
API - matching Customer_id to actual customer

Hi all.  In the process of coming up with some integration between Sophos Central and our ITSM platform.  We've got a SC Enterprise Dashboard and will have over 500 sub-estates in a few months when we're up and running.  

I'm using an unaltered version of the python SIEM script to pull events back - which is working perfectly.  My question is simple in one way, but I think the answer may be more complex.

Here's a sample result:

{"id": "8b0c8761-ae98-b400-099f-26ccefd85c70", "endpoint_type": "server", "customer_id": "23da2a3c-2085-4401-78da-48399db6c5f6", "severity": "high", "source_info": {"ip": "10.18.10.2"}, "endpoint_id": "b13b87c7-562c-e45e-2bc5-1a05eeb10c5e", "threat": "EICAR-AV-Test", "type": "Event::Endpoint::Threat::CleanupFailed", "name": "EICAR-AV-Test", "group": "MALWARE", "dhost": "TEST", "rt": "2019-01-31T12:23:54.804Z", "end": "2019-01-30T12:23:51.000Z", "suser": "n/a", "detection_identity_name": "EICAR-AV-Test", "filePath": "C:\\Users\\administrator.SOLUS\\Desktop\\EICARtest.txt"}

The customer_id I've highlighted in there is my quandary. How can I transpose this GUID into the name of the sub-estate? I know that I can get the .csv from the Deployment tab of the enterprise console which allows a customer ID to be passed to the generic installer, but those are different GUIDs.

So, my 2-part question is:

1. Is there anywhere that I can create an xml or similar that contains the names of the sub-estates and the customer_ID fields?

2. Is it possible to fettle the SIEM.py file to get it to drag back the customer name too? I've had a look through the swagger file but can't find anything in there.


Many thanks in advance!
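Whatever the source of the name-to-GUID table ends up being, the enrichment step itself is the same: key a lookup on the lower-cased customer_id and attach the resolved name to each SIEM event before it is shipped to the ITSM platform. The following is an added example written for this thread, not code from the Sophos SIEM script or from the original poster. It assumes a locally maintained CSV of customer_id to sub-estate name (a constructed table with made-up names; the GUIDs other than the one from the sample event are invented), and it also reports any customer_id values that the table does not yet cover so the table can be kept complete as sub-estates are added.

```python
import csv
import io
import json

# Sample event taken from the forum post (raw string so the JSON escapes survive as-is).
SAMPLE_EVENT = r'''{"id": "8b0c8761-ae98-b400-099f-26ccefd85c70", "endpoint_type": "server",
"customer_id": "23da2a3c-2085-4401-78da-48399db6c5f6", "severity": "high",
"source_info": {"ip": "10.18.10.2"}, "endpoint_id": "b13b87c7-562c-e45e-2bc5-1a05eeb10c5e",
"threat": "EICAR-AV-Test", "type": "Event::Endpoint::Threat::CleanupFailed",
"name": "EICAR-AV-Test", "group": "MALWARE", "dhost": "TEST", "rt": "2019-01-31T12:23:54.804Z",
"end": "2019-01-30T12:23:51.000Z", "suser": "n/a", "detection_identity_name": "EICAR-AV-Test",
"filePath": "C:\\Users\\administrator.SOLUS\\Desktop\\EICARtest.txt"}'''

# Constructed mapping table (assumption: maintained by hand or exported from wherever the
# sub-estate names live). The second GUID and both names are made up for this example.
MAPPING_CSV = """customer_id,sub_estate
23da2a3c-2085-4401-78da-48399db6c5f6,Example Sub-Estate A
11111111-2222-3333-4444-555555555555,Example Sub-Estate B
"""

UNKNOWN = "UNMAPPED"


def load_mapping(csv_text):
    """Parse the CSV into {customer_id (lower-case): sub_estate name}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    mapping = {}
    for row in reader:
        cid = (row.get("customer_id") or "").strip().lower()
        name = (row.get("sub_estate") or "").strip()
        if cid and name:
            mapping[cid] = name
    return mapping


def enrich_event(event_json, mapping):
    """Return the decoded event with a customer_name field added.

    An event whose customer_id is missing from the table gets UNKNOWN rather than
    being dropped, so nothing silently disappears from the ITSM feed.
    """
    event = json.loads(event_json)
    cid = str(event.get("customer_id", "")).strip().lower()
    event["customer_name"] = mapping.get(cid, UNKNOWN)
    return event


def unmapped_ids(event_jsons, mapping):
    """Collect customer_id values seen in a batch that the table does not cover."""
    missing = set()
    for raw in event_jsons:
        cid = str(json.loads(raw).get("customer_id", "")).strip().lower()
        if cid and cid not in mapping:
            missing.add(cid)
    return sorted(missing)


if __name__ == "__main__":
    table = load_mapping(MAPPING_CSV)
    enriched = enrich_event(SAMPLE_EVENT, table)
    print(json.dumps(enriched, indent=2))
    # A second, constructed event with an unknown customer_id to show the gap report.
    stray = json.dumps({"id": "x", "customer_id": "AAAAAAAA-0000-0000-0000-000000000000"})
    print("unmapped:", unmapped_ids([SAMPLE_EVENT, stray], table))
```

Run the gap report on each day's pull and add any returned GUIDs to the table; the lookup is case-insensitive so it does not matter whether the source writes the GUIDs in upper or lower case.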


