Sophos EDR Integration

Step-1: Download/clone the Sophos package

Check that Python 3 is available:

python3 --version

git clone -b master https://github.com/sophos/Sophos-Central-SIEM-Integration.git

cd Sophos-Central-SIEM-Integration/

cp config.ini.sample config.ini

vi config.ini

Add the client ID, client_secret and tenant ID, then save the file.

Run siem.py:

python3 siem.py

You should see traffic as the script pulls events from Sophos Central.

Now go to the log directory and check the output, which is written to result.txt:

cd Sophos-Central-SIEM-Integration/log

tail result.txt

Step-2: Create sophos-siem.service

cd /etc/systemd/system

sudo cp any.service sophos-siem.service

Edit sophos-siem.service (sudo vi sophos-siem.service) and paste the following content into the file. ExecStart must use an absolute path to the interpreter, which systemd requires:

[Unit]
Description=SIEM_Collector
After=network.target

[Service]
User=blusapphire
WorkingDirectory=/home/blusapphire/Sophos-Central-SIEM-Integration
ExecStart=/usr/bin/python3 siem.py
RemainAfterExit=no
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target

Reload systemd so it picks up the new unit file, then check, enable and start the service:

sudo systemctl daemon-reload

systemctl status sophos-siem.service

sudo systemctl enable sophos-siem.service

sudo systemctl start sophos-siem.service

Step-3: Add logrotate and a crontab entry for the Sophos log

logrotate:

cd /etc/logrotate.d

Run sudo nano sophos, paste the following content into the file, and save it:

/home/blusapphire/Sophos-Central-SIEM-Integration/log/result.txt {
    size 10M
    rotate 5
    compress
    delaycompress
    missingok
    notifempty
}

Test the configuration with a dry run (-d only reports what would be rotated; it does not rotate anything):

sudo logrotate -d /etc/logrotate.d/sophos

Run sudo crontab -e, add the entry for sophos, and save it:

10 * * * * /usr/bin/python3 /opt/bin/threatintel_cache.py

0 * * * * /usr/sbin/logrotate /etc/logrotate.d/sophos

The cron entry runs logrotate without -d so that result.txt is actually rotated every hour. Verify the configuration again with a dry run:

sudo logrotate -d /etc/logrotate.d/sophos
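The following POSIX shell script is an added preflight check for Steps 1 to 3; it is not part of the Sophos-Central-SIEM-Integration project or of this runbook. It assumes the config.ini credential keys are named client_id, client_secret and tenant_id (the names used in the project's sample config) and takes the config, unit, logrotate and log paths as arguments rather than hard-coding the ones above. It checks that the credentials are filled in and that config.ini is readable only by its owner (client_secret is the API credential for the tenant), that ExecStart in the unit uses an absolute path, that the logrotate stanza names the collector's output file, and that no cron entry runs logrotate with -d, which is a dry run.

```shell
#!/bin/sh
# Added preflight check for the collector setup (not Sophos project code).
# Assumptions: config.ini carries client_id, client_secret and tenant_id
# (key names taken from the sample config); all paths are passed as arguments.

# check_config FILE: the three credential keys must be present and non-empty,
# and the file must not be readable by group/others, because client_secret
# is the API credential for the tenant.
check_config() {
    f="$1"
    [ -r "$f" ] || { echo "config: $f is missing or unreadable"; return 1; }
    for key in client_id client_secret tenant_id; do
        # take the value after '=' on the first matching line
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$f" | head -n 1)
        [ -n "$val" ] || { echo "config: $key is not set"; return 1; }
    done
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "config: $f has mode $mode, expected 600"; return 1 ;;
    esac
}

# check_unit FILE: systemd rejects a bare command name in ExecStart, so the
# unit must use an absolute interpreter path such as /usr/bin/python3.
check_unit() {
    cmd=$(sed -n 's/^ExecStart[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$cmd" in
        /*) return 0 ;;
        *)  echo "unit: ExecStart '$cmd' is not an absolute path"; return 1 ;;
    esac
}

# check_logrotate FILE LOG: the rotation stanza must name the collector's
# actual output file, otherwise result.txt grows without bound.
check_logrotate() {
    awk -v p="$2" '$1 == p && $2 == "{" { found = 1 } END { exit !found }' "$1" \
        || { echo "logrotate: $1 does not rotate $2"; return 1; }
}

# check_cron FILE: logrotate -d is a dry run, so a cron entry carrying -d
# reports rotations every hour but never performs one.
check_cron() {
    if grep -E 'logrotate[[:space:]]+(-d|--debug)' "$1" >/dev/null; then
        echo "cron: logrotate runs with -d (dry run); nothing will be rotated"
        return 1
    fi
    return 0
}

# run_all CONFIG UNIT LOGROTATE_CONF LOG: run every check, print the first
# failure, and return 0 only when the whole setup passes. The calling user's
# crontab is read with crontab -l (run with sudo to inspect root's crontab).
run_all() {
    check_config "$1" && check_unit "$2" && check_logrotate "$3" "$4" || return 1
    tmp=$(mktemp)
    crontab -l > "$tmp" 2>/dev/null   # empty file when no crontab exists
    check_cron "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh preflight.sh CONFIG UNIT LOGROTATE_CONF LOG
if [ "$#" -eq 4 ]; then
    run_all "$@" && echo "preflight: all checks passed"
fi
```

After Step-3, run it as sudo sh preflight.sh /home/blusapphire/Sophos-Central-SIEM-Integration/config.ini /etc/systemd/system/sophos-siem.service /etc/logrotate.d/sophos /home/blusapphire/Sophos-Central-SIEM-Integration/log/result.txt; a non-zero exit and the printed reason identify the first failing check.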

Step-4: Now create a script for sophos-edr

cd /opt/gc/scripts/

cp -r any_script sophos-edr

cd sophos-edr

cd config

Check the jvm.options, pipelines.yml and logstash.yml files and change them for this instance accordingly.

cd pipelines

Check the input and output files and change them accordingly.

cd /etc/systemd/system/

sudo cp any.service sophos-edr.service

Edit it for sophos-edr the same way as sophos-siem.service in Step-2, then reload systemd:

sudo systemctl daemon-reload

sudo systemctl status sophos-edr.service

sudo systemctl enable sophos-edr.service

sudo systemctl start sophos-edr.service
