Sophos - SIEM Integration - Events
Integrate API logs from the Sophos platform using the HTTP Pull Listener and the Sophos data integration (SIEM) API.
In the HTTP Pull Listener, you need to specify how and where to collect the data and how to establish a connection with the Sophos platform. You will need a Sophos YAML configuration.
Enter the basic information for the new Listener.
Name*
Enter a name for the new Listener.
Description
Optionally, enter a description for the Listener.
Tags
Add tags to easily identify your Listener. Hit the Enter key after you define each tag.
Config as YAML
Toggle this ON to enable a free text field where you can paste your Sophos YAML configuration.
An example configuration would be:
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.sophosClientId}'
        - name: client_secret
          value: '${secrets.sophosClientSecret}'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element
This HTTP Pull Listener now uses the data export API to extract events.
Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Authentication
Once we get the Bearer token, we need to carry out a second request to a whoami endpoint in order to get the id and the collection endpoint URL.
The result from this whoami request could identify you as a tenant, a partner or an organization. That determines the id you need to use in the following requests. In this template, we are assuming you are a tenant.
Regarding the collection endpoint, there appear to be two endpoints: one that collects from a global scope and one that collects from a specific data region. You need to decide which kind of information you want to collect in order to choose the endpoint that matches your needs.
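The following is an added example, not code from the Listener product or from Sophos, that walks through the three-step exchange the YAML above describes (token request, whoami, then cursor-paginated event collection) against an in-memory fake transport so it runs offline. The endpoint URLs, header names, body parameters and JSON paths (.access_token, .id, .apiHosts.dataRegion, .items, .next_cursor) come from the YAML; the whoami field idType, the shape of the fake responses, the constructed tenant id, region host and events, and the rule "stop when no next_cursor is returned" are assumptions made here for illustration.

```python
"""Added example: model of the token -> whoami -> /siem/v1/events flow.
Everything served by make_fake_sophos() is constructed sample data."""
from urllib.parse import parse_qsl, urlencode

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"      # from the YAML
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"      # from the YAML


class SophosSiemPuller:
    """transport(method, url, headers, params, body) -> (status, json_doc)."""

    def __init__(self, transport, client_id, client_secret):
        self.transport = transport
        self.client_id = client_id
        self.client_secret = client_secret  # never log this value

    def get_token(self):
        # Step 1: client-credentials grant with a url-encoded body; token at ".access_token"
        body = urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                          "client_secret": self.client_secret, "scope": "token"})
        headers = {"Accept": "application/json",
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, doc = self.transport("POST", TOKEN_URL, headers, {}, body)
        if status != 200 or "access_token" not in doc:
            raise RuntimeError("token request failed (status %s)" % status)
        return doc["access_token"]

    def whoami(self, token):
        # Step 2 (enumeration phase): resolve the id and the data-region host
        headers = {"Accept": "application/json", "Authorization": "Bearer " + token}
        status, doc = self.transport("GET", WHOAMI_URL, headers, {}, None)
        if status != 200:
            raise RuntimeError("whoami failed (status %s)" % status)
        # The template assumes a tenant; 'idType' is assumed here to carry that answer.
        if doc.get("idType", "tenant") != "tenant":
            raise RuntimeError("template assumes a tenant id, whoami says %r" % doc["idType"])
        return doc["id"], doc["apiHosts"]["dataRegion"]

    def events(self, token, tenant_id, region_url, from_date):
        # Step 3 (collection phase): first request carries from_date, later ones the cursor
        headers = {"Accept": "application/json", "Authorization": "Bearer " + token,
                   "X-Tenant-ID": tenant_id}
        url = region_url + "/siem/v1/events"
        params = {"from_date": str(from_date)}   # temporalWindow.format: Epoch
        items, seen = [], set()
        while True:
            status, doc = self.transport("GET", url, headers, params, None)
            if status != 200:
                raise RuntimeError("events request failed (status %s)" % status)
            items.extend(doc.get("items", []))    # output.select: ".items"
            cursor = doc.get("next_cursor")       # cursorSelector: ".next_cursor"
            if not cursor or cursor in seen:      # assumed stop rule; 'seen' guards loops
                return items
            seen.add(cursor)
            params = {"cursor": cursor}

    def pull(self, from_date):
        token = self.get_token()
        tenant_id, region_url = self.whoami(token)
        return self.events(token, tenant_id, region_url, from_date)


def make_fake_sophos(client_id, client_secret, page_size=2):
    """Constructed in-memory stand-in for the three endpoints (not real Sophos data)."""
    token = "constructed-access-token"
    tenant = "00000000-0000-0000-0000-000000000001"           # constructed placeholder id
    region = "https://api-region-placeholder.example"          # constructed data-region host
    events = [{"id": "ev-1", "created_at": 1700000000, "type": "constructed-threat-detected"},
              {"id": "ev-2", "created_at": 1700000060, "type": "constructed-update-success"},
              {"id": "ev-3", "created_at": 1700000120, "type": "constructed-threat-cleaned"}]

    def transport(method, url, headers, params, body):
        if method == "POST" and url == TOKEN_URL:
            form = dict(parse_qsl(body or ""))
            if (form.get("grant_type"), form.get("client_id"), form.get("client_secret")) == \
                    ("client_credentials", client_id, client_secret):
                return 200, {"access_token": token, "token_type": "bearer", "expires_in": 3600}
            return 401, {"error": "invalid_client"}
        if headers.get("Authorization") != "Bearer " + token:
            return 401, {"error": "unauthorized"}
        if method == "GET" and url == WHOAMI_URL:
            return 200, {"id": tenant, "idType": "tenant",
                         "apiHosts": {"global": "https://api.central.sophos.com",
                                      "dataRegion": region}}
        if method == "GET" and url == region + "/siem/v1/events":
            if headers.get("X-Tenant-ID") != tenant:
                return 403, {"error": "tenant mismatch"}
            if "cursor" in params:                 # constructed cursor: "cur-<from>-<offset>"
                _, since, offset = params["cursor"].split("-")
                since, offset = int(since), int(offset)
            else:
                since, offset = int(params["from_date"]), 0
            matching = [e for e in events if e["created_at"] >= since]
            doc = {"items": matching[offset:offset + page_size]}
            if offset + page_size < len(matching):
                doc["next_cursor"] = "cur-%d-%d" % (since, offset + page_size)
            return 200, doc
        return 404, {"error": "not found"}

    return transport


if __name__ == "__main__":
    puller = SophosSiemPuller(make_fake_sophos("cid", "csecret"), "cid", "csecret")
    for ev in puller.pull(1700000000):
        print(ev["id"], ev["type"])
```

The fake transport enforces the same things the real exchange depends on: the client credentials must match, every later call must carry the Bearer token, and the events endpoint must be called with the X-Tenant-ID taken from whoami. Running it with the wrong secret or the wrong tenant id fails at the corresponding step, which is the behaviour to expect when the ${secrets.*} values or the enumeration-phase variables in the YAML are misconfigured.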
Output
Click Create labels to move on to the next step and define the required Labels if needed.