Configure Endpoint Security - Sophos Intercept X (Windows Event Log)

Summary:

This knowledge base article provides step-by-step instructions on how to integrate Sophos Intercept X (Endpoint AV/EDR agent) with RocketCyber SOC (Security Operations Center) using the Windows Event Log. Specifically, it focuses on capturing Sophos Malware events, which are identified by Event ID 42, from the Windows Application Event Log. While RocketCyber supports a REST API integration from Sophos Central Partner, this alternative integration opportunity is for those who don't have access to a partner account. By following these instructions, you can enhance your organization's threat detection and response capabilities by leveraging the combined power of Sophos Intercept X and RocketCyber SOC.

RocketCyber configuration

  1. Navigate to the RocketApp: Endpoint Event Log Monitor when in context as your root level provider.
  2. Next, click on the gear icon, and scroll down near the bottom.
  3. Select "Add Custom Event From Log" and configure as seen in the screenshot below:
    (Screenshot of the "Add Custom Event From Log" configuration; not reproduced here.)
  4. Now click Create.

Windows configuration

By default, Windows 10 and 11 systems log this event without any changes to the audit policy in GPO. To review the event messages Sophos writes to the Windows Event Log, open a command prompt as Administrator and run: eventvwr

This will open the Event Viewer. Now navigate to Windows Logs / Application as shown in the image below. From here you can sort the logs by Source and/or Event ID. Specifically, we are looking for Source Sophos with Event ID 42 (Sophos | 42) in this scenario. Such events only appear if Sophos has detected a threat on the computer whose log you are viewing. If you need sample data, you can download the EICAR test file, among other attack simulations, to generate events.
(Screenshot of Event Viewer, Windows Logs / Application, filtered to Sophos Event ID 42; not reproduced here.)
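The same check can be scripted, which is useful for confirming on a fleet of hosts that the Sophos events RocketCyber will pick up are actually being written. The following PowerShell is an added example, not part of the original article or of Sophos or RocketCyber tooling: it queries the Application log for the Source and Event ID named above. It assumes the event Source string is exactly "Sophos" (as shown in the article); if the provider name on your system differs, adjust the ProviderName value.

```powershell
# Added example (not from the article): list Sophos malware events (Event ID 42) from the
# Windows Application log, the same entries the article tells you to find in Event Viewer.
# Assumption: the event Source (ProviderName) is 'Sophos', as shown in the article's screenshot.

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Sophos'
    Id           = 42
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it and
# handle the empty case explicitly so the script is safe to run on clean machines.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Sophos Event ID 42 entries found in the Application log."
    Write-Host "Generate a test detection (e.g. the EICAR test file) and re-run."
    return
}

# Show the fields an analyst would compare against the RocketCyber SOC view.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Format-Table -AutoSize -Wrap

# Optionally keep a copy for the ticket or for cross-checking the count in RocketCyber.
$events |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Export-Csv -Path "$env:TEMP\sophos-event42.csv" -NoTypeInformation
```

Run it from an elevated PowerShell session on the endpoint. A host that shows matching entries here but nothing in the RocketCyber SOC platform points at the custom event definition or the agent, not at Sophos logging.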

Sophos Configuration

By default, Sophos Central writes threat events to the Windows Application Log, so no configuration is required on the Sophos side. The corresponding events in Sophos Central should be identical to the event messages in Windows Event Viewer (shown above)
(Screenshot of the matching event in Sophos Central; not reproduced here.)

and in the RocketCyber SOC platform, as shown below:
(Screenshot of the same event in the RocketCyber SOC platform; not reproduced here.)

Conclusion

While the RocketCyber - Sophos API integration was developed for partner accounts, this article shows an alternative approach to aggregating Sophos threat data into the RocketCyber SOC platform.