TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Sophos XG Firewall Logs | ✅ | ✅ | ✅ | | sophos_xg_firewall_logs | Key Value | S3 |
Overview
Sophos is a leading British-based cybersecurity company, founded in 1985, that provides comprehensive, AI-native security solutions to over 500,000 organizations and millions of users in more than 150 countries. It specializes in protecting endpoints, networks, and cloud environments, offering a wide portfolio that includes Intercept X endpoint protection, firewalls, and Managed Detection and Response (MDR) services. Known for its adaptive AI technology, Sophos defends against advanced threats such as ransomware, malware, and phishing by combining human expertise with automated, real-time threat intelligence.
Supported data types
Sophos XG Firewall Logs
Overview:
Sophos XG/XGS Firewall logs provide comprehensive visibility into network activity, system events, and security protection, offering detailed data on traffic sources, destinations, matching rules, and user activity via the Log Viewer or exported to Sophos Central or syslog servers. These logs are categorized into event logs (for daily monitoring) and troubleshooting logs (detailed logs such as ips.log or awarrenhttp.log for debugging), with options to filter by module, feature, or severity levels. The firewall supports data anonymization, log suppression to reduce noise, and automatic log rotation to manage local disk space in the /var partition.
Table name: sophos_xg_firewall_logs
Send data to Hunters
Hunters supports the ingestion of Sophos XG Firewall Logs via an intermediary AWS S3 bucket.
To connect Sophos XG Firewall Logs:
Export your logs from the Sophos XG Firewall to an AWS S3 bucket.
Once the export is complete and the logs are collected in S3, follow the steps in this section.
Expected format
Logs are expected in Key Value format, one record per line, with a syslog priority prefix (`<30>` below):

```text
<30>device_name="XXX" timestamp="2020-01-01T12:00:00+0000" device_model="MODEL_X" device_serial_id="SN123456" log_id="LOG123456" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" duration=12 fw_rule_id="96" fw_rule_name="INTERNAL_RULE" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" ether_type="Unknown (0x0000)" in_interface="Port5" out_interface="Port1" src_mac="00:00:00:00:00:00" dst_mac="00:00:00:00:00:00" src_ip="10.0.0.1" src_country="XX" dst_ip="10.0.0.2" dst_country="XX" protocol="TCP" src_port=123 dst_port=1234 packets_sent=5 packets_received=4 bytes_sent=358 bytes_received=293 src_zone_type="LAN" src_zone="LAN" dst_zone_type="LAN" dst_zone="LAN" con_event="Stop" con_id="CID99999" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port5" out_display_interface="Port1" log_occurrence="1"
```
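As an added illustration (not Hunters' or Sophos' code), the following parser handles the key=value shape shown above: it decodes the syslog `<PRI>` prefix into facility and severity, keeps quoted values that contain spaces or parentheses (such as `ether_type="Unknown (0x0000)"`) intact, converts bare numeric tokens to integers, and rejects a line that does not follow the format. The sample record is constructed from the format above and is not a real device log.

```python
import re

# Constructed sample in the Sophos XG key=value format (trimmed; not a real device record).
SAMPLE = ('<30>device_name="XXX" timestamp="2020-01-01T12:00:00+0000" log_type="Firewall" '
          'log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" '
          'duration=12 fw_rule_id="96" fw_rule_name="INTERNAL_RULE" ether_type="Unknown (0x0000)" '
          'src_ip="10.0.0.1" dst_ip="10.0.0.2" protocol="TCP" src_port=123 dst_port=1234 '
          'bytes_sent=358 bytes_received=293 con_event="Stop"')

# One pair: key, '=', then either a double-quoted string (backslash escapes allowed)
# or a bare token running to the next whitespace.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_PRI = re.compile(r'^<(\d{1,3})>')  # RFC 3164/5424 style priority prefix


def parse_sophos_xg(line: str) -> dict:
    """Parse one Sophos XG key=value syslog line into a dict.

    The <PRI> prefix, when present, is decoded into 'syslog_facility' and
    'syslog_severity' (PRI = facility * 8 + severity). Pairs are consumed
    left to right from a tracked offset, so an '=' inside a quoted value is
    never mistaken for a new key. A ValueError names the offset of the first
    token that is not a key=value pair, so a bad line is dropped, not half-read.
    """
    record = {}
    m = _PRI.match(line)
    if m:
        pri = int(m.group(1))
        record["syslog_facility"] = pri // 8   # <30> -> 3 (daemon)
        record["syslog_severity"] = pri % 8    # <30> -> 6 (informational)
        line = line[m.end():]
    pos, end = 0, len(line)
    while pos < end:
        if line[pos].isspace():
            pos += 1
            continue
        m = _PAIR.match(line, pos)
        if not m:
            raise ValueError(f"not a key=value pair at offset {pos}: {line[pos:pos + 20]!r}")
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"')   # strip quotes, unescape \"
        else:
            try:
                value = int(raw)                    # bare tokens are numeric here (duration=12)
            except ValueError:
                value = raw
        record[key] = value
        pos = m.end()
    return record
```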