Intercept X is Sophos’ endpoint security solution, including anti-ransomware, zero-day exploit prevention, plus managed endpoint defense and response. It employs a layered approach reliant on multiple security techniques for endpoint detection and response (EDR).
Those tactics include app lockdown, data loss prevention, web control and malware detection. It strives to detect performance issues and vulnerabilities early on, before they can be exploited via zones like non-standard ports or with malicious software.
Other notable features include deep learning PUA blocking (potentially unwanted applications), locking down Office or media apps, credential theft defense, and process privilege escalation.
Using no servers to build out, Intercept X operates as soon as you download the relevant agent.
Logz.io Cloud SIEM augments Intercept X’s strengths by syncing all the data that Sophos’ solution collects. That makes it easy to correlate and prioritize events. Logz.io Cloud SIEM will automatically parse Sophos Central Cloud logs, then enrich them with security data.
Rules and Dashboards
Logz.io maintains five rules for Sophos Intercept X: suspicious runtime attempt blocked, real-time protection disabled, user browsed a malicious URL, threat detected, and threat cleaned. The first rule blocks a suspicious file or script from running and might indicate the file had already infected the host. The second alerts to Sophos real-time protection being shut off either by a user or a program. The third blocks connections to a suspicious or known malicious URL, while the fourth and fifth detect a malicious file either being downloaded or run, and then deleted.
By default, all these rules monitor for a single incident, though this is configurable. Likewise, the time frame for detecting multiple incidents is also configurable.
Ship Sophos Logs to Logz.io
There are three prereqs you’ll need: 1) Sophos Intercept X Endpoint installed, 2) Access to the Sophos Central Cloud console, 3) Filebeat 7 installed, and 4) terminal access to the instance running Filebeat 7.
Run the Sophos API from the same instance as Filebeat 7. Make sure to configure
config.ini for Sophos API, used in the Sophos
siem.py file, under
format = json.
Then, for HTTPS shipping, download the Logz.io cert:
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
filebeat.yml. You can copy and paste the following configuration:
# ... filebeat.inputs: - type: log paths: - <<FILE_PATH>> fields: token: <<LOG-SHIPPING-TOKEN>> fields_under_root: true json.keys_under_root: true encoding: utf-8 ignore_older: 3h #For version 7 and higher filebeat.registry.path: /var/lib/filebeat #The following processors are to ensure compatibility with version 7 processors: - rename: fields: - from: "type" to: "event_type" ignore_missing: true - add_fields: target: '' fields: type: "sophos-ep" - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true - drop_event: when: regexp: message: "^\\s*$" #... Output output: logstash: hosts: ["<<LISTENER-HOST>>"] ssl: certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Also add the following for the output in the same config file:
<<LISTENER-HOST>> with the appropriate values in the above snippets. Then double-check that Logz.io is the only output in the configuration file. Then change
<<FILE_PATH>> to the output
.TXT file retrieved from the Sophos
While you can create your own, Logz.io has set up two prefabricated Sophos Intercept X dashboards: Malware & Suspicious Web Activity and Summary.
Sophos Dashboard 1: Malware & Suspicious Web Activity
The first dash covers infected hosts, spikes in anti-malware logs, and other stats. The option exists to look at things according to saved custom searches. Let’s break it down.
You can filter either by host or module as seen to the upper left. Next to it is a bar chart that covers the hosts with the most malware activity.
At the upper right, you can see a distribution of malware activity in two segments: the inner circle with the top four events, and the outer circle broken down by percentage. As with the other graphs, you have the option to change each value’s color.
Below that are two charts that describe the most recent malware and suspicious web activities, respectively.
Sophos Dashboard 2: Summary
The summary dash will cover logs organized by threat type and severity, as well as a tally for the number of each type’s instance. The upper right-hand graph breaks down the distribution of modules, and the left-most graph in the middle line breaks that info down further. The next graph dives into the variations of events, broken down by severity level.
Utilizing Logz.io to augment and analyze Sophos data, it becomes easier to zero in on important log events. This feature works well with our many other integrations as well, such as with endpoint security with ESET, Hashicorp Vault, and Palo Alto Networks.
To learn more about Logz.io Cloud SIEM, check out the product page.