Important
The Sophos XG Firewall data connector in Azure Sentinel is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
This article explains how to connect your Sophos XG Firewall appliance to Azure Sentinel. The Sophos XG Firewall data connector allows you to easily connect your Sophos XG Firewall logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. Integration between Sophos XG Firewall and Azure Sentinel makes use of Syslog.
Note
Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
Forward Sophos XG Firewall logs to the Syslog agent
Configure Sophos XG Firewall to forward Syslog messages to your Azure workspace via the Syslog agent.
In the Azure Sentinel portal, click Data connectors and select Sophos XG Firewall connector.
Select Open connector page.
Follow the instructions on the Sophos XG Firewall page.
Find your data
After a successful connection is established, the data appears in Log Analytics under Syslog.
Validate connectivity
It may take up to 20 minutes until your logs start to appear in Log Analytics.
Next steps
In this document, you learned how to connect Sophos XG Firewall to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.
- Use workbooks to monitor your data.
Azure Security Center provides health assessments of supported versions of Endpoint protection solutions. This article explains the scenarios that lead Security Center to generate the following two recommendations:
- Install endpoint protection solutions on your virtual machine
- Resolve endpoint protection health issues on your machines
Windows Defender
Security Center recommends you 'Install endpoint protection solutions on virtual machine' when Get-MpComputerStatus runs and the result is AMServiceEnabled: False.
Security Center recommends you 'Resolve endpoint protection health issues on your machines' when Get-MpComputerStatus runs and any of the following occurs:
Any of the following properties are false:
- AMServiceEnabled
- AntispywareEnabled
- RealTimeProtectionEnabled
- BehaviorMonitorEnabled
- IoavProtectionEnabled
- OnAccessProtectionEnabled
If one or both of the following properties are 7 or more:
- AntispywareSignatureAge
- AntivirusSignatureAge
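The Windows Defender conditions above, evaluated locally so an administrator can see which property would trigger each recommendation before the assessment runs. This is an added example, not Microsoft's assessment code; Test-DefenderHealth and the sample status object are constructed here, and the same logic applies to the System Center Endpoint Protection Get-MprotComputerStatus output described in the next section.

```powershell
# Added example (not Security Center's code): reproduce the Windows Defender checks.
function Test-DefenderHealth {
    param(
        # Output of Get-MpComputerStatus, or a constructed object with the same properties.
        [Parameter(Mandatory)] $Status,
        [int] $MaxSignatureAgeDays = 7
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # AMServiceEnabled: False is the condition for the 'Install' recommendation.
    if (-not $Status.AMServiceEnabled) {
        return [pscustomobject]@{
            Recommendation = 'Install endpoint protection solutions on virtual machine'
            Findings       = @('AMServiceEnabled is False')
        }
    }

    # Any of these being False yields the 'Resolve' recommendation.
    $requiredTrue = 'AntispywareEnabled', 'RealTimeProtectionEnabled',
                    'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
    foreach ($p in $requiredTrue) {
        if (-not $Status.$p) { $findings.Add("$p is False") }
    }

    # Signature age of 7 days or more also yields the 'Resolve' recommendation.
    foreach ($p in 'AntispywareSignatureAge', 'AntivirusSignatureAge') {
        if ($Status.$p -ge $MaxSignatureAgeDays) {
            $findings.Add("$p is $($Status.$p) days (>= $MaxSignatureAgeDays)")
        }
    }

    $recommendation = if ($findings.Count -gt 0) {
        'Resolve endpoint protection health issues on your machines'
    } else { 'Healthy' }
    [pscustomobject]@{ Recommendation = $recommendation; Findings = $findings.ToArray() }
}

# Live check on a Windows host with the Defender module:
#   Test-DefenderHealth -Status (Get-MpComputerStatus)
# For System Center Endpoint Protection, import the MpProvider module first:
#   Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
#   Test-DefenderHealth -Status (Get-MprotComputerStatus)

# Constructed sample: real-time protection off and antivirus signatures 9 days old.
$sample = [pscustomobject]@{
    AMServiceEnabled = $true;  AntispywareEnabled = $true;  RealTimeProtectionEnabled = $false
    BehaviorMonitorEnabled = $true; IoavProtectionEnabled = $true; OnAccessProtectionEnabled = $true
    AntispywareSignatureAge = 2; AntivirusSignatureAge = 9
}
Test-DefenderHealth -Status $sample
```

The sample yields the 'Resolve' recommendation with two findings (RealTimeProtectionEnabled is False, AntivirusSignatureAge is 9 days).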
Microsoft System Center endpoint protection
Security Center recommends you 'Install endpoint protection solutions on virtual machine' when importing SCEPMpModule ('$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1') and running Get-MprotComputerStatus results in AMServiceEnabled = false.
Security Center recommends you 'Resolve endpoint protection health issues on your machines' when Get-MprotComputerStatus runs and any of the following occurs:
At least one of the following properties is false:
- AMServiceEnabled
- AntispywareEnabled
- RealTimeProtectionEnabled
- BehaviorMonitorEnabled
- IoavProtectionEnabled
- OnAccessProtectionEnabled
If one or both of the following Signature Updates are greater or equal to 7:
- AntispywareSignatureAge
- AntivirusSignatureAge
Trend Micro
Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:
- HKLM:\SOFTWARE\TrendMicro\Deep Security Agent exists
- HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder exists
- The dsa_query.cmd file is found in the Installation Folder
- Running dsa_query.cmd results in Component.AM.mode: on - Trend Micro Deep Security Agent detected
Symantec endpoint protection
Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:
- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = 'Symantec Endpoint Protection'
- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1
Or
- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = 'Symantec Endpoint Protection'
- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1
Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:
- Check Symantec version >= 12: registry location HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion, value 'PRODUCTVERSION'
- Check Real-Time Protection status: HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff = 1
- Check Signature Update status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days
- Check Full Scan status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days
- Find signature version number. Path to signature version for Symantec 12: Registry Paths + 'CurrentVersion\SharedDefs', value 'SRTSP'
- Path to signature version for Symantec 14: Registry Paths + 'CurrentVersion\SharedDefs\SDSDefs', value 'SRTSP'
Registry Paths:
- 'HKLM:\Software\Symantec\Symantec Endpoint Protection' + $Path
- 'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection' + $Path
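The Symantec checks above, implemented as an added example (not Security Center's code) that tries both Registry Paths for every value and picks the SharedDefs location by major version. Get-SepValue, ConvertTo-SepDate and Test-SepHealth are constructed here; the page does not state the stored format of LatestVirusDefsDate and LastSuccessfulScanDateTime, so the converter assumes either Unix seconds or a parseable date string.

```powershell
# Added example (not Security Center's code): evaluate the Symantec registry checks.
function Get-SepValue {
    param([string] $SubPath, [string] $Name)
    # Registry Paths from the list above: native root first, then the Wow6432Node root.
    $roots = 'HKLM:\Software\Symantec\Symantec Endpoint Protection',
             'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection'
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path (Join-Path $root $SubPath) -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function ConvertTo-SepDate {
    param($Value)
    # Assumption: the registry stores either Unix seconds (DWORD) or a date string.
    if ($null -eq $Value) { return [datetime]::MinValue }
    if ($Value -is [int] -or $Value -is [uint32] -or $Value -is [long]) {
        return [DateTimeOffset]::FromUnixTimeSeconds([long]$Value).UtcDateTime
    }
    return [datetime]::Parse([string]$Value)
}

function Test-SepHealth {
    param([int] $MaxAgeDays = 7)
    # Presence checks behind the 'Install' recommendation.
    $product = Get-SepValue 'CurrentVersion' 'PRODUCTNAME'
    $running = Get-SepValue 'CurrentVersion\public-opstate' 'ASRunningStatus'
    if ($product -ne 'Symantec Endpoint Protection' -or $running -ne 1) {
        return [pscustomobject]@{ Recommendation = 'Install endpoint protection solutions on virtual machine'; Findings = @('SEP not detected or not running') }
    }
    $findings = @()
    $rawVersion = Get-SepValue 'CurrentVersion' 'PRODUCTVERSION'
    $version = if ($rawVersion) { [version]$rawVersion } else { [version]'0.0' }
    if ($version.Major -lt 12) { $findings += "PRODUCTVERSION $version is below 12" }
    if ((Get-SepValue 'AV\Storages\Filesystem\RealTimeScan' 'OnOff') -ne 1) { $findings += 'Real-time protection is off' }
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $defsDate = ConvertTo-SepDate (Get-SepValue 'CurrentVersion\public-opstate' 'LatestVirusDefsDate')
    if ($defsDate -lt $cutoff) { $findings += "Virus definitions older than $MaxAgeDays days" }
    $scanDate = ConvertTo-SepDate (Get-SepValue 'CurrentVersion\public-opstate' 'LastSuccessfulScanDateTime')
    if ($scanDate -lt $cutoff) { $findings += "Last successful scan older than $MaxAgeDays days" }
    # Signature version lives under SharedDefs (SEP 12) or SharedDefs\SDSDefs (SEP 14).
    $defsPath = if ($version.Major -ge 14) { 'CurrentVersion\SharedDefs\SDSDefs' } else { 'CurrentVersion\SharedDefs' }
    $rec = if ($findings.Count -gt 0) { 'Resolve endpoint protection health issues on your machines' } else { 'Healthy' }
    [pscustomobject]@{ Recommendation = $rec; SignatureVersion = (Get-SepValue $defsPath 'SRTSP'); Findings = $findings }
}
Test-SepHealth
```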
McAfee endpoint protection for Windows
Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:
- HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion exists
- HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1
Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:
- McAfee version: HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10
- Find signature version: HKLM:\Software\McAfee\AVSolution\DS\DS -Value 'dwContentMajorVersion'
- Find signature date: HKLM:\Software\McAfee\AVSolution\DS\DS -Value 'szContentCreationDate' >= 7 days
- Find scan date: HKLM:\Software\McAfee\Endpoint\AV\ODS -Value 'LastFullScanOdsRunTime' >= 7 days
McAfee Endpoint Security for Linux Threat Prevention
Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:
- File /opt/isec/ens/threatprevention/bin/isecav exists
- '/opt/isec/ens/threatprevention/bin/isecav --version' output is: McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10
Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:
- '/opt/isec/ens/threatprevention/bin/isecav --listtask' returns Quick scan, Full scan and both of the scans <= 7 days
- '/opt/isec/ens/threatprevention/bin/isecav --listtask' returns DAT and engine Update time and both of them <= 7 days
- '/opt/isec/ens/threatprevention/bin/isecav --getoasconfig --summary' returns On Access Scan status
Sophos Antivirus for Linux
Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:
- File /opt/sophos-av/bin/savdstatus exists, or search for a customized location with 'readlink $(which savscan)'
- '/opt/sophos-av/bin/savdstatus --version' returns Sophos name = Sophos Anti-Virus and Sophos version >= 9
Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:
- '/opt/sophos-av/bin/savlog --maxage=7 | grep -i 'Scheduled scan .* completed' | tail -1', returns a value
- '/opt/sophos-av/bin/savlog --maxage=7 | grep 'scan finished' | tail -1', returns a value
- '/opt/sophos-av/bin/savdstatus --lastupdate' returns lastUpdate, which should be <= 7 days
- '/opt/sophos-av/bin/savdstatus -v' is equal to 'On-access scanning is running'
- '/opt/sophos-av/bin/savconfig get LiveProtection' returns enabled
Troubleshoot and support
Troubleshoot
Microsoft Antimalware extension logs are available at: %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware (or PaaSAntimalware)\1.5.5.x (version#)\CommandExecution.log
Support
For more help, contact the Azure experts on the MSDN Azure and Stack Overflow forums. Or file an Azure support incident. Go to the Azure support site and select Get support. For information about using Azure Support, read the Microsoft Azure support FAQ.