Exporting alerts to Sophos Central
You can send Sophos Linux Sensor (SLS) alert data to Sophos Central.
Overview
When you send SLS alert data to Sophos Central, detection output is accessible in the Data Lake and the Threat Analysis Center. Within Live Discover, you can search for alerts in the Data Lake but not on the endpoint. See Live Discover.
SLS is licensed per device. However, your Sophos Central Devices view and license count won't reflect your SLS instances. You also won't see your SLS devices in Server Protection. This is because SLS can send detection details and alerts to, but isn't managed by, Sophos Central.
This configuration is optional. You can instead send SLS alert data to another destination rather than to Sophos Central.
Prerequisites
To send SLS alert data to Sophos Central, the sensor version must be 5.5.2.22 or later. This version adds the .crl and .crt files needed to communicate with and feed data to Sophos Central, in one of the following locations:
- RPM and DEB package installations: /etc/sophos
- Container format installations: /etc/sophos-certs
Here's an example:
sophos@UbuntuVM2:/etc/sophos$ ls
sophosca1.crl sophosca1.crt sophosca2.crl sophosca2.crt sophosca3.crl sophosca3.crt sophosca4.crl sophosca4.crt
Note
When you deploy SLS as a container image, the image includes the certificate files. You must configure a reference to these files in the runtimedetections.yaml file. See Configure container images.
In addition to the minimum sensor version, you must also have the following:
- One of the following licenses:
  - Intercept X Advanced for Server with XDR
  - Central Managed Detection and Response Essential Server
  - Central Managed Detection and Response Complete Server
- Your Sophos Central MCS URL ({MCS_URL}). See Finding your MCS URL.
  Note
  When you enter your MCS URL into runtimedetections.yaml, it must start with "https://".
- A valid SLS package repository token ({LINUX_REPO_API_KEY}) and your Sophos Central tenant ID ({tenant-id}). See How to generate the Sophos Linux Sensor package repository API token.
  - {LINUX_REPO_API_KEY} is a short string that starts with "SLS-".
  - {tenant-id} is a string in the following format: 1a2345b6-78c9-012d-ef34-5a6b789c0de1
Finding your MCS URL
To find your Sophos Central MCS URL, do as follows:
- Sign in to Sophos Central.
- Click your account name, and then click Support settings.
- Look for the line that starts with "This account is located in" to find out what geographical region your Sophos Central account is in.
- Use the following table to find your MCS URL based on your region:
  Region                      MCS URL
  United States (Oregon)      mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
  United States (Ohio)        mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
  Ireland                     mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
  Germany                     mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
  Canada                      mcs2.stn100yul.ctr.sophos.com
  Australia                   mcs2.stn100syd.ctr.sophos.com
  Asia Pacific (Tokyo)        mcs2.stn100hnd.ctr.sophos.com
  South America (Sao Paulo)   mcs2.stn100gru.ctr.sophos.com
  If you don't see any of the regions listed in the table in your Sophos Central UI, use mcs2.stn100bom.ctr.sophos.com as your MCS URL.
RPM/DEB package configuration
To configure the sensor to send alert data to Sophos Central, you must add an alert_output configuration to /etc/sophos/runtimedetections.yaml. Do as follows:
- Open /etc/sophos/runtimedetections.yaml in a text editor.
- Add the following lines, replacing {MCS_URL} with your Sophos Central MCS URL and {LINUX_REPO_API_KEY} with your SLS package repository token:
alert_output:
  outputs:
    - type: mcs
      enabled: true
      url: "{MCS_URL}"
      api_key: "{LINUX_REPO_API_KEY}"
- Save the changes and exit.
- Restart the sensor. Enter the following command:
systemctl restart sophoslinuxsensor
Here's an example configuration file:
Note
The customer_id and api_key values are redacted.
# This configuration sends alert data to both stdout and Sophos Central.
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "########-####-####-####-############"
alert_output:
  outputs:
    - type: stdout
      enabled: true
      template: 'Alert triggered: {{ .StrategyName}}'
    - type: mcs
      enabled: true
      url: "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      api_key: "SLS-########"
Configure container images
When running SLS as a container image, you must also include in /etc/sophos/runtimedetections.yaml a reference to the certificate files used when connecting to Sophos Central, so that SLS can find the files when the container starts.
Add the following lines to /etc/sophos/runtimedetections.yaml:
mcs_certs: ["/etc/sophos-certs/sophosca1.crt","/etc/sophos-certs/sophosca2.crt"]
certificate_revocation_list: ["/etc/sophos-certs/sophosca1.crl","/etc/sophos-certs/sophosca2.crl"]
Tip
We recommend including more than one pair of .crl and .crt files so that SLS can fail over if MCS communication is blocked. You can add as many as you have available in the /etc/sophos-certs directory.
Here's an example configuration file:
Note
The customer_id and api_key values are redacted.
# This configuration sends alert data to stdout and Sophos Central and references both sophosca1 and sophosca2 .crt and .crl files.
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "########-####-####-####-############"
alert_output:
  outputs:
    - type: stdout
      enabled: true
      template: 'Alert triggered: {{ .StrategyName}}'
    - type: mcs
      enabled: true
      url: "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      api_key: "SLS-########"
mcs_certs: ["/etc/sophos-certs/sophosca1.crt","/etc/sophos-certs/sophosca2.crt"]
certificate_revocation_list: ["/etc/sophos-certs/sophosca1.crl","/etc/sophos-certs/sophosca2.crl"]
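The RPM/DEB steps above and the container certificate references share a few checks that are easy to get wrong before the restart: the MCS URL must start with "https://", the api_key must be the "SLS-" repository token, the tenant ID has a fixed 8-4-4-4-12 shape, and every .crt listed for a container image needs a matching .crl (with more than one pair so fail-over works). The following pre-flight script is an added example, not Sophos code and not part of this page: it reads a runtimedetections.yaml in the flat layout shown above with a small line-based reader (an assumption; it is not a YAML parser), reports what fails, and only then restarts the sensor. It assumes customer_id holds the Sophos Central tenant ID; the sample configuration and the api_key value in it are constructed placeholders.

```python
import os
import re
import subprocess
import sys

# Constructed sample in the layout this page shows; the api_key value is a placeholder.
SAMPLE_CONFIG = """\
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
customer_id: "1a2345b6-78c9-012d-ef34-5a6b789c0de1"
alert_output:
  outputs:
    - type: stdout
      enabled: true
      template: 'Alert triggered: {{ .StrategyName}}'
    - type: mcs
      enabled: true
      url: "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      api_key: "SLS-EXAMPLEKEY"
mcs_certs: ["/etc/sophos-certs/sophosca1.crt","/etc/sophos-certs/sophosca2.crt"]
certificate_revocation_list: ["/etc/sophos-certs/sophosca1.crl","/etc/sophos-certs/sophosca2.crl"]
"""

LIST_RE = re.compile(r'^(?P<key>[A-Za-z_]+):\s*\[(?P<items>.*)\]$')
SCALAR_RE = re.compile(r'^(?P<key>[A-Za-z_]+):\s*(?P<value>.+)$')
# Tenant ID shape given on this page: 8-4-4-4-12 hex groups.
TENANT_ID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$')


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
        return value[1:-1]
    return value


def extract_settings(text):
    """Flatten the keys this page's config uses into a dict.

    Assumption: a line-based reader for the flat layout shown above, not a YAML
    parser. A key that repeats (type:, enabled: in the outputs list) keeps its
    last value; url and api_key appear only under the mcs output, so they are safe.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('- '):  # list item such as "- type: mcs"
            line = line[2:].strip()
        m = LIST_RE.match(line)
        if m:
            found[m.group('key')] = [_unquote(i) for i in m.group('items').split(',') if i.strip()]
            continue
        m = SCALAR_RE.match(line)
        if m:
            found[m.group('key')] = _unquote(m.group('value'))
    return found


def validate_settings(cfg, container=False, file_exists=os.path.exists):
    """Return the problems found (an empty list means the checks on this page pass).

    file_exists is injectable so the certificate-file check can run against
    constructed data; a real run uses os.path.exists.
    """
    problems = []
    if not cfg.get('url', '').startswith('https://'):
        problems.append('url must start with https://')
    if not cfg.get('api_key', '').startswith('SLS-'):
        problems.append('api_key must be the SLS package repository token, which starts with SLS-')
    # Assumption: customer_id carries the Sophos Central tenant ID.
    if not TENANT_ID_RE.match(cfg.get('customer_id', '')):
        problems.append('customer_id is not in the 8-4-4-4-12 tenant ID format')
    if container:
        certs = cfg.get('mcs_certs', [])
        crls = cfg.get('certificate_revocation_list', [])
        if not certs or not crls:
            problems.append('container images must list mcs_certs and certificate_revocation_list')
        # Pair each .crt with its .crl by base name: a CA with only one half cannot serve fail-over.
        crt_names = {os.path.splitext(os.path.basename(p))[0] for p in certs}
        crl_names = {os.path.splitext(os.path.basename(p))[0] for p in crls}
        for name in sorted(crt_names ^ crl_names):
            problems.append(f'{name} has a .crt or a .crl but not both')
        if len(crt_names & crl_names) < 2:
            problems.append('fewer than two .crt/.crl pairs: no fail-over if one MCS path is blocked')
        for path in list(certs) + list(crls):
            if not file_exists(path):
                problems.append(f'{path} not found')
    return problems


def check_and_restart(path='/etc/sophos/runtimedetections.yaml', container=False, restart=True):
    """Validate the real file; restart the sensor only when every check passes."""
    with open(path, encoding='utf-8') as fh:
        problems = validate_settings(extract_settings(fh.read()), container=container)
    for problem in problems:
        print('problem:', problem)
    if problems:
        return False
    if restart:
        subprocess.run(['systemctl', 'restart', 'sophoslinuxsensor'], check=True)
    return True


if __name__ == '__main__':
    sys.exit(0 if check_and_restart(container='--container' in sys.argv) else 1)
```

Run it as root on the sensor host after editing the file (add --container for a container deployment); it refuses to restart the sensor while any check fails, so a typo in the token or a certificate listed without its revocation list is caught before the sensor comes back up with a broken MCS output.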
Test the alert output
After you configure and restart your sensor, we recommend you create a test alert to check that SLS is working and sending alerts to Sophos Central. Do as follows:
Note
These commands work on installations where SLS is deployed as a host process. If SLS is running as a container image, see the following for testing alerts:
- Docker: Confirm Sensor Functionality.
- Kubernetes: Confirm Sensor functionality.
- Run the following command to trigger the Test Alert policy:
sophoslinuxsensor -test-alert
You should see the following alert on your Linux device:
$ May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester
- Sign in to Sophos Central.
- Go to Threat Analysis Center > Detections to see the detection.
Note
The detection can take up to 20 minutes to appear in Sophos Central.