Sophos EDR
Overview
Sophos EDR monitors, detects and mitigates threats on endpoints. This EDR reduces the attack surface and prevent attacks from running with an anti-exploit, an anti-ransomware and advanced control technology.
This setup guide shows how to forward events produced by Sophos EDR to Sekoia.io.
- Vendor: Sophos
- Supported environment: Cloud
- Detection based on: Telemetry
- Supported application or feature: File monitoring, Process monitoring
Configure
Create SOPHOS EDR Credentials
Warning
If you have a "Partner" or "Organization" entity, you need to do the following procedure on every tenant attached to it. Please find more information on the official documentation
In the Sophos Central Admin console:
- On the left panel, go to
Global Settingsand selectAPI Credentials Management. - Click on
Add Credentialto create a credential dedicated to Sekoia.io. - Give it a name, select the role
Service Principal ReadOnlyand click onAdd. - In the
API credential Summary, copy theClient IDand theClient Secret. It will be used later in Sekoia.io to retrieve the events.
Create the intake
- Go to the Intake page and create a new
Sophos EDRintake. - Copy the associated Intake key
Pull events
- Go to the Playbook page.
- Click on
+ PLAYBOOKand chooseCreate a playbook from scratch. - Give it a name and a description and click on
Next. - In
Choose a trigger, select the Get Sophos events. - Click on the
Get Sophos eventsmodule on the right sidebar and in theModule Configurationsection, selectCreate new configuration. -
Write a
nameand paste theclient_idandclient_secretfrom the Sophos console and click onSave.Info
- If you want to change the region with your own region, you can find your region via protect devices field, first click on Protect Devices, Then copy link of any download links and finally Check the region that appears as part of the URL.
- No need to change the Oauth2 Authorization Url for the moment, as this's the only endpoint to get a JWT token
-
In the
Trigger Configurationsection, click onCreate new configuration. - Write a
name, choose afrequency- Default is60-, paste theintake_keyassociated to yourSophos EDRintake and click onSave. - On the top right corner, start the Playbook. You should see monitoring messages in the
Logssection. - Check on the Events page that the Sophos logs are being received.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"severity": "low",
"type": "Event::Endpoint::Application::Blocked",
"endpoint_type": "computer",
"endpoint_id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "Controlled application blocked: Google Software Reporter Tool (Security tool)",
"id": "bc60c18b-dc21-43a3-bfd5-f28963f288e2",
"group": "APPLICATION_CONTROL",
"datastream": "event",
"end": "2022-04-25T03:15:31.760Z",
"suser": "n/a",
"rt": "2022-04-25T03:15:31.777Z",
"dhost": "DOMAIN-1234"
}
{
"severity": "medium",
"type": "Event::Endpoint::Enc::DiskNotEncryptedEvent",
"name": "Device is not encrypted.",
"id": "f7c7e65a-a452-429c-9e0a-cdc16c5b50e9",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_id": "92d4ef41-9c13-4041-bbed-952011796812",
"endpoint_type": "computer",
"group": "DENC",
"datastream": "event",
"end": "2022-04-27T13:23:07.981Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T13:24:08.662Z",
"duid": "574fcff42ead810f5e43b0fc",
"suser": "Elon Musk"
}
{
"severity": "low",
"type": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed",
"endpoint_type": "computer",
"endpoint_id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
"id": "bc60c18b-dc21-43a3-bfd5-f28963f288e2",
"group": "DATA_LOSS_PREVENTION",
"datastream": "event",
"end": "2022-04-25T03:15:31.760Z",
"suser": "n/a",
"rt": "2022-04-25T03:15:31.777Z",
"dhost": "DOMAIN-1234"
}
{
"severity": "low",
"type": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed",
"endpoint_type": "computer",
"endpoint_id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4 Destination type: Removable storage",
"id": "bc60c18b-dc21-43a3-bfd5-f28963f288e2",
"group": "DATA_LOSS_PREVENTION",
"datastream": "event",
"end": "2022-04-25T03:15:31.760Z",
"suser": "n/a",
"rt": "2022-04-25T03:15:31.777Z",
"dhost": "DOMAIN-1234"
}
{
"severity": "low",
"type": "Event::Endpoint::Enc::DiskEncryptionInformation",
"name": "Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.",
"id": "55726d81-213b-43b6-be18-48dee3add6f8",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "c0e1e239-8912-4cc9-a6ed-245a964dec10",
"endpoint_id": "92d4ef41-9c13-4041-bbed-952011796812",
"endpoint_type": "computer",
"group": "DENC",
"datastream": "event",
"end": "2022-04-27T08:48:48.808Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T08:48:48.809Z",
"duid": "62690353b62561118508746f",
"suser": "TESLA\\user"
}
{
"severity": "medium",
"type": "Event::Endpoint::Denc::EncryptionSuspendedEvent",
"name": "Device Encryption is suspended",
"id": "80130549-e09e-46d3-ab98-919fbd625884",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_id": "92d4ef41-9c13-4041-bbed-952011796812",
"endpoint_type": "computer",
"group": "DENC",
"datastream": "event",
"end": "2022-04-27T08:47:16.490Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T08:48:19.320Z",
"duid": "624aabf253f2e60fda590556",
"suser": "TESLA\\admin"
}
{
"severity": "low",
"type": "Event::Endpoint::HmpaExploitPrevented",
"endpoint_type": "computer",
"endpoint_id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "'CodeCave' exploit prevented in Essential Objects Worker Process",
"id": "bc60c18b-dc21-43a3-bfd5-f28963f288e2",
"group": "RUNTIME_DETECTIONS",
"datastream": "event",
"end": "2022-04-25T03:15:31.760Z",
"suser": "n/a",
"rt": "2022-04-25T03:15:31.777Z",
"dhost": "DOMAIN-1234"
}
{
"severity": "low",
"type": "Event::Endpoint::Enc::Recovery::KeyReceived",
"name": "A BitLocker recovery key has been received from: DESKTOP-1234.",
"id": "c8e0b5c9-69d0-4885-8964-5cefaa8ef13e",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_id": "92d4ef41-9c13-4041-bbed-952011796812",
"endpoint_type": "computer",
"group": "DENC",
"datastream": "event",
"end": "2022-04-27T13:22:08.749Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T13:22:13.565Z",
"duid": "574fcff42ead810f5e43b0fc",
"suser": "admin tech"
}
{
"severity": "low",
"type": "Event::Endpoint::Denc::OutlookPluginEnabledEvent",
"name": "Outlook add-in is enabled",
"id": "37d8c083-2342-4e88-9da6-4f47e3143c9d",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_id": "92d4ef41-9c13-4041-bbed-952011796812",
"endpoint_type": "computer",
"group": "DENC",
"datastream": "event",
"end": "2022-04-27T13:22:06.909Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T13:22:13.226Z",
"duid": "574fcff42ead810f5e43b0fc",
"suser": "admin tech"
}
{
"severity": "low",
"type": "Event::Endpoint::CorePuaDetection",
"endpoint_type": "computer",
"endpoint_id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "PUA detected: 'Rule Generic PUA' at 'C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc'",
"id": "bc60c18b-dc21-43a3-bfd5-f28963f288e2",
"group": "PUA",
"datastream": "event",
"end": "2022-04-25T03:15:31.760Z",
"suser": "n/a",
"rt": "2022-04-25T03:15:31.777Z",
"dhost": "DOMAIN-1234"
}
{
"appSha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "d9b11461-9678-4448-ab88-4b5211d2bf5e",
"endpoint_id": "61092e0b-b6f5-46c5-b0a7-68ee3b2dc822",
"endpoint_type": "computer",
"threat": "Generic Reputation PUA",
"origin": "ML",
"type": "Event::Endpoint::CorePuaDetection",
"id": "c39307f6-0c51-4a55-af23-f2ac7905416d",
"group": "PUA",
"rt": "2023-08-07T21:55:28.843Z",
"severity": "medium",
"duid": "63ed3118d043e176065be9ba",
"end": "2023-08-07T21:55:27.508Z",
"name": "PUA detected: 'Generic Reputation PUA' at 'C:\\Users\\John Doe\\Documents\\suspicious.zip'",
"dhost": "LAPTOP-01",
"suser": "LAPTOP-01\\John Doe"
}
{
"severity": "low",
"type": "Event::Endpoint::Registered",
"name": "New computer registered: DESKTOP-1234",
"id": "b3c9c053-6037-469d-9bee-49d39f7932d0",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_id": "92d4ef41-9c13-4041-bbed-952011796812",
"endpoint_type": "computer",
"group": "PROTECTION",
"datastream": "event",
"end": "2022-04-27T13:17:10.188Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T13:17:10.197Z",
"duid": "574fcff42ead810f5e43b0fc",
"suser": "admin tech"
}
{
"severity": "low",
"type": "Event::Endpoint::SavScanComplete",
"name": "Scan 'Sophos Cloud Scheduled Scan' completed",
"id": "fca84bd1-44df-4c30-ab79-103b971e714a",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_id": "92d4ef41-9c13-4041-bbed-952011796812",
"endpoint_type": "computer",
"group": "PROTECTION",
"datastream": "event",
"end": "2022-04-27T08:59:59.000Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T09:00:03.548Z",
"duid": "611cda48cf87290e90dfc1d1",
"suser": "Elon Musk"
}
{
"severity": "low",
"type": "Event::Endpoint::UpdateFailure",
"endpoint_type": "server",
"endpoint_id": "350e274b-777f-4b67-b34b-10d17a6c6193",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.",
"id": "f68abcb6-c87f-46ae-a82a-7919bf313a66",
"group": "UPDATING",
"datastream": "event",
"end": "2022-04-25T07:41:03.101Z",
"suser": "n/a",
"rt": "2022-04-25T07:41:03.118Z",
"dhost": "DESKTOP-1234"
}
{
"severity": "low",
"type": "Event::Endpoint::UpdateRebootRequired",
"endpoint_type": "server",
"endpoint_id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"source_info": {
"ip": "1.2.3.4"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "Reboot to complete update; computer stays protected in the meantime",
"id": "bc60c18b-dc21-43a3-bfd5-f28963f288e2",
"group": "UPDATING",
"datastream": "event",
"end": "2022-04-25T03:15:31.760Z",
"suser": "n/a",
"rt": "2022-04-25T03:15:31.777Z",
"dhost": "DOMAIN-1234"
}
{
"severity": "low",
"type": "Event::Endpoint::UpdateSuccess",
"endpoint_type": "server",
"endpoint_id": "2ddff78e-27a1-40ff-8478-6c9be62e3b29",
"source_info": {
"ip": "4.5.6.7"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "Update succeeded",
"id": "a4c6776e-2f47-4bea-b5b3-7f1914c03a70",
"group": "UPDATING",
"datastream": "event",
"end": "2022-04-25T04:57:09.886Z",
"suser": "n/a",
"rt": "2022-04-25T04:57:09.900Z",
"dhost": "ACLOUD-2K22"
}
{
"severity": "low",
"type": "Event::Endpoint::UserAutoCreated",
"name": "New user added automatically: TESLA\\e.musk",
"id": "1498e255-e9c1-4835-b0b9-8ae7b44ae6f7",
"source_info": {
"ip": "1.3.3.7"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"endpoint_type": "computer",
"group": "PROTECTION",
"datastream": "event",
"end": "2022-04-27T08:48:19.449Z",
"dhost": "DESKTOP-1234",
"rt": "2022-04-27T08:48:19.456Z",
"duid": "62690353b62561118508746f",
"suser": "TESLA\\e.musk"
}
{
"severity": "low",
"type": "Event::Endpoint::WebFilteringBlocked",
"endpoint_type": "computer",
"endpoint_id": "3205420f-f05c-4f03-bb10-3ff6bf97b6ab",
"source_info": {
"ip": "1.3.3.7"
},
"customer_id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"name": "Access was blocked to \"www.malicious-site.com\" because of \"Rulename\".",
"id": "a91e11e2-1739-4f01-bf33-2dfd165e5ca3",
"group": "WEB",
"datastream": "event",
"end": "2022-04-25T09:35:54.000Z",
"suser": "Elon Musk",
"rt": "2022-04-25T09:35:55.764Z",
"duid": "615ff633eae9110e824c07b7",
"dhost": "TESLA-SUPPORT"
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Sophos EDR. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Sophos EDR on ATT&CK Navigator
Account Added To A Security Enabled Group
Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)
- Effort: master
CVE-2020-0688 Microsoft Exchange Server Exploit
Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.
- Effort: elementary
CVE-2020-17530 Apache Struts RCE
Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).
- Effort: intermediate
CVE-2021-20021 SonicWall Unauthenticated Administrator Access
Detects the exploitation of SonicWall Unauthenticated Admin Access.
- Effort: advanced
CVE-2021-20023 SonicWall Arbitrary File Read
Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.
- Effort: advanced
CVE-2021-22893 Pulse Connect Secure RCE Vulnerability
Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.
- Effort: intermediate
Computer Account Deleted
Detects computer account deletion.
- Effort: master
Detect requests to Konni C2 servers
This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.
- Effort: elementary
Discord Suspicious Download
Discord is a messaging application. It allows users to create their own communities to share messages and attachments. Those attachments have little to no overview and can be downloaded by almost anyone, which has been abused by attackers to host malicious payloads.
- Effort: intermediate
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.
- Effort: advanced
Download Files From Suspicious TLDs
Detects download of certain file types from hosts in suspicious TLDs
- Effort: master
Koadic MSHTML Command
Detects Koadic payload using MSHTML module
- Effort: intermediate
Linux Shared Lib Injection Via Ldso Preload
Detect ld.so.preload modification for shared lib injection, technique used by attackers to load arbitrary code into process
- Effort: intermediate
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
Possible Malicious File Double Extension
Detects request to potential malicious file with double extension
- Effort: elementary
Possible Replay Attack
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
- Effort: intermediate
Process Trace Alteration
PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.
- Effort: advanced
ProxyShell Microsoft Exchange Suspicious Paths
Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.
- Effort: elementary
RSA SecurID Failed Authentification
Detects many failed attempts to authenticate followed by a successfull login for a super admin account.
- Effort: advanced
Remote Monitoring and Management Software - AnyDesk
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.
- Effort: master
Remote Monitoring and Management Software - Atera
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sophos EDR Application Blocked
Sophos EDR detected a potentially malicious application and blocked it.
- Effort: master
Sophos EDR Application Detected
Sophos EDR detected a potentially malicious application.
- Effort: master
Sophos EDR CorePUA Clean
Sophos EDR detected a potentially unwanted application and cleaned it.
- Effort: master
Sophos EDR CorePUA Detection
Sophos EDR detected a potentially unwanted application.
- Effort: master
Suspicious Download Links From Legitimate Services
Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
- Effort: intermediate
Suspicious PROCEXP152.sys File Created In Tmp
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
- Effort: advanced
Suspicious TOR Gateway
Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: advanced
Suspicious URI Used In A Lazarus Campaign
Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.
- Effort: intermediate
User Account Created
Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
File monitoring |
Monitor files and devices activities |
Process monitoring |
Monitor process activities |
Process use of network |
Monitor network activities |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | file, iam, network, process |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Application::Blocked\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Controlled application blocked: Google Software Reporter Tool (Security tool)\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"APPLICATION_CONTROL\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"category": [
"file"
],
"code": "Event::Endpoint::Application::Blocked",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "Controlled application blocked: Google Software Reporter Tool (Security tool)",
"type": [
"denied"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"process": {
"title": "Google Software Reporter Tool (Security tool)"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "APPLICATION_CONTROL"
}
}
}
{
"message": "{\"severity\":\"medium\",\"type\":\"Event::Endpoint::Enc::DiskNotEncryptedEvent\",\"name\":\"Device is not encrypted.\",\"id\":\"f7c7e65a-a452-429c-9e0a-cdc16c5b50e9\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:23:07.981Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:24:08.662Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"Elon Musk\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Enc::DiskNotEncryptedEvent",
"end": "2022-04-27T13:23:07.981000Z",
"reason": "Device is not encrypted.",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:24:08.662000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "medium"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"Elon Musk"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "Elon Musk"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::DataLossPreventionAutomaticallyAllowed\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\\\Users\\\\XXXXXXXX\\\\Downloads\\\\YYYYYYYYYYYYYYYYY.mp4\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"DATA_LOSS_PREVENTION\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"action": "allow file transfer",
"category": [
"file"
],
"code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
"type": [
"allowed"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"file": {
"directory": "C:\\Users\\XXXXXXXX\\Downloads",
"name": "YYYYYYYYYYYYYYYYY.mp4",
"path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
"size": 559316722
},
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"name": "Multimedia file"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "DATA_LOSS_PREVENTION"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::DataLossPreventionAutomaticallyAllowed\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\\\Users\\\\XXXXXXXX\\\\Downloads\\\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\\\XXXXXXXXXXXXXXX\\\\Documents\\\\Videos\\\\YYYYY.mp4 Destination type: Removable storage\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"DATA_LOSS_PREVENTION\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"action": "allow file transfer",
"category": [
"file"
],
"code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4 Destination type: Removable storage",
"type": [
"allowed"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"file": {
"directory": "C:\\Users\\XXXXXXXX\\Downloads",
"name": "YYYYYYYYYYYYYYYYY.mp4",
"path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
"size": 559316722
},
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"name": "Multimedia file"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"destination": {
"file": {
"path": "D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4"
},
"type": "Removable storage"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "DATA_LOSS_PREVENTION"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Enc::DiskEncryptionInformation\",\"name\":\"Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.\",\"id\":\"55726d81-213b-43b6-be18-48dee3add6f8\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"c0e1e239-8912-4cc9-a6ed-245a964dec10\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:48:48.808Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:48.809Z\",\"duid\":\"62690353b62561118508746f\",\"suser\":\"TESLA\\\\user\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Enc::DiskEncryptionInformation",
"end": "2022-04-27T08:48:48.808000Z",
"reason": "Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T08:48:48.809000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"user"
]
},
"sophos": {
"customer": {
"id": "c0e1e239-8912-4cc9-a6ed-245a964dec10"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"domain": "TESLA",
"id": "62690353b62561118508746f",
"name": "user"
}
}
{
"message": "{\"severity\":\"medium\",\"type\":\"Event::Endpoint::Denc::EncryptionSuspendedEvent\",\"name\":\"Device Encryption is suspended\",\"id\":\"80130549-e09e-46d3-ab98-919fbd625884\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:47:16.490Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:19.320Z\",\"duid\":\"624aabf253f2e60fda590556\",\"suser\":\"TESLA\\\\admin\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Denc::EncryptionSuspendedEvent",
"end": "2022-04-27T08:47:16.490000Z",
"reason": "Device Encryption is suspended",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T08:48:19.320000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "medium"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"domain": "TESLA",
"id": "624aabf253f2e60fda590556",
"name": "admin"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::HmpaExploitPrevented\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"'CodeCave' exploit prevented in Essential Objects Worker Process\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"RUNTIME_DETECTIONS\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"category": [
"file"
],
"code": "Event::Endpoint::HmpaExploitPrevented",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "'CodeCave' exploit prevented in Essential Objects Worker Process",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "RUNTIME_DETECTIONS"
},
"threat": {
"name": "CodeCave"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Enc::Recovery::KeyReceived\",\"name\":\"A BitLocker recovery key has been received from: DESKTOP-1234.\",\"id\":\"c8e0b5c9-69d0-4885-8964-5cefaa8ef13e\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:22:08.749Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:22:13.565Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Enc::Recovery::KeyReceived",
"end": "2022-04-27T13:22:08.749000Z",
"reason": "A BitLocker recovery key has been received from: DESKTOP-1234.",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:22:13.565000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin tech"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "admin tech"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Denc::OutlookPluginEnabledEvent\",\"name\":\"Outlook add-in is enabled\",\"id\":\"37d8c083-2342-4e88-9da6-4f47e3143c9d\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:22:06.909Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:22:13.226Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Denc::OutlookPluginEnabledEvent",
"end": "2022-04-27T13:22:06.909000Z",
"reason": "Outlook add-in is enabled",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:22:13.226000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin tech"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "admin tech"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::CorePuaDetection\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"PUA detected: 'Rule Generic PUA' at 'C:\\\\Users\\\\XXXXXXXXXX\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempc'\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"PUA\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"action": "detected",
"category": [
"file"
],
"code": "Event::Endpoint::CorePuaDetection",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "PUA detected: 'Rule Generic PUA' at 'C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc'",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"file": {
"directory": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp",
"name": "tempc",
"path": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc"
},
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"name": "Rule Generic PUA"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "PUA"
}
}
}
{
"message": "{\"appSha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"source_info\": {\"ip\": \"1.2.3.4\"}, \"customer_id\": \"d9b11461-9678-4448-ab88-4b5211d2bf5e\", \"endpoint_id\": \"61092e0b-b6f5-46c5-b0a7-68ee3b2dc822\", \"endpoint_type\": \"computer\", \"threat\": \"Generic Reputation PUA\", \"origin\": \"ML\", \"type\": \"Event::Endpoint::CorePuaDetection\", \"id\": \"c39307f6-0c51-4a55-af23-f2ac7905416d\", \"group\": \"PUA\", \"rt\": \"2023-08-07T21:55:28.843Z\", \"severity\": \"medium\", \"duid\": \"63ed3118d043e176065be9ba\", \"end\": \"2023-08-07T21:55:27.508Z\", \"name\": \"PUA detected: 'Generic Reputation PUA' at 'C:\\\\Users\\\\John Doe\\\\Documents\\\\suspicious.zip'\", \"dhost\": \"LAPTOP-01\", \"suser\": \"LAPTOP-01\\\\John Doe\"}",
"event": {
"action": "detected",
"category": [
"file"
],
"code": "Event::Endpoint::CorePuaDetection",
"end": "2023-08-07T21:55:27.508000Z",
"reason": "PUA detected: 'Generic Reputation PUA' at 'C:\\Users\\John Doe\\Documents\\suspicious.zip'",
"type": [
"info"
]
},
"@timestamp": "2023-08-07T21:55:28.843000Z",
"file": {
"directory": "C:\\Users\\John Doe\\Documents",
"hash": {
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
},
"name": "suspicious.zip",
"path": "C:\\Users\\John Doe\\Documents\\suspicious.zip"
},
"host": {
"hostname": "LAPTOP-01",
"name": "LAPTOP-01"
},
"log": {
"level": "medium"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hash": [
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
],
"hosts": [
"LAPTOP-01"
],
"ip": [
"1.2.3.4"
],
"user": [
"John Doe"
]
},
"rule": {
"name": "Generic Reputation PUA"
},
"sophos": {
"customer": {
"id": "d9b11461-9678-4448-ab88-4b5211d2bf5e"
},
"endpoint": {
"id": "61092e0b-b6f5-46c5-b0a7-68ee3b2dc822",
"type": "computer"
},
"event": {
"group": "PUA"
}
},
"user": {
"domain": "LAPTOP-01",
"id": "63ed3118d043e176065be9ba",
"name": "John Doe"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Registered\",\"name\":\"New computer registered: DESKTOP-1234\",\"id\":\"b3c9c053-6037-469d-9bee-49d39f7932d0\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:17:10.188Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:17:10.197Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}",
"event": {
"category": [
"iam"
],
"code": "Event::Endpoint::Registered",
"end": "2022-04-27T13:17:10.188000Z",
"reason": "New computer registered: DESKTOP-1234",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:17:10.197000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin tech"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "PROTECTION"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "admin tech"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::SavScanComplete\",\"name\":\"Scan 'Sophos Cloud Scheduled Scan' completed\",\"id\":\"fca84bd1-44df-4c30-ab79-103b971e714a\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:59:59.000Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T09:00:03.548Z\",\"duid\":\"611cda48cf87290e90dfc1d1\",\"suser\":\"Elon Musk\"}",
"event": {
"category": [
"iam"
],
"code": "Event::Endpoint::SavScanComplete",
"end": "2022-04-27T08:59:59Z",
"reason": "Scan 'Sophos Cloud Scheduled Scan' completed",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T09:00:03.548000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"Elon Musk"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "PROTECTION"
}
},
"user": {
"id": "611cda48cf87290e90dfc1d1",
"name": "Elon Musk"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateFailure\",\"endpoint_type\":\"server\",\"endpoint_id\":\"350e274b-777f-4b67-b34b-10d17a6c6193\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.\",\"id\":\"f68abcb6-c87f-46ae-a82a-7919bf313a66\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T07:41:03.101Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T07:41:03.118Z\",\"dhost\":\"DESKTOP-1234\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::UpdateFailure",
"end": "2022-04-25T07:41:03.101000Z",
"reason": "Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T07:41:03.118000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "350e274b-777f-4b67-b34b-10d17a6c6193",
"type": "server"
},
"event": {
"group": "UPDATING"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateRebootRequired\",\"endpoint_type\":\"server\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Reboot to complete update; computer stays protected in the meantime\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::UpdateRebootRequired",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "Reboot to complete update; computer stays protected in the meantime",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "server"
},
"event": {
"group": "UPDATING"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateSuccess\",\"endpoint_type\":\"server\",\"endpoint_id\":\"2ddff78e-27a1-40ff-8478-6c9be62e3b29\",\"source_info\":{\"ip\":\"4.5.6.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Update succeeded\",\"id\":\"a4c6776e-2f47-4bea-b5b3-7f1914c03a70\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T04:57:09.886Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T04:57:09.900Z\",\"dhost\":\"ACLOUD-2K22\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::UpdateSuccess",
"end": "2022-04-25T04:57:09.886000Z",
"reason": "Update succeeded",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T04:57:09.900000Z",
"host": {
"hostname": "ACLOUD-2K22",
"name": "ACLOUD-2K22"
},
"log": {
"level": "low"
},
"observer": {
"ip": "4.5.6.7"
},
"related": {
"hosts": [
"ACLOUD-2K22"
],
"ip": [
"4.5.6.7"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "2ddff78e-27a1-40ff-8478-6c9be62e3b29",
"type": "server"
},
"event": {
"group": "UPDATING"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UserAutoCreated\",\"name\":\"New user added automatically: TESLA\\\\e.musk\",\"id\":\"1498e255-e9c1-4835-b0b9-8ae7b44ae6f7\",\"source_info\":{\"ip\":\"1.3.3.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:48:19.449Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:19.456Z\",\"duid\":\"62690353b62561118508746f\",\"suser\":\"TESLA\\\\e.musk\"}",
"event": {
"category": [
"iam"
],
"code": "Event::Endpoint::UserAutoCreated",
"end": "2022-04-27T08:48:19.449000Z",
"reason": "New user added automatically: TESLA\\e.musk",
"type": [
"creation"
]
},
"@timestamp": "2022-04-27T08:48:19.456000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.3.3.7"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.3.3.7"
],
"user": [
"e.musk"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"type": "computer"
},
"event": {
"group": "PROTECTION"
}
},
"user": {
"domain": "TESLA",
"id": "62690353b62561118508746f",
"name": "e.musk"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::WebFilteringBlocked\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"3205420f-f05c-4f03-bb10-3ff6bf97b6ab\",\"source_info\":{\"ip\":\"1.3.3.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Access was blocked to \\\"www.malicious-site.com\\\" because of \\\"Rulename\\\".\",\"id\":\"a91e11e2-1739-4f01-bf33-2dfd165e5ca3\",\"group\":\"WEB\",\"datastream\":\"event\",\"end\":\"2022-04-25T09:35:54.000Z\",\"suser\":\"Elon Musk\",\"rt\":\"2022-04-25T09:35:55.764Z\",\"duid\":\"615ff633eae9110e824c07b7\",\"dhost\":\"TESLA-SUPPORT\"}",
"event": {
"category": [
"network"
],
"code": "Event::Endpoint::WebFilteringBlocked",
"end": "2022-04-25T09:35:54Z",
"reason": "Access was blocked to \"www.malicious-site.com\" because of \"Rulename\".",
"type": [
"denied"
]
},
"@timestamp": "2022-04-25T09:35:55.764000Z",
"host": {
"hostname": "TESLA-SUPPORT",
"name": "TESLA-SUPPORT"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.3.3.7"
},
"related": {
"hosts": [
"TESLA-SUPPORT"
],
"ip": [
"1.3.3.7"
],
"user": [
"Elon Musk"
]
},
"rule": {
"name": "Rulename"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "3205420f-f05c-4f03-bb10-3ff6bf97b6ab",
"type": "computer"
},
"event": {
"group": "WEB"
}
},
"url": {
"original": "www.malicious-site.com",
"path": "www.malicious-site.com"
},
"user": {
"id": "615ff633eae9110e824c07b7",
"name": "Elon Musk"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.code |
keyword |
Identification code for this event. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.hash.sha256 |
keyword |
SHA256 hash. |
file.path |
keyword |
Full path to the file, including the file name. |
file.size |
long |
File size in bytes. |
host.hostname |
keyword |
Hostname of the host. |
host.name |
keyword |
Name of the host. |
log.level |
keyword |
Log level of the log event. |
observer.ip |
ip |
IP addresses of the observer. |
process.title |
keyword |
Process title. |
rule.name |
keyword |
Rule name |
sophos.customer.id |
keyword |
The identifier of the customer |
sophos.destination.file.path |
keyword |
The path of a destination transfert |
sophos.destination.type |
keyword |
The type of a destination transfert |
sophos.endpoint.id |
keyword |
The identifier of the endpoint |
sophos.endpoint.type |
keyword |
The type of the endpoint |
sophos.event.group |
keyword |
The family of the event |
sophos.threat.name |
keyword |
The name of the detected threat |
url.original |
wildcard |
Unmodified original url as seen in the event source. |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.id |
keyword |
Unique identifier of the user. |
user.name |
keyword |
Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.