Hi,
I need to be able to pull the telemetry from Sophos Intercept X into my SIEM. I am currently using the GitHub project linked below to pull alerts into the SIEM, but I need the raw telemetry. Is this possible yet? This is an old thread that was asking for the same - community.sophos.com/.../sending-process-creation-logs-to-siem
https://github.com/sophos/Sophos-Central-SIEM-Integration
Thanks,
Jeremy
Hi Jeremy,
Thanks for reaching out to the Sophos Community forum.
May I ask if you're trying to pull all of the data stored within the Sophos Data Lake, or if you are instead intending to use SIEM as an SOC?
It's not currently possible to replicate all of the data within the Sophos Data Lake. Most customers have chosen to run Data Lake and Live Discover queries against devices to then ingest the responses/data into their SIEM solutions.
It's also possible to use the XDR API in order to run queries.
Hi Jeremy,
Thanks for reaching out to the Sophos Community forum.
May I ask if you're trying to pull all of the data stored within the Sophos Data Lake, or if you are instead intending to use SIEM as an SOC?
It's not currently possible to replicate all of the data within the Sophos Data Lake. Most customers have chosen to run Data Lake and Live Discover queries against devices to then ingest the responses/data into their SIEM solutions.
It's also possible to use the XDR API in order to run queries.
