USM Anywhere includes a Sophos Central pluginPlugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities., which translates the Sophos event and alert data collected through the AlienApp for Sophos Central into normalizedNormalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. events for analysis. This plugin is automatically enabled and these normalized eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. are accessible from the Events page and Overview dashboard.
Note: A correlation rule automatically identifies Sophos Central alerts where there is a threat detected for malware on an endpoint, and it generates a USM Anywhere alarmAlarms provide notification of an event or sequence of events that require attention or investigation.. If you want to generate an alarm for other types of Sophos Central events or alerts, you can create your own custom alarm rules and define the matching conditions to fit your criteria.
To view Sophos Central events
- Select Activity > Events to open the Events page.
If the Search & Filters panel is not displayed, click the icon to expand it.
USM Anywhere includes several filters displayed by default.
Scroll down to the Data Source Plugin filter and select Sophos Central JSON to display only those events on the page.
If this filter is not displayed, click the Configure filters link, which is in the upper left corner of the page, to configure filters for the page. (See Managing Filters for more information about configuring filters for pages.)
Select an event in the list to view detailed information.