When you configure Sophos Central to send log data to USM Appliance, you can use the sophos-central plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
|Device Type||Endpoint Security|
|Data Source Name||sophos-central|
|Data Source ID||1847|
Integrating Sophos Central
Sophos Central has secure APIs available that allow the retrieval of event and alert data from Sophos Central for use in other systems. The primary goal for these APIs is to allow integration with Security Information and Event Management (SIEM) solutions, including USM Appliance. A Sophos Central SIEM Integration script is used to accomplish this.
The following procedure describes how to create an API token, modify the config.ini file to include token data, and launch the script to import data into your SIEM solution, in this case, USM Appliance. Before you configure the Sophos Central integration, you must have the IP Address of the USM Appliance Sensor.
To configure Sophos Central to send syslog messages (alert and event data) to USM Appliance
- From the Sophos website, select the Clone or Download option to download the zip file containing all components of the Sophos Central SIEM Integration script.
Place the script on a Windows or Linux machine running Python 2.7.9 or later.
- This machine is separate from USM Appliance.
- Running the script from a Linux machine has the added benefit of supporting syslog out-of-the-box. The script extracts the logs from Sophos Central and then send them to USM Appliance using Syslog.
- In the Sophos Central Admin program, select Global Settings > API Token Management.
- To create a new token, click Add token in the top-right corner of the screen.
- Select a token name and click Save.
The API Token Summary for this token is displayed.
- Click Copy to copy the API Access URL and Headers from the API Token Summary section into your clipboard.
- Open the config.ini file in a text editor.
- Copy and paste the API Access URL and Headers block from the API Token Management page in Sophos Central.
- (Optional) By default, the script outputs JSON data to results.txt in a subdirectory called logs. You can change the output file and location in the config.ini file, but don't make any further changes to the file.
- Run the python siem.py script and review the results.txt output file.
Important: The USM Appliance plugin expects the logs to be sent in CEF format. Also, you will need at least one alert or event generated in your Sophos Central account within the last 12 hours to return any data. Subsequent script execution will pull down any new data generated from within the last 24 hours.
- You can configure your environment to run the script on a regular basis, such as every hour, using a scheduled task or cronjob. The script will automatically only retrieve new data generated since it was last run, to avoid duplicate data being exported.
Note: For more options and help on running the script, run the command python siem.py ‑h.
You must add the machine that runs the Sophos Central SIEM Integration script as an asset in USM Appliance, and you must enable the Sophos Central plugin on this asset. For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, refer to the vendor documentation: