Sophos Connector SIEM

This data pipeline extracts SIEM events from Sophos Central using its SIEM integration API.

This pipeline pulls log events from the Sophos Central API using the HTTP Pull Listener and transforms them from JSON to CSV format.

Listen

The Listener pulls events using the Configure as YAML option, using the following YAML:

withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 2m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: 'cb7bd836-XXX-XXX-XXXX-XX'
        - name: client_secret
          value: 'cf23f...b105'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element

Transform Sophos data

Flat JSON

We need to flatten the incoming JSON with key-value pairs that we can then parse into more specific fields.

Field Transformation

We can transform the incoming flattened JSON string into an escaped string using the Escape String operation, setting the Escape level to minimal and the Escape Quote to single.

Parser

The parser extracts the individual fields coming from the Sophos JSON into more detailed fields, including severity, source, Sophos ID, threat level and when, and more.

Field Transformation

When

Now that the Parser has extracted when a threat took place, we can transform this field from a string into a Unix timestamp value in milliseconds.

Where

We can determine where the logon took place by applying a regular expression to the source string with the Regex operation.

Message Builder

We use the Message Builder action to send on the timestamp and source information, transforming the fields to CSV format with a comma as the delimiter.
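The transform chain above (flatten the JSON, parse the fields, convert when to milliseconds, regex the source, build the CSV row), written out as a stand-alone Python example added here; it is not the pipeline's own code. The sample page, the HOST\user source pattern and the column set are assumptions, and the Escape String step is skipped because the csv module quotes fields itself.

```python
import csv
import io
import json
import re
from datetime import datetime

# Constructed sample in the shape of one /siem/v1/events page (not real Sophos data).
SAMPLE_PAGE = json.dumps({"items": [
    {"id": "evt-0001", "severity": "high", "when": "2024-05-01T10:15:30.123Z", "source": "EXAMPLE-PC\\alice",
     "type": "Event::Endpoint::Threat::Detected", "threat": "Constructed/Test-A"},
    {"id": "evt-0002", "severity": "low", "when": "2024-05-01T10:15:45.000Z", "source": "n/a",
     "type": "Event::Endpoint::UpdateSuccess"},
], "has_more": False, "next_cursor": ""})

# Assumed "HOST\\user" layout for the source field; adjust the pattern to your tenant's events.
SOURCE_RE = re.compile(r"^(?P<host>[^\\]+)\\(?P<user>.+)$")
COLUMNS = ["when_ms", "severity", "sophos_id", "type", "threat", "source_host", "source_user"]

def flatten(obj, prefix=""):
    """Flat JSON step: nested dicts/lists become dotted keys holding scalar values."""
    if not isinstance(obj, (dict, list)):
        return {prefix: obj}
    pairs = obj.items() if isinstance(obj, dict) else enumerate(obj)
    flat = {}
    for key, value in pairs:
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def when_to_epoch_ms(when):
    """'When' step: the event's ISO-8601 UTC string -> Unix timestamp in milliseconds."""
    dt = datetime.fromisoformat(when.replace("Z", "+00:00"))
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000

def parse_source(source):
    """'Where' step: split HOST\\user with the regex; an unmatched value stays as host, user empty."""
    m = SOURCE_RE.match(source or "")
    return (m["host"], m["user"]) if m else (source or "", "")

def events_to_csv(page_json):
    """Message Builder step: header plus one comma-delimited row per event, quoted only if needed."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for event in json.loads(page_json)["items"]:
        flat = flatten(event)
        host, user = parse_source(flat.get("source"))
        writer.writerow({"when_ms": when_to_epoch_ms(flat["when"]), "severity": flat.get("severity", ""),
                         "sophos_id": flat.get("id", ""), "type": flat.get("type", ""),
                         "threat": flat.get("threat", ""), "source_host": host, "source_user": user})
    return out.getvalue()
```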

You can now send on your CSV containing Sophos SIEM logs to your preferred destination using a sink.
