Sophos Central offers a unified console for managing Sophos products and lets you administer security settings across networks, endpoints, and clouds. Panther can collect, normalize, and analyze event and alert data from Sophos to help you identify suspicious activity in real-time. Your normalized data is then retained to power future security investigations in a serverless data lake powered by the cloud-native data platform, Snowflake.
Use Cases for Sophos Logs
Panther supports Sophos Central logs, which capture event and alert details from Sophos. Common SIEM use cases for monitoring these log types include:
- Alerts for malware, ransomware, exploit, virus, and PUA detection
- Notifications for blocked network or web traffic, such as known malicious or spam websites
- Notifications for endpoint policy violations and data loss prevention events
Onboarding Sophos with Panther
Panther supports ingesting Sophos logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS. To set up Sophos Central logs in Panther, choose Sophos from the list of log sources in the Panther console, configure your preferred data transport mechanism (AWS S3 or SQS), and then configure Sophos Central to push logs to that transport source.
For more details on onboarding Sophos logs or for supported log schema, you can view our Sophos documentation here.
Parsing, Normalizing, & Analyzing
As Panther ingests Sophos Central event and alert logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows security teams to write detections, identify anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and allows you to correlate data across all log sources - not just Sophos. You can use Panther’s various search tools - such as Data Explorer, Indicator Search, and Query Builder - to investigate your normalized logs for suspicious activity or vulnerabilities. For more on querying and searching normalized log data in Panther, check out our documentation on Investigations & Search.
Detection as Code
With Panther, your team won’t be confined to restrictive detection rules or proprietary languages as seen in most legacy SIEMs. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detection logic for your security team.
Panther generates alerts when your detection rules or policies for Sophos are triggered, and integrates with a variety of alert destinations so your security team can easily access and manage alerts. Alerts can also be forwarded to SOAR platforms for additional remediation options.
Alerts are grouped into five severity levels: Info, Low, Medium, High, and Critical. Security teams have the option to assign severity dynamically based on specific log event attributes.
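The following is an added example of what a detection-as-code rule with dynamic severity looks like in practice; it is illustrative code written for this page, not Panther's or Sophos's own rule. Panther calls `rule()`, `title()` and `severity()` with an event object that exposes `.get()`, which plain dicts also do, so the constructed sample events below stand in for parsed Sophos Central records. The field names (`type`, `severity`, `name`, `endpoint_id`, `source`) and the `Event::Endpoint::...` type strings follow the Sophos Central SIEM event format but are assumptions here, not taken from the page; the `evaluate()` helper is likewise added only to run the rule offline.

```python
# Added example: a Panther-style detection rule for Sophos Central events.
# Not Panther's or Sophos's own code. Field names and the Event::Endpoint::...
# type strings are assumptions based on the Sophos Central SIEM event format.

# Event types treated as detections (assumed Sophos Central SIEM type strings).
DETECTION_TYPES = {
    "Event::Endpoint::Threat::Detected",
    "Event::Endpoint::Threat::CleanedUp",
    "Event::Endpoint::Threat::CleanupFailed",
    "Event::Endpoint::Exploit::Prevented",
}

# Sophos severity (lowercase low/medium/high) -> Panther severity level.
SEVERITY_MAP = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH"}

# Substrings in the threat name that mark a ransomware detection (assumed).
RANSOMWARE_MARKERS = ("ransom", "cryptoguard")


def rule(event):
    """Fire on malware/exploit detections only; housekeeping events such as
    update-success or scan-complete notifications do not alert."""
    return event.get("type") in DETECTION_TYPES


def title(event):
    """Alert title delivered to the configured destination."""
    endpoint = event.get("endpoint_id") or "<unknown endpoint>"
    name = event.get("name") or "unnamed threat"
    return f"Sophos detection on {endpoint}: {name}"


def severity(event):
    """Dynamic severity from event attributes: a failed cleanup or a
    ransomware detection escalates to CRITICAL regardless of the severity
    Sophos itself assigned; an already cleaned-up threat is kept as INFO."""
    event_type = event.get("type")
    name = (event.get("name") or "").lower()
    if event_type == "Event::Endpoint::Threat::CleanupFailed":
        return "CRITICAL"
    if any(marker in name for marker in RANSOMWARE_MARKERS):
        return "CRITICAL"
    if event_type == "Event::Endpoint::Threat::CleanedUp":
        return "INFO"
    return SEVERITY_MAP.get((event.get("severity") or "").lower(), "MEDIUM")


def evaluate(event):
    """Mimic the engine: no alert unless rule() is true.
    Returns None, or a (severity, title) tuple for the alert."""
    if not rule(event):
        return None
    return severity(event), title(event)


# Constructed sample events in the shape of Sophos Central SIEM output;
# every value below is invented for this example.
SAMPLE_EVENTS = [
    {"type": "Event::Endpoint::Threat::Detected", "severity": "high",
     "name": "Troj/Agent-XYZ", "endpoint_id": "ep-0001", "source": "alice"},
    {"type": "Event::Endpoint::Threat::CleanupFailed", "severity": "medium",
     "name": "Mal/Generic-S", "endpoint_id": "ep-0002", "source": "bob"},
    {"type": "Event::Endpoint::Threat::Detected", "severity": "low",
     "name": "Troj/Ransom-ABC", "endpoint_id": "ep-0003", "source": "carol"},
    {"type": "Event::Endpoint::Threat::CleanedUp", "severity": "high",
     "name": "Troj/Agent-XYZ", "endpoint_id": "ep-0001", "source": "alice"},
    {"type": "Event::Endpoint::UpdateSuccess", "severity": "low",
     "name": "Update succeeded", "endpoint_id": "ep-0004", "source": "dave"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["type"], "->", evaluate(ev))
```

Note that the low-severity ransomware event and the medium-severity failed cleanup both escalate to CRITICAL, while the high-severity event that Sophos already cleaned up drops to INFO: the point of dynamic severity is that the alert level reflects what still needs a human, not the label the source attached.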
If you have any questions about configuring or monitoring Sophos logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can view our detailed documentation on configuring and monitoring Sophos logs here, or customers can join the Panther Community to share best practices or custom detections for monitoring Sophos.
The Ideal SIEM Integration for Sophos
With Panther, you don’t have to accept limitations with SIEM detections, waste time and effort on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud app data.
Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, practical, and scalable SIEM platform for Sophos, request a demo today.