Sophos Central Content Pack
Sophos Central is a cloud-based unified security management platform. This technology pack extracts and normalizes Endpoint Protection telemetry from Sophos Central to align with Graylog's schema, providing field extraction, normalization, enrichment, and GIM categorization of endpoint security events.
Supported Version(s)
- Sophos Central is a continuously updated managed service. This pack integrates with the Sophos Central SIEM Integration v1 API.
- Tested for Windows endpoints; other OS platforms may have limited support.
Requirements
- Graylog Enterprise version 6.2.0 or later.
- Sophos Endpoint agent with Endpoint Protection policies enabled.
- Sophos Central API credentials (Client ID and Client Secret) with read access and query permissions (e.g., Service Principal Super Admin role).
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Sophos Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Sophos Device Log Messages"
Log Collection
Sophos Central events are collected via Graylog's built-in Sophos Central input.
Sophos Central API Configuration
- Create API credentials in Sophos Central Admin with read access and query permissions (e.g., Service Principal Super Admin role).
- Store the Client ID and Client Secret securely.
- Launch the Sophos Central input in Graylog and provide the API credentials.
- Configure optional parameters: Ingest Alerts toggle, Polling Interval (default 5 minutes recommended), and Enable Throttling option.
- Save and start the input.
Log Format Example
Sophos Central delivers events in JSON format.
Malware Detection Event
{"type":"Event::Endpoint::CoreDetection","origin":"SAV","created_at":"2025-01-24T11:32:22.544Z","threat":"Mal/Kryptik-DL","group":"MALWARE","name":"Malware detected: 'Mal/Kryptik-DL' at 'C:\\Users\\testuser\\Downloads\\suspicious.exe'","severity":"medium","endpoint_id":"abc123","endpoint_type":"computer","when":"2025-01-24T11:32:22.544Z","location":"DESKTOP-JDVP7LN","id":"event-12345","customer_id":"cust-xyz","source_info":{"ip":"192.168.1.50"}}
What is Provided
- Field extraction, normalization, and enrichment of Sophos Central Endpoint Protection logs.
- GIM code 301000 (host_malware_detection) for MALWARE events.
- GIM code 301002 (hips_detection) for PUA, APPLICATION_CONTROL, PERIPHERALS, DATA_LOSS_PREVENTION, and WEB events.
- GIM code 219999 (service event) for PROTECTION, UPDATING, DENC, and SYSTEM_HEALTH events.
- Event severity normalization (low/medium/high/critical to numeric 2-5 scale).
- Core remedy items extraction for malware and PUA events.
- Monitoring dashboard for threat detections and affected endpoints.
GIM Categorization
GIM categorization is provided for the following event groups: APPLICATION_CONTROL, DATA_LOSS_PREVENTION, DENC, MALWARE, PERIPHERALS, PROTECTION, PUA, SYSTEM_HEALTH, UPDATING, WEB.
| Event Group | gim_event_type_code | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|
| MALWARE | 301000 | detection | detection.host_detection | host_malware_detection |
| PUA | 301002 | detection | detection.host_detection | hips_detection |
| APPLICATION_CONTROL | 301002 | detection | detection.host_detection | hips_detection |
| PERIPHERALS | 301002 | detection | detection.host_detection | hips_detection |
| DATA_LOSS_PREVENTION | 301002 | detection | detection.host_detection | hips_detection |
| WEB | 301002 | detection | detection.host_detection | hips_detection |
| PROTECTION | 219999 | service | service.default | service event |
| UPDATING | 219999 | service | service.default | service event |
| DENC | 219999 | service | service.default | service event |
| SYSTEM_HEALTH | 219999 | service | service.default | service event |
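The following is an added example, not part of the content pack, showing how a raw Sophos Central event like the one in the Log Format Example above is mapped onto the GIM table: the group-to-GIM mapping is taken from the table, while the severity scale (low=2 through critical=5), the output field names, and the file-path extraction from the event name are assumptions for illustration.

```python
import json
import re

# Group -> (gim_event_type_code, gim_event_category, gim_event_subcategory, gim_event_type),
# per the content pack's GIM categorization table.
GIM_BY_GROUP = {"MALWARE": (301000, "detection", "detection.host_detection", "host_malware_detection")}
for _g in ("PUA", "APPLICATION_CONTROL", "PERIPHERALS", "DATA_LOSS_PREVENTION", "WEB"):
    GIM_BY_GROUP[_g] = (301002, "detection", "detection.host_detection", "hips_detection")
for _g in ("PROTECTION", "UPDATING", "DENC", "SYSTEM_HEALTH"):
    GIM_BY_GROUP[_g] = (219999, "service", "service.default", "service event")

# Assumed numeric scale; the pack only states that low..critical map onto 2-5.
SEVERITY_LEVEL = {"low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed sample: the malware detection event from the Log Format Example.
SAMPLE_EVENT = r'''{"type":"Event::Endpoint::CoreDetection","origin":"SAV","created_at":"2025-01-24T11:32:22.544Z","threat":"Mal/Kryptik-DL","group":"MALWARE","name":"Malware detected: 'Mal/Kryptik-DL' at 'C:\\Users\\testuser\\Downloads\\suspicious.exe'","severity":"medium","endpoint_id":"abc123","endpoint_type":"computer","when":"2025-01-24T11:32:22.544Z","location":"DESKTOP-JDVP7LN","id":"event-12345","customer_id":"cust-xyz","source_info":{"ip":"192.168.1.50"}}'''


def normalize_event(raw: str) -> dict:
    """Parse one Sophos Central JSON event and return normalized fields (names are illustrative)."""
    ev = json.loads(raw)
    out = {
        "vendor_event_type": ev.get("type"),
        "vendor_event_id": ev.get("id"),
        "event_created": ev.get("created_at"),
        "host_hostname": ev.get("location"),
        "host_id": ev.get("endpoint_id"),
        "source_ip": (ev.get("source_info") or {}).get("ip"),
        "threat_name": ev.get("threat"),
        "vendor_event_severity": ev.get("severity"),
        # Unknown or missing severity yields None rather than a fabricated level.
        "event_severity_level": SEVERITY_LEVEL.get(str(ev.get("severity", "")).lower()),
        "vendor_event_description": ev.get("name"),
    }
    # Assumed path extraction from the "... at '<path>'" wording of the event name.
    m = re.search(r" at '([^']+)'", ev.get("name") or "")
    if m:
        out["file_path"] = m.group(1)
    gim = GIM_BY_GROUP.get(ev.get("group"))
    if gim:  # groups outside the table get no GIM fields instead of a wrong code
        (out["gim_event_type_code"], out["gim_event_category"],
         out["gim_event_subcategory"], out["gim_event_type"]) = gim
    return out
```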
Sophos Central Spotlight
The Sophos Central Spotlight offers dashboards with two tabs, Overview and Threat Events, providing visibility into threat detections and identifying the affected endpoints.
Overview
Threat Events
