Sophos

The Sumo Logic app for Sophos delivers robust security monitoring and threat detection capabilities by harnessing detailed data from Sophos security solutions. This app features pre-configured dashboards that provide deep insights into security events and alerts, enabling security teams to quickly identify, analyze, and respond to potential threats.

With a comprehensive view of all security events, categorized by severity and type, the app offers visual tools such as geo-location mapping and event timelines to help prioritize incident response. It also emphasizes alert severity, sources, and affected products, highlighting trends and common issues that may require immediate attention.

By analyzing the frequency and types of alerts, security teams can track evolving threats and refine their defense strategies. The app also includes a real-time recent alerts section, allowing for rapid assessment and response to active threats.

Overall, the Sumo Logic app for Sophos equips organizations with the essential tools to strengthen their security posture and defend against sophisticated cyber threats.

info

This app includes built-in monitors. For details on creating custom monitors, refer to Create monitors for Sophos app.

Log types

This app uses Sumo Logic’s Sophos Source to collect Alerts and Events from the Sophos Central platform.

Sample log messages

Alerts

{
  "id": "aaabbbdddcccddd",
  "allowedActions": [
    "acknowledge"
  ],
  "category": "denc",
  "description": "Device is not encrypted.",
  "groupKey": "NCxFdbhf5bnghVuYzo6RGlza05bfgh5W50LDEs",
  "managedAgent": {
    "id": "aaabbbdddcccddd",
    "type": "computer"
  },
  "product": "encryption",
  "raisedAt": "2024-08-23T13:38:41.904Z",
  "severity": "medium",
  "tenant": {
    "id": "aaabbbdddcccddd",
    "name": "Sumo AB"
  },
  "type": "Event::Endpoint::SavDisabled",
  "person": {
    "id": "aaabbbdddcccddd"
  }
}

Events

{
  "endpoint_type": "computer",
  "endpoint_id": "c64b280-acd2-4483-b5qf-00e324de24",
  "user_id": "aaabbbdddcccddd",
  "when": "2024-08-25T05:08:16.023Z",
  "type": "Event::Endpoint::ServiceNotRunning",
  "source": "johnRH\\john",
  "location": "john-RH",
  "severity": "high",
  "id": "aaabbbdddcccddd",
  "group": "PROTECTION",
  "created_at": "2024-07-06T05:08:16.033Z",
  "source_info": {
    "ip": "0.0.0.0"
  },
  "customer_id": "b0gfd2ae-1cw9-422e-a8f5-12fbf70bxd42",
  "name": "One or more Sophos services are missing or not running"
}

Sample queries

Total Alerts

_sourceCategory=sophos managedAgent raisedAt // mandatory fields for alerts
| json "severity","category","product","managedAgent.type","tenant.name","type","description","raisedAt","id" as severity,category,product,source,tenant,type,description,raisedAt,id nodrop

// Global filters
| where severity matches "*"
| where product matches "*"
| where category matches "*"
| where type matches "*"
| where source matches "*"
| where tenant matches "*"

| count by id
| count

Set up collection

Follow the instructions provided to set up Cloud-to-Cloud Integration for Sophos Source for the Sophos app. These instructions will guide you through the process of creating a source using the Sophos Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Sophos app is properly integrated and configured to collect and analyze your Sophos Source.

Installing the Sophos app

To install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. Click Next in the Setup Data section.
5. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
6. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Viewing Sophos dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

• You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
• You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
• Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Alerts Overview

The Sophos - Alerts Overview dashboard offers a comprehensive overview of security alerts across your network. This dashboard helps you to visualize the total number of alerts and their severity, breaking them into High, Medium, and Low categories to facilitate a prioritized response to critical threats. The dashboard highlights the top 10 most common alert types, providing insight into recurring security issues that require attention. It tracks alert trends over time and by categories such as panic, runtime detections, and policy, helping to identify patterns and shifts in the threat landscape. Additionally, it provides a detailed breakdown of alerts by their source (for example: computer, mobile) and the products affected (for example, encryption, endpoint), as well as a ranking of tenants based on the number of alerts, useful for organizations with multi-tenant environments. The recent alerts section lists the latest incidents with detailed descriptions, enabling quick analysis and response.

Events Overview

The Sophos - Events Overview dashboard provides a comprehensive summary of security events detected by Sophos across your network. This dashboard also provides a high-level view of the total number of security events, categorized by severity and type, helping you to quickly assess the security posture of your environment.

Create monitors for Sophos app

From your App Catalog:

1. From the Sumo Logic navigation, select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. Make sure the app is installed.
4. Navigate to What's Included tab and scroll down to the Monitors section.
5. Click Create next to the pre-configured monitors. In the create monitors window, adjust the trigger conditions and notifications settings based on your requirements.
6. Scroll down to Monitor Details.
7. Under Location click on New Folder.
   note

   By default, monitor will be saved in the root folder. So to make the maintenance easier, create a new folder in the location of your choice.

8. Enter Folder Name. Folder Description is optional.
   tip

   Using app version in the folder name will be helpful to determine the versioning for future updates.

9. Click Create. Once the folder is created, click on Save.

Sophos alerts

The Sumo Logic app for Sophos includes a comprehensive set of monitors designed to enhance security monitoring and incident response. These alerts are triggered by critical security events, such as the detection of blocklisted activities, high-severity alerts, and events indicating potential threats like ransomware or malicious traffic. For instance, specific alerts notify when malware cannot be automatically cleaned up, when real-time protection is disabled for an extended period, or when ransomware attempts to access the file system. By focusing on the severity and nature of these security incidents, the app provides actionable insights, enabling security teams to respond promptly and effectively to emerging threats.

Name	Description	Trigger Type (Critical / Warning / MissingData)	Alert Condition
Sophos - Blocklisted Alerts	This alert is fired when blocklisted alerts are generated, signaling a critical security event.	Critical	Count > 0
Sophos - High Severity Alerts	This alert is fired upon generation of high-severity alerts, indicating significant security threats.	Critical	Count > 0
Sophos - High Severity Events	This alert is fired when high-severity events occur, highlighting major incidents that require immediate attention.	Critical	Count > 0
Sophos - Malicious Traffic Detected	This alert is fired when suspicious network traffic, possibly linked to a botnet or malware attack, is detected, ensuring proactive threat mitigation.	Critical	Count > 0
Sophos - Malware Not Cleaned-Up	This alert is fired when some detected malware remains unresolved for over 24 hours, indicating a potential persistence of the threat.	Critical	Count > 0
Sophos - Manual Cleanup Required	This alert is fired when malware cannot be automatically removed, requiring manual intervention to eliminate the threat.	Critical	Count > 0
Sophos - Medium Severity Alerts	This alert is fired when upon generation of more than five medium-severity alerts, providing early warnings of potential issues.	Critical	Count > 5
Sophos - Medium Severity Events	This alert is fired when upon five medium-severity events are logged, indicating a cluster of notable but less critical incidents.	Critical	Count > 5
Sophos - Ransomware Detected	Detects and alerts when ransomware is found and blocked, preventing file system access and potential damage.	Critical	Count > 0
Sophos - Real Time Protection Disabled	This alert is fired when real-time protection is disabled for more than 2.5 hours, leaving systems vulnerable to threats.	Critical	Count > 0
Sophos - Running Manual Not Cleaned Up	This alert is fired when a program running on a computer exhibits malicious or suspicious behavior that cannot be cleaned up.	Critical	Count > 0

Upgrade/Downgrade the Sophos app (Optional)

To update the app, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
   Optionally, you can identify apps that can be upgraded in the Upgrade available section.
3. To upgrade the app, select Upgrade from the Manage dropdown.
   1. If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
   2. If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
      1. In the Configure section of your respective app, complete the following fields.
         • Key. Select either of these options for the data source.
           • Choose Source Category and select a source category from the list for Default Value.
           • Choose Custom and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Post-update

Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.

note

See our Release Notes changelog for new updates in the app.

To revert the app to a previous version, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. To version down the app, select Revert to < previous version of your app > from the Manage dropdown.

Uninstalling the Sophos app (Optional)

To uninstall the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Uninstall.