Sophos

The Sumo Logic app for Sophos delivers robust security monitoring and threat detection capabilities by harnessing detailed data from Sophos security solutions. This app features pre-configured dashboards that provide deep insights into security events and alerts, enabling security teams to quickly identify, analyze, and respond to potential threats.

With a comprehensive view of all security events, categorized by severity and type, the app offers visual tools such as geo-location mapping and event timelines to help prioritize incident response. It also emphasizes alert severity, sources, and affected products, highlighting trends and common issues that may require immediate attention.

By analyzing the frequency and types of alerts, security teams can track evolving threats and refine their defense strategies. The app also includes a real-time recent alerts section, allowing for rapid assessment and response to active threats.

Overall, the Sumo Logic app for Sophos equips organizations with the essential tools to strengthen their security posture and defend against sophisticated cyber threats.

info

This app includes built-in monitors. For details on creating custom monitors, refer to Create monitors for Sophos app.

Log types

This app uses Sumo Logic’s Sophos Source to collect Alerts and Events from the Sophos Central platform.

Sample log messages

Alerts

{
  "id": "aaabbbdddcccddd",
  "allowedActions": [
    "acknowledge"
  ],
  "category": "denc",
  "description": "Device is not encrypted.",
  "groupKey": "NCxFdbhf5bnghVuYzo6RGlza05bfgh5W50LDEs",
  "managedAgent": {
    "id": "aaabbbdddcccddd",
    "type": "computer"
  },
  "product": "encryption",
  "raisedAt": "2024-08-23T13:38:41.904Z",
  "severity": "medium",
  "tenant": {
    "id": "aaabbbdddcccddd",
    "name": "Sumo AB"
  },
  "type": "Event::Endpoint::SavDisabled",
  "person": {
    "id": "aaabbbdddcccddd"
  }
}

Events

{
  "endpoint_type": "computer",
  "endpoint_id": "c64b280-acd2-4483-b5qf-00e324de24",
  "user_id": "aaabbbdddcccddd",
  "when": "2024-08-25T05:08:16.023Z",
  "type": "Event::Endpoint::ServiceNotRunning",
  "source": "johnRH\\john",
  "location": "john-RH",
  "severity": "high",
  "id": "aaabbbdddcccddd",
  "group": "PROTECTION",
  "created_at": "2024-07-06T05:08:16.033Z",
  "source_info": {
    "ip": "0.0.0.0"
  },
  "customer_id": "b0gfd2ae-1cw9-422e-a8f5-12fbf70bxd42",
  "name": "One or more Sophos services are missing or not running"
}

Sample queries

Total Alerts

_sourceCategory=sophos managedAgent raisedAt // mandatory fields for alerts
| json "severity","category","product","managedAgent.type","tenant.name","type","description","raisedAt","id" as severity,category,product,source,tenant,type,description,raisedAt,id nodrop

// Global filters
| where severity matches "*"
| where product matches "*"
| where category matches "*"
| where type matches "*"
| where source matches "*"
| where tenant matches "*"

| count by id
| count

Collection configuration and app installation

Depending on the set up collection method, you can configure and install the app in three ways:

• Create a new collector and install the app. Create a new Sumo Logic Cloud-to-Cloud (C2C) source under a new Sumo Logic Collector and later install the app; Or
• Use an existing collector and install the app. Create a new Sumo Logic Cloud-to-Cloud (C2C) source under an existing Sumo Logic Collector and later install the app; Or
• Use existing source and install the app. Use your existing configured Sumo Logic Cloud-to-Cloud (C2C) source and install the app.

info

Use the Cloud-to-Cloud Integration for Sophos to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Sophos app is properly integrated and configured to collect and analyze your Sophos data.

Create a new collector and install the app

To set up collection and install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Create a new Collector.
   1. Collector Name. Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
   2. Timezone. Set the default time zone when it is not extracted from the log timestamp. Time zone settings on Sources override a Collector time zone setting.
   3. (Optional) Metadata. Click the +Add Metadata link to add custom log Metadata Fields. Define the fields you want to associate, each metadata field needs a name (key) and value.
      • A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
      • An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
   4. Click Next.
5. Use the new Cloud-to-Cloud Integration to configure the source.
6. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
7. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Use an existing collector and install the app

To setup source in the existing collector and install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Use an existing Collector.
5. From the Select Collector dropdown, select the collector that you want to setup your source with and click Next.
6. Use the new Cloud-to-Cloud Integration to configure the source.
7. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
8. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Use an existing source and install the app

To skip collection and only install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Skip this step and use existing source and click Next.
5. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
6. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Viewing Sophos dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

• You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
• You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
• Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Alerts Overview

The Sophos - Alerts Overview dashboard offers a comprehensive overview of security alerts across your network. This dashboard helps you to visualize the total number of alerts and their severity, breaking them into High, Medium, and Low categories to facilitate a prioritized response to critical threats. The dashboard highlights the top 10 most common alert types, providing insight into recurring security issues that require attention. It tracks alert trends over time and by categories such as panic, runtime detections, and policy, helping to identify patterns and shifts in the threat landscape. Additionally, it provides a detailed breakdown of alerts by their source (for example: computer, mobile) and the products affected (for example, encryption, endpoint), as well as a ranking of tenants based on the number of alerts, useful for organizations with multi-tenant environments. The recent alerts section lists the latest incidents with detailed descriptions, enabling quick analysis and response.

Events Overview

The Sophos - Events Overview dashboard provides a comprehensive summary of security events detected by Sophos across your network. This dashboard also provides a high-level view of the total number of security events, categorized by severity and type, helping you to quickly assess the security posture of your environment.

Create monitors for Sophos app

From your App Catalog:

1. From the Sumo Logic navigation, select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. Make sure the app is installed.
4. Navigate to What's Included tab and scroll down to the Monitors section.
5. Click Create next to the pre-configured monitors. In the create monitors window, adjust the trigger conditions and notifications settings based on your requirements.
6. Scroll down to Monitor Details.
7. Under Location click on New Folder.
   note

   By default, monitor will be saved in the root folder. So to make the maintenance easier, create a new folder in the location of your choice.

8. Enter Folder Name. Folder Description is optional.
   tip

   Using app version in the folder name will be helpful to determine the versioning for future updates.

9. Click Create. Once the folder is created, click on Save.

Sophos alerts

The Sumo Logic app for Sophos includes a comprehensive set of monitors designed to enhance security monitoring and incident response. These alerts are triggered by critical security events, such as the detection of blocklisted activities, high-severity alerts, and events indicating potential threats like ransomware or malicious traffic. For instance, specific alerts notify when malware cannot be automatically cleaned up, when real-time protection is disabled for an extended period, or when ransomware attempts to access the file system. By focusing on the severity and nature of these security incidents, the app provides actionable insights, enabling security teams to respond promptly and effectively to emerging threats.

Name	Description	Trigger Type (Critical / Warning / MissingData)	Alert Condition
Sophos - Blocklisted Alerts	This alert is fired when blocklisted alerts are generated, signaling a critical security event.	Critical	Count > 0
Sophos - High Severity Alerts	This alert is fired upon generation of high-severity alerts, indicating significant security threats.	Critical	Count > 0
Sophos - High Severity Events	This alert is fired when high-severity events occur, highlighting major incidents that require immediate attention.	Critical	Count > 0
Sophos - Malicious Traffic Detected	This alert is fired when suspicious network traffic, possibly linked to a botnet or malware attack, is detected, ensuring proactive threat mitigation.	Critical	Count > 0
Sophos - Malware Not Cleaned-Up	This alert is fired when some detected malware remains unresolved for over 24 hours, indicating a potential persistence of the threat.	Critical	Count > 0
Sophos - Manual Cleanup Required	This alert is fired when malware cannot be automatically removed, requiring manual intervention to eliminate the threat.	Critical	Count > 0
Sophos - Medium Severity Alerts	This alert is fired when upon generation of more than five medium-severity alerts, providing early warnings of potential issues.	Critical	Count > 5
Sophos - Medium Severity Events	This alert is fired when upon five medium-severity events are logged, indicating a cluster of notable but less critical incidents.	Critical	Count > 5
Sophos - Ransomware Detected	Detects and alerts when ransomware is found and blocked, preventing file system access and potential damage.	Critical	Count > 0
Sophos - Real Time Protection Disabled	This alert is fired when real-time protection is disabled for more than 2.5 hours, leaving systems vulnerable to threats.	Critical	Count > 0
Sophos - Running Manual Not Cleaned Up	This alert is fired when a program running on a computer exhibits malicious or suspicious behavior that cannot be cleaned up.	Critical	Count > 0

Upgrade/Downgrade the Sophos app (Optional)

To update the app, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
   Optionally, you can identify apps that can be upgraded in the Upgrade available section.
3. To upgrade the app, select Upgrade from the Manage dropdown.
   1. If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
   2. If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
      1. In the Configure section of your respective app, complete the following fields.
         • Key. Select either of these options for the data source.
           • Choose Source Category and select a source category from the list for Default Value.
           • Choose Custom and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Post-update

Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.

note

See our Release Notes changelog for new updates in the app.

To revert the app to a previous version, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. To version down the app, select Revert to < previous version of your app > from the Manage dropdown.

Uninstalling the Sophos app (Optional)

To uninstall the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Uninstall.