Sophos Connector

Configuration of Sophos Firewall Connector.

  1. Under the connector, go to Ingestion.
  2. Select Sophos Firewall Connector and click Configure.
  3. Set Enable Sophos Firewall Events? to Yes.
  4. Provide the hostname and serial number of the firewall.
  5. Select Validate and Save.
  6. You will receive a token. Copy and save it; the token is required when setting up the ES agent.
  • Sophos Firewall Connector System Requirements
  1. Linux or Mac machine with a static IP address allocation.
  2. Assign RAM: 4 GB or more, CPU: 2 vCPUs or more, Disk: 100 GB or more.
  3. curl installed.
  • Sophos ES Agent Installation

The Fleet URL changes according to the tenant present on the stack. The dev team will provide this information.

  1. On the prepared Linux or Mac machine, install the ES agent.
  2. Replace <Token> with the actual token you saved during connector configuration.
  3. Then run the following commands to install (the first line opens a root shell; the remaining commands are typed into it):

    sudo bash
    mkdir Sophos_es_agent
    cd Sophos_es_agent
    # Download and unpack the Elastic Agent release used by the connector
    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.17.9-linux-x86_64.tar.gz
    tar xzvf elastic-agent-8.17.9-linux-x86_64.tar.gz
    cd elastic-agent-8.17.9-linux-x86_64
    # Enroll the agent with Fleet. --insecure skips TLS certificate verification of the Fleet server;
    # replace <Token> with the enrollment token saved in the previous step.
    sudo ./elastic-agent install --url=https://elk-next-fleet-1.seqrite.com:443 --insecure --enrollment-token=<Token>
  • Sophos ES Firewall Configuration
  1. Confirm that the Sophos ES agent is up and running.

  2. In the Sophos Firewall web interface, go to System Services > Log Settings. Under Syslog Server, select Add. Set the event collector machine IP and UDP port 1514 as the target for syslog log forwarding.


  3. Select Save. Then, in Log Settings, right-click All and select Apply.


  4. Click Apply.

  5. After performing all the above steps, alerts will begin to appear in the XDR portal automatically, which indicates a successful configuration.
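
The following script is an added example, not part of this page or of Sophos or Elastic tooling. It checks the collector host against the system requirements listed above (4 GB RAM, 2 vCPUs, 100 GB disk, curl) and, after the firewall has been pointed at the collector, confirms the agent is healthy and that something is actually bound on UDP port 1514. It assumes a Linux host with /proc, nproc, GNU df and ss; the ss sample embedded in it is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added pre-flight and post-install checks for the Sophos Firewall connector host.
# Assumptions (not from the page): Linux with /proc, nproc, GNU df and ss available.

SYSLOG_PORT=1514   # the UDP port configured on the firewall's syslog server entry

# meets_requirements RAM_MB CPUS DISK_GB -> 0 if every minimum is met, 1 otherwise
meets_requirements() {
  ram_mb=$1; cpus=$2; disk_gb=$3; ok=0
  [ "$ram_mb" -ge 4096 ] || { echo "RAM ${ram_mb} MB is below the 4 GB minimum"; ok=1; }
  [ "$cpus" -ge 2 ]      || { echo "CPUs ${cpus} below the 2 vCPU minimum"; ok=1; }
  [ "$disk_gb" -ge 100 ] || { echo "Disk ${disk_gb} GB below the 100 GB minimum"; ok=1; }
  return $ok
}

# Read the live values from this host and evaluate them (run before installing the agent).
check_host() {
  command -v curl >/dev/null || { echo "curl is not installed"; return 1; }
  ram_mb=$(( $(awk '/MemTotal/ {print $2}' /proc/meminfo) / 1024 ))
  cpus=$(nproc)
  disk_gb=$(df -BG --output=avail / | tail -1 | tr -dc '0-9')
  meets_requirements "$ram_mb" "$cpus" "$disk_gb"
}

# udp_listener_present SS_OUTPUT PORT -> 0 if a socket in `ss -lun` output is bound on UDP PORT.
# Column 4 of `ss -lun` is "Local Address:Port", e.g. 0.0.0.0:1514 or [::]:1514.
udp_listener_present() {
  printf '%s\n' "$1" | awk -v p=":$2" '$4 ~ (p "$") {found=1} END {exit !found}'
}

# Run after enrollment and after the firewall syslog entry is saved: alerts cannot appear in the
# portal unless the agent is healthy and listening on the port the firewall sends to.
check_collector() {
  sudo elastic-agent status >/dev/null || { echo "elastic-agent is not healthy"; return 1; }
  udp_listener_present "$(ss -lun)" "$SYSLOG_PORT" \
    || { echo "nothing is listening on UDP $SYSLOG_PORT"; return 1; }
  echo "collector ready on UDP $SYSLOG_PORT"
}

# Constructed sample of `ss -lun` output, used to show how udp_listener_present is evaluated.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      0.0.0.0:1514         0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*'
```

Run `check_host` before step 1 of the agent installation and `check_collector` after saving the syslog server entry on the firewall; a non-zero exit from either names the failing requirement.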

  • Sophos ES Agent Uninstallation
  1. After deleting the Sophos Firewall connector configuration in the XDR portal, the ES agent must be completely uninstalled and removed from the Linux or macOS system.
  2. Run the following commands to uninstall and remove the ES agent (the first line opens a root shell; run the rm commands from the Sophos_es_agent directory created during installation):

    sudo bash
    elastic-agent uninstall
    # Remove the downloaded archive and the unpacked release directory
    rm -rf elastic-agent-8.17.9-linux-x86_64 elastic-agent-8.17.9-linux-x86_64.tar.gz
    # Remove the agent's installation, configuration, state and log directories
    sudo rm -rf /opt/Elastic/Agent
    sudo rm -rf /etc/elastic-agent
    sudo rm -rf /var/lib/elastic-agent
    sudo rm -rf /var/log/elastic-agent
    # Verify it's gone: neither command should report a running agent
    ps aux | grep elastic-agent
    sudo systemctl status elastic-agent