Sophos EDR
Overview
Sophos EDR monitors, detects and mitigates threats on endpoints. This EDR reduces the attack surface and prevent attacks from running with an anti-exploit, an anti-ransomware and advanced control technology.
This setup guide shows how to forward events produced by Sophos EDR to Sekoia.io.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Sophos EDR. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Sophos EDR on ATT&CK Navigator
Account Added To A Security Enabled Group
Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)
- Effort: master
CVE-2020-0688 Microsoft Exchange Server Exploit
Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.
- Effort: elementary
CVE-2020-17530 Apache Struts RCE
Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).
- Effort: intermediate
CVE-2021-20021 SonicWall Unauthenticated Administrator Access
Detects the exploitation of SonicWall Unauthenticated Admin Access.
- Effort: advanced
CVE-2021-20023 SonicWall Arbitrary File Read
Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.
- Effort: advanced
CVE-2021-22893 Pulse Connect Secure RCE Vulnerability
Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.
- Effort: intermediate
Computer Account Deleted
Detects computer account deletion.
- Effort: master
Cron Files Alteration
Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
- Effort: advanced
Detect requests to Konni C2 servers
This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.
- Effort: elementary
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.
- Effort: advanced
Download Files From Suspicious TLDs
Detects download of certain file types from hosts in suspicious TLDs
- Effort: master
Koadic MSHTML Command
Detects Koadic payload using MSHTML module
- Effort: intermediate
Package Manager Alteration
Package manager (eg: apt, yum) can be altered to install malicious software
- Effort: advanced
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
Possible Malicious File Double Extension
Detects request to potential malicious file with double extension
- Effort: elementary
Possible Replay Attack
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
- Effort: intermediate
ProxyShell Microsoft Exchange Suspicious Paths
Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
SSH Authorized Key Alteration
The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.
- Effort: advanced
Sophos EDR Application Blocked
Sophos EDR detected a potentially malicious application and blocked it.
- Effort: master
Sophos EDR Application Detected
Sophos EDR detected a potentially malicious application.
- Effort: master
Sophos EDR CorePUA Clean
Sophos EDR detected a potentially unwanted application and cleaned it.
- Effort: master
Sophos EDR CorePUA Detection
Sophos EDR detected a potentially unwanted application.
- Effort: master
Suspicious URI Used In A Lazarus Campaign
Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.
- Effort: intermediate
User Account Created
Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
File monitoring |
Monitor files and devices activities |
Process monitoring |
Monitor process activities |
Process use of network |
Monitor network activities |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | file, iam, network, process |
| Type | info |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Application::Blocked\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Controlled application blocked: Google Software Reporter Tool (Security tool)\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"APPLICATION_CONTROL\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"category": [
"file"
],
"code": "Event::Endpoint::Application::Blocked",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "Controlled application blocked: Google Software Reporter Tool (Security tool)",
"type": [
"denied"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"process": {
"title": "Google Software Reporter Tool (Security tool)"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "APPLICATION_CONTROL"
}
}
}
{
"message": "{\"severity\":\"medium\",\"type\":\"Event::Endpoint::Enc::DiskNotEncryptedEvent\",\"name\":\"Device is not encrypted.\",\"id\":\"f7c7e65a-a452-429c-9e0a-cdc16c5b50e9\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:23:07.981Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:24:08.662Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"Elon Musk\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Enc::DiskNotEncryptedEvent",
"end": "2022-04-27T13:23:07.981000Z",
"reason": "Device is not encrypted.",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:24:08.662000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "medium"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"Elon Musk"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "Elon Musk"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::DataLossPreventionAutomaticallyAllowed\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\\\Users\\\\XXXXXXXX\\\\Downloads\\\\YYYYYYYYYYYYYYYYY.mp4\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"DATA_LOSS_PREVENTION\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"action": "allow file transfer",
"category": [
"file"
],
"code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
"type": [
"allowed"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"file": {
"directory": "C:\\Users\\XXXXXXXX\\Downloads",
"name": "YYYYYYYYYYYYYYYYY.mp4",
"path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
"size": 559316722
},
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"name": "Multimedia file"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "DATA_LOSS_PREVENTION"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::DataLossPreventionAutomaticallyAllowed\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\\\Users\\\\XXXXXXXX\\\\Downloads\\\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\\\XXXXXXXXXXXXXXX\\\\Documents\\\\Videos\\\\YYYYY.mp4 Destination type: Removable storage\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"DATA_LOSS_PREVENTION\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"action": "allow file transfer",
"category": [
"file"
],
"code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4 Destination type: Removable storage",
"type": [
"allowed"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"file": {
"directory": "C:\\Users\\XXXXXXXX\\Downloads",
"name": "YYYYYYYYYYYYYYYYY.mp4",
"path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
"size": 559316722
},
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"name": "Multimedia file"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"destination": {
"file": {
"path": "D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4"
},
"type": "Removable storage"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "DATA_LOSS_PREVENTION"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Enc::DiskEncryptionInformation\",\"name\":\"Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.\",\"id\":\"55726d81-213b-43b6-be18-48dee3add6f8\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"c0e1e239-8912-4cc9-a6ed-245a964dec10\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:48:48.808Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:48.809Z\",\"duid\":\"62690353b62561118508746f\",\"suser\":\"TESLA\\\\user\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Enc::DiskEncryptionInformation",
"end": "2022-04-27T08:48:48.808000Z",
"reason": "Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T08:48:48.809000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"user"
]
},
"sophos": {
"customer": {
"id": "c0e1e239-8912-4cc9-a6ed-245a964dec10"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"domain": "TESLA",
"id": "62690353b62561118508746f",
"name": "user"
}
}
{
"message": "{\"severity\":\"medium\",\"type\":\"Event::Endpoint::Denc::EncryptionSuspendedEvent\",\"name\":\"Device Encryption is suspended\",\"id\":\"80130549-e09e-46d3-ab98-919fbd625884\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:47:16.490Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:19.320Z\",\"duid\":\"624aabf253f2e60fda590556\",\"suser\":\"TESLA\\\\admin\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Denc::EncryptionSuspendedEvent",
"end": "2022-04-27T08:47:16.490000Z",
"reason": "Device Encryption is suspended",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T08:48:19.320000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "medium"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"domain": "TESLA",
"id": "624aabf253f2e60fda590556",
"name": "admin"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::HmpaExploitPrevented\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"'CodeCave' exploit prevented in Essential Objects Worker Process\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"RUNTIME_DETECTIONS\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"category": [
"file"
],
"code": "Event::Endpoint::HmpaExploitPrevented",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "'CodeCave' exploit prevented in Essential Objects Worker Process",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "RUNTIME_DETECTIONS"
},
"threat": {
"name": "CodeCave"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Enc::Recovery::KeyReceived\",\"name\":\"A BitLocker recovery key has been received from: DESKTOP-1234.\",\"id\":\"c8e0b5c9-69d0-4885-8964-5cefaa8ef13e\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:22:08.749Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:22:13.565Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Enc::Recovery::KeyReceived",
"end": "2022-04-27T13:22:08.749000Z",
"reason": "A BitLocker recovery key has been received from: DESKTOP-1234.",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:22:13.565000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin tech"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "admin tech"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Denc::OutlookPluginEnabledEvent\",\"name\":\"Outlook add-in is enabled\",\"id\":\"37d8c083-2342-4e88-9da6-4f47e3143c9d\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:22:06.909Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:22:13.226Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::Denc::OutlookPluginEnabledEvent",
"end": "2022-04-27T13:22:06.909000Z",
"reason": "Outlook add-in is enabled",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:22:13.226000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin tech"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "DENC"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "admin tech"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::CorePuaDetection\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"PUA detected: 'Rule Generic PUA' at 'C:\\\\Users\\\\XXXXXXXXXX\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempc'\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"PUA\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"action": "detected",
"category": [
"file"
],
"code": "Event::Endpoint::CorePuaDetection",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "PUA detected: 'Rule Generic PUA' at 'C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc'",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"file": {
"directory": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp",
"name": "tempc",
"path": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc"
},
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"rule": {
"name": "Rule Generic PUA"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "computer"
},
"event": {
"group": "PUA"
}
}
}
{
"message": "{\"appSha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"source_info\": {\"ip\": \"1.2.3.4\"}, \"customer_id\": \"d9b11461-9678-4448-ab88-4b5211d2bf5e\", \"endpoint_id\": \"61092e0b-b6f5-46c5-b0a7-68ee3b2dc822\", \"endpoint_type\": \"computer\", \"threat\": \"Generic Reputation PUA\", \"origin\": \"ML\", \"type\": \"Event::Endpoint::CorePuaDetection\", \"id\": \"c39307f6-0c51-4a55-af23-f2ac7905416d\", \"group\": \"PUA\", \"rt\": \"2023-08-07T21:55:28.843Z\", \"severity\": \"medium\", \"duid\": \"63ed3118d043e176065be9ba\", \"end\": \"2023-08-07T21:55:27.508Z\", \"name\": \"PUA detected: 'Generic Reputation PUA' at 'C:\\\\Users\\\\John Doe\\\\Documents\\\\suspicious.zip'\", \"dhost\": \"LAPTOP-01\", \"suser\": \"LAPTOP-01\\\\John Doe\"}",
"event": {
"action": "detected",
"category": [
"file"
],
"code": "Event::Endpoint::CorePuaDetection",
"end": "2023-08-07T21:55:27.508000Z",
"reason": "PUA detected: 'Generic Reputation PUA' at 'C:\\Users\\John Doe\\Documents\\suspicious.zip'",
"type": [
"info"
]
},
"@timestamp": "2023-08-07T21:55:28.843000Z",
"file": {
"directory": "C:\\Users\\John Doe\\Documents",
"hash": {
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
},
"name": "suspicious.zip",
"path": "C:\\Users\\John Doe\\Documents\\suspicious.zip"
},
"host": {
"hostname": "LAPTOP-01",
"name": "LAPTOP-01"
},
"log": {
"level": "medium"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hash": [
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
],
"hosts": [
"LAPTOP-01"
],
"ip": [
"1.2.3.4"
],
"user": [
"John Doe"
]
},
"rule": {
"name": "Generic Reputation PUA"
},
"sophos": {
"customer": {
"id": "d9b11461-9678-4448-ab88-4b5211d2bf5e"
},
"endpoint": {
"id": "61092e0b-b6f5-46c5-b0a7-68ee3b2dc822",
"type": "computer"
},
"event": {
"group": "PUA"
}
},
"user": {
"domain": "LAPTOP-01",
"id": "63ed3118d043e176065be9ba",
"name": "John Doe"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Registered\",\"name\":\"New computer registered: DESKTOP-1234\",\"id\":\"b3c9c053-6037-469d-9bee-49d39f7932d0\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:17:10.188Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:17:10.197Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}",
"event": {
"category": [
"iam"
],
"code": "Event::Endpoint::Registered",
"end": "2022-04-27T13:17:10.188000Z",
"reason": "New computer registered: DESKTOP-1234",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T13:17:10.197000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin tech"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "PROTECTION"
}
},
"user": {
"id": "574fcff42ead810f5e43b0fc",
"name": "admin tech"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::SavScanComplete\",\"name\":\"Scan 'Sophos Cloud Scheduled Scan' completed\",\"id\":\"fca84bd1-44df-4c30-ab79-103b971e714a\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:59:59.000Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T09:00:03.548Z\",\"duid\":\"611cda48cf87290e90dfc1d1\",\"suser\":\"Elon Musk\"}",
"event": {
"category": [
"iam"
],
"code": "Event::Endpoint::SavScanComplete",
"end": "2022-04-27T08:59:59Z",
"reason": "Scan 'Sophos Cloud Scheduled Scan' completed",
"type": [
"info"
]
},
"@timestamp": "2022-04-27T09:00:03.548000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
],
"user": [
"Elon Musk"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "92d4ef41-9c13-4041-bbed-952011796812",
"type": "computer"
},
"event": {
"group": "PROTECTION"
}
},
"user": {
"id": "611cda48cf87290e90dfc1d1",
"name": "Elon Musk"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateFailure\",\"endpoint_type\":\"server\",\"endpoint_id\":\"350e274b-777f-4b67-b34b-10d17a6c6193\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.\",\"id\":\"f68abcb6-c87f-46ae-a82a-7919bf313a66\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T07:41:03.101Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T07:41:03.118Z\",\"dhost\":\"DESKTOP-1234\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::UpdateFailure",
"end": "2022-04-25T07:41:03.101000Z",
"reason": "Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T07:41:03.118000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "350e274b-777f-4b67-b34b-10d17a6c6193",
"type": "server"
},
"event": {
"group": "UPDATING"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateRebootRequired\",\"endpoint_type\":\"server\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Reboot to complete update; computer stays protected in the meantime\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::UpdateRebootRequired",
"end": "2022-04-25T03:15:31.760000Z",
"reason": "Reboot to complete update; computer stays protected in the meantime",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T03:15:31.777000Z",
"host": {
"hostname": "DOMAIN-1234",
"name": "DOMAIN-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hosts": [
"DOMAIN-1234"
],
"ip": [
"1.2.3.4"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "5da7691b-cc01-4330-bb8b-358362c3a5f1",
"type": "server"
},
"event": {
"group": "UPDATING"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateSuccess\",\"endpoint_type\":\"server\",\"endpoint_id\":\"2ddff78e-27a1-40ff-8478-6c9be62e3b29\",\"source_info\":{\"ip\":\"4.5.6.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Update succeeded\",\"id\":\"a4c6776e-2f47-4bea-b5b3-7f1914c03a70\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T04:57:09.886Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T04:57:09.900Z\",\"dhost\":\"ACLOUD-2K22\"}",
"event": {
"category": [
"file",
"process"
],
"code": "Event::Endpoint::UpdateSuccess",
"end": "2022-04-25T04:57:09.886000Z",
"reason": "Update succeeded",
"type": [
"info"
]
},
"@timestamp": "2022-04-25T04:57:09.900000Z",
"host": {
"hostname": "ACLOUD-2K22",
"name": "ACLOUD-2K22"
},
"log": {
"level": "low"
},
"observer": {
"ip": "4.5.6.7"
},
"related": {
"hosts": [
"ACLOUD-2K22"
],
"ip": [
"4.5.6.7"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "2ddff78e-27a1-40ff-8478-6c9be62e3b29",
"type": "server"
},
"event": {
"group": "UPDATING"
}
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UserAutoCreated\",\"name\":\"New user added automatically: TESLA\\\\e.musk\",\"id\":\"1498e255-e9c1-4835-b0b9-8ae7b44ae6f7\",\"source_info\":{\"ip\":\"1.3.3.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:48:19.449Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:19.456Z\",\"duid\":\"62690353b62561118508746f\",\"suser\":\"TESLA\\\\e.musk\"}",
"event": {
"category": [
"iam"
],
"code": "Event::Endpoint::UserAutoCreated",
"end": "2022-04-27T08:48:19.449000Z",
"reason": "New user added automatically: TESLA\\e.musk",
"type": [
"creation"
]
},
"@timestamp": "2022-04-27T08:48:19.456000Z",
"host": {
"hostname": "DESKTOP-1234",
"name": "DESKTOP-1234"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.3.3.7"
},
"related": {
"hosts": [
"DESKTOP-1234"
],
"ip": [
"1.3.3.7"
],
"user": [
"e.musk"
]
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b",
"type": "computer"
},
"event": {
"group": "PROTECTION"
}
},
"user": {
"domain": "TESLA",
"id": "62690353b62561118508746f",
"name": "e.musk"
}
}
{
"message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::WebFilteringBlocked\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"3205420f-f05c-4f03-bb10-3ff6bf97b6ab\",\"source_info\":{\"ip\":\"1.3.3.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Access was blocked to \\\"www.malicious-site.com\\\" because of \\\"Rulename\\\".\",\"id\":\"a91e11e2-1739-4f01-bf33-2dfd165e5ca3\",\"group\":\"WEB\",\"datastream\":\"event\",\"end\":\"2022-04-25T09:35:54.000Z\",\"suser\":\"Elon Musk\",\"rt\":\"2022-04-25T09:35:55.764Z\",\"duid\":\"615ff633eae9110e824c07b7\",\"dhost\":\"TESLA-SUPPORT\"}",
"event": {
"category": [
"network"
],
"code": "Event::Endpoint::WebFilteringBlocked",
"end": "2022-04-25T09:35:54Z",
"reason": "Access was blocked to \"www.malicious-site.com\" because of \"Rulename\".",
"type": [
"denied"
]
},
"@timestamp": "2022-04-25T09:35:55.764000Z",
"host": {
"hostname": "TESLA-SUPPORT",
"name": "TESLA-SUPPORT"
},
"log": {
"level": "low"
},
"observer": {
"ip": "1.3.3.7"
},
"related": {
"hosts": [
"TESLA-SUPPORT"
],
"ip": [
"1.3.3.7"
],
"user": [
"Elon Musk"
]
},
"rule": {
"name": "Rulename"
},
"sophos": {
"customer": {
"id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b"
},
"endpoint": {
"id": "3205420f-f05c-4f03-bb10-3ff6bf97b6ab",
"type": "computer"
},
"event": {
"group": "WEB"
}
},
"url": {
"original": "www.malicious-site.com",
"path": "www.malicious-site.com"
},
"user": {
"id": "615ff633eae9110e824c07b7",
"name": "Elon Musk"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.code |
keyword |
Identification code for this event. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.hash.sha256 |
keyword |
SHA256 hash. |
file.path |
keyword |
Full path to the file, including the file name. |
file.size |
long |
File size in bytes. |
host.hostname |
keyword |
Hostname of the host. |
host.name |
keyword |
Name of the host. |
log.level |
keyword |
Log level of the log event. |
observer.ip |
ip |
IP addresses of the observer. |
process.title |
keyword |
Process title. |
rule.name |
keyword |
Rule name |
sophos.customer.id |
keyword |
The identifier of the customer |
sophos.destination.file.path |
keyword |
The path of a destination transfert |
sophos.destination.type |
keyword |
The type of a destination transfert |
sophos.endpoint.id |
keyword |
The identifier of the endpoint |
sophos.endpoint.type |
keyword |
The type of the endpoint |
sophos.event.group |
keyword |
The family of the event |
sophos.threat.name |
keyword |
The name of the detected threat |
url.original |
wildcard |
Unmodified original url as seen in the event source. |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.id |
keyword |
Unique identifier of the user. |
user.name |
keyword |
Short name or login of the user. |
Configure
Create SOPHOS EDR Credentials
Warning
If you have a "Partner" or "Organization" entity, you need to do the following procedure on every tenant attached to it. Please find more information on the official documentation
In the Sophos Central Admin console:
- On the left panel, go to
Global Settingsand selectAPI Credentials Management. - Click on
Add Credentialto create a credential dedicated to Sekoia.io. - Give it a name, select the role
Service Principal ReadOnlyand click onAdd. - In the
API credential Summary, copy theClient IDand theClient Secret. It will be used later in Sekoia.io to retrieve the events.
Create the intake
- Go to the Intake page and create a new
Sophos EDRintake. - Copy the associated Intake key
Pull events
- Go to the Playbook page.
- Click on
+ PLAYBOOKand chooseCreate a playbook from scratch. - Give it a name and a description and click on
Next. - In
Choose a trigger, select the Get Sophos events. - Click on the
Get Sophos eventsmodule on the right sidebar and in theModule Configurationsection, selectCreate new configuration. -
Write a
nameand paste theclient_idandclient_secretfrom the Sophos console and click onSave.Info
- If you want to change the region with your own region, you can find your region via protect devices field, first click on Protect Devices, Then copy link of any download links and finally Check the region that appears as part of the URL.
- No need to change the Oauth2 Authorization Url for the moment, as this's the only endpoint to get a JWT token
-
In the
Trigger Configurationsection, click onCreate new configuration. - Write a
name, choose afrequency- Default is60-, paste theintake_keyassociated to yourSophos EDRintake and click onSave. - On the top right corner, start the Playbook. You should see monitoring messages in the
Logssection. - Check on the Events page that the Sophos logs are being received.
