
cloud.sophos

Introduction

The tags beginning with cloud.sophos identify events generated by Sophos.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as cloud.sophos. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service    Tags                            Data tables
Sophos Central       cloud.sophos.central.alerts     cloud.sophos.central.alerts
                     cloud.sophos.central.events     cloud.sophos.central.events

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.sophos.central.alerts

Field                      Type         Extra fields
eventdate                  timestamp
hostname                   str
info                       str
threatCleanable            str
threat                     str
eventServiceEventId        str
customerId                 str
severity                   str
createdAt                  timestamp
when                       timestamp
description                str
location                   str
id                         str
type                       str
source                     str
dataCreatedAt              timestamp
dataEndpointId             str
dataEndpointJavaId         str
dataEndpointPlatform       str
dataEndpointType           str
dataEventServiceId         str
dataEventServiceId_type    str
dataEventServiceId_data    str
dataInsertedAt             timestamp
dataMakeActionableAt       timestamp
dataSourceAppId            str
dataSourceInfoIp           ip4
dataUserMatchId            str
dataUserMatchUuid          str
dataUserMatchUuid_type     str
dataUserMatchUuid_data     str
dataThreatId               str
dataThreatStatus           str
hostchain                  str          ✓
tag                        str          ✓
rawMessage                 str

cloud.sophos.central.events

Field                      Type         Extra fields
eventdate                  timestamp
hostname                   str
appSha256                  str
appCerts                   str
userId                     str
threat                     str
endpointId                 str
endpointType               str
createdAt                  timestamp
customerId                 str
severity                   str
sourceInfoIp               ip4
origin                     str
when                       timestamp
coreRemedyItems            str
name                       str
location                   str
id                         str
type                       str
source                     str
group2                     str
hostchain                  str          ✓
tag                        str          ✓
rawMessage                 str          ✓
