Sophos Logs
Connecting Sophos logs to your Panther Console

Overview

Panther supports ingesting Sophos logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Sophos logs to Panther

To connect these logs into Panther:

1. Set up your Data Transport in the Panther Console.
   • Follow Panther's documentation for configuring the Data Transport option you will use (S3 or SQS).
2. Configure Sophos to push logs to the Data Transport source.
   • See the Sophos documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in the table are in bold.

Sophos.Central

Sophos Central events.

| Column | Type | Description |
|---|---|---|
| endpoint_id | string | Endpoint ID associated with the event |
| endpoint_type | string | Type of endpoint |
| customer_id | string | Customer ID |
| severity | string | Severity of the event |
| source_info | { "ip": string } | Source IP of the endpoint |
| name | string | Name of threat, or other event details |
| id | string | Unique identifier for the event |
| type | string | Type of event |
| group | string | Category of event |
| end | timestamp | Time the event occurred on the endpoint |
| rt | timestamp | Time the event was uploaded to Sophos Central |
| dhost | string | Source host of the event |
| suser | string | Logged-in user |
| datastream | string | Alert or Event, to distinguish between event types |
| duid | string | Undocumented field |
| threat | string | Name of the threat |
| detection_identity_name | string | Name of the detection |
| filePath | string | Path to the threat |
| user | string | Undocumented field, but should be the same as the logged-in user |
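The following is an added example, not code from Panther or Sophos, showing how an event laid out with the columns above can be parsed and checked before a Panther-style `rule()` is evaluated against it. The sample event, its values, and the ISO 8601 timestamp format for `end` and `rt` are constructed assumptions for illustration; the `rule()`/`title()` function shape follows Panther's Python detection convention.

```python
"""Added example: parse a Sophos.Central event into the documented columns,
validate the nested source_info.ip field, and evaluate a Panther-style rule.
The sample event and the timestamp format are constructed assumptions."""
import json
from datetime import datetime, timezone
from ipaddress import ip_address

# Columns from the Sophos.Central schema, grouped by how they should parse.
# "source_info" is handled separately because it is a nested object.
STRING_FIELDS = (
    "endpoint_id", "endpoint_type", "customer_id", "severity", "name", "id",
    "type", "group", "dhost", "suser", "datastream", "duid", "threat",
    "detection_identity_name", "filePath", "user",
)
TIMESTAMP_FIELDS = ("end", "rt")

# Constructed sample event (not captured from a real tenant).
SAMPLE_EVENT = json.dumps({
    "endpoint_id": "00000000-0000-0000-0000-000000000001",
    "endpoint_type": "computer",
    "customer_id": "00000000-0000-0000-0000-0000000000aa",
    "severity": "high",
    "source_info": {"ip": "10.0.0.25"},
    "name": "Malware detected: EICAR-AV-Test",
    "id": "evt-0001",
    "type": "Event::Endpoint::Threat::Detected",
    "group": "MALWARE",
    "end": "2024-01-15T10:22:07.000Z",
    "rt": "2024-01-15T10:22:09.000Z",
    "dhost": "WORKSTATION-01",
    "suser": "jdoe",
    "datastream": "event",
    "duid": "duid-42",
    "threat": "EICAR-AV-Test",
    "detection_identity_name": "EICAR-AV-Test",
    "filePath": "C:\\Users\\jdoe\\Downloads\\eicar.com",
    "user": "jdoe",
})


def _parse_timestamp(value):
    # Assumed ISO 8601 with millisecond precision and a trailing "Z";
    # adjust the format string if your export differs.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_event(raw):
    """Return a dict keyed by schema column; raise ValueError on bad input."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("event must be a JSON object")
    record = {}
    for key in STRING_FIELDS:
        if key in data and not isinstance(data[key], str):
            raise ValueError(f"{key} must be a string")
        record[key] = data.get(key)
    for key in TIMESTAMP_FIELDS:
        record[key] = _parse_timestamp(data[key]) if key in data else None
    # source_info must be an object carrying a syntactically valid IP.
    src = data.get("source_info")
    if src is None:
        record["source_info"] = None
    else:
        if not isinstance(src, dict) or "ip" not in src:
            raise ValueError("source_info must be an object with an ip")
        record["source_info"] = {"ip": str(ip_address(src["ip"]))}
    return record


def rule(event):
    """Panther-style rule body: fire on high-severity threat detections."""
    return event.get("severity") == "high" and event.get("threat") is not None


def title(event):
    """Panther-style alert title built from schema columns."""
    return (f"Sophos threat {event.get('threat')} on {event.get('dhost')} "
            f"(user {event.get('suser')})")


def upload_lag_seconds(event):
    """Seconds between endpoint-side time (end) and upload to Central (rt)."""
    return (event["rt"] - event["end"]).total_seconds()


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(json.dumps({k: str(v) for k, v in ev.items()}, indent=2))
    if rule(ev):
        print("ALERT:", title(ev))
    print("upload lag:", upload_lag_seconds(ev), "s")
```

The `end`/`rt` gap is worth keeping in view when tuning detections: `end` is the endpoint-side time, while `rt` reflects when Sophos Central received the event, so rules that window on ingestion time can lag the actual activity.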