Sending process creation logs to SIEM

Is it possible to ship process creation - and other telemetry - from XDR/Central to SIEM?

CrowdStrike has an FDR feature to write telemetry to S3, allowing you to consume it within Splunk etc. MS Defender for Endpoint (MDE) has something similar with blob storage. I'm not sure how Carbon Black does it, but I know you can ingest their raw telemetry too.

I'm aware of https://github.com/sophos/Sophos-Central-SIEM-Integration but this doesn't appear to be actual telemetry, rather alerting, scan results, update results, etc.

Hi Greg,

Thanks for reaching out to the Sophos Community Forum.

Currently, it's not possible to offload the data collected via XDR outside of the results returned from queries run using the XDR Query API. The Sophos Central SIEM API will allow you to query events and alerts.

I suggest reaching out to your Sophos Account Manager to inquire about this as a potential feature request. If this functionality is already on the product roadmap, they may also be able to give you a rough estimate of when to expect it.

Kushal Lakhan
Team Lead, Global Community Support
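For readers who do want to get the events and alerts the reply mentions into a SIEM (as opposed to raw process-creation telemetry, which the reply says is not exposed), the following is an added example of a cursor-based poller for the Sophos Central SIEM API events feed that writes newline-delimited JSON for a collector to pick up. It is not Sophos's code and not the Sophos-Central-SIEM-Integration script from the linked repository. The token endpoint, the `whoami` call, the `/siem/v1/events` path, the `X-Tenant-ID` header, the `from_date`/`cursor`/`limit` parameters and the `items`/`has_more`/`next_cursor` page shape are assumptions taken from the public Sophos Central API documentation and should be checked against the current docs; the sample pages embedded in the script are constructed so it runs offline without credentials.

```python
"""Poll the Sophos Central SIEM API events feed and emit NDJSON for a SIEM collector.

Added example for this thread; not Sophos's code. Endpoint URLs, headers and
the page shape below are assumptions based on the public Sophos Central API
docs. Without SOPHOS_CLIENT_ID / SOPHOS_CLIENT_SECRET set it runs against
constructed sample pages instead of the live API.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"   # assumed
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"    # assumed
CURSOR_FILE = "sophos_siem_cursor.txt"                     # persisted between runs


def _get_json(url, headers, data=None):
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(client_id, client_secret):
    """Client-credentials grant (assumed flow); returns the bearer token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "token"}).encode()
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    return _get_json(TOKEN_URL, hdrs, body)["access_token"]


def whoami(token):
    """Resolve tenant id and regional data host (assumed response fields)."""
    info = _get_json(WHOAMI_URL, {"Authorization": f"Bearer {token}"})
    return info["id"], info["apiHosts"]["dataRegion"]


def make_page_fetcher(token, tenant_id, data_region, lookback_hours=12, limit=200):
    """Return fetch_page(cursor) -> page dict from GET {dataRegion}/siem/v1/events."""
    headers = {"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant_id}

    def fetch_page(cursor):
        params = {"limit": limit}
        if cursor:
            params["cursor"] = cursor
        else:  # first run: seed by time window (epoch seconds, assumed parameter)
            params["from_date"] = int(time.time()) - lookback_hours * 3600
        url = f"{data_region}/siem/v1/events?{urllib.parse.urlencode(params)}"
        return _get_json(url, headers)
    return fetch_page


def drain_events(fetch_page, cursor=None, seen_ids=None, max_pages=50):
    """Follow next_cursor until has_more is false, dropping ids already seen.

    Returns (new_events, cursor_to_persist). Re-running with the persisted
    cursor resumes where the last fully processed page ended, and the id set
    guards against duplicates when pages overlap.
    """
    seen_ids = seen_ids if seen_ids is not None else set()
    new_events = []
    for _ in range(max_pages):
        page = fetch_page(cursor)
        for ev in page.get("items", []):
            if ev.get("id") in seen_ids:
                continue
            seen_ids.add(ev.get("id"))
            new_events.append(ev)
        cursor = page.get("next_cursor") or cursor
        if not page.get("has_more"):
            break
    return new_events, cursor


def to_ndjson(events):
    """One JSON object per line, the form most SIEM file/HTTP collectors accept."""
    return "".join(json.dumps(ev, sort_keys=True) + "\n" for ev in events)


# Constructed sample pages for offline runs; event "b" is repeated across pages
# on purpose to exercise the de-duplication.
SAMPLE_PAGES = {
    None: {"items": [{"id": "a", "type": "Event::Endpoint::Threat::Detected"},
                     {"id": "b", "type": "Event::Endpoint::UpdateSuccess"}],
           "has_more": True, "next_cursor": "c1"},
    "c1": {"items": [{"id": "b", "type": "Event::Endpoint::UpdateSuccess"},
                     {"id": "c", "type": "Event::Endpoint::WebControlViolation"}],
           "has_more": False, "next_cursor": "c2"},
}


def main():
    cid = os.environ.get("SOPHOS_CLIENT_ID")
    secret = os.environ.get("SOPHOS_CLIENT_SECRET")
    if cid and secret:
        token = get_token(cid, secret)
        fetch = make_page_fetcher(token, *whoami(token))
        cursor = open(CURSOR_FILE).read().strip() if os.path.exists(CURSOR_FILE) else None
        events, cursor = drain_events(fetch, cursor)
        with open(CURSOR_FILE, "w") as f:
            f.write(cursor or "")
    else:  # offline demo against the constructed pages
        events, _ = drain_events(lambda c: SAMPLE_PAGES.get(c, {"items": []}))
    sys.stdout.write(to_ndjson(events))


if __name__ == "__main__":
    main()
```

Point the SIEM's file or HTTP collector at the script's output (or replace `sys.stdout.write` with a syslog/HTTP forwarder), schedule it on a short interval, and keep `CURSOR_FILE` on persistent storage so restarts neither replay nor skip events.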