# Sophos EDR Integration

**Step-1 :** Download/clone the Sophos Central SIEM integration package

Confirm that Python 3 is installed:

`python3 --version`

Clone the integration repository and create the config file from the supplied sample:

`git clone -b master https://github.com/sophos/Sophos-Central-SIEM-Integration.git`

`cd Sophos-Central-SIEM-Integration/`

`cp config.ini.sample config.ini`

`vi config.ini`

Add the client ID, client secret and tenant ID for your Sophos Central tenant to `config.ini` and save it.

Run `siem.py`:

`python3 siem.py`

You should now see the traffic as events are pulled from Sophos Central.

Now go to the log directory and check the output file, `result.txt`:

`cd Sophos-Central-SIEM-Integration/log`

`tail result.txt`

**Step-2 :** Create sophos-siem.service

`cd /etc/systemd/system`

`sudo cp any.service sophos-siem.service` (copy any existing unit file as a starting point; its content is replaced below)

Open `sophos-siem.service` with `vi` and paste the following content into the file:

```ini
[Unit]
Description=SIEM_Collector
After=network.target

[Service]
User=blusapphire
WorkingDirectory=/home/blusapphire/Sophos-Central-SIEM-Integration
# ExecStart needs absolute paths; systemd does not resolve them against $PATH or WorkingDirectory
ExecStart=/usr/bin/python3 /home/blusapphire/Sophos-Central-SIEM-Integration/siem.py
RemainAfterExit=no
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target
```

After saving the unit file, reload systemd (`systemctl daemon-reload`) so it reads the new unit, then check, enable and start the service:

`systemctl status sophos-siem.service`

`systemctl enable sophos-siem.service`

`systemctl start sophos-siem.service`

**Step-3 :** Add a logrotate configuration and a crontab entry for sophos

Create the logrotate configuration:

`cd /etc/logrotate.d`

Open `sophos` with `nano`, paste the following content into the file and save it:

```
/home/blusapphire/Sophos-Central-SIEM-Integration/log/result.txt {
    size 10M
    rotate 5
    compress
    delaycompress
    missingok
    notifempty
}
```

Test the configuration in debug mode (`-d` only reports what logrotate would do and rotates nothing):

`sudo logrotate -d /etc/logrotate.d/sophos`

Open root's crontab with `sudo crontab -e`, add the entries below and save it:

```
10 * * * * /usr/bin/python3 /opt/bin/threatintel_cache.py
0 * * * * /usr/sbin/logrotate /etc/logrotate.d/sophos
```

The scheduled entry runs logrotate without `-d` and with its absolute path, because cron's PATH does not include `/usr/sbin` and a `-d` run would never rotate the file. Check the configuration once more with:

`logrotate -d /etc/logrotate.d/sophos`
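Once the collector runs as a service and `result.txt` is rotated, the check worth running routinely is that `result.txt` is still being appended to and still parses: a stale file under an active service usually means the API calls are failing rather than that the estate is quiet. The script below is an added example written for this page, not code from the Sophos-Central-SIEM-Integration project. It reads `result.txt` as JSON lines (which assumes `siem.py` is configured to write JSON, one event per line, as in Step-1), counts events by severity, checks the file's age and lists the rotated copies produced by the logrotate configuration in Step-3. The log directory, the 15-minute freshness threshold, and the sample events with their field names and values are assumptions constructed for the example.

```python
"""Health check for the siem.py collector output (added example, not project code)."""
import json
import os
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

# Constructed sample events in the JSON-lines shape assumed for log/result.txt;
# hosts, names, types and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"created_at": "2024-05-01T08:00:00.000Z", "severity": "high",
     "type": "Event::Endpoint::Threat::Detected", "name": "Malware detected on host-01"},
    {"created_at": "2024-05-01T08:05:00.000Z", "severity": "medium",
     "type": "Event::Endpoint::UpdateFailure", "name": "Update failed on host-02"},
    {"created_at": "2024-05-01T08:06:00.000Z", "severity": "low",
     "type": "Event::Endpoint::UpdateSuccess", "name": "Update succeeded on host-02"},
    {"created_at": "2024-05-01T08:10:00.000Z", "severity": "high",
     "type": "Event::Endpoint::Threat::CleanedUp", "name": "Malware cleaned on host-01"},
]
SAMPLE_MTIME = 1_700_000_000  # fixed mtime so the freshness check is reproducible
ROTATED_RE = re.compile(r"^result\.txt\.\d+(\.gz)?$")  # result.txt.1, result.txt.2.gz, ...


def load_events(path):
    """Parse a JSON-lines file and return (events, bad_lines).

    Unparseable lines are counted rather than raised: a rotation or a
    collector restart can leave a truncated trailing line behind.
    """
    events, bad = [], 0
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            try:
                obj = json.loads(line)
            except json.JSONDecodeError:
                bad += 1
                continue
            if isinstance(obj, dict):
                events.append(obj)
            else:
                bad += 1
    return events, bad


def severity_counts(events):
    """Events per severity; a missing field is reported as 'unknown'."""
    return dict(Counter(str(e.get("severity", "unknown")).lower() for e in events))


def is_fresh(path, max_age_s=900, now=None):
    """True when the file was modified within max_age_s seconds of `now` (15 min assumed)."""
    if now is None:
        now = time.time()
    return (now - os.path.getmtime(path)) <= max_age_s


def rotated_files(log_dir):
    """Rotated copies in numeric order, so a missing rotation is visible."""
    names = [p.name for p in Path(log_dir).iterdir() if ROTATED_RE.match(p.name)]
    return sorted(names, key=lambda n: int(n.split(".")[2]))


def health_report(log_dir, max_age_s=900, now=None):
    """Combine the checks into one dict a monitoring job can evaluate."""
    result = Path(log_dir) / "result.txt"
    if not result.is_file():
        return {"ok": False, "reason": "result.txt missing"}
    events, bad = load_events(result)
    fresh = is_fresh(result, max_age_s, now)
    return {
        "ok": fresh and len(events) > 0,
        "fresh": fresh,
        "events": len(events),
        "bad_lines": bad,
        "severity": severity_counts(events),
        "rotated": rotated_files(log_dir),
    }


def make_demo_dir():
    """Write the constructed sample output (plus one truncated line and two
    rotated copies) into a temporary log directory and return its path."""
    log_dir = Path(tempfile.mkdtemp(prefix="sophos-demo-"))
    result = log_dir / "result.txt"
    lines = [json.dumps(e) for e in SAMPLE_EVENTS] + ['{"created_at": "2024-05-01T08:11']
    result.write_text("\n".join(lines) + "\n", encoding="utf-8")
    os.utime(result, (SAMPLE_MTIME, SAMPLE_MTIME))
    (log_dir / "result.txt.1").write_text(json.dumps(SAMPLE_EVENTS[0]) + "\n", encoding="utf-8")
    (log_dir / "result.txt.2.gz").write_bytes(b"")  # stands in for a compressed rotation
    return str(log_dir)


if __name__ == "__main__":
    # On a real host point log_dir at .../Sophos-Central-SIEM-Integration/log instead.
    print(json.dumps(health_report(make_demo_dir(), now=SAMPLE_MTIME + 60), indent=2))
```

On the collector host, call `health_report("/home/blusapphire/Sophos-Central-SIEM-Integration/log")` from a cron job or a monitoring agent and alert when `ok` is false. If `rotated` stays empty while `result.txt` grows past 10M, the cron entry is probably still running logrotate with `-d`; if rotated copies do appear but the collector keeps writing into the renamed file, it is holding the file open and logrotate's `copytruncate` option is the usual fix.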

**Step-4 :** Now create a Logstash script directory for sophos-edr

`cd /opt/gc/scripts/`

`cp -r any_script sophos-edr` (copy an existing script directory as a template)

`cd sophos-edr`

`cd config`

Check the `jvm.options`, `pipeline.yml` and `logstash.yml` files and adjust them for sophos-edr.

`cd pipelines`

Check the input and output pipeline files and adjust them for sophos-edr.

Create the systemd unit for it in the same way as in Step-2:

`cd /etc/systemd/system/`

`sudo cp any.service sophos-edr.service`

Edit `sophos-edr.service` accordingly (user, working directory and `ExecStart` for the sophos-edr script), then check, enable and start it:

`sudo systemctl status sophos-edr.service`

`systemctl enable sophos-edr.service`

`systemctl start sophos-edr.service`
