Viewing Your Sophos Central Events and Alarms

Role Availability Read-Only Investigator Analyst Manager

BlueApp for Sophos Central translates the Sophos event and alert data collected through the USM Anywhere Sensor into normalized events for analysis. Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of event types and sub-types. An event is any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall. These normalized events are accessible from the Events page.

Note: A correlation rule automatically identifies Sophos Central alerts where there is a threat detected for malware on an endpoint, and it generates a USM Anywhere alarm. Alarms provide notification of an event or sequence of events that require attention or investigation. If you want to generate an alarm for other types of Sophos Central events or alerts, you can create your own custom alarm rules and define the matching conditions to fit your criteria.

To view Sophos Central events

  1. Select Activity > Events to open the events page.
  2. If the Search & Filters panel is not displayed, click the icon to expand it.

    USM Anywhere includes several filters displayed by default.

  3. Scroll down to the Data Source filter and select Sophos Central JSON to display only those events on the page.


    If this filter is not displayed, click the Configure filters link, which is in the upper left corner of the page, to configure filters for the page. See Managing Filters for more information about configuring filters for pages.

  4. Select an event in the list to view detailed information.
