SonicWall SonicOS integration
You can integrate SonicWall SonicOS with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
SonicWall SonicOS product overview
SonicWall delivers an automated, real-time breach detection and prevention platform. It offers a multi-engine sandbox approach that stops threats at the gateway, ensuring business continuity and enhancing network efficiency.
Sophos documents
What we ingest
Sample alerts seen by Sophos:
ICMP PING CyberKit
INFO Telerik.Web.UI.WebResource.axd Access
Initial Aggressive Mode Completed
User Login Timeout
VPN Policy Enabled/Disabled
WEB-ATTACKS Apache Struts OGNL Expression Language Injection
WEB-ATTACKS Cross Web Server Remote Code Execution
WEB-ATTACKS Crystal Reports Web Viewer Information Disclosure
DNS Rebind Attack Blocked
IoT-ATTACKS Cisco Adaptive Security Appliance XSS
IoT-ATTACKS Axis IP Camera Authentication Bypass
Filtering
We filter messages as follows:
- We ALLOW alerts that use valid Common Event Format (CEF).
- We apply Level 20 DROP filters to remove high-volume but low-value messages.
Sample threat mappings
To determine the alert type, we use one of these fields, depending on the alert classification and the fields it includes.
ipscat
spycat
Otherwise, we fall back to cef.name
.
"value": "=> !isEmpty(fields.ipscat) ? searchRegexList(trim(replace( fields.ipscat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(trim(replace( fields.ipscat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : trim(replace( fields.ipscat, /\\\\*\"/g, '')) : !isEmpty(fields.spycat) ? searchRegexList(trim(replace( fields.spycat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(trim(replace( fields.spycat, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : trim(replace( fields.spycat, /\\\\*\"/g, '')) : !isEmpty(cef.name) ? searchRegexList(trim(replace( cef.name, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(trim(replace( cef.name, /\\\\*\"/g, '')), [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : trim(replace( cef.name, /\\\\*\"/g, '')) : undefined ",
Sample mappings:
{"alertType": "IP Spoof Detected", "threatId": "T1498", "threatName": "Network Denial of Service"}
{"alertType": "NTP Update Successful", "threatId": "T1547.003", "threatName": "Time Providers"}
{"alertType": "IPsec SA Added", "threatId": "T1552.004", "threatName": "Private Keys"}