Sophos Central collector

Service description

Sophos is a set of cloud-native, AI-enhanced security solutions that adapt and evolve to protect endpoints and networks against previously unseen attacker tactics and techniques. Sophos Central is the unified console for managing Sophos products.

The Sophos Central collector extracts event and alert audit logs and sends them to Devo.

Data source description

The collector processes the Sophos Central API responses and sends them to the Devo platform, which categorizes all the information received into tables in your Devo domain.

The Sophos Central API allows you to retrieve account activity for the alert and event resources:

| Resource type | Definition                 | Devo data table              |
|---------------|----------------------------|------------------------------|
| Alerts        | Returns a list of alerts.  | cloud.sophos.central.alerts  |
| Events        | Returns a list of events.  | cloud.sophos.central.events  |

The Sophos Central: API Specification and Documentation has some API schemas that you can use. Also, you can load the schemas using this schema editor.

Setup

Getting the required credentials

You can generate and manage the required API token used for secure access to the Security Information and Event Management (SIEM) Integration API. This enables you to pull new event and alert data from Sophos Central.

You must be a Super Admin to manage and generate API tokens.

To add a new token:

  1. Go to Settings and open the API Token Management page.
  2. Click Add Token.
  3. Give the token a name and click Save. This generates the API token valid for a year.
  4. Save your API Access URL, x-api-key, Authentication Basic, and Expires. You will need them in the config file later on.

Run the collector

This data collector runs as a Docker container, so it can be run on any machine that has the Docker service available. The following sections explain how to prepare the setup required to run the data collector.

Structure

The following directory structure should be created for use when running the Sophos Central collector:

<any_directory>
└── devo-collectors/
    └── sophos-central/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        └── config/ 
            └── config-sophos-central.yaml

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA, and save them in <any_directory>/devo-collectors/sophos-central/certs. Learn more about security credentials in Devo here.

Editing the config-sophos-central.yaml file

In the config-sophos-central.yaml file, replace <url>, <x_api_key>, <authentication_basic>, and <token_expire_at_ts> with the values that you got in the previous steps. The <short_unique_identifier> can have any value you choose.

config-sophos-central.yaml
globals:
  debug: false                                                                   # Set to true or false to enable or disable debugging mode
  id: not_used
  name: sophos
  persistence:                                                                   # Persistence setup (filesystem)
    type: filesystem
    config:
      directory_name: state                                                      # Persistence directory
outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-us.devo.io                                              # Devo platform address (US shown; use collector-eu.devo.io for EU domains)
      port: 443
      type: SSL
      chain: chain.crt
      cert: your_domain.crt
      key: your_domain.key
inputs:
  sophos_central:
    id: <short_unique_identifier>                                                # Used internally to keep an independent persistence area per input
    enabled: true
    requests_per_second: 5                                                       # Requests per second. 5 recommended.
    autoconfig:
      enabled: true
      refresh_interval_in_seconds: 600
    credentials:
      url: <url>                                                                 # Sophos Central API access URL, e.g. api3.central.sophos.com/gateway
      x_api_key: <x_api_key>                                                     # Sophos Central API key
      authentication_basic: <authentication_basic>                               # Sophos Central Authentication Basic
      token_expire_at_ts: <token_expire_at_ts>                                   # Token expiry. Accepted formats: YYYY-MM-DDTHH:MM:SS.ssssssZ or Mon DD, YYYY
    services:
      alerts:
        request_period_in_seconds: 60                                            # Request period in seconds
      events:
        request_period_in_seconds: 60
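The steps above (directory layout, Devo certificates, and the placeholders in config-sophos-central.yaml) are easy to get half right, and the collector then fails only after it has been started. The following pre-flight script is an added example, not part of the Devo documentation or of the collector itself. It assumes the directory layout from the Structure section and the keys of the config file shown above, expects the YAML to be parsed already (PyYAML is only used when run as a script), and uses constructed sample config dicts so that it runs offline. It reports unreplaced placeholders, a token expiry that does not match either accepted format or has already passed (or is about to), missing certificate files, and a private key readable by other local users.

```python
"""Pre-flight check for a Sophos Central collector deployment directory.

Added example, not part of the Devo documentation or of the collector itself.
It assumes the directory layout from the "Structure" section and the keys of
the config-sophos-central.yaml shown above. The YAML is expected to be parsed
already (PyYAML is optional and only used under __main__); the sample config
dicts below are constructed for this example so that it runs offline.
"""
from __future__ import annotations

import stat
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Placeholders the documentation tells you to replace before starting the collector.
PLACEHOLDERS = {"<url>", "<x_api_key>", "<authentication_basic>",
                "<token_expire_at_ts>", "<short_unique_identifier>"}

# The two formats the token_expire_at_ts comment accepts.
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%b %d, %Y")


def parse_token_expiry(value: str) -> datetime:
    """Parse token_expire_at_ts in either accepted format into a UTC datetime."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised token_expire_at_ts format: {value!r}")


def check_config(cfg: dict, now: datetime | None = None, warn_days: int = 30) -> list[str]:
    """Return the problems found in a parsed config-sophos-central.yaml (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    inp = cfg.get("inputs", {}).get("sophos_central", {})
    creds = inp.get("credentials", {})

    # 1. Every placeholder must have been replaced with a real value.
    for key, val in [("id", inp.get("id"))] + list(creds.items()):
        if isinstance(val, str) and val.strip() in PLACEHOLDERS:
            problems.append(f"{key} still holds the placeholder {val.strip()}")

    # 2. The token expiry must parse and must not be in the past or about to pass;
    #    the token generated in the Sophos console is only valid for a year.
    expiry_raw = creds.get("token_expire_at_ts")
    if isinstance(expiry_raw, str) and expiry_raw.strip() not in PLACEHOLDERS:
        try:
            expiry = parse_token_expiry(expiry_raw)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            if expiry <= now:
                problems.append(f"API token expired at {expiry.isoformat()}")
            elif expiry - now < timedelta(days=warn_days):
                problems.append(f"API token expires within {warn_days} days ({expiry.date()})")

    # 3. The Devo output must name the three certificate files placed under certs/.
    out = cfg.get("outputs", {}).get("devo_1", {}).get("config", {})
    for key in ("chain", "cert", "key"):
        if not out.get(key):
            problems.append(f"outputs.devo_1.config.{key} is missing")
    return problems


def check_deployment_dir(base: str | Path, cfg: dict) -> list[str]:
    """Check that certs/ and config/ hold the expected files and that the private
    key is not readable by other local users on the Docker host."""
    base = Path(base)
    problems: list[str] = []
    out = cfg.get("outputs", {}).get("devo_1", {}).get("config", {})
    for key in ("chain", "cert", "key"):
        name = out.get(key)
        if name and not (base / "certs" / name).is_file():
            problems.append(f"certs/{name} (outputs.devo_1.config.{key}) not found")
    if not (base / "config" / "config-sophos-central.yaml").is_file():
        problems.append("config/config-sophos-central.yaml not found")
    key_file = base / "certs" / str(out.get("key") or "")
    if out.get("key") and key_file.is_file():
        mode = stat.S_IMODE(key_file.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"certs/{key_file.name} is readable by group/others (mode {mode:04o})")
    return problems


# Constructed sample: the template as shipped, with no placeholder replaced.
SAMPLE_TEMPLATE = {
    "outputs": {"devo_1": {"config": {"chain": "chain.crt", "cert": "your_domain.crt",
                                      "key": "your_domain.key"}}},
    "inputs": {"sophos_central": {"id": "<short_unique_identifier>", "credentials": {
        "url": "<url>", "x_api_key": "<x_api_key>",
        "authentication_basic": "<authentication_basic>",
        "token_expire_at_ts": "<token_expire_at_ts>"}}},
}

# Constructed sample: filled with dummy values and a token expiring on Feb 1, 2030.
SAMPLE_FILLED = {
    "outputs": SAMPLE_TEMPLATE["outputs"],
    "inputs": {"sophos_central": {"id": "sophos_prod", "credentials": {
        "url": "api-example.invalid/gateway",  # dummy host, not a real Sophos endpoint
        "x_api_key": "EXAMPLE-KEY", "authentication_basic": "EXAMPLE-BASIC",
        "token_expire_at_ts": "Feb 01, 2030"}}},
}

if __name__ == "__main__":
    import yaml  # PyYAML; only needed when checking a real deployment directory
    base_dir = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    parsed = yaml.safe_load((base_dir / "config" / "config-sophos-central.yaml").read_text())
    for problem in check_config(parsed) + check_deployment_dir(base_dir, parsed):
        print("PROBLEM:", problem)
```

Run it as `python preflight.py <any_directory>/devo-collectors/sophos-central` before `docker run`; an empty output means the placeholders are gone, the token date parses and is still valid, and the three certificate files are in place with the private key restricted to the owner.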

Download the Docker image

The collector should be deployed as a Docker container. Click here to download the Docker image of the collector as a .tgz file.

Use the following command to add the Docker image to the system:

$ gunzip -c collector-sophos-docker-image-<version>.tgz | docker load

Replace <version> with the version of the file you downloaded. Once the image is imported, docker load prints the full name of the Docker image, including the version tag.

The Docker image can be deployed on the following services:

Docker

Execute the following command from the root directory <any_directory>/devo-collectors/sophos-central/:

docker run \
--name collector-sophos-central \
--volume $PWD/certs:/devo-collector/certs \
--volume $PWD/config:/devo-collector/config \
--volume $PWD/state:/devo-collector/state \
--env CONFIG_FILE=config-sophos-central.yaml \
--rm -it docker.devo.internal/collector/sophos-central:<version>

Replace <version> with the proper value.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/sophos-central/ directory.

docker-compose.yaml
version: '3'
services:
  collector-sophos-central:
    build:
      context: .
      dockerfile: Dockerfile
    image: docker.devo.internal/collector/sophos-central:${IMAGE_VERSION:-latest}
    container_name: sophos-central-collector
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config-sophos-central.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/sophos-central directory:

IMAGE_VERSION=<version> docker-compose up -d

Replace <version> with the proper value.

Activeboards

Click here to download a preconfigured Activeboard that makes use of this collector and try it in your Devo domain.

To start working with it, follow these instructions:

  1. Create a new Activeboard in your domain. Learn how to do it here.

  2. In Edit mode, click the ellipsis button and select Edit raw configuration.

  3. Open the downloaded file, select all the text, and copy it into the clipboard.

  4. Paste the contents of the file in the raw editor. Make sure you replace the existing configuration completely.

  5. Click Save changes. The Activeboard should show up immediately.