# Sophos Connector SIEM

This data pipeline extracts SIEM events from Sophos Central using the Sophos SIEM Integration API.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F171iioLK0Gqm8MrXbFBU%2F2025-05-16_16-20-21.png?alt=media&#x26;token=5f911538-fd62-4e7c-9a9f-f0f8e5e48fdc" alt=""><figcaption></figcaption></figure>

This pipeline pulls the API logs from the Sophos platform using the [**HTTP Pull**](https://docs.onum.com/marketplace/falcon-onum-marketplace/pulling-pipelines/broken-reference) Listener and transforms them from JSON to CSV format.

## Listen

The Listener pulls events using the **Configure as YAML** option, with the following YAML (the `client_id` and `client_secret` values are placeholders; substitute your own Sophos Central API credentials):

```
withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 2m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: 'cb7bd836-XXX-XXX-XXXX-XX'
        - name: client_secret
          value: 'cf23f...b105'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element
```

{% hint style="info" %}
See the article dedicated to setting up the Sophos connector SIEM [here](https://docs.onum.com/marketplace/falcon-onum-marketplace/pulling-pipelines/sophos-connector-siem).
{% endhint %}
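To make the three phases of the YAML above concrete (token, whoami, cursor-paged collection), here is the same request sequence written as a plain Python poller. This is an added example, not Onum's or Sophos's code. Network I/O goes through an injected `http(method, url, headers, params, data)` callable, so it runs offline against the constructed `fake_sophos_http` stand-in below; the response shapes follow the YAML (`access_token`, whoami `id` and `apiHosts.dataRegion`, `items` and `next_cursor`), while the `has_more` flag used to stop paging, the `SOPHOS_CLIENT_ID`/`SOPHOS_CLIENT_SECRET` environment variables and all sample values are assumptions.

```python
"""Added example (not Onum's or Sophos's code): the three request phases the
YAML listener encodes, as a plain Python poller with injectable HTTP.

Assumed here: the `has_more` paging flag, the environment variable names and
every sample value returned by the constructed fake below.
"""
import os
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"
# Constructed "now" so the temporal window is reproducible in tests.
SAMPLE_NOW = datetime(2025, 5, 16, 16, 20, 21, tzinfo=timezone.utc)


def temporal_window(now, duration=timedelta(minutes=1), offset=timedelta(minutes=2)):
    """Mirror withTemporalWindow: a 1-minute window that ends 2 minutes ago.
    The offset leaves Sophos time to index events before we ask for them.
    Returns (from_epoch, to_epoch) as integer Unix seconds (format: Epoch)."""
    end = now - offset
    start = end - duration
    return int(start.timestamp()), int(end.timestamp())


def _call(http, method, url, **kw):
    """Fail loudly on anything but 200 rather than silently skipping a page."""
    status, body = http(method, url, **kw)
    if status != 200:
        raise RuntimeError(f"{method} {url} -> HTTP {status}: {body}")
    return body


def pull_siem_events(http, client_id, client_secret, now):
    """Token -> whoami -> paged /siem/v1/events; returns the collected items."""
    # Phase 1 (authentication): client-credentials grant, form-encoded body.
    token = _call(http, "POST", TOKEN_URL,
                  headers={"Accept": "application/json",
                           "Content-Type": "application/x-www-form-urlencoded"},
                  data=urlencode({"grant_type": "client_credentials",
                                  "client_id": client_id,
                                  "client_secret": client_secret,
                                  "scope": "token"}))["access_token"]
    auth = {"Accept": "application/json", "Authorization": f"Bearer {token}"}

    # Phase 2 (enumeration): whoami yields the tenant id and its data-region host.
    who = _call(http, "GET", WHOAMI_URL, headers=auth)
    tenant_id, region = who["id"], who["apiHosts"]["dataRegion"]

    # Phase 3 (collection): first request keyed on from_date, later ones on cursor.
    headers = {**auth, "X-Tenant-ID": tenant_id}
    from_epoch, _ = temporal_window(now)
    params = {"from_date": from_epoch}
    events = []
    while True:
        page = _call(http, "GET", f"{region}/siem/v1/events", headers=headers, params=params)
        events.extend(page.get("items", []))
        cursor = page.get("next_cursor")          # YAML: cursorSelector ".next_cursor"
        if not page.get("has_more") or not cursor:  # has_more is assumed (not in the YAML)
            break
        params = {"cursor": cursor}
    return events


def fake_sophos_http():
    """Constructed stand-in for Sophos Central: records each request and answers
    with canned bodies shaped like the real ones (sample values, not real data)."""
    calls = []
    pages = {
        None: {"items": [{"id": "e1"}, {"id": "e2"}], "has_more": True, "next_cursor": "c1"},
        "c1": {"items": [{"id": "e3"}], "has_more": False, "next_cursor": "c2"},
    }

    def http(method, url, headers=None, params=None, data=None):
        headers, params = headers or {}, params or {}
        calls.append({"method": method, "url": url, "headers": headers,
                      "params": params, "data": data})
        if url == TOKEN_URL and method == "POST" and "grant_type=client_credentials" in (data or ""):
            return 200, {"access_token": "tok-123", "token_type": "bearer", "expires_in": 3600}
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, {"error": "Unauthorized"}
        if url == WHOAMI_URL:
            return 200, {"id": "tenant-abc", "idType": "tenant",
                         "apiHosts": {"global": "https://api.central.sophos.com",
                                      "dataRegion": "https://api-eu01.central.sophos.com"}}
        if url.endswith("/siem/v1/events") and headers.get("X-Tenant-ID") == "tenant-abc":
            return 200, pages[params.get("cursor")]
        return 404, {"error": f"unexpected request {method} {url}"}

    return http, calls


if __name__ == "__main__":
    # For a real pull, point `http` at requests/httpx and read the secret from the
    # environment instead of embedding it in shared pipeline configuration.
    http, calls = fake_sophos_http()
    got = pull_siem_events(http, os.environ.get("SOPHOS_CLIENT_ID", "cid"),
                           os.environ.get("SOPHOS_CLIENT_SECRET", "secret"), SAMPLE_NOW)
    print(len(got), "events over", len(calls), "requests")
```

The fake rejects any request that lacks the bearer token or the `X-Tenant-ID` header, so the example fails the same way the real API would if the enumeration phase were skipped; the stop condition also checks `has_more`, because the YAML's cursor selector alone would otherwise keep following the `next_cursor` that Sophos returns on the last page.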

## Transform Sophos data

### Flat JSON

We flatten the incoming JSON into key-value pairs, which the Parser can then split into more specific fields.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FnYrWS58IltXK0nMhJwQH%2Fdark-large%20(23).png?alt=media&#x26;token=6e5891b1-f685-4ae8-85c6-d090b87c54fe" alt=""><figcaption></figcaption></figure>

### Field Transformation

We transform the flattened JSON string into an escaped string using the [**Escape String operation**](https://docs.onum.com/the-workspace/pipelines/actions/transformation/field-transformation/field-transformation-operations/control-characters/escape-string), setting the **Escape level** to *minimal* and the **Escape Quote** to *single*.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FQDbjWbiPVcFOEnZgQbJk%2Fdark-large%20(27).png?alt=media&#x26;token=e7f28d5a-f7df-4373-9e2a-af19939c729d" alt=""><figcaption></figcaption></figure>

### Parser

The parser extracts the individual fields of the flattened Sophos JSON into more detailed fields, including severity, source, Sophos ID, threat, and when the event occurred, among others.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FidgVl5WT7keA4G9ZBm7o%2Fdark-large%20(24).png?alt=media&#x26;token=2462fa05-e3f4-40f7-b086-91fc1923a478" alt=""><figcaption></figcaption></figure>

### Field Transformation

#### When

Now that the Parser has given us the *when* field for each event, we can transform it from a string into a [Unix Timestamp](https://docs.onum.com/the-workspace/pipelines/actions/transformation/field-transformation/field-transformation-operations/date-time/to-unix-timestamp) value in milliseconds.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2Fl41v5nXoBfHTKsDU7Hdo%2Fdark-large%20(28).png?alt=media&#x26;token=65b3ecac-df93-4cc7-aa15-9ba15683de9c" alt=""><figcaption></figcaption></figure>

#### Where

We can derive where the event originated by applying a regular expression to the source string with the [Regex operation](https://docs.onum.com/the-workspace/pipelines/actions/transformation/field-transformation/field-transformation-operations/utils/regex), extracting the parts we need into their own fields.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2Ft0VbNTrtPlP3zIBGOVEx%2Fdark-large%20(29).png?alt=media&#x26;token=a20c967c-b2f7-489c-8b49-21c8e2d8b534" alt=""><figcaption></figcaption></figure>

### Message Builder

We use the [**Message Builder**](https://docs.onum.com/the-workspace/pipelines/actions/formatting/message-builder) action to forward the timestamp and source fields, formatted as CSV with a comma as the delimiter.

You can now send on your CSV containing Sophos SIEM logs to your preferred destination using a sink.
