{
  "name": "sophos_central",
  "title": "Sophos Central",
  "version": "1.22.0",
  "release": "ga",
  "description": "This Elastic integration collects logs from Sophos Central with Elastic Agent.",
  "type": "integration",
  "download": "/epr/sophos_central/sophos_central-1.22.0.zip",
  "path": "/package/sophos_central/1.22.0",
  "icons": [
    {
      "src": "/img/sophos_central_logo.svg",
      "path": "/package/sophos_central/1.22.0/img/sophos_central_logo.svg",
      "title": "Sophos Central logo",
      "size": "108x18",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.4 || ~9.0.7 || ^9.1.4"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "edr_xdr"
  ],
  "signature_path": "/epr/sophos_central/sophos_central-1.22.0.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/sophos_central/1.22.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/sophos-central-alerts.png",
      "path": "/package/sophos_central/1.22.0/img/sophos-central-alerts.png",
      "title": "Sample screenshot",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sophos-central-events.png",
      "path": "/package/sophos_central/1.22.0/img/sophos-central-events.png",
      "title": "Sample screenshot",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/sophos_central/1.22.0/LICENSE.txt",
    "/package/sophos_central/1.22.0/changelog.yml",
    "/package/sophos_central/1.22.0/manifest.yml",
    "/package/sophos_central/1.22.0/validation.yml",
    "/package/sophos_central/1.22.0/docs/README.md",
    "/package/sophos_central/1.22.0/img/sophos-central-alerts.png",
    "/package/sophos_central/1.22.0/img/sophos-central-events.png",
    "/package/sophos_central/1.22.0/img/sophos_central_logo.svg",
    "/package/sophos_central/1.22.0/kibana/tags.yml",
    "/package/sophos_central/1.22.0/data_stream/alert/manifest.yml",
    "/package/sophos_central/1.22.0/data_stream/alert/sample_event.json",
    "/package/sophos_central/1.22.0/data_stream/event/manifest.yml",
    "/package/sophos_central/1.22.0/data_stream/event/sample_event.json",
    "/package/sophos_central/1.22.0/kibana/dashboard/sophos_central-1616f9a0-77af-11ed-98b8-2bf13cc9deaa.json",
    "/package/sophos_central/1.22.0/kibana/dashboard/sophos_central-3ad33c00-7ad8-11ed-a685-e7c53637b621.json",
    "/package/sophos_central/1.22.0/data_stream/alert/fields/base-fields.yml",
    "/package/sophos_central/1.22.0/data_stream/alert/fields/beats.yml",
    "/package/sophos_central/1.22.0/data_stream/alert/fields/fields.yml",
    "/package/sophos_central/1.22.0/data_stream/event/fields/base-fields.yml",
    "/package/sophos_central/1.22.0/data_stream/event/fields/beats.yml",
    "/package/sophos_central/1.22.0/data_stream/event/fields/fields.yml",
    "/package/sophos_central/1.22.0/data_stream/alert/agent/stream/httpjson.yml.hbs",
    "/package/sophos_central/1.22.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/sophos_central/1.22.0/data_stream/event/agent/stream/httpjson.yml.hbs",
    "/package/sophos_central/1.22.0/data_stream/event/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "sophos_central",
      "title": "Sophos Central logs",
      "description": "Collect logs using HTTP JSON.",
      "inputs": [
        {
          "type": "httpjson",
          "vars": [
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Tenant client ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because the traced content is written to disk, enabling request tracing compromises security and should only be used while debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Tenant client secret.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The tenant ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "request_url",
              "type": "text",
              "title": "Request URL",
              "description": "Data region URL for the tenant, e.g. https://api-{dataRegion}.central.sophos.com.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_url",
              "type": "text",
              "title": "Token URL",
              "description": "The token URL must be the same one used when generating the tenant ID; follow this [link](https://developer.sophos.com/getting-started-tenant) for configuration. Specify the URL without the path, for example `https://id.sophos.com`, i.e. without the `/api/v2/oauth2/token` suffix.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://id.sophos.com"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections through, in the form http\\[s\\]://<user>:<password>@<server name/ip>:<port>. Ensure the username and password are URL-encoded.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Sophos Central logs via HTTP JSON",
          "description": "Collecting logs from Sophos Central via HTTP JSON."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "sophos_central.alert",
      "title": "Collect Sophos Central SIEM Alert logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Interval between two REST API calls. Valid time units are s, m, h.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to start retrieving alerts. The resulting starting date is defined as a Unix timestamp in UTC and must be within the last 24 hours. Valid time units are s, m, h.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "The maximum number of items to return; the default is 200 and the maximum is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 200
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sophos_central.alerts fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sophos_central-alert"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Sophos Central SIEM Alerts",
          "description": "This Elastic integration collects logs from Sophos Central.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sophos_central",
      "path": "alert"
    },
    {
      "type": "logs",
      "dataset": "sophos_central.event",
      "title": "Collect Sophos Central SIEM Events logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Interval between two REST API calls. Valid time units are s, m, h.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to start retrieving events. The resulting starting date is defined as a Unix timestamp in UTC and must be within the last 24 hours. Valid time units are s, m, h.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "The maximum number of items to return; the default is 200 and the maximum is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 200
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sophos_central.event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sophos_central-event"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Sophos Central SIEM Events",
          "description": "Collect Sophos Central SIEM Events from API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "sophos_central",
      "path": "event"
    }
  ]
}
