Sophos integration

PreviousOKTA integration NextCrowdStrike integration

Last updated 2 days ago

Was this helpful?

Sophos integration

Overview

Integrate with API Logs from the Sophos Platform using the Listener using the data Integration API.

Configuration

In the HTTP Pull listener, you need to specify how and where to collect the data and how to establish a connection with the Sophos platform. You will need a Sophos YAML.

Metadata

Enter the basic information for the new Listener.

Parameter

Description

Name*

Enter a name for the new Listener.

Description

Optionally, enter a description for the Listener.

Tags

Add tags to easily identify your Listener. Hit the Enter key after you define each tag.

Configuration

Parameter

Description

Name

Enter the name of the parameter to search for in the YAML below, used later as ${name}.

Value

Secrets

Config as YAML

Toggle this ON to enable a free text field where you can paste your Sophos YAML.

An example log would be:

withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 2m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: 'cb7bd836-XXX-XXX-XXXX-XX'
        - name: client_secret
          value: 'cf23f...b105'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the data export API to extract events.

PreviousOKTA integration NextCrowdStrike integration

Last updated 2 days ago

Was this helpful?

Overview

Integrate with API Logs from the Sophos Platform using the Listener using the data Integration API.

Configuration

In the HTTP Pull listener, you need to specify how and where to collect the data and how to establish a connection with the Sophos platform. You will need a Sophos YAML.

Metadata

Enter the basic information for the new Listener.

Parameter

Description

Name*

Enter a name for the new Listener.

Description

Optionally, enter a description for the Listener.

Tags

Add tags to easily identify your Listener. Hit the Enter key after you define each tag.

Configuration

Parameter

Description

Name

Enter the name of the parameter to search for in the YAML below, used later as ${name}.

Value

Select the containing the connection credentials if you have added them previously, or select New Secret to add it. This will add this value as the variable when the field name is found in the YAML. Add as many as required.

Secrets

Config as YAML

Toggle this ON to enable a free text field where you can paste your Sophos YAML.

An example log would be:

withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 2m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: 'cb7bd836-XXX-XXX-XXXX-XX'
        - name: client_secret
          value: 'cf23f...b105'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the data export API to extract events.

Click Create labels to move on to the next step and define the required if needed.