Sophos Connector SIEM

Last updated 8 days ago

Was this helpful?

Sophos Connector SIEM

This data pipeline extracts the SIEM events from Sophos technology using the data Integration API.

This Pipeline integrates with API Logs from the Sophos Platform using the Listener, transforming it from JSON to CSV format.

Listen

The Listener pulls events using the Configure as YAML option, using the following YAML:

withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 2m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: 'cb7bd836-XXX-XXX-XXXX-XX'
        - name: client_secret
          value: 'cf23f...b105'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element

Transform Sophos data

Flat JSON

We need to flatten the incoming JSON with key-value pairs that we can then parse into more specific fields.

Field Transformation

Parser

The parser extracts the individual fields coming from the OKTA JSON into more detailed fields, including severity, source, Sophos ID, threat level & when, and more.

Field Transformation

When

Where

Message Builder

You can now send on your CSV containing Sophos SIEM logs to your preferred destination using a sink.

PreviousOKTA System Log API

Last updated 8 days ago

Was this helpful?