Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=sonicwall-overview

SonicWall SonicOS integration

Log collector Firewall

You can integrate SonicWall SonicOS with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

SonicWall SonicOS product overview

SonicWall delivers an automated, real-time breach detection and prevention platform. It offers a multi-engine sandbox approach that stops threats at the gateway, ensuring business continuity and enhancing network efficiency.

Sophos documents

Integrate SonicWall SonicOS

What we ingest

Sample alerts seen by Sophos:

  • ICMP PING CyberKit
  • INFO Telerik.Web.UI.WebResource.axd Access
  • Initial Aggressive Mode Completed
  • User Login Timeout
  • VPN Policy Enabled/Disabled
  • WEB-ATTACKS Apache Struts OGNL Expression Language Injection
  • WEB-ATTACKS Cross Web Server Remote Code Execution
  • WEB-ATTACKS Crystal Reports Web Viewer Information Disclosure
  • DNS Rebind Attack Blocked
  • IoT-ATTACKS Cisco Adaptive Security Appliance XSS
  • IoT-ATTACKS Axis IP Camera Authentication Bypass

Filtering

We filter messages as follows:

  • We ALLOW alerts that use valid Common Event Format (CEF).
  • We apply Level 20 DROP filters to remove high-volume but low-value messages.

Sample threat mappings

To determine the alert type, we use one of these fields, depending on the alert classification and the fields it includes.

  • ipscat
  • spycat

Otherwise, we fall back to cef.name.

"value": "=> !isEmpty(fields.ipscat) ? searchRegexList(trim(replace( fields.ipscat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(trim(replace( fields.ipscat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : trim(replace( fields.ipscat, /\\\\*\"/g, '')) : !isEmpty(fields.spycat) ? searchRegexList(trim(replace( fields.spycat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(trim(replace( fields.spycat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : trim(replace( fields.spycat, /\\\\*\"/g, '')) : !isEmpty(cef.name) ? searchRegexList(trim(replace( cef.name, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(trim(replace( cef.name, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : trim(replace( cef.name, /\\\\*\"/g, '')) : undefined ",

Sample mappings:

{"alertType": "IP Spoof Detected", "threatId": "T1498", "threatName": "Network Denial of Service"}
{"alertType": "NTP Update Successful", "threatId": "T1547.003", "threatName": "Time Providers"}
{"alertType": "IPsec SA Added", "threatId": "T1552.004", "threatName": "Private Keys"}

Vendor documentation