Sophos
Sophos Antivirus enables Chronicle to pinpoint when attacks happen and on which assets by linking together alerts with telemetry seen across the environment.
Chronicle Data Types
- Alert
Requirements
- Chronicle Forwarder
Configuration
Sophos Central
Sophos Central offers a secure API for retrieving event and alert data. When provided with API credentials, CYDERES can pull this data on behalf of the customer and send it to Chronicle. Instructions for acquiring the API credentials are outlined in steps 2 through 5 of this guide: https://community.sophos.com/kb/en-us/125169.
Sophos Enterprise Console
Sophos Enterprise Console relies on an additional tool, Sophos Reporting Log Writer, to write event and alert data to text files which can then be sent to Chronicle. Sophos Reporting Log Writer must be installed before any data can be sent to Chronicle.
Once installed, CYDERES recommends using NxLog to send data written by the Sophos Log Writer to a CYCLOPS forwarder.
NxLog Configuration Example:
define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS <hostname>
define OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension kvp>
    Module       xm_kvp
    KVPDelimiter ;
    KVDelimiter  =
</Extension>

<Extension syslog>
    Module       xm_syslog
</Extension>

# Sophos Enterprise Console (SophosEC) logs; assumed to be in the default Reporting Interface location
<Input sophos_in>
    Module       im_file
    File         "C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DefaultCommonEvents.txt"
    SavePos      TRUE
    InputType    LineBased
    # Drop header/comment lines; parse every other line as ';'-separated key=value pairs
    Exec if $raw_event =~ /^#/ drop();\
         else\
         {\
             kvp->parse_kvp();\
             $Message = $raw_event;\
         }
</Input>

<Output sophos_out>
    Module       om_tcp
    Host         %OUTPUT_DESTINATION_ADDRESS%
    Port         %OUTPUT_DESTINATION_PORT%
    Exec $Hostname = hostname_fqdn();
    Exec to_syslog_bsd();
    # Rebuild the event as one SOPHOSEC-NXLOG line carrying the parsed fields as quoted values
    Exec $raw_event = '<13>' + $Hostname + ' SOPHOSEC-NXLOG: ' + 'InsertedAt="' +$InsertedAt + '"; ' + 'EventID="' +$EventID + '"; ' + 'EventTime="' +$EventTime + '"; ' + 'EventTypeID="' +$EventTypeID + '"; ' + 'EventType="' +$EventType + '"; ' + 'Name="' +$Name + '"; ' + 'ReportingName="' +$ReportingName + '"; ' + 'UserName="' +$UserName + '"; ' + 'ActionID="' +$ActionID + '"; ' + 'Action="' +$Action + '"; ' + 'ScanType="' +$ScanType + '"; ' + 'SubTypeID="' +$SubTypeID + '"; ' + 'SubType="' +$SubType + '"; ' + 'ComputerName="' +$ComputerName + '"; ' + 'ComputerDomain="' +$ComputerDomain + '"; ' + 'ComputerIPAddress="' + $ComputerIPAddress + '"';
</Output>

<Route Sophos>
    Path sophos_in => sophos_out
</Route>
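To check what the forwarder will receive before pointing NxLog at a live CYCLOPS forwarder, the following Python script replays the pipeline above offline: it drops the "#" comment lines, splits each record on the ";" and "=" delimiters the xm_kvp extension is configured with, and rebuilds the SOPHOSEC-NXLOG line exactly as the om_tcp Exec statement concatenates it. This is an added example, not CYDERES or NxLog code; the two sample records and the hostname are constructed, and the assumption that the Reporting Log Writer emits one "key=value;" record per line is taken from the delimiters in the configuration rather than from Sophos documentation. It also flags a caveat the configuration does not handle: values containing a double quote are wrapped in quotes but never escaped, which would corrupt the pairs on the receiving side.

```python
"""Offline replay of the NxLog Sophos Enterprise Console pipeline (added example).

Mirrors the config: '#' lines are dropped, other lines are parsed as
';'-delimited key=value pairs, and the output line is rebuilt in the
'<13>HOST SOPHOSEC-NXLOG: Field="value"; ...' form of the om_tcp Exec.
"""
from __future__ import annotations

# Field order exactly as the om_tcp Exec statement concatenates them.
FIELDS = [
    "InsertedAt", "EventID", "EventTime", "EventTypeID", "EventType", "Name",
    "ReportingName", "UserName", "ActionID", "Action", "ScanType", "SubTypeID",
    "SubType", "ComputerName", "ComputerDomain", "ComputerIPAddress",
]

# Constructed sample content (not real Sophos output) in the key=value; layout
# that the xm_kvp extension is configured to expect.
SAMPLE_LOG = """\
# Sophos Reporting Log Writer - constructed header line
InsertedAt=2024-01-15 10:02:11;EventID=1001;EventTime=2024-01-15 10:02:05;EventTypeID=1;EventType=Virus/spyware detection;Name=EICAR-AV-Test;ReportingName=EICAR;UserName=CORP\\jdoe;ActionID=2;Action=Cleaned up;ScanType=On-access;SubTypeID=0;SubType=;ComputerName=WS-042;ComputerDomain=CORP;ComputerIPAddress=10.20.30.42
InsertedAt=2024-01-15 10:05:40;EventID=1002;EventTime=2024-01-15 10:05:33;EventTypeID=5;EventType=Firewall;Name=Blocked outbound;ReportingName=FW;UserName=;ActionID=1;Action=Blocked;ScanType=;SubTypeID=3;SubType=Network;ComputerName=WS-017;ComputerDomain=CORP;ComputerIPAddress=10.20.30.17
"""


def parse_kvp(line: str, pair_delim: str = ";", kv_delim: str = "=") -> dict[str, str]:
    """Equivalent of kvp->parse_kvp() with KVPDelimiter ';' and KVDelimiter '='.

    Splits on the pair delimiter, then on the FIRST kv delimiter so that a
    value containing '=' survives; fragments without '=' are ignored.
    """
    fields: dict[str, str] = {}
    for pair in line.split(pair_delim):
        if kv_delim not in pair:
            continue
        key, value = pair.split(kv_delim, 1)
        fields[key.strip()] = value.strip()
    return fields


def build_syslog_line(fields: dict[str, str], hostname: str) -> str:
    """Rebuild the om_tcp Exec output: '<13>HOST SOPHOSEC-NXLOG: k="v"; k="v"...'.

    Keys absent from the record are rendered as empty strings here (an
    assumption of this replay, chosen so the field layout stays fixed).
    """
    body = "; ".join(f'{name}="{fields.get(name, "")}"' for name in FIELDS)
    return f"<13>{hostname} SOPHOSEC-NXLOG: {body}"


def process_log(text: str, hostname: str) -> list[str]:
    """Apply the im_file Exec: drop() lines starting with '#', forward the rest."""
    forwarded: list[str] = []
    for raw_event in text.splitlines():
        if raw_event.startswith("#"):
            continue  # drop()
        forwarded.append(build_syslog_line(parse_kvp(raw_event), hostname))
    return forwarded


def fields_with_embedded_quotes(fields: dict[str, str]) -> list[str]:
    """Caveat check: the config wraps each value in double quotes but never
    escapes a '"' inside the value, so such records would not parse cleanly
    downstream. Returns the names of the offending fields."""
    return [name for name, value in fields.items() if '"' in value]


if __name__ == "__main__":
    for line in process_log(SAMPLE_LOG, "ws-042.corp.example"):
        print(line)
```

Run it as-is to see the two rebuilt lines; feed it a captured DefaultCommonEvents.txt instead of SAMPLE_LOG to confirm the delimiters match what the Log Writer actually produces on a given installation, and run fields_with_embedded_quotes over each parsed record to catch values that the quoting in the Exec statement would not protect.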