Sophos
Sophos normalizes Sophos events and enables you to analyze Sophos data using customizable reports, alerts, dashboards and searches.
Enhancement
Description | Issue ID | Reference ID |
---|---|---|
Added Syslog Collector based Sophos General log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. | KB-22634 | - |
Past Releases
Sophos v6.0.0
Release Date: August 08, 2023
Supported On: Logpoint v6.7.0 or later
Download: Sophos_6.0.0.pak
SHA256: 43af7924dd34d658ec895712d3e5dc65de10dddd40c54576ab9a418e296c9ae4
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Added a new compiled normalizer SophosCompiledNormalizer to support Sophos Central, Sophos Central CEF, Sophos EndPoint, Sophos EnterpriseConsoleServer, Sophos UTM and Sophos XG Firewall logs. | KB-20115 | - |
Enhanced the performance of SophosXGFirewallCompiledNormalizer by reducing the time taken to normalize Sophos XG Firewall logs. | KB-17554 | 67654 |
Added the device_category field in SophosXGFirewallCompiledNormalizer to forward Sophos XG Firewall logs to UEBA. | KB-16419 | 64913, 65960 |
Replaced the recipient_count field with receiver_count in Sophos logs to maintain consistency. Also, updated signatures to normalize Sophos Email Appliance logs. | KB-18785 | 70310 |
Added signatures in LP_Sophos UTM to normalize Sophos UTM logs. | KB-18572 | - |
Renamed the inserted_ts field to insert_ts for SophosCompiledNormalizer to normalize Sophos EndPoint logs. | KB-20277 | - |
Replaced the Potential, Unwanted, and Application labels with the PUA label. | | |
Bug Fix
Description | Issue ID | Reference ID |
---|---|---|
Some Sophos XG Firewall logs were not properly normalized by SophosXGFirewallCompiledNormalizer. | KB-18373 | 69397 |
Sophos v5.2.0
Release Date: October 20, 2022
Supported On: Logpoint v6.7.0 or later
Download: Sophos_5.2.0.pak
SHA256: 5701dfff24a00365648be97d0766ec91f15eede8b42b5b31344771539b3c27cb
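Both the v6.0.0 and v5.2.0 entries publish a SHA256 for the .pak file. The following shell function is an added example, not part of the Logpoint release notes or the Sophos application itself: it hashes a downloaded package and compares the result with the published value before the package is imported, so a corrupted or tampered download is rejected. The two hash constants are the ones listed on this page; the package file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the release notes): verify a downloaded application
# package against the SHA256 published for that release before importing it.

# Usage: verify_pak <file> <expected-sha256>; returns 0 on match, 1 on mismatch.
verify_pak() {
    pak="$1"
    # Normalise the expected digest to lower case so pasted upper-case hashes match.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # sha256sum is standard on Linux; shasum is the usual macOS fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$pak" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$pak" | awk '{print $1}')
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $pak matches $expected"
        return 0
    fi
    echo "MISMATCH: $pak" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Published digests from this page (v6.0.0 and v5.2.0).
SOPHOS_6_0_0_SHA256=43af7924dd34d658ec895712d3e5dc65de10dddd40c54576ab9a418e296c9ae4
SOPHOS_5_2_0_SHA256=5701dfff24a00365648be97d0766ec91f15eede8b42b5b31344771539b3c27cb

# Example invocation (placeholder path; run after downloading the package):
# verify_pak ./Sophos_6.0.0.pak "$SOPHOS_6_0_0_SHA256" || exit 1
```

A non-zero return stops a scripted import, which is the point: the comparison must gate the import rather than only print a warning.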
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Renamed the event_name field to event to maintain consistency. | KB-15682 | - |
Added file, path, domain, compliance_status, application, object, and action fields in Sophos logs. Also, renamed the object field to application to maintain consistency. | KB-13403 | 56913 |
Removed the LP_Sophos UTM Policy Violation alert as it is no longer relevant. | KB-13888 | - |
Mapped the device_name, timestamp and device_name fields to device and device_model to host in SophosXGFirewallCompiledNormalizer. | KB-16876 | - |
Added signatures in LP_Sophos_XG_Firewall to normalize Sophos Firewall logs. | KB-16876, KB-12943 | 65842, 55001 |
Bug Fixes
The following issues are fixed:
Description | Issue ID | Reference ID |
---|---|---|
SophosCentralCEFCompiledNormalizer incorrectly normalized the value of severity. | KB-17450 | - |
Some Sophos Central logs were not properly normalized by SophosCentralCEFCompiledNormalizer. | KB-15474, KB-17037 | 61054 |
Some Sophos UTM logs were not properly normalized by SophosUTMCompiledNormalizer. | KB-15570 | - |
Sophos v5.1.0
Enhancements
- Sophos now includes a compiled normalizer, SophosCentralCEFCompiledNormalizer, to normalize the Sophos Central key-value pair CEF logs.
- The taxonomy of the following fields is changed to maintain consistency:
Application | Previously Used Field Name | Modified Field Name |
---|---|---|
SophosXGFirewallCompiledNormalizer | remotenetwork | peer_address |
| connectionname | connection |
| connectiontype | connection_type |
| localnetwork | local_address |
| remoteinterfaceip | peer_interface_address |
| localinterfaceip | local_interface_address |
| localgateway | gateway |
| imaction | im_action |
| ft_req_status | ft_request_status |
SophosCentralCompiledNormalizer | object_name | object |
| source_info_ip | source_address |
- The field device_category is now added for SophosCentralCompiledNormalizer and SophosECSCompiledNormalizer.
- The following labels are now added for SophosCentralCompiledNormalizer and SophosUTMCompiledNormalizer:
Application | Event Category | Labels |
---|---|---|
SophosCentralCompiledNormalizer | UpdateRebootUrgentlyRequired | Reboot, Update |
| UpdateRebootRequired | Reboot, Update |
| Management Suspended | Management, Suspend |
| Management Resumed | Management, Resume |
| Enc DiskEncryptionInformation | Disk, Encryption, Information |
| CorePuaDetection | Unwanted, Application, Detect |
| DownloadReputationUserBlocked | User, Block |
| CorePuaClean | Unwanted, Application, Clean |
| WindowsFirewall Blocked | Windows, Firewall, Block |
| SavScanComplete | Antivirus, Scan, Complete |
| SavDisabled | Antivirus, Disable |
| SavEnabled | Antivirus, Enable |
| ServiceRestored | Service, Start |
| ServiceNotRunning | Service, Stop |
SophosUTMCompiledNormalizer | label | Deny, Web, Request, Block |
Bug Fixes
The following issues have now been resolved:
- An issue where the date and time format of the field created_at for SophosCentralCompiledNormalizer was parsed incorrectly. The date and time format is now updated to support YYYY/MM/DD hh:mm:ss.
- An issue where the dashboard LP_Sophos Central displayed null values.
Support
If you have any questions or require assistance, create a support ticket.
For Sophos_3.2.0.pak I can see for every dashboard, normalization package etc. the version number. Why not for Sophos_5.0.0.pak?
Sophos_5.0.0.pak contains a dashboard "Sophos UTM System" with version 36. But in the meantime a dashboard with version number 38 exists (SR #43051).