Sophos Logs

Connecting Sophos logs to your Panther Console

Overview

Panther supports ingesting Sophos logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Sophos logs to Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for the log type you want to onboard, then click its tile.

  4. Select the data transport method you wish to use for this integration (S3 or SQS), then follow Panther's instructions for configuring that method.

  5. Configure Sophos to push logs to the Data Transport source.

    • See the Sophos documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Sophos.Central

Sophos Central events.

Reference: Sophos Documentation on Central API Events.

schema: Sophos.Central
description: Sophos Central events
referenceURL: https://support.sophos.com/support/s/article/KB-000038307?language=en_US
fields:
    - name: endpoint_id
      required: true
      description: Endpoint ID associated with the event
      type: string
    - name: endpoint_type
      required: true
      description: Type of endpoint
      type: string
    - name: customer_id
      description: Customer ID
      type: string
    - name: severity
      description: Severity of the event
      type: string
    - name: source_info
      description: Source IP of the endpoint
      type: object
      fields:
        - name: ip
          description: First IPv4 address of the endpoint
          type: string
          indicators:
            - ip
    - name: name
      description: Name of threat, or other event details
      type: string
    - name: id
      required: true
      description: Unique identifier for the event
      type: string
    - name: type
      required: true
      description: Type of event
      type: string
    - name: group
      description: Category of event
      type: string
    - name: end
      required: true
      description: Time the event occurred on the endpoint
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: rt
      description: Time the event was uploaded to Sophos Central
      type: timestamp
      timeFormats:
        - rfc3339
    - name: dhost
      description: Source host of the event
      type: string
    - name: suser
      description: Logged in user
      type: string
      indicators:
        - username
    - name: datastream
      description: Alert, or Event, to distinguish between event types
      type: string
    - name: duid
      description: Undocumented field
      type: string
    - name: threat
      description: Name of the threat
      type: string
    - name: detection_identity_name
      description: Name of the detection
      type: string
    - name: filePath
      description: Path to the threat
      type: string
    - name: user
      description: Undocumented field, but should be the same as User
      type: string
    - name: rule
      description: DLP rule
      type: string
    - name: user_action
      description: DLP user action
      type: string
    - name: app_name
      description: DLP application name
      type: string
    - name: action
      description: DLP action
      type: string
    - name: file_type
      description: DLP file type
      type: string
    - name: file_size
      description: DLP file size
      type: bigint
    - name: file_path
      description: DLP file path
      type: string
    - name: appSha256
      description: SHA 256 hash of the application associated with the threat, if available
      type: string
      indicators:
        - sha256
    - name: appCerts
      description: Certificate information for the application associated with the threat, if available
      type: array
      element:
        type: object
        fields:
            - name: signer
              description: PUA app certificate signer
              type: string
            - name: thumbprint
              description: PUA app certificate thumbprint
              type: string
    - name: origin
      description: Originating component of a detection
      type: string
    - name: core_remedy_items
      description: Details of the items cleaned or restored
      type: object
      fields:
        - name: items
          description: List of remediations
          type: array
          element:
            type: object
            fields:
                - name: type
                  description: Type of item
                  type: string
                - name: result
                  description: Remedy outcome
                  type: string
                - name: descriptor
                  description: Path to file
                  type: string
                - name: processPath
                  description: Undocumented field
                  type: string
        - name: totalItems
          description: Remediation count
          type: int
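
The schema above is what a Panther detection sees at rule time. As an added example that is not part of the Panther documentation or Sophos's own code, here is a Panther-style detection rule in Python over Sophos.Central events that uses only the fields listed above. It assumes Panther's rule contract (a rule(event) function returning a boolean over a dict-like event) and that a core_remedy_items result reads SUCCESS when cleanup worked; every sample value is constructed.

```python
"""Added example, not code from the Panther docs or from Sophos: a Panther-style
detection over Sophos.Central events. Assumes Panther's rule contract
(rule(event) -> bool on a dict-like event); all sample values are constructed."""
from datetime import datetime

ALERT_SEVERITIES = {"high", "critical"}  # assumed severity labels
MAX_UPLOAD_LAG_SECONDS = 6 * 3600        # end -> rt gap worth investigating

def _parse_rfc3339(value):
    """Parse the rfc3339 'end'/'rt' fields; None if absent or malformed."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None

def remedy_failures(event):
    """core_remedy_items.items entries whose result is not SUCCESS (assumed value)."""
    items = (event.get("core_remedy_items") or {}).get("items") or []
    return [i for i in items if (i.get("result") or "").upper() != "SUCCESS"]

def upload_lag_seconds(event):
    """Seconds between the event time on the endpoint (end) and its upload (rt)."""
    end, rt = _parse_rfc3339(event.get("end")), _parse_rfc3339(event.get("rt"))
    return None if end is None or rt is None else (rt - end).total_seconds()

def rule(event):
    """Alert on threat events that are high severity, were not fully
    remediated, or reached Sophos Central long after they occurred."""
    if event.get("datastream") != "Alert" and not event.get("threat"):
        return False
    if (event.get("severity") or "").lower() in ALERT_SEVERITIES:
        return True
    lag = upload_lag_seconds(event)
    return bool(remedy_failures(event)) or (lag is not None and lag > MAX_UPLOAD_LAG_SECONDS)

# Constructed sample events (not real Sophos data).
CLEANUP_FAILED = {
    "id": "evt-1", "type": "threat-detected", "datastream": "Alert", "severity": "medium",
    "threat": "Test-Threat", "dhost": "wks-01", "suser": "alice",
    "end": "2024-05-01T10:00:00Z", "rt": "2024-05-01T10:01:00Z",
    "core_remedy_items": {"totalItems": 2, "items": [
        {"type": "file", "result": "SUCCESS", "descriptor": "/tmp/a"},
        {"type": "process", "result": "NOT_FOUND", "descriptor": "/tmp/b"}]},
}
BENIGN = {
    "id": "evt-2", "type": "update", "datastream": "Event", "severity": "low",
    "end": "2024-05-01T10:00:00Z", "rt": "2024-05-01T10:00:30Z",
}
```

The lag check catches endpoints whose events arrive hours after the fact, which is worth a look on its own since a delayed upload can mean the agent was offline or blocked while the threat was active.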
