Wazuh SIEM Integrations (I) — Sophos Intercept X

Intro

Sophos Intercept X Advanced is an endpoint protection agent that can be used as part of a full EPDR solution. Organizations can combine Sophos protection solution with Wauh agent’s capabilities to deploy a full EPDR stack.

Sophos Protection Features include:

  • Web Security
  • Application Control
  • Anti-Malware File Scanning
  • Live Protection
  • Potentially Unwanted Application (PUA) Blocking
  • Data Loss Prevention
  • Ransomware File Protection (CryptoGuard)
  • Man-in-the-Browser Protection (Safe Browsing)

As with many other protection solutions the agents don’t register events and alerts in Windows Event Logs, rather the logic to register events locally in the endpoint is based on local files that in most cases are encoded or can’t be read and interpreted by any log collector.

To ingest these events in a 3rd party SIEM platform the Sophos Central API can be leveraged. Sophos Central is used to centrally manage the Sophos agents, deploy protection policies, etc. The Sophos agents will forward events and alerts to Sophos Central and then, via API calls, these events can be extracted.

Sophos Intercept X events and alerts in Sophos Central

The list of alerts and events that the Sophos agents will send to Sophos Central can be found here.

Many of the events will reference additional data arguments/variables that are appended at the time of event generation (for example, depending on the event type, the argument added could be: detection name, URL captured, name of a policy, error number, name, and so on).

Integrating Sophos Central (API) in Wazuh SIEM

Sophos documentation details their SIEM Integration API that can be used to pull out endpoint related alerts and events.

There’s also a python integration that can be directly implemented on the Wazuh manager. The response’s JSON body can be easily decoded using Wazuh’s default JSON decoder and detection rules defined, matching Sophos severity to Wazuh’s rule level; grouping Sophos event types in different detection groups, etc.

Sophos Intercept X Events and Alerts in SOCFortress Platform

Agents health (global status)

Events and Alerts grouped by severity and Type

Events and Alerts table:

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store