From 60997db3c1b42264c2dd95ab3ef2c8bcdd480d55 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Tue, 9 Jan 2024 11:06:52 +0100 Subject: [PATCH 1/3] add some extra explination --- .../sophos_threat_analysis_center.md | 23 +++++++++++++++++++ .../integrations/endpoint/sophos_edr.md | 4 ++++ 2 files changed, 27 insertions(+) diff --git a/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md b/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md index d56aa16af5..1eb2b16852 100644 --- a/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md +++ b/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md @@ -42,6 +42,23 @@ Copy the Client ID and Client Secret. ### Enable logs to Sophos data lake +By default sophos central will not send logs to the Data Lake automatically, so you have to do it manually. you will need to enable hydration for both Endpoints and Servers as you want. + +To enable hydrating the data lake for endpoint: +1. Click **Endpoint Protection** +2. Click **Settings** +3. Scroll down and click **Data Lake uploads** +4. Toggle the switch to enable **Upload to the Data Lake** +5. (OPTIONAL) - if you want to exclude any devices, select them from the available list and move them to the excluded list + +To enable hydrating the data lake for server: + +1. Click **Server Protection** +2. Click **Settings** +3. Scroll down and click **Data Lake uploads** +4. Toggle the switch to enable **Upload to the Data Lake** +5. **(OPTIONAL)** - if you want to exclude any devices, select them from the available list and move them to the excluded list + Log on your Sophos Interface and follow [this guide](https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/130364/getting-started-with-sophos-xdr-data-lake-hydration). ## Create the intake 
@@ -57,6 +74,10 @@ Log on your Sophos Interface and follow [this guide](https://community.sophos.co 4. In `Choose a trigger`, select the `Query IOC from data lake`. 5. Click on the `Query IOC from data lake` module on the right sidebar and in the `Module Configuration` section, select `Create new configuration`. 6. Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. + + !!! info + - You can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. + 7. In the `Trigger Configuration` section, click on `Create new configuration`. 8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos Threat Analysis Center` intake and click on `Save`. 9. On the top right corner, start the Playbook. You should see monitoring messages in the `Logs` section. @@ -65,3 +86,5 @@ Log on your Sophos Interface and follow [this guide](https://community.sophos.co ## Further Readings - [Sophos Analysis Threat Center documentation](https://doc.sophos.com/central/customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/index.html) +- [Sophos Analysis Threat Center guide](https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/130364/getting-started-with-sophos-xdr-data-lake-hydration) +- [Identify your region](https://support.sophos.com/support/s/article/KB-000044836?language=en_US) diff --git a/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md b/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md index 68625c04c9..bb0e5e1483 100644 --- a/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md +++ b/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md 
@@ -40,6 +40,10 @@ In the Sophos Central Admin console: 4. In `Choose a trigger`, select the [Get Sophos events](../../../../automate/library/sophos/#get-sophos-events). 5. Click on the `Get Sophos events` module on the right sidebar and in the `Module Configuration` section, select `Create new configuration`. 6. Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. + + !!! info + - You can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. + 7. In the `Trigger Configuration` section, click on `Create new configuration`. 8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos EDR` intake and click on `Save`. 9. On the top right corner, start the Playbook. You should see monitoring messages in the `Logs` section. From 0ad5b9c90bc77975b2e7b16390159fff958c7d0b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Tue, 9 Jan 2024 11:14:53 +0100 Subject: [PATCH 2/3] update some mistakes --- .../cloud_and_saas/sophos_threat_analysis_center.md | 5 ++--- .../xdr/features/collect/integrations/endpoint/sophos_edr.md | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md b/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md index 1eb2b16852..223c5fae5b 100644 --- a/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md +++ b/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md 
@@ -45,6 +45,7 @@ Copy the Client ID and Client Secret. By default sophos central will not send logs to the Data Lake automatically, so you have to do it manually. you will need to enable hydration for both Endpoints and Servers as you want. To enable hydrating the data lake for endpoint: + 1. Click **Endpoint Protection** 2. Click **Settings** 3. Scroll down and click **Data Lake uploads** @@ -59,8 +60,6 @@ To enable hydrating the data lake for server: 4. Toggle the switch to enable **Upload to the Data Lake** 5. **(OPTIONAL)** - if you want to exclude any devices, select them from the available list and move them to the excluded list -Log on your Sophos Interface and follow [this guide](https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/130364/getting-started-with-sophos-xdr-data-lake-hydration). - ## Create the intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Sophos Analysis Threat Center. @@ -76,7 +75,7 @@ Log on your Sophos Interface and follow [this guide](https://community.sophos.co 6. Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. !!! info - - You can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. + - If you want to change the region with your own region, you can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. 7. In the `Trigger Configuration` section, click on `Create new configuration`. 8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos Threat Analysis Center` intake and click on `Save`. 
diff --git a/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md b/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md index bb0e5e1483..809f215790 100644 --- a/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md +++ b/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md @@ -42,8 +42,8 @@ In the Sophos Central Admin console: 6. Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. !!! info - - You can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. - + - If you want to change the region with your own region, you can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. + 7. In the `Trigger Configuration` section, click on `Create new configuration`. 8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos EDR` intake and click on `Save`. 9. On the top right corner, start the Playbook. You should see monitoring messages in the `Logs` section. From 9ed2efdf1fb0a12d1bf5a613b69febb68baddd1b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Tue, 9 Jan 2024 12:03:46 +0100 Subject: [PATCH 3/3] Add a paragraph in info part --- .../integrations/cloud_and_saas/sophos_threat_analysis_center.md | 1 + docs/xdr/features/collect/integrations/endpoint/sophos_edr.md | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md b/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md index 223c5fae5b..0e8f6c4568 100644 --- a/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md 
+++ b/docs/xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md @@ -76,6 +76,7 @@ To enable hydrating the data lake for server: !!! info - If you want to change the region with your own region, you can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. + - No need to change the **Oauth2 Authorization Url** for the moment (this's the only endpoint to get a JWT token). 7. In the `Trigger Configuration` section, click on `Create new configuration`. 8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos Threat Analysis Center` intake and click on `Save`. diff --git a/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md b/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md index 809f215790..c1a381cb67 100644 --- a/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md +++ b/docs/xdr/features/collect/integrations/endpoint/sophos_edr.md @@ -43,6 +43,7 @@ In the Sophos Central Admin console: !!! info - If you want to change the region with your own region, you can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. + - No need to change the **Oauth2 Authorization Url** for the moment, as this's the only endpoint to get a JWT token 7. In the `Trigger Configuration` section, click on `Create new configuration`. 8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos EDR` intake and click on `Save`.
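Review bot: in PATCH 1/3, hunk `@@ -42,6 +42,23` of sophos_threat_analysis_center.md, the new intro paragraph contradicts itself and has casing problems: "you will need to enable hydration for both Endpoints and Servers as you want" makes the setting both mandatory and optional in one clause, and "sophos central" and the sentence starting "you will need" are lowercase. Suggest: "By default, Sophos Central does not upload logs to the Data Lake. Enable uploads manually for Endpoints, Servers, or both, depending on which you want to collect." In the same hunk, "To enable hydrating the data lake for endpoint:" is followed directly by "1. Click **Endpoint Protection**" with no blank line, so Markdown renders the list as a continuation of the paragraph (the server list below already has the blank line; PATCH 2/3 fixes this, but it belongs in the commit that introduced it). The trailing "Log on your Sophos Interface and follow [this guide]" line is also left in place even though the steps it pointed to are now inline.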
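Review bot: in PATCH 1/3, hunk `@@ -57,6 +74,10` of sophos_threat_analysis_center.md (and the identical hunk `@@ -40,6 +40,10` of sophos_edr.md), the `!!! info` block explains where to find the region but never says which Module Configuration field it goes into; step 6 just above only mentions `name`, `client_id` and `client_secret`, so the reader is told to look up a value with nowhere to put it. Name the field, and show the shape of the download URL so the reader knows which part is the region. Also "protect devices field" is not a field; it is the **Protect Devices** menu entry named later in the same sentence, and "Then copy" / "Check the region" should be lowercase mid-sentence.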
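Review bot: in PATCH 1/3, hunk `@@ -65,3 +86,5` of sophos_threat_analysis_center.md, the added link titled "Sophos Analysis Threat Center guide" actually points to the Data Lake hydration article (`.../getting-started-with-sophos-xdr-data-lake-hydration`), and the product name is inverted: the first entry's URL path is `ThreatAnalysisCenter`, so it is "Threat Analysis Center", not "Analysis Threat Center". Suggest `- [Getting started with Sophos XDR Data Lake hydration](https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/130364/getting-started-with-sophos-xdr-data-lake-hydration)` and fixing the product name in the first entry. This matters more after PATCH 2/3 removes the inline link from the section body, leaving this list as the only pointer to the guide.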
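Review bot: in PATCH 2/3, hunk `@@ -59,8 +60,6` of sophos_threat_analysis_center.md, deleting "Log on your Sophos Interface and follow [this guide]" removes the only in-section reference to the official hydration guide; the click paths above are a paraphrase of it and will drift as the Sophos Central UI changes. Keep one sentence after the two lists, for example "These steps follow Sophos's [Data Lake hydration guide](https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/130364/getting-started-with-sophos-xdr-data-lake-hydration)." A commit titled "update some mistakes" should also have fixed "sophos central" and the lowercase "you will need" in the paragraph visible as context in hunk `@@ -45,6 +45,7`.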
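Review bot: in PATCH 2/3, hunk `@@ -76,7 +75,7` of sophos_threat_analysis_center.md (and hunk `@@ -42,8 +42,8` of sophos_edr.md), "If you want to change the region with your own region" is circular and still does not say what is being changed. The sentence implies a region setting with a default; say which Module Configuration field it is and what default it ships with, then give the lookup, e.g. "The module configuration defaults to the <default> region. If your tenant is hosted in another region, set the region field to your own: click **Protect Devices**, copy any download link and read the region from the URL." Fill in the actual field name and default rather than leaving the reader to guess.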
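Review bot: in PATCH 3/3, hunk `@@ -76,6 +76,7` of sophos_threat_analysis_center.md (and hunk `@@ -43,6 +43,7` of sophos_edr.md), "No need to change the **Oauth2 Authorization Url** for the moment (this's the only endpoint to get a JWT token)" is vague and ungrammatical: "for the moment" tells the reader nothing about when it would need changing, and "this's" is not a word. State the reason plainly, e.g. "Leave **Oauth2 Authorization Url** at its default: Sophos issues the JWT from a single endpoint regardless of your data region, so only the region setting varies per tenant." The two files also disagree on punctuation (parentheses in one, a comma in the other); use one wording in both. Note that in OAuth2 terms the URL that returns a token is the token endpoint, not the authorization endpoint, so if the UI label cannot change, the explanation should at least say "token endpoint".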