Aryaka integration overview
You can integrate Aryaka with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Aryaka product overview
Aryaka provides Unified SASE as a Service, which includes wide-area software-defined networking connectivity, application delivery and network security.
What we ingest
Sample alerts seen by Sophos:
ET DNS Query for TLD-CODE TLD
ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
ETPRO SCAN IPMI Get Authentication Request (DETAILS)
Filtering
We filter messages as follows.
Platform Filter and Log Collector:
- We ALLOW all valid alerts that are in JSON format.
- We then DROP alerts containing the text strings "\"message\":\"Aryaka Pre-SSL Flow Logs\"" or "\"message\":\"Aryaka Post-SSL Flow Logs\"" due to the very high volume of messages.
Sample threat mappings
We take the alert type from the field fields.alert.signature. For flow logs, we fall back to fields.message.
Sample mappings:
{"alertType": "ET DNS Query for TLD-CODE TLD", "threatId": "T1071.004", "threatName": "Application Layer Protocol: DNS"}
{"alertType": "ET INFO Session Traversal Utilities for NAT (STUN Binding Response)", "threatId": "T1599.001", "threatName": "Network Boundary Bridging: Network Address Translation Traversal"}
{"alertType": "ETPRO SCAN IPMI Get Authentication Request (DETAILS)", "threatId": "T1046", "threatName": "Network Service Scanning"}
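The filtering rules and the signature-to-threat mapping above, combined into one worked example. This is added illustration code, not Sophos or Aryaka code; the drop strings, field paths and sample mappings come from this page, while the JSON layout of the sample messages (a top-level "fields" object) and the messages themselves are constructed assumptions.

```python
import json

# Text strings the page says are DROPPED because of their very high volume.
FLOW_LOG_MARKERS = (
    '"message":"Aryaka Pre-SSL Flow Logs"',
    '"message":"Aryaka Post-SSL Flow Logs"',
)

# Sample threat mappings from the page, keyed by alert type.
THREAT_MAPPINGS = {
    "ET DNS Query for TLD-CODE TLD": ("T1071.004", "Application Layer Protocol: DNS"),
    "ET INFO Session Traversal Utilities for NAT (STUN Binding Response)": (
        "T1599.001", "Network Boundary Bridging: Network Address Translation Traversal"),
    "ETPRO SCAN IPMI Get Authentication Request (DETAILS)": ("T1046", "Network Service Scanning"),
}


def platform_filter(raw):
    """Apply the page's filter: drop flow logs, then ALLOW only valid JSON objects."""
    if any(marker in raw for marker in FLOW_LOG_MARKERS):
        return None
    try:
        alert = json.loads(raw)
    except ValueError:
        return None
    return alert if isinstance(alert, dict) else None


def alert_type(alert):
    """Alert type from fields.alert.signature, falling back to fields.message."""
    fields = alert.get("fields", {})
    signature = fields.get("alert", {}).get("signature")
    return signature if signature else fields.get("message")


def map_alert(raw):
    """Return the threat mapping record for one raw message, or None if it is filtered out."""
    alert = platform_filter(raw)
    if alert is None:
        return None
    atype = alert_type(alert)
    threat_id, threat_name = THREAT_MAPPINGS.get(atype, (None, None))
    return {"alertType": atype, "threatId": threat_id, "threatName": threat_name}


# Constructed sample messages (assumed layout; not captured Aryaka output).
SAMPLE_RAW = [
    '{"fields":{"alert":{"signature":"ETPRO SCAN IPMI Get Authentication Request (DETAILS)"}}}',
    '{"fields":{"message":"Aryaka Pre-SSL Flow Logs","src":"10.0.0.5"}}',
    'not json at all',
]

if __name__ == "__main__":
    for raw in SAMPLE_RAW:
        print(map_alert(raw))
```

An unmapped signature still passes the filter and yields a record with threatId and threatName set to None, which is where a SOC would see a gap in the mapping table.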