
Exporting alerts to Sophos Central

You can send Sophos Linux Sensor (SLS) alert data to Sophos Central.

Overview

When you send SLS alert data to Sophos Central, detection output is accessible in the Data Lake and the Threat Analysis Center. Within Live Discover, you can search for alerts in the Data Lake but not on the endpoint. See Live Discover.

Sending alert data to Sophos Central doesn't affect the Devices view or your license count. When a sensor sends an alert to Sophos Central, it provides detection details but won't consume a license. You also won't see your SLS devices in Server Protection.

This is an optional configuration. You can choose not to send data to Sophos Central and instead send SLS alert data to another destination.

Prerequisites

To send SLS alert data to Sophos Central, the sensor version must be 5.5.2.22 or later. This version adds the following four files to /etc/sophos:

sophosca1.crl
sophosca1.crt
sophosca2.crl
sophosca2.crt

These are the certificate files needed to communicate with and feed data to Sophos Central. They must remain in /etc/sophos.

Note

When you deploy SLS as a container image, the image includes the certificate files. You must configure a reference to these files in the runtimedetections.yaml file. See Configure container images.

In addition to the minimum sensor version, you must also have the following:

Finding your MCS URL

To find your Sophos Central MCS URL, do as follows:

  1. Sign in to Sophos Central.
  2. Click your account name, and then click Support settings.
  3. Look for the line that starts with "This account is located in" to find out what geographical region your Sophos Central account is in.
  4. Use the following table to find your MCS URL based on your region:

    Region                        MCS URL
    United States (Oregon)        mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
    United States (Ohio)          mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
    Ireland                       mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
    Germany                       mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
    Canada                        mcs2.stn100yul.ctr.sophos.com
    Australia                     mcs2.stn100syd.ctr.sophos.com
    Asia Pacific (Tokyo)          mcs2.stn100hnd.ctr.sophos.com
    South America (Sao Paulo)     mcs2.stn100gru.ctr.sophos.com

    If you don't see any of the regions listed in the table in your Sophos Central UI, use mcs2.stn100bom.ctr.sophos.com as your MCS URL.

RPM/DEB package configuration

To configure the sensor to send alert data to Sophos Central, you must add an alert_output configuration to /etc/sophos/runtimedetections.yaml. Do as follows:

  1. Open /etc/sophos/runtimedetections.yaml in a text editor.
  2. Add the following lines, replacing {MCS_URL} with your Sophos Central MCS URL and {SLS_TOKEN} with your SLS package repository token:

    alert_output:
      outputs:
      - type: mcs
        enabled: true
        url: {MCS_URL}
        api_key: {SLS_TOKEN}

  3. Save the changes and exit.
  4. Restart the sensor. Enter the following command:

    systemctl restart sophoslinuxsensor

Here's an example:

# This configuration sends alert data to both stdout and Sophos Central.
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
customer_id: "########-####-####-####-############"
alert_output:
  outputs:
  - type: stdout
    enabled: true
    template: 'Alert triggered: {{ .StrategyName}}'
  - type: mcs
    enabled: true
    url: "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
    api_key: "SLS-########"

Configure container images

When you run SLS as a container image, you must also add a reference in /etc/sophos/runtimedetections.yaml to the certificate files used when connecting to Sophos Central, so that SLS can find the files when the container starts.

Add the following lines to /etc/sophos/runtimedetections.yaml:

    mcs_certs: ["/etc/sophos-certs/sophosca1.crt","/etc/sophos-certs/sophosca2.crt"]
    certificate_revocation_list: ["/etc/sophos-certs/sophosca1.crl","/etc/sophos-certs/sophosca2.crl"]

Tip

You only need to include either the sophosca1 files or the sophosca2 files in your configuration. We recommend including both sets of files so that SLS can fail over if MCS communication is blocked.

Here's an example:

# This configuration sends alert data to stdout and Sophos Central and references both Sophos .crt and .crl files.
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
customer_id: "########-####-####-####-############"
alert_output:
  outputs:
  - type: stdout
    enabled: true
    template: 'Alert triggered: {{ .StrategyName}}'
  - type: mcs
    enabled: true
    url: "https://mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
    api_key: "SLS-########"
    mcs_certs: ["/etc/sophos-certs/sophosca1.crt","/etc/sophos-certs/sophosca2.crt"]
    certificate_revocation_list: ["/etc/sophos-certs/sophosca1.crl","/etc/sophos-certs/sophosca2.crl"]
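As an added preflight check (this script is not part of SLS and does not appear in the original page), the following POSIX shell script verifies, before you restart the sensor, the prerequisites and configuration described in both the RPM/DEB and the container sections: the four CA files are present in /etc/sophos, the config contains an enabled mcs output whose url and api_key have been filled in (no leftover {MCS_URL} or {SLS_TOKEN} placeholders, URL host under sophos.com), and every entry in certificate_revocation_list is a .crl file rather than a .crt file. The key layout under the mcs entry is assumed from the examples above; the checks are text-based and do not fully parse YAML.

```shell
#!/bin/sh
# Preflight check for the SLS -> Sophos Central (MCS) alert output.
# Added example, not SLS tooling. File names and paths come from the page;
# the layout of keys under the '- type: mcs' entry is an assumption.

# The four CA files that sensor 5.5.2.22 and later installs and that must stay in place.
SLS_CA_FILES="sophosca1.crl sophosca1.crt sophosca2.crl sophosca2.crt"

# Report every missing CA file in the given directory; succeed only if all four exist.
check_cert_files() {
    dir="$1"
    missing=0
    for f in $SLS_CA_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing certificate file: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Print the lines of the '- type: mcs' list entry: from that line up to the
# next '- type:' entry or the next top-level (unindented) key.
mcs_block() {
    awk '
        /^[ \t]*-[ \t]*type:[ \t]*mcs[ \t]*$/ { inblk = 1; print; next }
        inblk && (/^[ \t]*-[ \t]*type:/ || /^[^ \t#]/) { inblk = 0 }
        inblk { print }
    ' "$1"
}

# Validate the mcs output: present, enabled, a real URL (no unreplaced
# {MCS_URL} placeholder, host under sophos.com), an SLS- token, and no .crt
# file listed where a .crl is expected.
check_mcs_config() {
    cfg="$1"
    blk=$(mcs_block "$cfg")
    [ -n "$blk" ] || { echo "$cfg: no '- type: mcs' output found" >&2; return 1; }
    printf '%s\n' "$blk" | grep -Eq '^[[:space:]]*enabled:[[:space:]]*true' \
        || { echo "$cfg: mcs output is not enabled" >&2; return 1; }
    printf '%s\n' "$blk" | grep -Eq '^[[:space:]]*url:[[:space:]]*"?(https://)?[A-Za-z0-9.-]+\.sophos\.com"?[[:space:]]*$' \
        || { echo "$cfg: mcs url missing, still a placeholder, or not a sophos.com host" >&2; return 1; }
    printf '%s\n' "$blk" | grep -Eq '^[[:space:]]*api_key:[[:space:]]*"?SLS-[^"[:space:]]+"?[[:space:]]*$' \
        || { echo "$cfg: api_key missing or not an SLS package repository token" >&2; return 1; }
    # The CRL list may sit under the mcs entry or at top level (container
    # deployments); either way it must name only .crl files.
    if grep 'certificate_revocation_list:' "$cfg" | grep -q '\.crt'; then
        echo "$cfg: certificate_revocation_list references a .crt file; expected .crl" >&2
        return 1
    fi
    return 0
}

# Run both checks against the default locations (or the two paths given).
preflight() {
    check_cert_files "${1:-/etc/sophos}" \
        && check_mcs_config "${2:-/etc/sophos/runtimedetections.yaml}" \
        && echo "preflight OK: restart with 'systemctl restart sophoslinuxsensor' and send a test alert"
}

# Only run when invoked with --run, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-}" "${3:-}"
fi
```

Run it as `sh sls-preflight.sh --run` (defaults to /etc/sophos and /etc/sophos/runtimedetections.yaml; pass other paths as the second and third arguments), or source it and call check_cert_files and check_mcs_config individually. A non-zero exit with a message on stderr names the first problem found. The script checks files and configuration text only; whether alerts actually reach Sophos Central is confirmed by the test alert described in the next section.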

Test the alert output

After you configure and restart your sensor, we recommend you create a test alert to check that SLS is working and sending alerts to Sophos Central. Do as follows:

  1. Run the following command to trigger the Test Alert policy:

    sophoslinuxsensor -test-alert

    You should see the following alert on your Linux device:

    $ May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester

  2. Sign in to Sophos Central.

  3. Go to Threat Analysis Center > Detections to see the detection.

    Note

    The detection can take up to 20 minutes to appear in Sophos Central.