiring the API credentials are outlined in steps 2 through 5 of this guide: https://community.sophos.com/kb/en-us/125169.

Sophos Enterprise Console

Sophos Enterprise Console utilizes an additional tool called Sophos Reporting Log Writer to write event and alert data to text files, which can then be sent to Chronicle. The Log Writer must be installed to send data to Chronicle.

Once installed, CYDERES recommends using NxLog to send data written by the Sophos Log Writer to a CYCLOPS forwarder.

NxLog Configuration Example:

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS <hostname>
define OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension kvp>
    Module          xm_kvp
    KVPDelimiter    ;
    KVDelimiter     =
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

# Sophos Enterprise Console logs; assumes the Log Writer output is in its default location
<Input sophos_in>
    Module      im_file
    File        "C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DefaultCommonEvents.txt"
    SavePos     TRUE
    InputType   LineBased
    Exec if $raw_event =~ /^#/ drop();\
    else\
    {\
       kvp->parse_kvp();\
       $Message = $raw_event;\
    }
</Input>

<Output sophos_out>
    Module      om_tcp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $Hostname = hostname_fqdn();
    Exec        to_syslog_bsd();
    Exec        $raw_event = '<13>' + $Hostname + ' SOPHOSEC-NXLOG: ' + 'InsertedAt="' +$InsertedAt + '"; ' + 'EventID="' +$EventID + '"; ' + 'EventTime="' +$EventTime + '"; ' + 'EventTypeID="' +$EventTypeID + '"; ' + 'EventType="' +$EventType + '"; ' + 'Name="' +$Name + '"; ' + 'ReportingName="' +$ReportingName + '"; ' + 'UserName="' +$UserName + '"; ' + 'ActionID="' +$ActionID + '"; ' + 'Action="' +$Action + '"; ' + 'ScanType="' +$ScanType + '"; ' + 'SubTypeID="' +$SubTypeID + '"; ' + 'SubType="' +$SubType + '"; ' + 'ComputerName="' +$ComputerName + '"; ' + 'ComputerDomain="' +$ComputerDomain + '"; ' + 'ComputerIPAddress="' + $ComputerIPAddress + '"';
</Output>

<Route Sophos>
    Path sophos_in => sophos_out
</Route>
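The configuration above performs two transformations: the input block drops `#` header lines and parses `;`-separated `key=value` pairs, and the output block re-emits selected fields as a `<13>host SOPHOSEC-NXLOG: Key="value"; ...` line. The following Python script is an added example, not code from the CYDERES page or from NxLog; it mirrors both steps so you can check, on a constructed sample line, what the forwarder should receive and whether every expected field arrived. The sample log content, the hostname, and the rule that a missing input field is emitted as an empty string are assumptions.

```python
import re

# Field order copied from the Exec line in the <Output sophos_out> block.
SOPHOSEC_FIELDS = [
    "InsertedAt", "EventID", "EventTime", "EventTypeID", "EventType", "Name",
    "ReportingName", "UserName", "ActionID", "Action", "ScanType", "SubTypeID",
    "SubType", "ComputerName", "ComputerDomain", "ComputerIPAddress",
]

# Constructed sample of the Log Writer file: a '#' header line, then ';'-separated
# key=value pairs. The values are made up and are not a real Sophos export.
SAMPLE_LOG_LINES = [
    "# DefaultCommonEvents (constructed header line)",
    "InsertedAt=2024-01-15 10:22:31;EventID=1001;EventTime=2024-01-15 10:22:05;"
    "EventTypeID=1;EventType=Virus/spyware detected;Name=EICAR-AV-Test;"
    "ReportingName=Anti-virus;UserName=LAB\\alice;ActionID=2;Action=Cleaned up;"
    "ScanType=On-access;SubTypeID=0;SubType=;ComputerName=WS01;"
    "ComputerDomain=LAB;ComputerIPAddress=10.0.0.25",
]

def parse_kvp_line(raw_event):
    """Mirror the im_file Exec: drop '#' lines, else split on ';' and the first '='."""
    if raw_event.startswith("#"):
        return None
    fields = {}
    for pair in raw_event.rstrip("\r\n").split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def to_sophosec_syslog(fields, hostname):
    """Rebuild the '<13>host SOPHOSEC-NXLOG: Key="value"; ...' line of the output block.
    Assumption: a field missing from the input is emitted as an empty string."""
    body = "; ".join(f'{name}="{fields.get(name, "")}"' for name in SOPHOSEC_FIELDS)
    return f"<13>{hostname} SOPHOSEC-NXLOG: {body}"

_HEADER = re.compile(r"^<(\d+)>(\S+) SOPHOSEC-NXLOG: (.*)$")
_PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_sophosec_syslog(line):
    """Receiver-side check: return (pri, hostname, fields, missing_fields),
    or None when the line does not carry the SOPHOSEC-NXLOG tag."""
    m = _HEADER.match(line)
    if not m:
        return None
    fields = dict(_PAIR.findall(m.group(3)))
    missing = [name for name in SOPHOSEC_FIELDS if name not in fields]
    return int(m.group(1)), m.group(2), fields, missing
```

Running `parse_sophosec_syslog` over a capture taken at the CYCLOPS forwarder is a quick way to confirm that the Log Writer file layout matches the field names the output block expects; any name in `missing_fields` is one the file did not supply.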