cloud.sophos
Introduction
The tags beginning with cloud.sophos identify events generated by Sophos.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as cloud.sophos. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Sophos Central | cloud.sophos.central.alerts | cloud.sophos.central.alerts |
| cloud.sophos.central.events | cloud.sophos.central.events |
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
cloud.sophos.central.alerts
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
info | | |
threatCleanable | | |
threat | | |
eventServiceEventId | | |
customerId | | |
severity | | |
createdAt | | |
when | | |
description | | |
location | | |
id | | |
type | | |
source | | |
dataCreatedAt | | |
dataEndpointId | | |
dataEndpointJavaId | | |
dataEndpointPlatform | | |
dataEndpointType | | |
dataEventServiceId | | |
dataEventServiceId_type | | |
dataEventServiceId_data | | |
dataInsertedAt | | |
dataMakeActionableAt | | |
dataSourceAppId | | |
dataSourceInfoIp | | |
dataUserMatchId | | |
dataUserMatchUuid | | |
dataUserMatchUuid_type | | |
dataUserMatchUuid_data | | |
dataThreatId | | |
dataThreatStatus | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | |
cloud.sophos.central.events
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
appSha256 | | |
appCerts | | |
userId | | |
threat | | |
endpointId | | |
endpointType | | |
createdAt | | |
customerId | | |
severity | | |
sourceInfoIp | | |
origin | | |
when | | |
coreRemedyItems | | |
name | | |
location | | |
id | | |
type | | |
source | | |
group2 | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |