Hello,
I integrated Sophos with QRadar using the API. It had been working until today; now I'm seeing a timed-out error.
We didn't make any changes to the firewall policies.
    [root@invqrdraio bin]# python3 siem.py
    Config endpoint=/siem/v1/events, filename='Sophos_Central.log' and format='cef'
    URL: api1.central.sophos.com/.../events
    Traceback (most recent call last):
      File "/usr/lib64/python3.6/urllib/request.py", line 1349, in do_open
        encode_chunked=req.has_header('Transfer-encoding'))
      File "/usr/lib64/python3.6/http/client.py", line 1254, in request
        self._send_request(method, url, body, headers, encode_chunked)
      File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
        self.endheaders(body, encode_chunked=encode_chunked)
      File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
        self._send_output(message_body, encode_chunked=encode_chunked)
      File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
        self.send(msg)
      File "/usr/lib64/python3.6/http/client.py", line 974, in send
        self.connect()
      File "/usr/lib64/python3.6/http/client.py", line 1407, in connect
        super().connect()
      File "/usr/lib64/python3.6/http/client.py", line 946, in connect
        (self.host,self.port), self.timeout, self.source_address)
      File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
        raise err
      File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
        sock.connect(sa)
    TimeoutError: [Errno 110] Connection timed out

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "siem.py", line 413, in <module>
        main()
      File "siem.py", line 410, in main
        run(options, config_data, state_data)
      File "siem.py", line 402, in run
        endpoint, options, config_data, state
      File "siem.py", line 383, in get_alerts_or_events
        write_cef_format(results)
      File "siem.py", line 121, in write_cef_format
        for i in results:
      File "/usr/bin/api_client.py", line 319, in make_token_request
        events = self.call_endpoint(token.url, default_headers, args)
      File "/usr/bin/api_client.py", line 260, in call_endpoint
        events_response = self.request_url(events_request_url, None, default_headers)
      File "/usr/bin/api_client.py", line 196, in request_url
        response = self.opener.open(request)
      File "/usr/lib64/python3.6/urllib/request.py", line 526, in open
        response = self._open(req, data)
      File "/usr/lib64/python3.6/urllib/request.py", line 544, in _open
        '_open', req)
      File "/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
        result = func(*args)
      File "/usr/lib64/python3.6/urllib/request.py", line 1392, in https_open
        context=self._context, check_hostname=self._check_hostname)
      File "/usr/lib64/python3.6/urllib/request.py", line 1351, in do_open
        raise URLError(err)
    urllib.error.URLError: <urlopen error [Errno 110] Connection timed out>
    [root@invqrdraio bin]#
Thanks for reaching out to the Sophos Community Forum.
Let me know if you are using the script referenced in the following article: Send alert and event data to your SIEM
If so, could you let me know when this was last updated on your side? Some revisions and fixes were last applied to the default script on June 22nd.
I'm using the latest version of the script (2.1.6), I configured it just 1 month ago and it was working well till 5 days ago.
The timeout error typically occurs when the route to the server is no longer working, or if there’s a caching server in between your system and the API you're trying to reach.
Could you try running the pre-built SIEM API query in this post to see if the error continues to be generated? This will help us determine if something needs to be adjusted in the query you're running.

If the same error continues to persist, you may want to try connecting a test device to an unrestricted network to test again.
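A small diagnostic for the timeout above, added here as an example (it is not part of this thread and not Sophos's own siem.py): it classifies the exception urllib raised and probes the API host in two stages, so a SYN silently dropped by a firewall or bad route can be told apart from DNS failure or a TLS handshake broken by an intercepting proxy. The host name comes from the pasted output; the category names and the sample failures are assumptions constructed for illustration.

```python
"""Diagnose why urllib in siem.py could not reach the Sophos Central API."""
import errno
import socket
import ssl
import urllib.error

API_HOST = "api1.central.sophos.com"   # host from the pasted traceback

def classify_failure(exc):
    """Map an exception from urlopen() to the layer that failed (category names are ours)."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http"            # TCP and TLS worked; the API itself answered 4xx/5xx
    # URLError wraps the socket-level error in .reason, as in the traceback above
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    err = getattr(reason, "errno", None)
    if isinstance(reason, ssl.SSLError):
        return "tls"             # handshake failed: often an intercepting (caching) proxy
    if isinstance(reason, socket.gaierror):
        return "dns"             # name did not resolve: DNS or /etc/hosts problem
    if isinstance(reason, (TimeoutError, socket.timeout)) or \
            err in (errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "timeout"         # [Errno 110]: SYN dropped by a firewall or a broken route
    if err == errno.ECONNREFUSED:
        return "refused"         # host reachable but port closed or proxy not listening
    return "unknown"

def probe(host=API_HOST, port=443, timeout=10):
    """Connect in two stages so the failing layer is visible; returns a short verdict."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return classify_failure(urllib.error.URLError(exc))
    try:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
            # An unexpected issuer organisation means something terminates TLS in the path
            return "ok (issuer=%s)" % issuer.get("organizationName")
    except ssl.SSLError as exc:
        return classify_failure(urllib.error.URLError(exc))

# Constructed sample failures (not real output) covering each classification branch
SAMPLE_FAILURES = {
    "etimedout": urllib.error.URLError(OSError(errno.ETIMEDOUT, "Connection timed out")),
    "dns": urllib.error.URLError(socket.gaierror(-2, "Name or service not known")),
    "refused": urllib.error.URLError(OSError(errno.ECONNREFUSED, "Connection refused")),
    "tls": urllib.error.URLError(ssl.SSLCertVerificationError(1, "certificate verify failed")),
    "http401": urllib.error.HTTPError("https://%s/" % API_HOST, 401, "Unauthorized", {}, None),
}

def classify_samples():
    return {name: classify_failure(exc) for name, exc in SAMPLE_FAILURES.items()}
```

Run `probe()` from the QRadar host itself: a "timeout" verdict points at the route or firewall, while "tls" or an unfamiliar issuer points at a proxy in the path, which is exactly the distinction the reply above asks you to make.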