Secure Your Endpoints with Sophos & Logz.io

Endpoint Security insights with Logz.io and Sophos Intercept X: endpoint logs

Intercept X is Sophos’ endpoint security solution, including anti-ransomware, zero-day exploit prevention, plus managed endpoint defense and response. It employs a layered approach reliant on multiple security techniques for endpoint detection and response (EDR).

Those techniques include application lockdown, data loss prevention, web control and malware detection. The goal is to detect misconfigurations and vulnerabilities early, before they can be exploited through vectors such as non-standard ports or malicious software.

Other notable features include deep-learning blocking of potentially unwanted applications (PUAs), lockdown of Office and media applications, credential theft defense, and protection against process privilege escalation.

Intercept X requires no servers to build out; it operates as soon as you install the relevant agent.

Logz.io Cloud SIEM augments Intercept X’s strengths by syncing all the data that Sophos’ solution collects. That makes it easy to correlate and prioritize events. Logz.io Cloud SIEM will automatically parse Sophos Central Cloud logs, then enrich them with security data.

Rules and Dashboards

Logz.io maintains five rules for Sophos Intercept X: suspicious runtime attempt blocked, real-time protection disabled, user browsed a malicious URL, threat detected, and threat cleaned. The first rule fires when Sophos blocks a suspicious file or script from running, which might indicate the file had already infected the host. The second alerts when Sophos real-time protection is shut off, whether by a user or by a program. The third fires when a connection to a suspicious or known malicious URL is blocked, while the fourth and fifth detect a malicious file being downloaded or run, and then deleted.

By default, each of these rules fires on a single incident, though the incident count is configurable. Likewise, the time frame within which multiple incidents must occur is also configurable.
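As an added example (not Logz.io's rule engine or any Sophos code), the following Python script shows how the five rules above can be evaluated with a configurable incident count and time frame: a sliding window per rule and host fires an alert once the threshold is reached. The Sophos event-type strings and the event field names are assumptions about the siem.py JSON output, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Map of Sophos event types to the five rules named on the page. The event-type
# strings are assumptions about siem.py output, not taken from the page.
RULES = {
    "Event::Endpoint::Application::Blocked": "suspicious runtime attempt blocked",
    "Event::Endpoint::SavDisabled": "real-time protection disabled",
    "Event::Endpoint::WebControlViolation": "user browsed a malicious URL",
    "Event::Endpoint::Threat::Detected": "threat detected",
    "Event::Endpoint::Threat::CleanedUp": "threat cleaned",
}

# Constructed sample events (field names are assumptions, not from the page).
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T10:00:00", "host": "wks-01", "type": "Event::Endpoint::Threat::Detected"},
    {"timestamp": "2024-03-01T10:00:05", "host": "wks-01", "type": "Event::Endpoint::Threat::CleanedUp"},
    {"timestamp": "2024-03-01T10:01:00", "host": "wks-02", "type": "Event::Endpoint::SavDisabled"},
    {"timestamp": "2024-03-01T10:01:30", "host": "wks-02", "type": "Event::Endpoint::UpdateSuccess"},
    {"timestamp": "2024-03-01T10:02:00", "host": "wks-03", "type": "Event::Endpoint::WebControlViolation"},
    {"timestamp": "2024-03-01T10:03:00", "host": "wks-03", "type": "Event::Endpoint::WebControlViolation"},
    {"timestamp": "2024-03-01T10:04:00", "host": "wks-02", "type": "Event::Endpoint::Application::Blocked"},
    {"timestamp": "2024-03-01T10:10:00", "host": "wks-03", "type": "Event::Endpoint::WebControlViolation"},
]


def evaluate_rules(events, threshold=1, window=timedelta(minutes=5)):
    """Fire an alert when `threshold` matching events for one (rule, host) pair
    land within `window`. threshold=1 reproduces the page's default of alerting
    on a single incident; raise it and widen `window` to alert on repeats."""
    recent = defaultdict(deque)  # (rule, host) -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        rule = RULES.get(ev.get("type"))
        if rule is None:
            continue  # not one of the five rule types, e.g. an update event
        ts = datetime.fromisoformat(ev["timestamp"])
        key = (rule, ev["host"])
        bucket = recent[key]
        bucket.append(ts)
        while ts - bucket[0] > window:  # slide the window forward
            bucket.popleft()
        if len(bucket) >= threshold:
            alerts.append({"rule": rule, "host": ev["host"],
                           "count": len(bucket), "last_seen": ev["timestamp"]})
            bucket.clear()  # start counting again for the next alert
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rules(SAMPLE_EVENTS):
        print(alert)
    print("with threshold=2:", evaluate_rules(SAMPLE_EVENTS, threshold=2))
```

With the default threshold of 1 every matching event produces its own alert; with threshold=2 only the two web-control violations on wks-03 that fall within five minutes of each other fire, and the later one at 10:10 starts a fresh count.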

Ship Sophos Logs to Logz.io

There are four prerequisites: 1) Sophos Intercept X Endpoint installed, 2) access to the Sophos Central Cloud console, 3) Filebeat 7 installed, and 4) terminal access to the instance running Filebeat 7.

Run the Sophos SIEM API script (siem.py) on the same instance as Filebeat 7. In the config.ini that siem.py reads, set format = json so the script writes JSON output.

Then, for HTTPS shipping, download the Logz.io cert:

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure filebeat.yml. You can copy and paste the following configuration:

# ...
filebeat.inputs:
- type: log
  paths:
    - <<FILE_PATH>>
  fields:
    token: <<LOG-SHIPPING-TOKEN>>
  fields_under_root: true
  json.keys_under_root: true
  encoding: utf-8
  ignore_older: 3h

#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "type"
       to: "event_type"
    ignore_missing: true
- add_fields:
    target: ''
    fields:
      type: "sophos-ep"
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true
- drop_event:
    when:
      regexp:
        message: "^\\s*$"
#... Output
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>"]
    ssl:
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

The output section at the end of the snippet ships events to Logz.io over the Logstash protocol with TLS. Replace <<LOG-SHIPPING-TOKEN>> and <<LISTENER-HOST>> with the appropriate values, then double-check that Logz.io is the only output in the configuration file. Finally, change <<FILE_PATH>> to the path of the .txt output file written by the Sophos siem.py script.
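To make the processor chain in the filebeat.yml above concrete, here is an added Python simulation (not Filebeat's code and not part of the original page) that applies the same four steps to constructed sample lines in the shape siem.py writes with format = json: rename type to event_type, add type: sophos-ep at the root, rename log.file.path to source, and drop events whose message is blank. The JSON field names, the event-type string and the file path are assumptions; the script simplifies the input stage by always keeping the raw line in message.

```python
import json
import re

# Regexp from the page's drop_event processor: drop events whose message is blank.
BLANK_MESSAGE = re.compile(r"^\s*$")

# Constructed sample lines in the shape siem.py writes when config.ini has format = json.
# Field names and the event-type string are assumptions, not taken from the page.
SAMPLE_LINES = [
    '{"type": "Event::Endpoint::Threat::Detected", "location": "host-1", "severity": "high"}',
    "   ",
    '{"location": "host-2", "severity": "low"}',
]


def read_event(line, path, token):
    """Simulate the filebeat.inputs section: JSON keys go under root
    (json.keys_under_root), the shipping token sits at root (fields_under_root)
    and log.file.path records where the line came from.
    Simplification: the raw line is always kept in 'message'."""
    event = {"message": line, "token": token, "log": {"file": {"path": path}}}
    if line.strip():
        try:
            event.update(json.loads(line))
        except json.JSONDecodeError:
            event["error"] = {"message": "JSON decode failure"}
    return event


def rename(event, src, dst):
    """The 'rename' processor with ignore_missing: true; src may be a dotted path."""
    *parents, leaf = src.split(".")
    node = event
    for key in parents:
        node = node.get(key)
        if not isinstance(node, dict):
            return  # intermediate key missing: ignore, as ignore_missing would
    if leaf in node:
        event[dst] = node.pop(leaf)


def apply_processors(event):
    """Apply the four processors from the page's filebeat.yml in their listed order.
    Returns None when the event is dropped."""
    rename(event, "type", "event_type")                # rename: type -> event_type
    event["type"] = "sophos-ep"                         # add_fields with target '' (root)
    rename(event, "log.file.path", "source")            # rename: log.file.path -> source
    if BLANK_MESSAGE.match(event.get("message", "")):   # drop_event when message is blank
        return None
    return event


def run_pipeline(lines, path="/var/log/sophos/siem-output.txt", token="<<LOG-SHIPPING-TOKEN>>"):
    """Return the events that would reach the Logstash output (path and token are placeholders)."""
    shipped = []
    for line in lines:
        event = apply_processors(read_event(line, path, token))
        if event is not None:
            shipped.append(event)
    return shipped


if __name__ == "__main__":
    for ev in run_pipeline(SAMPLE_LINES):
        print(json.dumps(ev))
```

Running it shows why the rename of type comes first: the original Sophos event type survives as event_type, and the fixed type: sophos-ep that Logz.io uses to select its parsing is added only afterwards; a line without a type field still gets sophos-ep, and the blank line never reaches the output.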

While you can create your own, Logz.io ships two prebuilt Sophos Intercept X dashboards: Malware & Suspicious Web Activity, and Summary.

Sophos Dashboard 1: Malware & Suspicious Web Activity

The first dashboard covers infected hosts, spikes in anti-malware logs, and other statistics, and can be scoped by saved custom searches. Let's break it down.

Malware & Suspicious Web Activity Dashboard for Sophos Intercept X in Logz.io

You can filter either by host or module as seen to the upper left. Next to it is a bar chart that covers the hosts with the most malware activity. 

At the upper right, you can see a distribution of malware activity in two segments: the inner circle with the top four events, and the outer circle broken down by percentage. As with the other graphs, you have the option to change each value’s color.

Below that are two charts that describe the most recent malware and suspicious web activities, respectively.

Most recent malware activities recorded on the Sophos dashboard in Logz.io
Most recent suspicious web activities recorded on the Sophos dashboard in Logz.io

Sophos Dashboard 2: Summary

Summary Dashboard for Sophos Intercept X in Logz.io

The Summary dashboard covers logs organized by threat type and severity, along with a count of instances of each type. The upper right-hand graph breaks down the distribution of modules, and the left-most graph in the middle row breaks that information down further. The next graph shows the variation in events, broken down by severity level.

Using Logz.io to augment and analyze Sophos data makes it easier to zero in on important log events. This works alongside our many other integrations, such as endpoint security with ESET, HashiCorp Vault, and Palo Alto Networks.

To learn more about Logz.io Cloud SIEM, check out the product page.
