Sophos Central SIEM API - Using the light switch to customize event outputs

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

If you’re using Sophos' default SIEM integration script and want to choose which event types you retrieve (for example, you don’t want application control events but do want endpoint non-compliance events), you can use the -light switch when running the siem.py script. By default, the light switch excludes the following event types:

  • Event::Endpoint::NonCompliant
  • Event::Endpoint::Compliant
  • Event::Endpoint::Device::AlertedOnly
  • Event::Endpoint::UpdateFailure
  • Event::Endpoint::SavScanComplete
  • Event::Endpoint::Application::Allowed
  • Event::Endpoint::UpdateSuccess
  • Event::Endpoint::WebControlViolation
  • Event::Endpoint::WebFilteringBlocked

You can easily edit this list and add or remove events as you see fit. To do so, edit the Python script name_mapping.py, which is included with the Sophos Central SIEM Integration script. Edit the last section of TYPE_HANDLERS, after this entry:

"Event::Endpoint::NonCompliant": None,    # None == ignore the event

Any event added to this list with a value of None will be ignored when running the light version of the Python script.

To get the list of event types in Sophos Central, see this KB article:

https://support.sophos.com/support/s/article/KB-000038309?language=en_US

For example, if I wanted to ignore events such as PUA detections (this is just an example, I am not recommending you do this), then I would add the following entry to the list:

"Event::Endpoint::CorePuaDetection": None,

Save name_mapping.py and then run siem.py with the light switch:

python siem.py -l

My results will ignore any Event::Endpoint::CorePuaDetection events.

You can also do the opposite and remove events from the “ignore” list by simply deleting the event's entry from the list. This gives you a very simple way to customize the list of events you wish to retrieve using the SIEM API script.
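As an added illustration (this is not the code of Sophos' siem.py or name_mapping.py), the Python below mirrors the behaviour described above: a TYPE_HANDLERS table in which a value of None marks an event type to drop in light mode, a filter that applies that table, and a per-type count of what was dropped so you can audit your ignore list before relying on it in a SIEM. The event-type names in the table come from this post; the filter functions, the sample event records and the placeholder type Event::Example::PlaceholderAlert are assumptions made for the example.

```python
"""Added example: light-mode filtering driven by a name_mapping.py-style table.
Illustrative only; the real siem.py / name_mapping.py internals are not reproduced here.
"""
from collections import Counter

# Partial table in the style of name_mapping.py. A value of None means
# "ignore this event type when running with the light switch (-l)".
# The type names below are the ones listed in the post.
TYPE_HANDLERS = {
    "Event::Endpoint::NonCompliant": None,          # None == ignore the event
    "Event::Endpoint::Compliant": None,
    "Event::Endpoint::Device::AlertedOnly": None,
    "Event::Endpoint::UpdateFailure": None,
    "Event::Endpoint::SavScanComplete": None,
    "Event::Endpoint::Application::Allowed": None,
    "Event::Endpoint::UpdateSuccess": None,
    "Event::Endpoint::WebControlViolation": None,
    "Event::Endpoint::WebFilteringBlocked": None,
    # The post's example entry (not a recommendation): also drop PUA detections.
    "Event::Endpoint::CorePuaDetection": None,
}

# Constructed sample events, shaped loosely like Central SIEM event records.
# "Event::Example::PlaceholderAlert" is a made-up type that is NOT in the ignore list.
SAMPLE_EVENTS = [
    {"type": "Event::Endpoint::CorePuaDetection", "endpoint": "host-01", "severity": "medium"},
    {"type": "Event::Endpoint::UpdateSuccess", "endpoint": "host-02", "severity": "low"},
    {"type": "Event::Example::PlaceholderAlert", "endpoint": "host-03", "severity": "high"},
    {"type": "Event::Endpoint::UpdateSuccess", "endpoint": "host-04", "severity": "low"},
]


def ignored_in_light_mode(event_type, handlers):
    """True when the handler table maps this event type to None."""
    return event_type in handlers and handlers[event_type] is None


def filter_events(events, handlers, light=False):
    """Return the events that would be emitted.

    Without the light switch every event passes through; with it, every
    event whose type is mapped to None in the handler table is dropped.
    """
    if not light:
        return list(events)
    return [e for e in events if not ignored_in_light_mode(e["type"], handlers)]


def dropped_by_type(events, handlers):
    """Count, per event type, how many events light mode would silently drop.

    Useful as a sanity check after editing the ignore list: if a detection
    type shows up here, you probably did not mean to exclude it.
    """
    counts = Counter()
    for e in events:
        if ignored_in_light_mode(e["type"], handlers):
            counts[e["type"]] += 1
    return dict(counts)


def without_ignore_entry(handlers, event_type):
    """Return a copy of the table with one entry deleted, i.e. the 'opposite'
    edit from the post: removing a type from the ignore list so it is retrieved again."""
    copy = dict(handlers)
    copy.pop(event_type, None)
    return copy


if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, TYPE_HANDLERS, light=True):
        print("kept   :", e["type"], e["endpoint"])
    for t, n in dropped_by_type(SAMPLE_EVENTS, TYPE_HANDLERS).items():
        print("dropped:", t, "x", n)
    # After deleting the UpdateSuccess entry, those events come back in light mode.
    trimmed = without_ignore_entry(TYPE_HANDLERS, "Event::Endpoint::UpdateSuccess")
    print("kept after edit:", len(filter_events(SAMPLE_EVENTS, trimmed, light=True)))
```

Running the block prints which sample events survive light mode and which types were dropped; the last line shows that removing an entry from the table brings that type back, which is the edit described in the paragraph above.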
Added TAGs
[edited by: emmosophos at 10:30 PM (GMT -7) on 13 Apr 2021]