Wazuh SIEM Integrations (I) — Sophos Intercept X
Sophos Intercept X Advanced is an endpoint protection agent that can be used as part of a full EPDR solution. Organizations can combine Sophos protection solution with Wauh agent’s capabilities to deploy a full EPDR stack.
Sophos Protection Features include:
- Web Security
- Application Control
- Anti-Malware File Scanning
- Live Protection
- Potentially Unwanted Application (PUA) Blocking
- Data Loss Prevention
- Ransomware File Protection (CryptoGuard)
- Man-in-the-Browser Protection (Safe Browsing)
As with many other protection solutions the agents don’t register events and alerts in Windows Event Logs, rather the logic to register events locally in the endpoint is based on local files that in most cases are encoded or can’t be read and interpreted by any log collector.
To ingest these events in a 3rd party SIEM platform the Sophos Central API can be leveraged. Sophos Central is used to centrally manage the Sophos agents, deploy protection policies, etc. The Sophos agents will forward events and alerts to Sophos Central and then, via API calls, these events can be extracted.
Sophos Intercept X events and alerts in Sophos Central
The list of alerts and events that the Sophos agents will send to Sophos Central can be found here.
Many of the events will reference additional data arguments/variables that are appended at the time of event generation (for example, depending on the event type, the argument added could be: detection name, URL captured, name of a policy, error number, name, and so on).
Integrating Sophos Central (API) in Wazuh SIEM
Sophos documentation details their SIEM Integration API that can be used to pull out endpoint related alerts and events.
There’s also a python integration that can be directly implemented on the Wazuh manager. The response’s JSON body can be easily decoded using Wazuh’s default JSON decoder and detection rules defined, matching Sophos severity to Wazuh’s rule level; grouping Sophos event types in different detection groups, etc.
Sophos Intercept X Events and Alerts in SOCFortress Platform
Agents health (global status)
Events and Alerts grouped by severity and Type
Events and Alerts table: