Sophos Logs

Connecting Sophos logs to your Panther Console

Overview

Panther supports ingesting Sophos logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Sophos logs to Panther

To connect these logs into Panther:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
- AWS SQS
- AWS S3 bucket
Configure Sophos to push logs to the Data Transport source.
- See the Sophos documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Sophos.Central

Sophos Central events.

Reference: Sophos Documentation on Central API Events.

schema: Sophos.Central
description: Sophos Central events
referenceURL: https://support.sophos.com/support/s/article/KB-000038307?language=en_US
fields:
    - name: endpoint_id
      required: true
      description: Endpoint ID associated with the event
      type: string
    - name: endpoint_type
      required: true
      description: Type of endpoint
      type: string
    - name: customer_id
      description: Customer ID
      type: string
    - name: severity
      description: Severity of the event
      type: string
    - name: source_info
      description: Source IP of the endpoint
      type: object
      fields:
        - name: ip
          description: First IPv4 address of the endpoint
          type: string
          indicators:
            - ip
    - name: name
      description: Name of threat, or other event details
      type: string
    - name: id
      required: true
      description: Unique identifier for the event
      type: string
    - name: type
      required: true
      description: Type of event
      type: string
    - name: group
      description: Category of event
      type: string
    - name: end
      required: true
      description: Time the event occurred on the endpoint
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: rt
      description: Time the event was uploaded to Sophos Central
      type: timestamp
      timeFormats:
        - rfc3339
    - name: dhost
      description: Source host of the event
      type: string
    - name: suser
      description: Logged in user
      type: string
      indicators:
        - username
    - name: datastream
      description: Alert, or Event, to distinguish between event types
      type: string
    - name: duid
      description: Undocumented field
      type: string
    - name: threat
      description: Name of the threat
      type: string
    - name: detection_identity_name
      description: Name of the detection
      type: string
    - name: filePath
      description: Path to the threat
      type: string
    - name: user
      description: Undocumented field, but should be same as User
      type: string
    - name: rule
      description: DLP rule
      type: string
    - name: user_action
      description: DLP user action
      type: string
    - name: app_name
      description: DLP application name
      type: string
    - name: action
      description: DLP action
      type: string
    - name: file_type
      description: DLP file type
      type: string
    - name: file_size
      description: DLP file size
      type: bigint
    - name: file_path
      description: DLP file path
      type: string
    - name: appSha256
      description: SHA 256 hash of the application associated with the threat, if available
      type: string
      indicators:
        - sha256
    - name: appCerts
      description: Certificate information for the application associated with the threat, if available
      type: array
      element:
        type: object
        fields:
            - name: signer
              description: PUA app certificate signer
              type: string
            - name: thumbprint
              description: PUA app certificate thumbprint
              type: string
    - name: origin
      description: Originating component of a detection
      type: string
    - name: core_remedy_items
      description: Details of the items cleaned or restored
      type: object
      fields:
        - name: items
          description: List of remediations
          type: array
          element:
            type: object
            fields:
                - name: type
                  description: Type of item
                  type: string
                - name: result
                  description: Remedy outcome
                  type: string
                - name: descriptor
                  description: Path to file
                  type: string
                - name: processPath
                  description: Undocumented field
                  type: string
        - name: totalItems
          description: Remediation count
          type: int

PreviousSnyk Logs NextSublime Security Logs

Last updated 2 years ago

Was this helpful?

schema: Sophos.Central description: Sophos Central events referenceURL: https://support.sophos.com/support/s/article/KB-000038307?language=en_US fields: - name: endpoint_id required: true description: Endpoint ID associated with the event type: string - name: endpoint_type required: true description: Type of endpoint type: string - name: customer_id description: Customer ID type: string - name: severity description: Severity of the event type: string - name: source_info description: Source IP of the endpoint type: object fields: - name: ip description: First IPv4 address of the endpoint type: string indicators: - ip - name: name description: Name of threat, or other event details type: string - name: id required: true description: Unique identifier for the event type: string - name: type required: true description: Type of event type: string - name: group description: Category of event type: string - name: end required: true description: Time the event occurred on the endpoint type: timestamp timeFormats: - rfc3339 isEventTime: true - name: rt description: Time the event was uploaded to Sophos Central type: timestamp timeFormats: - rfc3339 - name: dhost description: Source host of the event type: string - name: suser description: Logged in user type: string indicators: - username - name: datastream description: Alert, or Event, to distinguish between event types type: string - name: duid description: Undocumented field type: string - name: threat description: Name of the threat type: string - name: detection_identity_name description: Name of the detection type: string - name: filePath description: Path to the threat type: string - name: user description: Undocumented field, but should be same as User type: string - name: rule description: DLP rule type: string - name: user_action description: DLP user action type: string - name: app_name description: DLP application name type: string - name: action description: DLP action type: string - name: file_type description: DLP file type type: string - name: file_size description: DLP file size type: bigint - name: file_path description: DLP file path type: string - name: appSha256 description: SHA 256 hash of the application associated with the threat, if available type: string indicators: - sha256 - name: appCerts description: Certificate information for the application associated with the threat, if available type: array element: type: object fields: - name: signer description: PUA app certificate signer type: string - name: thumbprint description: PUA app certificate thumbprint type: string - name: origin description: Originating component of a detection type: string - name: core_remedy_items description: Details of the items cleaned or restored type: object fields: - name: items description: List of remediations type: array element: type: object fields: - name: type description: Type of item type: string - name: result description: Remedy outcome type: string - name: descriptor description: Path to file type: string - name: processPath description: Undocumented field type: string - name: totalItems description: Remediation count type: int