Sophos Connector SIEM
This data pipeline extracts the SIEM events from Sophos technology using the data Integration API.
This Pipeline integrates with API Logs from the Sophos Platform using the HTTP Pull Listener, transforming it from JSON to CSV format.
Listen
The Listener pulls events using the Configure as YAML option, using the following YAML:
withTemporalWindow: true
temporalWindow:
duration: 1m
offset: 2m
tz: UTC
format: Epoch
withAuthentication: true
authentication:
type: token
token:
request:
method: POST
url: https://id.sophos.com/api/v2/oauth2/token
headers:
- name: Accept
value: application/json
- name: Content-Type
value: application/x-www-form-urlencoded
queryParams: []
bodyType: urlEncoded
bodyParams:
- name: grant_type
value: client_credentials
- name: client_id
value: 'cb7bd836-XXX-XXX-XXXX-XX'
- name: client_secret
value: 'cf23f...b105'
- name: scope
value: token
tokenPath: ".access_token"
authInjection:
in: header
name: Authorization
prefix: 'Bearer '
suffix: ''
withEnumerationPhase: true
enumerationPhase:
paginationType: none
request:
responseType: json
method: GET
url: https://api.central.sophos.com/whoami/v1
headers:
- name: Accept
value: application/json
- name: Accept-Encoding
value: gzip, deflate
- name: Content-Type
value: application/json
- name: Cache-Control
value: no-cache
queryParams: []
bodyParams: []
output:
select: "."
filter: "."
map: "."
outputMode: element
collectionPhase:
variables:
- source: input
name: tenantId
expression: ".id"
format: ''
- source: input
name: dataRegionURL
expression: ".apiHosts.dataRegion"
format: ''
paginationType: cursor
cursorSelector: ".next_cursor"
initialRequest:
method: GET
url: "${inputs.dataRegionURL}/siem/v1/events"
headers:
- name: Accept
value: application/json
- name: Accept-Encoding
value: gzip, deflate
- name: Content-Type
value: application/json
- name: Cache-Control
value: no-cache
- name: X-Tenant-ID
value: "${inputs.tenantId}"
queryParams:
- name: from_date
value: "${temporalWindow.from}"
bodyParams: []
nextRequest:
method: GET
url: "${inputs.dataRegionURL}/siem/v1/events"
headers:
- name: Accept
value: application/json
- name: Accept-Encoding
value: gzip, deflate
- name: Content-Type
value: application/json
- name: Cache-Control
value: no-cache
- name: X-Tenant-ID
value: "${inputs.tenantId}"
queryParams:
- name: cursor
value: "${pagination.cursor}"
bodyParams: []
output:
select: ".items"
filter: "."
map: "."
outputMode: elementTransform Sophos data
Flat JSON
We need to flatten the incoming JSON with key-value pairs that we can then parse into more specific fields.
Field Transformation
We can transform the incoming flattened JSON string into an escape string using the Escape String operation, setting the Escape level to minimal and the Escape Quote to single.
Parser
The parser extracts the individual fields coming from the OKTA JSON into more detailed fields, including severity, source, Sophos ID, threat level & when, and more.
Field Transformation
When
Now we have gleaned information on when a threat took place using the Parser, we can transform this specific field from a string into a Unix Timestamp value in milliseconds.
Where
We can glean where the log on took place using the source string and transforming it into a Regular Expression using the Regex operation.
Message Builder
We use the Message Builder action to send on the hours timestamp and source information. Transform the fields to CSV format, using a comma as the delimiter.
You can now send on your CSV containing Sophos SIEM logs to your preferred destination using a sink.
Last updated
Was this helpful?