Exporting Alerts to Google Cloud Pub/Sub
Introduction
Google Cloud Pub/Sub is an asynchronous messaging service that decouples services that produce events from services that process events. See Pub/Sub.
You can use Pub/Sub as messaging-oriented middleware or event ingestion and delivery for streaming analytics pipelines.
Setting up pub/sub to receive alerts
Log in to the Pub/Sub project and create a topic to receive the alerts, as follows:
- Click CREATE TOPIC and enter the topic ID. This ID is used later in the sensor setup.
- The checkboxes can be left unchecked when creating the topic.
Setting up Sophos Linux Sensor to send the alerts to pub/sub
The following example output requires an existing Pub/Sub project and topic. It also requires a service account with the pubsub.topics.publish permission.
# Send alerts to the alert topic in the sophos Pub/Sub project, using a credentials file
alert_output:
  outputs:
    - type: pubsub
      enabled: true
      project_name: sophos
      topic_id: alert
      credentials_json: /home/ubuntu/.gcp/credentials.json
Alternatively, GOOGLE_APPLICATION_CREDENTIALS can be set to point to the credentials.json, and then credentials_json can be omitted:
# Send alerts to the alert topic in the sophos Pub/Sub project, with credentials
# taken from GOOGLE_APPLICATION_CREDENTIALS
alert_output:
  outputs:
    - type: pubsub
      enabled: true
      project_name: sophos
      topic_id: alert
Optionally, with some additional permissions, you can also turn on the option to check that the topic and project are valid at start-up:
alert_output:
  outputs:
    - type: pubsub
      enabled: true
      project_name: sophos
      topic_id: alert
      validate_topic: true
The additional permissions are:
- pubsub.schemas.get
- pubsub.schemas.list
- pubsub.snapshots.get
- pubsub.snapshots.list
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- pubsub.topics.get
- pubsub.topics.list
- resourcemanager.projects.get
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
Key | Required | Description |
---|---|---|
project_name | Yes | The ID of the GCP project in which Pub/Sub is set up |
topic_id | Yes | The topic ID that was created in the Pub/Sub setup |
credentials_json | No | The path to the GCP profile credentials file. You can alternatively set the GOOGLE_APPLICATION_CREDENTIALS environment variable. |
validate_topic | No | When set to true, validates the topic and project at startup. Note that it requires the extra pubsub.Viewer permission to work. |
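
A pre-flight check for the pubsub output entry described above, as an added example that is not part of the Sophos documentation or product: it checks the required keys from the table, resolves the credentials path, and flags a service account key file that other local users can read. Assumptions: the entry is passed as an already-parsed dict, credentials_json takes precedence over GOOGLE_APPLICATION_CREDENTIALS, and the names preflight and demo are hypothetical.

```python
import json
import os
import stat
import tempfile

REQUIRED_KEYS = ("project_name", "topic_id")  # rows marked Required in the key table


def preflight(output, env=None):
    """Return a list of problems found in one parsed `pubsub` output entry."""
    env = os.environ if env is None else env
    problems = [f"missing required key: {k}" for k in REQUIRED_KEYS if not output.get(k)]
    # Assumption: credentials_json wins; otherwise fall back to the environment variable.
    path = output.get("credentials_json") or env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return problems + ["no credentials_json and GOOGLE_APPLICATION_CREDENTIALS is unset"]
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"cannot read credentials file {path}: {exc}"]
    if mode & 0o077:  # any group/other permission bit exposes the private key
        problems.append(f"{path} has mode {mode:o}; restrict it to the owner (0600)")
    if not isinstance(key, dict) or key.get("type") != "service_account":
        problems.append(f"{path} is not a service account key file")
    return problems


def demo():
    """Check a constructed key file twice: world-readable, then owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.json")
        with open(path, "w", encoding="utf-8") as fh:  # constructed sample, not a real key
            json.dump({"type": "service_account", "client_email": "sls@example.invalid"}, fh)
        output = {"type": "pubsub", "enabled": True, "project_name": "sophos",
                  "topic_id": "alert", "credentials_json": path}
        os.chmod(path, 0o644)
        loose = preflight(output, env={})
        os.chmod(path, 0o600)
        tight = preflight(output, env={})
    return loose, tight


if __name__ == "__main__":
    for label, found in zip(("mode 0644", "mode 0600"), demo()):
        print(label, "->", found or "ok")
```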