Sophos Central Splunk

Posted on  by admin

Sophos Antivirus enables Chronicle to pinpoint when attacks happen and on which assets by linking together alerts with telemetry seen across the environment.


Chronicle Data Types

  • Alert

Requirements

Sophos Reporting Log Writer allows the use of third-party log-monitoring applications, for example Splunk, that retrieve data from plain-text files rather than directly from a database. To enable such log-monitoring tools, the Sophos Reporting Log Writer service must be installed in addition to the Sophos Reporting Interface.

Sophos

Intercept X's endpoint security integrates with Sophos Central, so you can access and manage your endpoint security wherever you are, at any time, with no need to spend more on infrastructure or maintain on-premises servers. Switch to an endpoint security cloud solution for smarter, faster protection.

Integrate with Splunk: Sophos Cloud Optix can send data to your Splunk Enterprise or Splunk Cloud instance using Splunk's HTTP Event Collector (HEC) interface. Sophos Cloud Optix can send the following data: security monitoring and compliance alerts.

'We use Sophos because it is highly recommended in the medical community. One of the largest health systems in the area uses it, and that is why we went with Sophos for our end-point protection.'

Features & Functionality: 4.5 / 5. 'All in one solution to collect logs, analysis, diagnose and report.'

  • Chronicle Forwarder

Configuration

Sophos Central

Sophos Central offers a secure API for retrieving event and alert data. When provided with API credentials, CYDERES can pull this data on behalf of the customer and send it to Chronicle. Instructions for acquiring the API credentials are outlined in steps 2 through 5 of this guide: https://community.sophos.com/kb/en-us/125169.

Sophos Enterprise Console

Sophos Enterprise Console relies on an additional tool, Sophos Reporting Log Writer, to write event and alert data to text files, which can then be sent to Chronicle. The Log Writer must be installed before any data can be sent to Chronicle.


Once the Log Writer is installed, CYDERES recommends using NxLog to tail the files it writes and send their contents to a CYCLOPS forwarder.


NxLog Configuration Example:
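The following nxlog.conf is an added example of the Log Writer to forwarder path described above; it is not CYDERES's or Sophos's own configuration. The Log Writer output directory (`C:\SophosLogWriter`), the forwarder address `192.0.2.10:514` (a documentation-range address) and plain TCP transport are all assumptions to be replaced with your site's values.

```conf
# Added example nxlog.conf for forwarding Sophos Reporting Log Writer output.
# Not from the original page or from CYDERES/Sophos.
# Assumptions: NxLog installed under C:\Program Files\nxlog, the Log Writer
# writing *.log files to C:\SophosLogWriter, and a CYCLOPS forwarder
# listening for syslog over TCP at 192.0.2.10:514.

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Tail the plain-text files produced by the Log Writer.
# PLACEHOLDER path: replace with the output directory configured in the Log Writer.
# SavePos keeps the read position across NxLog restarts so lines are not re-sent;
# ReadFromLast skips historical lines already present when NxLog first starts.
<Input sophos_logwriter>
    Module        im_file
    File          "C:\\SophosLogWriter\\*.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    Exec          $Message = $raw_event; $SourceName = "SophosEnterpriseConsole";
</Input>

# Deliver each line as a BSD-syslog message to the CYCLOPS forwarder.
<Output cyclops_forwarder>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route sophos_to_cyclops>
    Path    sophos_logwriter => cyclops_forwarder
</Route>
```

Two operational points worth checking before relying on this: confirm with CYDERES which transport and port the CYCLOPS forwarder actually listens on, and if it accepts TLS, swap `om_tcp` for `om_ssl` (with `CAFile` pointing at the forwarder's CA) so alert data does not cross the network in the clear. The `SavePos` setting is what prevents duplicate alerts after an NxLog restart, so keep the `CacheDir` writable by the NxLog service account.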