Wazuh can be integrated with almost any platform using several options. The integration can be done using Log Data Collection (from a file or via syslog) or from an API that allows Wazuh to collect log data. Either way, the purpose is to gather the most relevant information from the monitored system in order to identify security events using its internal analysis engine, with over 4000 rules specifically designed to detect user behavior, attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, system anomalies, security policy violations, among others. Currently, we have some rules for Sophos AV and Sophos FW, but I think we do not yet have an official integration with Sophos Central. However, Sophos Central has secured APIs available for customers that allow the retrieval of event and alert data, which can be used by other systems, like a SIEM. In this case, Wazuh could use this as an advantage for integration; of course it will be necessary to pull Sophos data using its API. I think it is possible to use JSON format, so this way additional decoders won't be needed, only custom ruleset coverage based on Sophos data. This is the same approach we used to integrate and pull log data from AWS and other cloud-based services, for example.
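To illustrate the approach described above, here is an added example (not Wazuh's or Sophos's own code): it takes items in the shape the Sophos Central SIEM API returns, flattens them into one JSON object per line so Wazuh's built-in JSON decoder can parse them without a custom decoder, and drops ids it has already forwarded so an overlapping poll does not raise duplicate alerts. The Sophos field names (`id`, `created_at`, `severity`, `type`, `location`, `source`, `name`) are assumptions about that API's event shape, and the sample events are constructed.

```python
import json

# Constructed sample items in the shape the Sophos Central SIEM events feed returns
# (field names are assumed; verify them against your tenant's actual output)
SAMPLE_EVENTS = [
    {"id": "evt-0001", "created_at": "2024-05-01T10:00:00.000Z", "severity": "high",
     "type": "Event::Endpoint::Threat::Detected", "location": "WS-FINANCE-07",
     "source": "jdoe", "name": "Malware detected: 'Troj/Agent-ABC' in C:\\Users\\jdoe\\bad.exe"},
    {"id": "evt-0002", "created_at": "2024-05-01T10:05:00.000Z", "severity": "low",
     "type": "Event::Endpoint::UpdateSuccess", "location": "WS-FINANCE-07",
     "source": "n/a", "name": "Update succeeded"},
]


def normalize(event):
    """Keep only stable fields, nest them under one key, and tag the product
    with a constant so custom rules can key on it (e.g. a rule matching
    integration == sophos_central and sophos.severity == high)."""
    return {
        "integration": "sophos_central",
        "sophos": {
            "id": event.get("id"),
            "timestamp": event.get("created_at"),
            "severity": (event.get("severity") or "unknown").lower(),
            "type": event.get("type"),
            "endpoint": event.get("location"),
            "user": event.get("source"),
            "description": event.get("name"),
        },
    }


def to_jsonl_lines(events, seen_ids):
    """Return one compact JSON line per event not yet forwarded; seen_ids is
    updated in place so a poller re-reading an overlapping window stays idempotent."""
    lines = []
    for event in events:
        eid = event.get("id")
        if eid in seen_ids:
            continue
        seen_ids.add(eid)
        lines.append(json.dumps(normalize(event), separators=(",", ":")))
    return lines


def append_jsonl(events, path, seen_ids):
    """Append new events to the file that Wazuh monitors in ossec.conf with
    <localfile><log_format>json</log_format><location>PATH</location></localfile>."""
    lines = to_jsonl_lines(events, seen_ids)
    with open(path, "a", encoding="utf-8") as fh:
        fh.writelines(line + "\n" for line in lines)
    return len(lines)


if __name__ == "__main__":
    # Hypothetical output path; point <location> in ossec.conf at the same file.
    print(append_jsonl(SAMPLE_EVENTS, "/var/ossec/logs/sophos_central.json", set()))
```

The fetch from the API itself (authentication, paging cursor) is left out; this block covers only the normalization step that lets the stock JSON decoder do the parsing.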