• Stars
    star
    103
  • Rank 333,046 (Top 7 %)
  • Language
    Python
  • Created about 8 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Simple integration script for 3rd party systems such as SIEMs. Offers command line, file or syslog output in CEF, JSON or key-value pair formats.

SIEM Script

Powered By Sophos Central

N|Solid

This repository contains a script package to export event and alert data from Sophos Central into a SIEM solution.

Any issue discovered using the script should be reported to Sophos Support.

SIEM

The script in this directory allows you to use the Sophos Central API to get data into your SIEM solution.

Access to the APIs requires API Credentials that can be setup in the Sophos Central UI by going to Global Settings from the navigation bar and then selecting API Credentials Management. From this page, you can click the Add Credential button to create new credentials (client ID and client secret). Here is more information available on how to setup API Credentials: https://community.sophos.com/kb/en-us/125169

Installation

Download and extract from here for the latest release. For older version, please consult the Releases section below. For changes to the API, please consult the API Updates section below. We recommend running this script with the latest version of Python 3.7 or newer. We have tested that this program works with Python 3.6 on multiple platforms. However, support for that version of Python will be dropped when it reaches end-of-life.

Releases

See changelog for full details.

v2.1.0
  • Bug fixes
v2.0.1
  • Added check for minimum supported Python version.
v2.0.0
  • New JWT-based authentication for the SIEM API
  • Better support for partners and enterprise customers
  • State file consolidated
  • Drop support for Python 2.x
v1.1.0
  • CSA-2918: Adding text identifier to distinguish between an 'Event' and 'Alert'
  • CSA-2917: Fixing issue with double alert reporting
v1.0.0
  • Initial release

API Updates

The following updates are part of an API update. They will be live for all versions of SIEM after their listed release dates.

See changelog for full details.

2019-04-13
  • Updated conversion logic to ensure matching identifiers between output objects for the following elements: -- endpoint_id -- customer_id -- event_service_event_id

Configuration

The script gets the last 12 hours of events on its initial run. A maximum of 24 hours of historical data can be retrieved. The script keeps tab of its state,โ€‚it will always pick-up from where it left off based on a state file stored in the state folder. The script calls the server until there are no more events available. There is also a built-in retry mechanism if there are any network issues. The script exits if there are no more events available or when retry fails. In this case the next scheduled run of the script will pick-up state from the last run using the state file.

Set the SOPHOS_SIEM_HOME environment variable to point to the folder where config.ini, siem_cef_mapping.txt, state and log folders will be located. state and log folders are created when the script is run for the first time.

config.ini is a configuration file that exists by default in the siem-scripts folder.

Here are the steps to configure the script:
  1. Open config.ini in a text editor.
  2. Under Client ID and Client Secret in the config file, copy and paste the API Credentials from the API Credentials Management page in Sophos Central.
  3. Under Customer tenant id in the config file, you can mention the tenant id for which you want to fetch alerts and events.
Optional configuration steps:
  1. Under json, cef or keyvalue, you could choose the preferred output of the response i.e. json, cef or keyvalue.
  2. Under filename, you can specify the filename that your output would be saved to. Options are syslog, stdout or any custom file name. Custom files are created in a folder named log.
  3. If you are using syslog then under syslog properties in the config file, configure address, facility and socktype.
  4. under state_file_path, specify the full or relative path to the cache file (with a ".json" extension)

Running the script

Run python siem.py and you should see the results as specified in the config file. Here is the list of available options:

Option Description
-s <Unix Timestamp>, --since= Return results since specified Unix Timestamp, max last 24 hours, defaults to last 12 hours if there is no state file
-c <Config File Path>, --config= Specify a configuration file, defaults to config.ini
-l, --light Ignore noisy events: web control (Event::Endpoint::WebControlViolation, Event::Endpoint::WebFilteringBlocked), device control (Event::Endpoint::Device::AlertedOnly, Event::Endpoint::SavScanComplete), update success/failure (Event::Endpoint::UpdateFailure, Event::Endpoint::UpdateSuccess), application allowed (Event::Endpoint::Application::Allowed), (non)compliant (Event::Endpoint::NonCompliant, Event::Endpoint::Compliant)
-d, --debug Print debug logs
-v, --version Print version
-q, --quiet Suppress status messages. No output would be printed by siem.py

License

Copyright 2016-2021 Sophos Limited

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

More Repositories

1

SOREL-20M

Sophos-ReversingLabs 20 million sample dataset
Python
549
star
2

yaraml_rules

Security ML models encoded as Yara rules
Python
175
star
3

gpt3-and-cybersecurity

GPT-3 use cases for Cybersecurity
Python
44
star
4

solarwinds-threathunt

Threathunt details for the Solarwinds compromise
31
star
5

sophos-central-api-connector

Leverage Sophos Central API
Python
22
star
6

factory-run-pipeline

A GitHub Action to run a Sophos Factory pipeline.
TypeScript
13
star
7

sophos-central-apis-postman

Postman collection to work with Sophos Central APIs
12
star
8

XG-Management-Helper

Visual Basic .NET
11
star
9

sophos-firewall-sdk

Python module for working with Sophos Firewall API
Python
7
star
10

PS.Machine_Health

This will create a health report for every machines in an MSP/EDB/Single Sophos Central console
Python
6
star
11

Incident-Response

Scripts to aid in incident response scenarios
Shell
5
star
12

PS.Unprotected_Machines

This will compare all the machines in every Sophos Central MSP/EDB/Single Console and Active Directory. It will list all the machines not protected by Sophos Central and when those machines last spoke to a Domain Controller. It will also mark as suspicious any machine where the AD login time is prior to the last Sophos Central message time. Please follow the PDF guide
Python
5
star
13

Sophos-Cloud-Optix-Remediation-Functions

Automatically remediate security issues detected in your Cloud Environments with Sophos Cloud Optix using serverless functions.
Python
3
star
14

PS.Turn_On_Tamper

This will turned on Tamper Protection for all machines in a MSP/EDB/Single console
Python
3
star
15

Sophos-Migration-Utility-CLI

Sophos Migration Utility CLI for UTM -> SFOS configuration conversion
Perl
3
star
16

se-ops.Factory_Solutions

2
star
17

App-SFDC

Command-line tools for Salesforce.com
Perl
2
star
18

Crypt-PKCS11-Easy

Try to make PKCS#11 less miserable
Perl
2
star
19

PS.Trigger_On_Demand_Scan

The script will trigger an On-Demand scan on all Windows Endpoints. It will NOT trigger on Macs, Windows Servers or Linux
Python
2
star
20

factory-eks-terraform-demo

Integration demo for Sophos Factory, AWS EKS, and Terraform.
HCL
2
star
21

WWW-SFDC

Perl wrapper around the Salesforce.com SOAP APIs
Perl
2
star
22

sophos-firewall-audit

Audit Sophos XG firewall for compliance with security baseline
Python
2
star
23

XgOnAzurePOC

Templates and Scripts Used In the XG On Azure PoC Document
Shell
1
star
24

factory-cli

Official repository for the Sophos Factory command line tool (CLI)
TypeScript
1
star
25

p5-Krb5

Kerberos v5 bindings
C
1
star
26

factory-opa-terraform-demo

Open Policy Agent Terraform Example for Sophos Factory
Open Policy Agent
1
star
27

factory-api-client

Official Sophos Factory API client library for JavaScript.
TypeScript
1
star
28

factory-runner-utils

Archive of Sophos Factory self-hosted runner agent utilities.
Shell
1
star
29

Sophos-Data-Lake-Example-Tool

Python
1
star
30

App-SFDC-Metadata

Metadata commands for App::SFDC
Perl
1
star
31

App-SFDC-Command-ExecuteAnonymous

Perl
1
star
32

factory-quickstart-resources

Resources for starting with Sophos Factory.
HTML
1
star
33

factory-compliance

Artifacts required by the Sophos Factory Compliance use case.
1
star
34

pymetascanner

Simple Python script to scan files with Metadefender
Python
1
star
35

factory-cis-certification

Resources for the Sophos Factory CIS Certification Pipelines.
Python
1
star
36

WebService-LogicMonitor

Interact with LogicMonitor through their API
Perl
1
star
37

demoscripts

Python
1
star