Sophos UTM is a unified threat management platform designed to protect your businesses from known and emerging malware including viruses, rootkits and spyware. The solution provides a complete network security package with everything your organization needs in a single modular appliance. Capabilities include Web and Email Filtering, Network Protection, Network Routing and Services, Advanced Threat Protection, Authentication, Email Encryption and DLP, Web Policy and VPN.
Architecture
Sophos provides a syslog output to transmit logs to a SIEM. As outlined in the Sophos docs, there are several log categories available. The scope of this integration will be limited to dhcpd, http and packet filter, based on customer-supplied log samples.
This integration will provide an update to the current UTM integration and will replace the JavaScript processing in favor of ingest pipelines.
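As an added illustration (not code from this PR or from the integration itself), the following Python sketch shows the routing step an ingest pipeline has to perform for the three categories in scope: recognise the syslog header, pick the dataset, and parse the body. The program names, the key="value" body layout and the sample lines are constructed assumptions about the Sophos UTM format, not taken from this page.

```python
import re
from typing import Optional

# Log categories in scope for this PR, keyed by the syslog program name that emits them.
# The program names and the key="value" message body are assumptions about the
# Sophos UTM syslog format; they are not taken from the PR text.
DATASET_BY_PROGRAM = {"ulogd": "packetfilter", "httpproxy": "http", "dhcpd": "dhcpd"}

# RFC 3164 style header: "<month> <day> <time> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines, one per category in scope.
SAMPLE_LINES = [
    'Jan  5 12:34:56 fw1 ulogd[1234]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" '
    'srcip="203.0.113.7" dstip="192.0.2.10" proto="6" dstport="22"',
    'Jan  5 12:35:01 fw1 httpproxy[2222]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" '
    'srcip="192.0.2.55" url="http://example.com/" statuscode="200"',
    "Jan  5 12:35:09 fw1 dhcpd: DHCPACK on 192.0.2.55 to 00:11:22:33:44:55 via eth1",
]


def route_line(line: str) -> Optional[dict]:
    """Parse one syslog line and assign it to a dataset; None if unrecognised."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    dataset = DATASET_BY_PROGRAM.get(m["program"])
    if dataset is None:
        return None  # category outside the scope of this integration
    event = {"dataset": dataset, "host": m["host"], "timestamp": m["ts"], "fields": {}}
    if dataset == "dhcpd":
        # ISC dhcpd messages are free text; keep the message type as the action.
        event["fields"]["action"] = m["msg"].split(" ", 1)[0]
        event["fields"]["message"] = m["msg"]
    else:
        # http and packetfilter bodies are key="value" pairs.
        event["fields"] = dict(KV_RE.findall(m["msg"]))
        if "sub" in event["fields"] and event["fields"]["sub"] != dataset:
            return None  # program and sub disagree: do not misfile into another dataset
    return event


def route_all(lines):
    """Route a batch of lines, dropping anything that does not parse."""
    return [e for e in map(route_line, lines) if e is not None]
```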
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.