When you configure Sophos Central to send log data to USM Appliance, you can use the sophos-central plugin to translate the raw log data into normalized events for analysis.
| Property | Value |
|---|---|
| Device Type | Endpoint Security |
| Data Source Name | sophos-central |
| Data Source ID | 1847 |
Integrating Sophos Central
Before you configure the Sophos Central integration, you must have the IP Address of the USM Appliance Sensor.
To configure Sophos Central to send syslog messages (alert and event data) to USM Appliance, use the procedure that follows.
Sophos Central has secure APIs available that allow the retrieval of event and alert data from Sophos Central for use in other systems. The primary goal for these APIs is to allow integration with SIEM (Security Information and Event Management) solutions, including USM Appliance. A Sophos Central SIEM Integration script is used to accomplish this.
Note: Sophos Support is available only for the APIs and the unmodified script provided by Sophos. Sophos does not provide advice and troubleshooting for other custom integrations. Your Sophos partner may provide such services, or you may arrange to involve Sophos’ own Professional Services team if you need assistance beyond the services that Sophos Support provides.
The following procedure describes how to create an API token, modify the config.ini file to include token data, and launch the script to import data into your SIEM solution, in this case, USM Appliance.
- From the Sophos web site, select the Clone or Download option to download the zip file containing all components of the Sophos Central SIEM Integration script.
- Run the script from a machine (Windows or Linux) running Python 2.7.9 or later. (An update of the SIEM scripts on 6/26/17 now supports Python 3 as well.)
Important: You must also have a token to access event data through the API. Running the script on a Linux machine has the added benefit of supporting syslog out of the box, so the script can pull the logs from Sophos Central and forward them to USM Appliance over syslog. The USM Appliance plugin expects the logs to be sent in CEF format.
- In the Sophos Central Admin program, select Global Settings > API Token Management.
- To create a new token, click Add token in the top-right corner of the screen.
- Select a token name and click Save.
The API Token Summary for this token is displayed.
- Click Copy to copy the API Access URL and Headers from the API Token Summary section into your clipboard.
- Open the config.ini file in a text editor.
- Copy and paste the API Access URL and Headers block from the API Token Management page in Sophos Central.
- (Optional step.) By default, the script outputs JSON data to a results.txt file in a subdirectory called logs. You can change the output file name and location in the config.ini file, but do not make any further changes to the file.
- Run the script with python siem.py and review the results.txt output file.
Important: The USM Appliance plugin expects the logs to be sent in CEF format. Also, you will need at least one alert or event generated in your Sophos Central account within the last 12 hours to return any data. Subsequent script execution will then pull down any new data generated from within the last 24 hours.
- You can configure your environment to run the script on a regular basis, such as every hour, using a scheduled task or cron job. The script automatically retrieves only data generated since its last run, so no duplicate data is exported.
Note: For more options and help on running the script, you can run the command python siem.py -h.
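The Important notes above state that the USM Appliance plugin expects CEF, while the script writes JSON to results.txt by default. The following Python example, added here and not part of the Sophos SIEM Integration script or the USM Appliance plugin, parses one CEF line (handling the CEF escapes for `|` and `\` in the header and `=`, `\`, `\n` in the extension, and folding `csNLabel`/`csN` pairs into named fields) and rejects a JSON line, so you can verify what the script produces before forwarding it to the sensor. The two sample lines are constructed for this example; the vendor, product, signature ID and extension keys are placeholders, not the exact values the Sophos script emits.

```python
"""Check that SIEM script output is CEF before forwarding it to USM Appliance.

Added example, not part of the Sophos script or the USM Appliance plugin.
The sample lines are constructed; vendor/product/signature values are
placeholders, not the exact values the Sophos script emits.
"""
import re
from typing import Dict, List

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is a run of key characters immediately followed by '=',
# at the start of the extension or after whitespace. An escaped '\=' inside a
# value never matches because the character before '=' is a backslash.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\[\]-]+)=")
_EXT_ESCAPES = {"n": "\n", "r": "\r", "=": "=", "\\": "\\"}


def _unescape_extension(value: str) -> str:
    """Undo CEF extension escaping in a single pass, so an escaped backslash
    followed by 'n' stays a backslash plus 'n' rather than becoming a newline."""
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(0)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=value with spaces ...' into a dict."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_extension(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line; a syslog prefix before 'CEF:' is ignored.

    Raises ValueError for anything that is not CEF, such as the JSON lines
    the script writes by default.
    """
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message: 'CEF:' prefix missing")
    body = line[idx + 4:].rstrip("\r\n")

    # The first seven unescaped '|' delimit the header; '\|' and '\\' are
    # escapes inside header fields. Everything after the seventh is extension.
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 '|'-delimited fields")

    event: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(body[i:])
    return event


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Expose 'cs1Label=threat cs1=X' additionally as ext['threat'] == 'X'."""
    resolved = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and label:
            base = key[:-len("Label")]
            if base in ext:
                resolved[label] = ext[base]
    return resolved


def is_cef(line: str) -> bool:
    """True when the line parses as CEF, False for JSON or other formats."""
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False


# Constructed sample lines (placeholders, not real script output): one CEF
# event with escaped '|', '=' and '\', and one JSON line like the default output.
SAMPLE_CEF = (
    r"<14>Jun 26 10:15:00 siemhost CEF:0|Sophos|Sophos Central|1.0|"
    r"threat_detected|Malware detected \| quarantined|8|"
    r"rt=2017-06-26T10:15:00.000Z dhost=WS-042 suser=jdoe "
    r"msg=Path\=C:\\Users\\jdoe\\eicar.com cs1Label=threat cs1=EICAR-AV-Test"
)
SAMPLE_JSON = '{"type": "threat_detected", "severity": "high"}'

if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_JSON):
        if is_cef(sample):
            ev = parse_cef(sample)
            print(ev["name"], ev["severity"], resolve_labels(ev["extension"]))
        else:
            print("rejected: not CEF, the USM Appliance plugin will not parse it")
```

Run the script on the lines the SIEM script forwards (for instance a copy of the syslog stream captured on the Linux host): any line that `is_cef` rejects would also be dropped or misparsed by the plugin. The header splitter stops after exactly seven unescaped pipes, so a `|` inside the extension (which CEF allows unescaped there) does not break parsing.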
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, refer to the vendor documentation: