
# Sophos Connector SIEM

This data pipeline extracts SIEM events from Sophos using the Sophos data integration API.

<figure><img src="/files/9Sv8HPClTflq1yEDu72j" alt=""><figcaption></figcaption></figure>

This Pipeline pulls API logs from the Sophos platform using the [**HTTP Pull**](broken://pages/bZ07iBY7MKqfhB9A0NAf) Listener and transforms the events from JSON to CSV format.

## Listen

The Listener pulls events using the **Configure as YAML** option, using the following YAML:

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 2m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: 'cb7bd836-XXX-XXX-XXXX-XX'
        - name: client_secret
          value: 'cf23f...b105'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element
```

{% hint style="info" %}
See the article dedicated to setting up the Sophos connector SIEM [here](/marketplace/falcon-onum-marketplace/pulling-pipelines/sophos-connector-siem.md).
{% endhint %}
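The three-step flow the YAML above describes (client-credentials token, `whoami` enumeration to obtain the tenant ID and data-region host, then cursor-paginated collection of `/siem/v1/events`), written out as an added Python example that is not part of the Onum or Sophos documentation. The HTTP layer is a constructed stand-in with made-up responses so it runs offline; the `from_epoch` value stands in for `${temporalWindow.from}`, which the Listener computes for you.

```python
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

# Constructed sample pages, keyed by the cursor that requests them (None = initialRequest).
EVENT_PAGES = {
    None: {"items": [{"id": "e1", "severity": "high"}, {"id": "e2", "severity": "low"}],
           "next_cursor": "c1"},
    "c1": {"items": [{"id": "e3", "severity": "medium"}]},   # no next_cursor: last page
}


def fake_http(method, url, headers=None, params=None, body=None):
    """Constructed stand-in for the three Sophos endpoints; returns parsed JSON."""
    headers, params, body = headers or {}, params or {}, body or {}
    key = f"{method} {url}"
    if key == f"POST {TOKEN_URL}":
        assert body.get("grant_type") == "client_credentials"
        return {"access_token": "tok-123"}
    # Every later call must carry the bearer token from the first step (authInjection).
    assert headers.get("Authorization") == "Bearer tok-123"
    if key == f"GET {WHOAMI_URL}":
        return {"id": "tenant-abc",
                "apiHosts": {"dataRegion": "https://api-eu01.central.sophos.com"}}
    if key == "GET https://api-eu01.central.sophos.com/siem/v1/events":
        assert headers.get("X-Tenant-ID") == "tenant-abc"
        return EVENT_PAGES[params.get("cursor")]
    raise ValueError(f"unexpected request: {key}")


def pull_siem_events(http, client_id, client_secret, from_epoch):
    """Replay the YAML flow: token -> whoami (enumeration) -> cursor-paginated collection."""
    token = http("POST", TOKEN_URL,
                 headers={"Accept": "application/json",
                          "Content-Type": "application/x-www-form-urlencoded"},
                 body={"grant_type": "client_credentials", "client_id": client_id,
                       "client_secret": client_secret, "scope": "token"})["access_token"]
    auth = {"Accept": "application/json", "Authorization": f"Bearer {token}"}
    who = http("GET", WHOAMI_URL, headers=auth)
    tenant_id, region = who["id"], who["apiHosts"]["dataRegion"]   # .id / .apiHosts.dataRegion
    hdrs = dict(auth, **{"X-Tenant-ID": tenant_id})
    events, params = [], {"from_date": str(from_epoch)}            # initialRequest
    while True:
        page = http("GET", f"{region}/siem/v1/events", headers=hdrs, params=params)
        events.extend(page.get("items", []))                         # select: ".items"
        cursor = page.get("next_cursor")                             # cursorSelector
        if not cursor:
            return events
        params = {"cursor": cursor}                                  # nextRequest
```

Swap `fake_http` for a real HTTP client with the same call shape to run it against Sophos Central; the pagination loop stops only when a page omits `next_cursor`, which is the condition the `cursorSelector` relies on.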

## Transform Sophos data

### Flat JSON

We need to flatten the incoming JSON with key-value pairs that we can then parse into more specific fields.

<figure><img src="/files/XhQFW5qQsSPsJzmc9WXa" alt=""><figcaption></figcaption></figure>

### Field Transformation

We can transform the incoming flattened JSON string into an escaped string using the [**Escape String operation**](/the-workspace/pipelines/actions/transformation/field-transformation/field-transformation-operations/control-characters/escape-string.md), setting the **Escape level** to *minimal* and the **Escape Quote** to *single*.

<figure><img src="/files/ZPIZiP3Un3qHY4ghlLYX" alt=""><figcaption></figcaption></figure>

### Parser

The parser extracts the individual fields coming from the Sophos JSON into more detailed fields, including severity, source, Sophos ID, threat level, when the event occurred, and more.

<figure><img src="/files/zeuLJQCVwM1h1BuDz4oO" alt=""><figcaption></figcaption></figure>

### Field Transformation

#### When

Now that the Parser has extracted *when* a threat took place, we can transform this field from a string into a [Unix Timestamp](/the-workspace/pipelines/actions/transformation/field-transformation/field-transformation-operations/date-time/to-unix-timestamp.md) value in milliseconds.

<figure><img src="/files/0hSUdzQkj29buE7GTgnR" alt=""><figcaption></figcaption></figure>

#### Where

We can extract *where* the logon took place from the source string by applying a regular expression to it with the [Regex operation](/the-workspace/pipelines/actions/transformation/field-transformation/field-transformation-operations/utils/regex.md).

<figure><img src="/files/oj5pR91c9KY4O5n1wglb" alt=""><figcaption></figcaption></figure>

### Message Builder

We use the [**Message Builder**](/the-workspace/pipelines/actions/formatting/message-builder.md) action to send on the timestamp and source information, transforming the fields to CSV format with a comma as the delimiter.

You can now send on your CSV containing Sophos SIEM logs to your preferred destination using a sink.
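The transform stages above (Flat JSON, the *when* Unix-timestamp conversion, the *where* regex on the source string, and the Message Builder CSV output) carried through on one event, as an added Python example that is not part of the Onum documentation. The event, the `HOST\user` layout assumed for `source`, and the chosen CSV columns are all constructed for illustration; the Escape String stage is not modelled.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample item in the shape of a pulled /siem/v1/events entry (values are made up).
SAMPLE_EVENT = {
    "id": "e1", "severity": "high", "type": "Event::Endpoint::Threat::Detected",
    "when": "2024-05-01T12:34:56.000Z",
    "source_info": {"ip": "10.0.0.5"},
    "source": "LAPTOP-01\\jdoe",
    "customer_id": "tenant-abc",
}


def flatten(obj, prefix=""):
    """Flat JSON step: nested objects become dotted key-value pairs."""
    out = {}
    for k, v in obj.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def to_unix_ms(iso):
    """When step: ISO-8601 string -> Unix timestamp in milliseconds."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


SOURCE_RE = re.compile(r"^(?P<host>[^\\]+)\\(?P<user>.+)$")   # assumed "HOST\user" layout


def where(source):
    """Where step: pull host and user out of the source string with a regex."""
    m = SOURCE_RE.match(source)
    return (m.group("host"), m.group("user")) if m else (source, "")


def to_csv_row(event):
    """Message Builder step: timestamp, source details and severity as one comma-delimited line."""
    flat = flatten(event)
    host, user = where(flat["source"])
    buf = io.StringIO()
    csv.writer(buf, delimiter=",", lineterminator="\n").writerow(
        [to_unix_ms(flat["when"]), host, user, flat["source_info.ip"], flat["severity"], flat["type"]])
    return buf.getvalue().rstrip("\n")
```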
