Exporting event data to Sophos Central

You can send Sophos Linux Sensor (SLS) alert and event data to Sophos Central.

Overview

When you send SLS event data to Sophos Central, detection output is accessible in the Sophos Central console. Alert data is shown in the Threat Analysis Center as detection events and may generate cases. Within Live Discover, you can search for alerts and metaevents in the Data Lake but not on the endpoint. See Live Discover.

SLS is licensed per device. However, your Sophos Central Devices view and license count won't reflect your SLS instances. You also won't see your SLS devices in Server Protection. This is because SLS can send detection details and alerts to, but isn't managed by, Sophos Central.

This is an optional configuration. You can still choose not to send data to Sophos Central and output SLS data to another destination.

Prerequisites

To send SLS alert data to Sophos Central, the sensor version must be 5.5.2.22 or later. This version adds the .crl and .crt files needed to communicate with and feed data to Sophos Central in one of the following locations:

  • RPM and DEB package installations: /etc/sophos
  • Container format installations: /etc/sophos-certs

Here's an example:

sophos@UbuntuVM2:/etc/sophos$ ls
sophosca1.crl sophosca1.crt sophosca2.crl sophosca2.crt sophosca3.crl sophosca3.crt sophosca4.crl sophosca4.crt

In addition to the minimum sensor version, you must also have the following:

  • One of the following licenses:

    • Intercept X Advanced for Server with XDR
    • Central Managed Detection and Response Essential Server
    • Central Managed Detection and Response Complete Server
  • Your Sophos Central MCS URL ({MCS_URL}). See Finding your MCS URL.

    Note

    When you enter your MCS URL into runtimedetections.yaml, it must start with "https://".

  • A valid SLS package repository token ({LINUX_REPO_API_KEY}) and your Sophos Central tenant ID ({tenant-id}). See How to generate the Sophos Linux Sensor package repository API token.

    • {LINUX_REPO_API_KEY} is a short string that starts with "SLS-".
    • {tenant-id} is a string in the following format:

      1a2345b6-78c9-012d-ef34-5a6b789c0de1
      

Finding your MCS URL

To find your Sophos Central MCS URL, do as follows:

  1. Sign in to Sophos Central.
  2. Click your account name, and then click Support settings.
  3. Look for the line that starts with "This account is located in" to find out what geographical region your Sophos Central account is in.
  4. Use the following table to find your MCS URL based on your region:

    Region                     MCS URL
    United States (Oregon)     mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
    United States (Ohio)       mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
    Ireland                    mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
    Germany                    mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
    Canada                     mcs2.stn100yul.ctr.sophos.com
    Australia                  mcs2.stn100syd.ctr.sophos.com
    Asia Pacific (Tokyo)       mcs2.stn100hnd.ctr.sophos.com
    South America (Sao Paulo)  mcs2.stn100gru.ctr.sophos.com

    If you don't see any of the regions listed in the table in your Sophos Central UI, use mcs2.stn100bom.ctr.sophos.com as your MCS URL.

Alert configuration

To configure the sensor to send alert data to Sophos Central, you must add an alert_output configuration to /etc/sophos/runtimedetections.yaml. Do as follows:

  1. Open /etc/sophos/runtimedetections.yaml in a text editor.
  2. Add the following lines, replacing {tenant-id} with your Sophos Central tenant ID, {MCS_URL} with your Sophos Central MCS URL, and {LINUX_REPO_API_KEY} with your SLS package repository token:

    send_labs_telemetry: true
    endpoint_telemetry_enabled: true
    cloud_meta: auto
    # Set your customer id:
    customer_id: "{tenant-id}"
    mcs:
      token: "{LINUX_REPO_API_KEY}"
      url: "{MCS_URL}"
      enabled: true
    
  3. Save the changes and exit.

  4. Restart the sensor. Enter the following command:

    systemctl restart sophoslinuxsensor

Here's an example configuration file:

Note

The customer_id and api_key values are redacted.

# This configuration sends alert data to both stdout and Sophos Central.
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "########-####-####-####-############"
mcs:
  token: "SLS-########"
  url: "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
  enabled: true
alert_output:
  outputs:
  - type: stdout
    enabled: true
    template: 'Alert triggered: {{ .StrategyName}}'
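A pre-flight check for the values above, as an added example that is not part of the Sophos documentation: it confirms the sensor version meets the 5.5.2.22 minimum, that the MCS URL, token and tenant ID have the formats the prerequisites require, and flags typographic quotes that break the YAML when a snippet is pasted from a web page. The function names are my own.

```python
import re

# Added example, not Sophos code. Checks the values that go into the mcs
# block of runtimedetections.yaml before the sensor is restarted.

MIN_SENSOR_VERSION = "5.5.2.22"   # first version that ships the Sophos Central certs
TENANT_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
SMART_QUOTES = "\u201c\u201d\u2018\u2019"   # typographic quotes YAML does not recognise


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def sensor_version_ok(version):
    """True when the installed sensor version is at or above MIN_SENSOR_VERSION."""
    have, need = _version_tuple(version), _version_tuple(MIN_SENSOR_VERSION)
    width = max(len(have), len(need))       # pad so "5.11.0" compares with "5.5.2.22"
    return have + (0,) * (width - len(have)) >= need + (0,) * (width - len(need))


def check_central_values(mcs_url, token, tenant_id):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    if not mcs_url.startswith("https://"):
        problems.append("mcs.url must start with https://")
    if not token.startswith("SLS-"):
        problems.append("mcs.token must start with SLS-")
    if not TENANT_ID_RE.match(tenant_id):
        problems.append("customer_id is not in tenant ID format")
    return problems


def find_smart_quotes(yaml_text):
    """1-based line numbers whose quotes were turned into typographic quotes."""
    return [number for number, line in enumerate(yaml_text.splitlines(), 1)
            if any(quote in line for quote in SMART_QUOTES)]


if __name__ == "__main__":
    # Constructed values: a real tenant ID and token come from Sophos Central.
    problems = check_central_values(
        "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com",
        "SLS-placeholder", "1a2345b6-78c9-012d-ef34-5a6b789c0de1")
    print("values OK" if not problems else "\n".join(problems))
```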

Send metaevents to the Sophos Data Lake

Starting in 5.11.0, SLS supports sending event data to the Sophos Data Lake. We recommend you turn on this setting when configuring Sophos Central as an alert output. Sending event data to the Data Lake lets you use Live Discover queries in Sophos Central to check your devices for threats and compliance.

Note

If you're running 5.10 or earlier, you can still send alert data to Sophos Central. See Event output errors.

To configure SLS to send event data to the Data Lake, do as follows:

  1. Open /etc/sophos/runtimedetections.yaml in a text editor.
  2. Add the following lines:

    investigations:
      reporting_interval: 5s
      zeromq:
        topics:
        - process_events: running_processes_linux_events
          audit_user_msg: user_events_linux
      sinks:
        - backend: mcs
          name: "mcs"
          type: mcs
      flight_recorder:
        enabled: true
        tables:
          - name: "process_events"
            enabled: true
            rows: 1000
            filter:
              - match eventType == "PROCESS_EVENT_TYPE_EXEC"
              - match eventType == "BASELINE_TASK"
              - default ignore
          - name: "audit_user_msg"
            enabled: true
            rows: 1000
            filter:
              - ignore programName == "cron"
              - ignore processPid == 1
              - default match

  3. Save the changes and exit.
  4. Restart the sensor. Enter the following command:

    systemctl restart sophoslinuxsensor

Here's an example configuration file:

Note

The customer_id and api_key values are redacted.

send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "########-####-####-####-############"
mcs:
  token: "SLS-########"
  url: "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
  enabled: true
alert_output:
  outputs:
  - type: stdout
    enabled: true
    template: 'Alert triggered: {{ .StrategyName}}'
investigations:
  reporting_interval: 5s
  zeromq:
    topics:
    - process_events: running_processes_linux_events
      audit_user_msg: user_events_linux
  sinks:
    - backend: mcs
      name: "mcs"
      type: mcs
  flight_recorder:
    enabled: true
    tables:
      - name: "process_events"
        enabled: true
        rows: 1000
        filter:
          - match eventType == "PROCESS_EVENT_TYPE_EXEC"
          - match eventType == "BASELINE_TASK"
          - default ignore
      - name: "audit_user_msg"
        enabled: true
        rows: 1000
        filter:
          - ignore programName == "cron"
          - ignore processPid == 1
          - default match

Note

The event dispatcher only supports the following tables:

  • process_events
  • audit_user_msg

All other tables aren't available in the Sophos Data Lake.
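To see which events the two flight_recorder filters above let through to the Data Lake, here is a small evaluator for the filter rule syntax, added as an example and not taken from the sensor or the Sophos documentation. It assumes rules are checked top to bottom, the first rule whose condition holds decides, and "default <action>" is the fallback; the sample events and the FORK event type are constructed.

```python
import re

# Added example, not Sophos code. Evaluates the "match/ignore field == value"
# and "default <action>" rules from the flight_recorder filters on this page.
# Assumption: first rule whose condition holds decides; "default" is the fallback.
RULE_RE = re.compile(r'^(match|ignore)\s+(\w+)\s*==\s*(?:"([^"]*)"|(\d+))\s*$')


def parse_rule(text):
    """Return (action, field, value); field is None for a 'default' rule."""
    text = text.strip()
    if text.startswith("default "):
        return ("default", None, text.split(None, 1)[1].strip())
    match = RULE_RE.match(text)
    if not match:
        raise ValueError(f"unsupported filter rule: {text!r}")
    action, field, str_val, int_val = match.groups()
    return (action, field, str_val if str_val is not None else int(int_val))


def event_kept(rules, event):
    """True if the event passes the filter and is written to the table."""
    fallback = "ignore"
    for action, field, value in map(parse_rule, rules):
        if field is None:
            fallback = value                  # 'default match' / 'default ignore'
        elif event.get(field) == value:
            return action == "match"          # first matching rule decides
    return fallback == "match"


def kept_events(rules, events):
    return [event for event in events if event_kept(rules, event)]


# The two filters from the investigations block on this page.
PROCESS_EVENTS_FILTER = ['match eventType == "PROCESS_EVENT_TYPE_EXEC"',
                         'match eventType == "BASELINE_TASK"', 'default ignore']
AUDIT_USER_MSG_FILTER = ['ignore programName == "cron"',
                         'ignore processPid == 1', 'default match']

# Constructed sample events; PROCESS_EVENT_TYPE_FORK is a made-up type.
SAMPLE_PROCESS_EVENTS = [{"eventType": "PROCESS_EVENT_TYPE_EXEC", "programName": "curl"},
                         {"eventType": "PROCESS_EVENT_TYPE_FORK", "programName": "bash"},
                         {"eventType": "BASELINE_TASK", "programName": "sshd"}]
SAMPLE_AUDIT_EVENTS = [{"programName": "cron", "processPid": 812},
                       {"programName": "sshd", "processPid": 1},
                       {"programName": "sshd", "processPid": 2345}]

if __name__ == "__main__":
    print("process_events keeps:", kept_events(PROCESS_EVENTS_FILTER, SAMPLE_PROCESS_EVENTS))
    print("audit_user_msg keeps:", kept_events(AUDIT_USER_MSG_FILTER, SAMPLE_AUDIT_EVENTS))
```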

Test the output

After you configure and restart your sensor, we recommend you create a test alert to check that SLS is working and sending alert and event data to Sophos Central. Do as follows:

Note

These commands work on installations where SLS is deployed as a host process. If SLS is running as a container image, see the following for testing alerts:

  1. Run the following command to trigger the Test Alert policy:

    sophoslinuxsensor -test-alert
    

    You should see the following alert on your Linux device:

    $ May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester
    
  2. Sign in to Sophos Central.

  3. Go to Threat Analysis Center > Detections to see the detection.

    Note

    The detection can take up to 20 minutes to appear in Sophos Central.

More resources