Sending process creation logs to SIEM

Question

Is it possible to ship process creation - and other telemetry - from XDR/Central to SIEM? 
 CrowdStrike has an FDR feature to write telemetry to S3, allowing you to consume it within Splunk etc. MS Defender for Endpoint (MDE) has something similar with blob storage. I'm not sure how Carbon Black does it, but I know you can ingest their raw telemetry too. 
 I'm aware of https://github.com/sophos/Sophos-Central-SIEM-Integration but this doesn't appear to be actual telemetry, rather alerting, scan results, update results etc.

Qoosh · Accepted Answer

Hi Greg, 
 Thanks for reaching out to the Sophos Community Forum. 
 Currently, it&rsquo;s not possible to offload the data collected via XDR outside of the results returned from queries run using the XDR Query API. The Sophos Central SIEM API will allow you to query events and alerts. 
 I suggest reaching out to your Sophos Account Manager to inquire about this as a potential feature request. If this functionality is already on the product roadmap, they may also be able to give you a rough estimate of when to expect it.

Sending process creation logs to SIEM

Top Replies