Collect data from Sophos

Overview

Get SIEM Integration events from Sophos.

Configuration

Secrets

secrets.Sophos.client_ID will reference the Client ID
secrets.Sophos_Client_Secret will reference the Client Secret.

To add a Secret, open the Secret fields and click New secret:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required secrets, you can choose to manually enter the Sophos SIEM integration event fields, or simply paste the given YAML:

Toggle this ON to enable a free text field where you can paste your Cortex XDR multi alerts YAML.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://id.sophos.com/api/v2/oauth2/token
      headers:
        - name: Accept
          value: application/json
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.sophosClientId}'
        - name: client_secret
          value: '${secrets.sophosClientSecret}'
        - name: scope
          value: token
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: https://api.central.sophos.com/whoami/v1
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: Cache-Control
        value: no-cache
    queryParams: []
    bodyParams: []
  output:
    select: "."
    filter: "."
    map: "."
    outputMode: element

collectionPhase:
  variables:
    - source: input
      name: tenantId
      expression: ".id"
      format: ''
    - source: input
      name: dataRegionURL
      expression: ".apiHosts.dataRegion"
      format: ''
  paginationType: cursor
  cursorSelector: ".next_cursor"
  initialRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: from_date
        value: "${temporalWindow.from}"
    bodyParams: []
  nextRequest:
    method: GET
    url: "${inputs.dataRegionURL}/siem/v1/events"
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: X-Tenant-ID
        value: "${inputs.tenantId}"
    queryParams:
      - name: cursor
        value: "${pagination.cursor}"
    bodyParams: []
  output:
    select: ".items"
    filter: "."
    map: "."
    outputMode: element

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - 5m
Format - Epoch

Authentication Phase

Toggle ON to set the Authentication settings.

Type* - token
Request Method* - POST
URL* - https://id.sophos.com/api/v2/oauth2/token
Headers
- Name - Content-type
- Value - application/x-www-form-urlencoded
BodyType* - UrlEncoded
- Body params
  - Name - grant_type
  - Value - client_credentials
  - Name - client_id
  - Value -${secrets.Sophos_Client_ID}
  - Name - client_secret
  - Value - ${secrets.Sophos_Client_Secret}
  - Name - scope
  - Value - token
Token Path* - .access_token
Auth Injection
- In* - header
- Name* - authorization
- Prefix - Bearer
- Suffix - ''

Enumeration Phase

Toggle ON to configure the enumeration phase. This API endpoint requires an initial request that will provide a list of alert ids. In order to get the details about that information, it will require an additional request for those details.

Pagination Type* - none
Request
- Response Type* - JSON
- Method* - GET
- URL* - https://api.central.sophos.com/whoami/v1
- Headers
  - Name - Accept
  - Value - application/json
  - Name - Accept-Encoding
  - Value - gzip, deflate
  - Name - Content-Type
  - Value - application/json
  - Name - Cache-Control
  - Value - no-cache
Output
- Select - .
- Filter - .
- Map - .
- Output Mode - element

Collection Phase

Inputs
- Source - input
- Name - tenantId
- Expression - .id
- Format - ''
- Source - input
- Name - dataRegionURL
- Expression - .apiHosts.dataRegion
- Format - ''
Pagination Type* - cursor
Cursor Selector* - .next_cursor
Initial Request
- Method* - GET
- URL* - ${inputs.dataRegionURL}/siem/v1/events
- Headers -
  - Name - Accept
  - Value - application/json
  - Name - Accept-Encoding
  - Value - gzip, deflate
  - Name - X-Tenant-ID
  - Value - ${inputs.tenantId}
- Query Params
  - Name - from_date
  - Value - ${temporalWindow.from}
Next Request
- Method* - GET
- URL* - ${inputs.dataRegionURL}/siem/v1/events
- Headers -
  - Name - Accept
  - Value - application/json
  - Name - Accept-Encoding
  - Value - gzip, deflate
  - Name - X-Tenant-ID
  - Value - ${inputs.tenantId}
- Body type* - there is no required body type because the parameters are included in the URL. However, these fields are mandatory, so select raw and enter the {} placeholder.
Output
- Select - .items
- Filter - .
- Map - .
- Output Mode - element

This HTTP Pull Listener now uses the data export API to extract events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousIncidents NextCollect data from Trend Vision One

Last updated 24 days ago

Was this helpful?

withTemporalWindow: true temporalWindow: duration: 5m offset: 5m tz: UTC format: Epoch withAuthentication: true authentication: type: token token: request: method: POST url: https://id.sophos.com/api/v2/oauth2/token headers: - name: Accept value: application/json - name: Content-Type value: application/x-www-form-urlencoded queryParams: [] bodyType: urlEncoded bodyParams: - name: grant_type value: client_credentials - name: client_id value: '${secrets.sophosClientId}' - name: client_secret value: '${secrets.sophosClientSecret}' - name: scope value: token tokenPath: ".access_token" authInjection: in: header name: Authorization prefix: 'Bearer ' suffix: '' withEnumerationPhase: true enumerationPhase: paginationType: none request: responseType: json method: GET url: https://api.central.sophos.com/whoami/v1 headers: - name: Accept value: application/json - name: Accept-Encoding value: gzip, deflate - name: Content-Type value: application/json - name: Cache-Control value: no-cache queryParams: [] bodyParams: [] output: select: "." filter: "." map: "." outputMode: element collectionPhase: variables: - source: input name: tenantId expression: ".id" format: '' - source: input name: dataRegionURL expression: ".apiHosts.dataRegion" format: '' paginationType: cursor cursorSelector: ".next_cursor" initialRequest: method: GET url: "${inputs.dataRegionURL}/siem/v1/events" headers: - name: Accept value: application/json - name: Accept-Encoding value: gzip, deflate - name: X-Tenant-ID value: "${inputs.tenantId}" queryParams: - name: from_date value: "${temporalWindow.from}" bodyParams: [] nextRequest: method: GET url: "${inputs.dataRegionURL}/siem/v1/events" headers: - name: Accept value: application/json - name: Accept-Encoding value: gzip, deflate - name: X-Tenant-ID value: "${inputs.tenantId}" queryParams: - name: cursor value: "${pagination.cursor}" bodyParams: [] output: select: ".items" filter: "." map: "." outputMode: element

Good morning

Overview

Configuration

Secrets

Enumeration Phase

Collection Phase