Sophos Central Integration with Wazuh


John Carry

Dec 28, 2022, 11:55:31 AM12/28/22
to Wazuh mailing list
Hello Wazuh Team,
Currently I am planning to integrate Sophos Central, which is SaaS based, with our Wazuh SIEM. The method provided by Sophos is through their API with a valid API token for authentication. You may refer to the links below as reference:


I am able to successfully bring/fetch/query logs from Sophos Central using the API, but the logs exist under the default/custom directory configured by Sophos itself. I have tested archives.json by enabling logall_json but no logs were observed there.

Further, the format of the logs fetched through the script using the API, present on the Wazuh server, is shown below. You are requested to confirm whether these are in JSON format:


{"source_info": {"ip": "192.168.x.x"}, "customer_id": "xxxxxx-9768-4a05-a814-xxxxxx", "severity": "low", "endpoint_id": "xxxxxx-4875-9941-xxxx", "endpoint_type": "computer", "type": "Event::Endpoint::WebControlViolation", "id": "xxxxxxx-f1b4f6e8e83e", "group": "WEB", "name": "'https://152.199.21.89/' blocked due to category 'Advertisements & Pop-Ups'", "datastream": "event", "rt": "2022-12-28T16:11:59.718Z", "duid": "6230964b819ce910d7ac5100", "end": "2022-12-28T16:11:59.718Z", "suser": "XXXXX", "dhost": "xxx"}

{"source_info": {"ip": "192.168.x.x"}, "customer_id": "xxxxxx-9768-4a05-a814-xxxxxx", "severity": "low", "endpoint_id": "xxxxxx-4875-9941-xxxx", "endpoint_type": "computer", "type": "Event::Endpoint::WebControlViolation", "id": "xxxxxxx-f1b4f6e8e83e", "group": "WEB", "name": "'https://69.173.144.140/' blocked due to category 'Advertisements & Pop-Ups'", "datastream": "event", "rt": "2022-12-28T16:11:59.729Z", "duid": "6230964b819ce910d7ac5100", "end": "2022-12-28T16:11:59.729Z", "suser": "XXXXX", "dhost": "xxx"}

{"source_info": {"ip": "192.168.x.x"}, "customer_id": "xxxxxx-9768-4a05-a814-xxxxxx", "severity": "low", "endpoint_id": "xxxxxx-4875-9941-xxxx", "endpoint_type": "computer", "type": "Event::Endpoint::WebControlViolation", "id": "xxxxxxx-f1b4f6e8e83e", "group": "WEB", "name": "'https://185.86.139.96/' blocked due to category 'Advertisements & Pop-Ups'", "datastream": "event", "rt": "2022-12-28T16:11:59.739Z", "duid": "6230964b819ce910d7ac5100", "end": "2022-12-28T16:11:59.739Z", "suser": "XXXXX", "dhost": "xxx"}

Required Help from your end:
1) Please help me with how to enable Wazuh to read/access/process these logs, which are already available on the Wazuh server but at a custom location (the default from the Sophos script), so that Wazuh can start processing them and creating alerts.

2) Are there any decoders and rules available to process these logs, and are they in a JSON-based format?

3) What else would you recommend to successfully onboard Sophos Central to Wazuh?

Your kind support would be highly appreciated.

Regards,
John

Juan Nicolás Asselle (Nico Asselle)

Dec 28, 2022, 2:42:12 PM12/28/22
to Wazuh mailing list
Hi John,

As far as I understood, you have already solved the log retrieval mechanism with a script that queries the Sophos Central API and saves the logs to a file in a custom location. This is happening on the same host where a Wazuh Agent or Wazuh Manager resides. Am I right?
In this case, we are really close to the end of the trip. The SIEM script already solves some problems, like avoiding duplicates, storing the last log retrieved, and complex queries. The only thing is that we must execute it every 12 hours at most (24 after the first, but 12 hours is common for every execution).
I suggest the following approach:
- Use a "command" wodle to execute the SIEM script with a custom frequency (1 hour maybe?). Reference: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-command.html
- Use wazuh-logcollector to pick up the results.txt file (the SIEM script's default filename in config.ini, apparently appended to on each execution) and process it (send it to the manager if you are on an agent, or to the analysis engine if you are on the manager). Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html. The out_format option could be helpful to identify the logs in the analysis step.
- Create rules (because the JSON decoder will automatically identify and parse them accordingly) that allow you to create alerts according to your requirements

As I said, this is one option of many. Please let me know if this information was useful.

Regards,
Nico
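A starting ruleset in the spirit of Nico's third bullet, added here as an example and not code from the thread or from the Wazuh project. It is written against the JSON fields visible in John's sample events (datastream, type, name, severity, suser, dhost, duid); the rule IDs, levels and group names are assumptions, and the file goes in /var/ossec/etc/rules/local_rules.xml on the manager:

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (example; rule IDs 100100 to 100103 are arbitrary custom IDs) -->
<group name="sophos,sophos_central,">

  <!-- Base rule: any event the JSON decoder parsed whose "type" field starts with Event::Endpoint::
       Level 3 gets it into alerts.json while staying below the default notification threshold. -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="datastream">^event$</field>
    <field name="type">^Event::Endpoint::</field>
    <description>Sophos Central endpoint event: $(type)</description>
  </rule>

  <!-- Web control violations, the event type in the sample lines (a URL blocked because of its category). -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="type">^Event::Endpoint::WebControlViolation$</field>
    <description>Sophos Central web control: $(name) (user $(suser), host $(dhost))</description>
    <group>web,</group>
  </rule>

  <!-- Anything Sophos itself marks high severity, whatever the event type.
       Sibling child rules are tried from the highest level down, so this one wins when both match. -->
  <rule id="100102" level="10">
    <if_sid>100100</if_sid>
    <field name="severity">^high$</field>
    <description>Sophos Central high-severity event: $(type), $(name) on $(dhost)</description>
  </rule>

  <!-- Noise control: many web control blocks from the same device (duid) in five minutes
       are collapsed into one higher-level alert instead of a flood of level-5 alerts. -->
  <rule id="100103" level="8" frequency="10" timeframe="300">
    <if_matched_sid>100101</if_matched_sid>
    <same_field>duid</same_field>
    <description>Sophos Central: repeated web control blocks on the same device within 5 minutes</description>
  </rule>
</group>
```

Before restarting wazuh-manager, paste one of the sample JSON lines into /var/ossec/bin/wazuh-logtest: the output should show the json decoder populating the fields and rule 100101 firing; if only the base rule fires, the field names in the rule do not match what the decoder produced (for nested keys such as source_info.ip the decoder flattens them with a dot).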

John Carry

Dec 29, 2022, 9:02:22 AM12/29/22
to Wazuh mailing list
Hello Wazuh/Nico,
First let me answer your question in order to have clarity:

Referencing your question:
As far as I understood, you have already solved the log retrieval mechanism with a script that queries the Sophos Central API and saves the logs to a file in a custom location. This is happening on the same host where a Wazuh Agent or Wazuh Manager resides. Am I right?
Answer: Yes, you are right, the result.txt file is on the same host, i.e. the Wazuh Manager.

Further, I have followed both of your recommendations regarding the wodle and picking up the results.txt file, but I am observing no success because the siem.py script didn't run and no results were fetched into archives.json. However, I am observing a few errors in ossec.conf, which are pasted below. You are requested to correct me where I am making a mistake:

Wodle Config:
Please note that the main script siem.py has already been made executable with the command chmod +x.
wodle.png
Local File:
local file.png
Script and Output File at Wazuh-Server END:
The config.png
Error Reported in Ossec.conf:
Note: Please disregard the "No such file" error for result.txt.

Erros.png

Regards,
John

John Carry

Dec 30, 2022, 12:19:08 AM12/30/22
to Wazuh mailing list
Hello Wazuh/Nico,
Looking forward to your response.

Regards,
John

John Carry

Dec 30, 2022, 6:27:42 AM12/30/22
to Wazuh mailing list
Hello Wazuh/Nico,
Further, after enabling verbose mode in local_internal_options.conf by setting wazuh_modules.debug=2, I have observed the output shown below. You are requested to help me out.

2.PNG
1.PNG

Regards,
John

Kevin Branch

Dec 30, 2022, 10:05:04 PM12/30/22
to Wazuh mailing list
I see in the log that your Sophos_Integration script call returns an exit code of 1, which is what siem.py returns if it fails.  When you run siem.py manually, what output does it produce to the screen, and does it put real records into result.txt?  If it is writing records to result.txt, do you see signs of them being written to archives.json by Wazuh manager?

Kevin

John Carry

Dec 31, 2022, 11:50:37 AM12/31/22
to Wazuh mailing list
Hello Kevin,
Thanks for responding, let me answer your questions one by one:
Note: The problem I have already reported to Nico is that, as per my investigation, the wodle part is having some problem (screenshot/config already shared earlier). Basically the main problem is that I am unable to schedule the script siem.py in order to fetch Sophos alerts periodically. You are requested to consider my case on priority and help me out with it.


1) When you run siem.py manually, what output does it produce to the screen?
Answer: The script runs normally, as it gives output on screen (screenshot pasted below).
siempy.png
2) Does it put real records into result.txt?
Answer: Yes, the actual Sophos events were fetched and found in result.txt.
reulttxt.png
3) Do you see signs of them being written to archives.json by Wazuh manager?
Answer: After enabling logall_json, the content of result.txt was displayed inside archives.json.
archives.png
Looking forward to your help; please give it priority.

Regards,
John

Kevin Branch

Dec 31, 2022, 9:29:57 PM12/31/22
to Wazuh mailing list
Hi John,

I have been doing Wazuh ingestion of Sophos Central logs for multiple clients for quite some time.  It is quite feasible to do.  Personally, I drive the recurring call to siem.py via cron, using an /etc/cron.d/pull-sophos file containing this:

*/5 * * * * root cd /Sophos-Central-SIEM-Integration; ./siem.py &> /var/log/pull-sophos.log

However a Wazuh command wodle would actually be a more integrated way to approach this.  Why is this failing for you?  I suspect that you need to include the name of the python interpreter in the <command> section to get that siem.py script actually executed.  Try changing it to something like this:

<command>/usr/bin/python3 /Sophos-Central-SIEM-Integration/siem.py</command>

Once you get the Wazuh command wodle working, or pivot to a cron approach, the next step is to get Wazuh to analyze the incoming Sophos Central log events so you get alerts, not just archives about them.  I don't believe the standard Wazuh ruleset has any coverage for Sophos Central logs, which is why we built the following custom ruleset for our own needs.  You are welcome to use it as well.  Adapt it to suit your specific purposes.

https://github.com/branchnetconsulting/wazuh-tools/blob/master/sophos-central-wazuh-rules.xml

If you improve on it, please share your enhancements back for the benefit of the rest of us.

Kevin

John Carry

Jan 1, 2023, 1:06:45 AM1/1/23
to Wazuh mailing list
Hello Kevin,
Thanks a lot for your help, I really appreciate it. However, I have made the changes in the wodle but the issue is still the same; I am facing the same error inside ossec.conf.
Could you please help me with correcting the wodle?
1.PNG
Regards,
John

Kevin Branch

Jan 1, 2023, 10:54:47 AM1/1/23
to Wazuh mailing list
You are welcome, John.  If I were you, my next diagnostic step would be to capture the full stdout/stderr output from the execution of that command line to hopefully get us some insight into why the command is failing.  How about this?

<command>/usr/bin/python3.6 /Sophos-Central-SIEM-Integration/siem.py &> /var/log/sophos-diag.log</command>

Then after it runs and errors next, let's see what hopefully shows up in /var/log/sophos-diag.log

Kevin

John Carry

Jan 1, 2023, 1:16:42 PM1/1/23
to Wazuh mailing list
Hello Kevin,
Unable to find the "sophos-diag.log" file after running your provided command section; I am still confused about what the actual issue is.
1.PNG
2.png

Kevin Branch

Jan 2, 2023, 7:09:25 PM1/2/23
to Wazuh mailing list
Sorry, John, it appears my latest response never actually reached the group.   Since I do not personally make much use of Wazuh command wodles, I will defer to juan.a...@wazuh.com on that topic.  I presume you could always use the crontab method I mentioned earlier to accomplish the same thing.
In case you have further questions related to the analysis of the Sophos Central logs that you are already successfully harvesting with Wazuh, I'll try to keep my eye on this thread in case I have something further to contribute.

Kevin

John Carry

Jan 4, 2023, 12:16:15 AM1/4/23
to Wazuh mailing list
Hello Kevin,
I really appreciate your help. Could you please confirm whether the Sophos-provided siem.py script will fetch all events, i.e. the alerts present at the Sophos Central end, or whether there is some filtering done at the script or Sophos end to transmit only selected events/alerts?

Are there any changes required at the script or Sophos Central end to query the unselected logs?

I would request you to share your professional knowledge on this.

Regards,
John 

Andrej Smirnov

Sep 26, 2023, 5:38:53 AM9/26/23
to Wazuh | Mailing List
Hello John!

I don't know if you have managed to get this to work, but since there is no solution written here and I have managed to get it to work, I will post how I did it.

As was mentioned here before, first you need to set up a new localfile path for the siem.py results to be collected by the log collector. In ossec.conf on the manager add:

<localfile>
<location><path_to_result.txt>result.txt</location>
<log_format>json</log_format>
</localfile>

Then I created a simple rule just to match the "blocked due to category" alerts from Sophos to get them logged into alerts.json.

Then you need to create a new wodle in ossec.conf to run siem.py. And here is the tricky part. If you just write <command>/bin/python3.7 <path_to_script>siem.py</command>, it will fail because there are dependent scripts that are used by siem.py. I assume this is why exit code 1 is generated.
So what I did is create a simple bash script with the following content:

#!/bin/bash
cd <path_to_siem.py> && /bin/python3.7 <path_to_siem.py>siem.py

Then just add "<command>/bin/bash <path_to_bash_script>script.sh</command>" to your wodle and that should work.

Hope this will be helpful for you.

Wednesday, January 4, 2023 at 07:16:15 UTC+2, John Carry:
Message has been deleted
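Putting Nico's, Kevin's and Andrej's pieces together, here is the manager-side ossec.conf fragment as an added example; it is not configuration from the thread or from the Wazuh project. It assumes the Sophos script checkout lives at /opt/Sophos-Central-SIEM-Integration, that siem.py writes its output to log/result.txt relative to its own directory (check the filename in your config.ini and adjust the path), and that Andrej's two-line wrapper is saved there as pull-sophos.sh. The command wodle runs its <command> directly rather than through a shell, which explains both failures in the thread: shell redirection such as `&>` inside <command> is not interpreted, so no diag file appears, and siem.py started from another working directory cannot find its config.ini, state/ and helper modules, hence exit code 1.

```xml
<!-- /var/ossec/etc/ossec.conf on the Wazuh manager (example fragment; all paths are assumptions) -->
<ossec_config>

  <!-- 1. Schedule the Sophos pull. The wrapper is Andrej's bash script: cd into the checkout,
          then run siem.py with an explicit interpreter, so the script finds its own files. -->
  <wodle name="command">
    <disabled>no</disabled>
    <tag>sophos-central-pull</tag>
    <command>/bin/bash /opt/Sophos-Central-SIEM-Integration/pull-sophos.sh</command>
    <interval>1h</interval>
    <!-- The script's stdout is not the log stream: result.txt is collected below, so
         forwarding the command output as events would only duplicate every record. -->
    <ignore_output>yes</ignore_output>
    <run_on_start>yes</run_on_start>
    <!-- 0 = no timeout; the first run backfills up to 24 hours and can take a while. -->
    <timeout>0</timeout>
  </wodle>

  <!-- 2. Collect what siem.py wrote. One JSON object per line, so log_format json applies and
          the JSON decoder populates the fields (type, severity, suser, dhost, ...) that rules use. -->
  <localfile>
    <log_format>json</log_format>
    <location>/opt/Sophos-Central-SIEM-Integration/log/result.txt</location>
  </localfile>

</ossec_config>
```

After restarting wazuh-manager, with wazuh_modules.debug=2 in local_internal_options.conf as John had it, /var/ossec/logs/ossec.log shows each wodle run and its exit code; a non-zero code there is reproduced by running the wrapper by hand as root (the user wazuh-modulesd runs as on a default install), which is the only place the script's own error text will be visible when the wodle invokes it. Because siem.py appends to result.txt on every run, pair the file with logrotate or the script's own file handling so logcollector does not keep re-reading a growing file after a manager restart.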

TheLotus 24

Apr 18, 2024, 10:25:47 AM4/18/24
to Wazuh | Mailing List
Could you give a somewhat detailed guide on how to configure the Wazuh server so that the Sophos logs reach it?
I am having problems running the siem.py script

Imagen de WhatsApp 2024-04-18 a las 03.55.01_ee6df69c.jpg
