Panther can ingest Sophos logs through two Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Sophos logs to Panther
To connect these logs to Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Configure Sophos to push logs to the Data Transport source.
See the Sophos documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Sophos.Central
Sophos Central events.
```yaml
schema: Sophos.Central
description: Sophos Central events
referenceURL: https://support.sophos.com/support/s/article/KB-000038307?language=en_US
fields:
  - name: endpoint_id
    required: true
    description: Endpoint ID associated with the event
    type: string
  - name: endpoint_type
    required: true
    description: Type of endpoint
    type: string
  - name: customer_id
    description: Customer ID
    type: string
  - name: severity
    description: Severity of the event
    type: string
  - name: source_info
    description: Source information for the endpoint (its IP address)
    type: object
    fields:
      - name: ip
        description: First IPv4 address of the endpoint
        type: string
        indicators:
          - ip
  - name: name
    description: Name of threat, or other event details
    type: string
  - name: id
    required: true
    description: Unique identifier for the event
    type: string
  - name: type
    required: true
    description: Type of event
    type: string
  - name: group
    description: Category of event
    type: string
  - name: end
    required: true
    description: Time the event occurred on the endpoint
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: rt
    description: Time the event was uploaded to Sophos Central
    type: timestamp
    timeFormats:
      - rfc3339
  - name: dhost
    description: Source host of the event
    type: string
  - name: suser
    description: Logged-in user
    type: string
    indicators:
      - username
  - name: datastream
    description: Alert, or Event, to distinguish between event types
    type: string
  - name: duid
    description: Undocumented field
    type: string
  - name: threat
    description: Name of the threat
    type: string
  - name: detection_identity_name
    description: Name of the detection
    type: string
  - name: filePath
    description: Path to the threat
    type: string
  - name: user
    description: Undocumented field, but should be the same as User
    type: string
  - name: rule
    description: DLP rule
    type: string
  - name: user_action
    description: DLP user action
    type: string
  - name: app_name
    description: DLP application name
    type: string
  - name: action
    description: DLP action
    type: string
  - name: file_type
    description: DLP file type
    type: string
  - name: file_size
    description: DLP file size
    type: bigint
  - name: file_path
    description: DLP file path
    type: string
  - name: appSha256
    description: SHA-256 hash of the application associated with the threat, if available
    type: string
    indicators:
      - sha256
  - name: appCerts
    description: Certificate information for the application associated with the threat, if available
    type: array
    element:
      type: object
      fields:
        - name: signer
          description: PUA app certificate signer
          type: string
        - name: thumbprint
          description: PUA app certificate thumbprint
          type: string
  - name: origin
    description: Originating component of a detection
    type: string
  - name: core_remedy_items
    description: Details of the items cleaned or restored
    type: object
    fields:
      - name: items
        description: List of remediations
        type: array
        element:
          type: object
          fields:
            - name: type
              description: Type of item
              type: string
            - name: result
              description: Remedy outcome
              type: string
            - name: descriptor
              description: Path to file
              type: string
            - name: processPath
              description: Undocumented field
              type: string
      - name: totalItems
        description: Remediation count
        type: int
```
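Once Sophos.Central events are flowing, the schema above is what a Panther rule sees. The following is an added example written for this page, not Panther's or Sophos's own code: a rule that fires on alert-stream events that Sophos rates high or critical, and on threat events whose `core_remedy_items` show a remediation that did not succeed (a detection that was cleaned up is usually noise; one that was not is work for an analyst). The `rule`/`title`/`severity`/`dedup`/`alert_context` functions are Panther's standard rule interface; the local `deep_get` stands in for `PantherEvent.deep_get` so the file runs offline on plain dicts. The `Event::Endpoint::Threat::` type prefix, the lowercase `alert` datastream value, the `SUCCESS` remediation result, and the sample events themselves are assumptions constructed for the example; the page documents only the field names and meanings.

```python
"""Panther rule over Sophos.Central events (added example, not Panther's or Sophos's code)."""
from typing import Any

# ASSUMPTION: Sophos Central uses type names such as "Event::Endpoint::Threat::Detected".
# The schema on this page only says the field holds the event type.
THREAT_TYPE_PREFIX = "Event::Endpoint::Threat::"
# ASSUMPTION: datastream is "alert" or "event"; compared case-insensitively.
ALERT_STREAM = "alert"
# ASSUMPTION: a successful remediation carries result "SUCCESS".
REMEDY_OK = "SUCCESS"


def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Stand-in for PantherEvent.deep_get(): walk nested keys, tolerating missing levels."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur


def failed_remediations(event: dict) -> list:
    """Remediation items whose result is anything other than SUCCESS."""
    items = deep_get(event, "core_remedy_items", "items", default=[])
    return [i for i in items if str(i.get("result", "")).upper() != REMEDY_OK]


def rule(event: dict) -> bool:
    """Fire on high/critical alerts, or on threat alerts Sophos could not fully remediate."""
    if str(event.get("datastream", "")).lower() != ALERT_STREAM:
        return False
    if str(event.get("severity", "")).lower() in ("high", "critical"):
        return True
    return str(event.get("type", "")).startswith(THREAT_TYPE_PREFIX) and bool(failed_remediations(event))


def title(event: dict) -> str:
    """Alert title: threat name (falling back to the generic name), host and logged-in user."""
    threat = event.get("threat") or event.get("name") or "unknown threat"
    return f"Sophos: {threat} on {event.get('dhost', '<unknown host>')} (user {event.get('suser', '<unknown user>')})"


def severity(event: dict) -> str:
    """Escalate when cleanup failed; otherwise the event already met the high/critical bar."""
    return "CRITICAL" if failed_remediations(event) else "HIGH"


def dedup(event: dict) -> str:
    """One alert per endpoint and threat, so repeated detections of the same file collapse."""
    return f"{event.get('endpoint_id', '')}:{event.get('threat') or event.get('name', '')}"


def alert_context(event: dict) -> dict:
    """Indicators an analyst needs for triage, drawn from the schema's indicator fields."""
    return {
        "endpoint_id": event.get("endpoint_id"),
        "endpoint_ip": deep_get(event, "source_info", "ip"),
        "app_sha256": event.get("appSha256"),
        "file_path": event.get("filePath") or event.get("file_path"),
        "failed_remediations": [
            {"type": i.get("type"), "result": i.get("result"), "descriptor": i.get("descriptor")}
            for i in failed_remediations(event)
        ],
    }


# Constructed sample events in the shape of the Sophos.Central schema (not real Sophos data;
# the SHA-256 below is the well-known hash of the empty string).
DETECTED_CLEANUP_FAILED = {
    "id": "evt-0001", "endpoint_id": "ep-0001", "endpoint_type": "computer",
    "type": "Event::Endpoint::Threat::Detected", "datastream": "alert", "severity": "medium",
    "threat": "Troj/Example-A", "dhost": "WS-0001", "suser": "alice",
    "filePath": "C:\\Users\\alice\\Downloads\\invoice.exe",
    "appSha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "source_info": {"ip": "10.0.0.5"},
    "end": "2024-05-01T12:00:00Z", "rt": "2024-05-01T12:00:05Z",
    "core_remedy_items": {"totalItems": 2, "items": [
        {"type": "file", "result": "SUCCESS", "descriptor": "C:\\Users\\alice\\Downloads\\invoice.exe"},
        {"type": "process", "result": "FAILED", "descriptor": "C:\\Windows\\Temp\\svc.exe"},
    ]},
}
DETECTED_CLEANED = {**DETECTED_CLEANUP_FAILED, "id": "evt-0002",
                    "core_remedy_items": {"totalItems": 1, "items": [
                        {"type": "file", "result": "SUCCESS", "descriptor": "C:\\tmp\\eicar.com"}]}}
HIGH_SEV_DLP = {"id": "evt-0003", "endpoint_id": "ep-0002", "endpoint_type": "computer",
                "type": "Event::Endpoint::DataLossPreventionAutomaticallyBlocked",
                "datastream": "alert", "severity": "high", "name": "DLP block", "dhost": "WS-0002",
                "suser": "bob", "rule": "PCI", "action": "block", "file_path": "/home/bob/cards.csv",
                "end": "2024-05-01T13:00:00Z"}
INFO_EVENT = {"id": "evt-0004", "endpoint_id": "ep-0003", "endpoint_type": "server",
              "type": "Event::Endpoint::UpdateSuccess", "datastream": "event",
              "severity": "low", "end": "2024-05-01T14:00:00Z"}

if __name__ == "__main__":
    for ev in (DETECTED_CLEANUP_FAILED, DETECTED_CLEANED, HIGH_SEV_DLP, INFO_EVENT):
        print(ev["id"], rule(ev), title(ev) if rule(ev) else "")
```

Keying `dedup` on `endpoint_id` plus threat rather than on the event `id` matters in practice: Sophos emits a fresh `id` for every detection, so a file that is repeatedly re-downloaded would otherwise produce one alert per event.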