
List of possible log Events for SIEM integration

I need to integrate the Sophos Central events into our SIEM. I need to create regex for the type of events like:

  • Event::Endpoint::UpdateSuccess
  • Event::Endpoint::WebControlViolation

Where can I find the list of event types?



  • My Sales Engineer was able to give me a few examples to get started.  I suggest Sophos officially publish a list and example syntax (especially for the CEF format) so the SIEM community can pick it up and run with it.  I have mainly been collecting examples of my own in our SIEM and then writing a custom parser for them.  Only trouble is, I won't know if I'm missing an important one until I see an unnormalized one. :-(
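
Added example (not code from the thread or from Sophos): a small normalizer that extracts the product and name parts of an `Event::<product>::<name>` type string, such as the two types quoted in the question, and counts anything outside the known list as "unknown" so a missing event type surfaces in a report instead of being silently swallowed by a catch-all rule. The JSON record shape, the `type` key, the endpoint ids and the `Event::Endpoint::HypotheticalNewEvent` type are constructed for the example and are not real Sophos Central output.

```python
import json
import re
from collections import Counter

# Event types quoted in the original question. Anything else is reported
# as unknown so the parser's coverage gaps become visible.
KNOWN_EVENT_TYPES = {
    "Event::Endpoint::UpdateSuccess",
    "Event::Endpoint::WebControlViolation",
}

# Matches the "Event::<product>::<name>" shape of the types above.
EVENT_TYPE_RE = re.compile(
    r"^Event::(?P<product>[A-Za-z0-9]+)::(?P<name>[A-Za-z0-9]+)$"
)

# Constructed sample records; the "type" key and field names are assumptions.
SAMPLE_LINES = [
    '{"type": "Event::Endpoint::UpdateSuccess", "endpoint_id": "ep-1", "name": "Update succeeded"}',
    '{"type": "Event::Endpoint::WebControlViolation", "endpoint_id": "ep-2", "name": "Blocked site"}',
    '{"type": "Event::Endpoint::HypotheticalNewEvent", "endpoint_id": "ep-3", "name": "placeholder"}',
    "this line is not JSON at all",
]


def parse_event_type(value):
    """Return (product, name) for a well-formed type string, else None."""
    m = EVENT_TYPE_RE.match(value)
    if not m:
        return None
    return m.group("product"), m.group("name")


def normalize(line):
    """Classify one raw line as known, unknown (valid shape, not in list) or malformed."""
    try:
        rec = json.loads(line)
    except (json.JSONDecodeError, TypeError):
        return {"status": "malformed", "raw": line}
    event_type = rec.get("type", "")
    parsed = parse_event_type(event_type)
    if parsed is None:
        return {"status": "malformed", "raw": line}
    product, name = parsed
    status = "known" if event_type in KNOWN_EVENT_TYPES else "unknown"
    return {
        "status": status,
        "event_type": event_type,
        "product": product,
        "name": name,
        "raw": line,
    }


def summarize(lines):
    """Count lines per status and collect the distinct unknown event types."""
    counts = Counter()
    unknown_types = set()
    for line in lines:
        n = normalize(line)
        counts[n["status"]] += 1
        if n["status"] == "unknown":
            unknown_types.add(n["event_type"])
    return dict(counts), sorted(unknown_types)


if __name__ == "__main__":
    counts, unknown = summarize(SAMPLE_LINES)
    print(counts)
    for t in unknown:
        print("unknown event type seen:", t)
```

Run the unknown-type list against the feed periodically; each new entry is a candidate for the normalization table, which is the check the reply above says it was missing.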

  • I was doing the same thing, but wanted a definitive list of all the possible events from the Sophos-XG firewall. So I found the database tables on the firewall and did a select to generate the list. Specifically I wanted to get the event ID, severity, type, and text of the message to load into my SIEM (I use Alienvault) so that it would show something more meaningful, and allow me to do realistic thresholding and correlation of stuff coming from Sophos. Now, instead of just seeing a generic IPS message in Alienvault, I see specific event names and details.

    Of course, as Sophos adds new signatures, my snapshot will become out of date, so I need to find a way to keep it in sync. Already, I'm getting a few "generic events" indicating something's falling through to the catchall event, but I can deal with those.
