This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Tamper Protection - Alerts

Good Afternoon, 

If we have a machine/server where someone generates a tamper protection event. I can see in the console under 'Events', I can see the Tamper Protection - Event Viewer, depending on the search criteria I can see the list of events. Is there a way if someone authenticates, the admins are alerted to this and an email is generated? 

Many Thanks, 

Will Janes.  



This thread was automatically locked due to age.
Parents
  • Hello Will Janes,

    the admins are alerted to this and an email is generated
    not sure I understand the and correctly - you mean this email would be the alerted?

    There's no such mechanism in SEC that I know of, TP hasn't even a section on the Dashboard. And also the endpoint doesn't send emails for TP events (BTW: I'd have expected that entering an invalid password would create a Tamper attempt event, looks like it doesn't).
    Would require some programming to get (more or less immediate) alerts. You could use the Reporting Log Writer to export the EventsTamperProtectionData, monitor the log for changes and act accordingly (no, I haven't done it).

    Christian

Reply
  • Hello Will Janes,

    the admins are alerted to this and an email is generated
    not sure I understand the and correctly - you mean this email would be the alerted?

    There's no such mechanism in SEC that I know of, TP hasn't even a section on the Dashboard. And also the endpoint doesn't send emails for TP events (BTW: I'd have expected that entering an invalid password would create a Tamper attempt event, looks like it doesn't).
    Would require some programming to get (more or less immediate) alerts. You could use the Reporting Log Writer to export the EventsTamperProtectionData, monitor the log for changes and act accordingly (no, I haven't done it).

    Christian

Children
  • Hello Christian, 

    Thanks for the response. 

    So for example, if someone knows the the tamper protection password, that user logs in, it authenticates and writes to the log file. 

    I would like to know if there is anything that Sophos can offer so that if this happens administrators are made aware as it happens, in some for of alert.  

    Thanks, 

    Will Janes. 

  • Hello Will Janes,

    it [...] writes
    the endpoint sends an event to the management server which records it in the database. The Log Writer regularly queries the database and writes new records to its log.
    I'm not Sophos, premium support might have something up their sleeve but as said I'm not aware of any existing alerting mechanism or interface (Central, BTW, has a SIEM feature).

    Christian