Sophos Azure




Sophos XG Firewall provides network visibility, protection, and response for Azure environments. It integrates multiple security technologies into a single, preconfigured virtual-machine image with extensive reporting, including full insight into user and network activity.

Sophos Secure Workspace for iOS works with Azure AD by default. To get started, sign up for Sophos Secure Workspace for iOS using an account in your instance of Azure AD. Azure Active Directory supports enterprise single sign-on with Sophos Secure Workspace for iOS out of the box.

On the Azure VMs page, you can view your Azure VMs: go to Server Protection > Servers > Azure VMs. Tip: Sophos recommends Sophos Cloud Optix for comprehensive visibility of Azure resources. The Sophos Cloud Optix for EDR features are included with the Intercept X Advanced for Server with EDR license.


Important

The Sophos XG Firewall data connector in Azure Sentinel is currently in public preview. This feature is provided without a service level agreement, and it is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.


This article explains how to connect your Sophos XG Firewall appliance to Azure Sentinel. The Sophos XG Firewall data connector lets you bring your Sophos XG Firewall logs into Azure Sentinel to view dashboards, create custom alerts, and improve investigation. Integration between Sophos XG Firewall and Azure Sentinel uses Syslog: the firewall sends its logs to the Syslog agent, which forwards them to your workspace.

Note

Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.

Forward Sophos XG Firewall logs to the Syslog agent

Configure Sophos XG Firewall to forward Syslog messages to your Azure workspace via the Syslog agent.

  1. In the Azure Sentinel portal, click Data connectors and select Sophos XG Firewall connector.

  2. Select Open connector page.

  3. Follow the instructions on the Sophos XG Firewall page.

Find your data

After a successful connection is established, the data appears in Log Analytics under Syslog.

Validate connectivity

It may take up to 20 minutes until your logs start to appear in Log Analytics.

Next steps

In this document, you learned how to connect Sophos XG Firewall to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:

  • Learn how to get visibility into your data, and potential threats.
  • Get started detecting threats with Azure Sentinel.
  • Use workbooks to monitor your data.

Azure Security Center provides health assessments of supported versions of Endpoint protection solutions. This article explains the scenarios that lead Security Center to generate the following two recommendations:

  • Install endpoint protection solutions on your virtual machine
  • Resolve endpoint protection health issues on your machines

Windows Defender

  • Security Center recommends you 'Install endpoint protection solutions on virtual machine' when Get-MpComputerStatus runs and the result is AMServiceEnabled: False

  • Security Center recommends you 'Resolve endpoint protection health issues on your machines' when Get-MpComputerStatus runs and any of the following occurs:

    • Any of the following properties is false:

      • AMServiceEnabled
      • AntispywareEnabled
      • RealTimeProtectionEnabled
      • BehaviorMonitorEnabled
      • IoavProtectionEnabled
      • OnAccessProtectionEnabled
    • If one or both of the following properties are 7 or more:

      • AntispywareSignatureAge
      • AntivirusSignatureAge

Microsoft System Center endpoint protection

  • Security Center recommends you 'Install endpoint protection solutions on virtual machine' when importing the SCEP MpProvider module ('$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1') and running Get-MProtComputerStatus results in AMServiceEnabled = false.

  • Security Center recommends you 'Resolve endpoint protection health issues on your machines' when Get-MProtComputerStatus runs and any of the following occurs:

    • At least one of the following properties is false:

      • AMServiceEnabled
      • AntispywareEnabled
      • RealTimeProtectionEnabled
      • BehaviorMonitorEnabled
      • IoavProtectionEnabled
      • OnAccessProtectionEnabled
    • If one or both of the following signature ages are 7 days or more:

      • AntispywareSignatureAge
      • AntivirusSignatureAge
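As an added example (not Microsoft's or Sophos's code, and not the script Security Center itself runs), the following PowerShell reproduces the Windows Defender and SCEP logic above in one function: it imports the SCEP MpProvider module when it is present and otherwise falls back to Get-MpComputerStatus, then applies the same property and signature-age tests and names the recommendation Security Center would raise. It assumes an elevated session on the VM; the property names and the 7-day threshold are those listed on this page.

```powershell
# Added example: mirrors the Security Center Defender/SCEP health checks described above.
# Assumptions: run as Administrator on the VM; property names and the 7-day threshold
# come from this page, not from Security Center's own assessment script.

function Get-AmStatus {
    # SCEP exposes Get-MProtComputerStatus from its MpProvider module; plain Defender
    # uses the built-in Get-MpComputerStatus. Both return the same property names.
    $scepModule = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpProvider\MpProvider.psd1'
    if (Test-Path $scepModule) {
        Import-Module $scepModule -ErrorAction Stop
        return [pscustomobject]@{ Provider = 'SCEP'; Status = Get-MProtComputerStatus }
    }
    return [pscustomobject]@{ Provider = 'Defender'; Status = Get-MpComputerStatus }
}

function Test-EndpointProtectionHealth {
    param(
        # Page's rule: a signature age of 7 or more days triggers the health recommendation.
        [int]$MaxSignatureAgeDays = 7
    )
    $am     = Get-AmStatus
    $status = $am.Status
    $requiredTrue = 'AMServiceEnabled', 'AntispywareEnabled', 'RealTimeProtectionEnabled',
                    'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
    $signatureAges = 'AntispywareSignatureAge', 'AntivirusSignatureAge'

    $findings       = [System.Collections.Generic.List[string]]::new()
    $recommendation = $null

    if (-not $status.AMServiceEnabled) {
        # Service not running at all: Security Center treats this as "not installed".
        $recommendation = 'Install endpoint protection solutions on virtual machine'
        $findings.Add('AMServiceEnabled is False')
    }
    else {
        foreach ($p in $requiredTrue) {
            if (-not $status.$p) { $findings.Add("$p is False") }
        }
        foreach ($p in $signatureAges) {
            if ($status.$p -ge $MaxSignatureAgeDays) {
                $findings.Add("$p is $($status.$p) days (limit $MaxSignatureAgeDays)")
            }
        }
        if ($findings.Count -gt 0) {
            $recommendation = 'Resolve endpoint protection health issues on your machines'
        }
    }

    [pscustomobject]@{
        Provider       = $am.Provider
        Healthy        = ($null -eq $recommendation)
        Recommendation = $recommendation
        Findings       = $findings
    }
}

Test-EndpointProtectionHealth | Format-List
```

Run it on a VM that Security Center flags and the Findings list tells you which single property or signature age is responsible, which is quicker than reading the raw Get-MpComputerStatus output.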

Trend Micro

  • Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:
    • HKLM:\SOFTWARE\TrendMicro\Deep Security Agent exists
    • HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder exists
    • The dsa_query.cmd file is found in the Installation Folder
    • Running dsa_query.cmd results in Component.AM.mode: on - Trend Micro Deep Security Agent detected

Symantec endpoint protection

Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:

  • HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = 'Symantec Endpoint Protection'
  • HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

Or

  • HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = 'Symantec Endpoint Protection'
  • HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:

  • Check Symantec version >= 12: value PRODUCTVERSION under HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion
  • Check Real-Time Protection status: HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff = 1
  • Check signature update status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days
  • Check full scan status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days
  • Find the signature version number. Path for Symantec 12: Registry Path + 'CurrentVersion\SharedDefs', value 'SRTSP'
  • Path for Symantec 14: Registry Path + 'CurrentVersion\SharedDefs\SDSDefs', value 'SRTSP'

Registry Paths:

  • 'HKLM:\Software\Symantec\Symantec Endpoint Protection\' + $Path
  • 'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\' + $Path

McAfee endpoint protection for Windows

Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:

  • HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion exists
  • HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1
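As an added example (not Microsoft's code and not any vendor's), the following PowerShell runs the presence checks listed above for Trend Micro, Symantec and McAfee and reports which product Security Center would treat as installed. It assumes rights to read HKLM. The Trend Micro step that runs dsa_query.cmd is not executed here because the page does not give the command's arguments, so only the file's presence is tested; the Symantec check tries both the native and the Wow6432Node hive, as the page requires.

```powershell
# Added example: the "Install endpoint protection solutions on virtual machine" presence
# checks for Trend Micro, Symantec and McAfee, as listed on this page.
# Assumptions: run with rights to read HKLM; dsa_query.cmd is located but not run.

function Get-RegValue {
    # Returns the named value, or $null when the key or value is missing, instead of throwing.
    param([string]$Key, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    }
    catch { return $null }
}

function Test-SymantecInstalled {
    # Either hive must report the product name and a running AV service (ASRunningStatus = 1).
    $bases = 'HKLM:\Software\Symantec\Symantec Endpoint Protection',
             'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection'
    foreach ($base in $bases) {
        $name   = Get-RegValue "$base\CurrentVersion" 'PRODUCTNAME'
        $status = Get-RegValue "$base\CurrentVersion\public-opstate" 'ASRunningStatus'
        if ($name -eq 'Symantec Endpoint Protection' -and $status -eq 1) { return $true }
    }
    return $false
}

function Test-McAfeeInstalled {
    # Product version value must exist and on-access scanning must be enabled.
    $version = Get-RegValue 'HKLM:\SOFTWARE\McAfee\Endpoint\AV' 'ProductVersion'
    $oas     = Get-RegValue 'HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL' 'enableoas'
    return ($null -ne $version -and $oas -eq 1)
}

function Test-TrendMicroInstalled {
    $key = 'HKLM:\SOFTWARE\TrendMicro\Deep Security Agent'
    if (-not (Test-Path $key)) { return $false }
    $folder = Get-RegValue $key 'InstallationFolder'
    if (-not $folder) { return $false }
    # The page's last check runs dsa_query.cmd and expects "Component.AM.mode: on";
    # that step is intentionally not reproduced here, only the file's presence.
    return (Test-Path (Join-Path $folder 'dsa_query.cmd'))
}

function Get-ThirdPartyEppStatus {
    [pscustomobject]@{
        Symantec   = Test-SymantecInstalled
        McAfee     = Test-McAfeeInstalled
        TrendMicro = Test-TrendMicroInstalled
    }
}

$result = Get-ThirdPartyEppStatus
$result
if (-not ($result.Symantec -or $result.McAfee -or $result.TrendMicro)) {
    Write-Warning 'No supported third-party endpoint protection detected by these checks.'
}
```

Because each check fails closed (a missing key returns $null rather than an error), the script is safe to run from a scheduled task or a Run Command invocation across a fleet and compare against what Security Center reports.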


Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:

  • McAfee version: HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10
  • Find signature version: HKLM:\Software\McAfee\AVSolution\DS\DS, value 'dwContentMajorVersion'
  • Find signature date: HKLM:\Software\McAfee\AVSolution\DS\DS, value 'szContentCreationDate' <= 7 days old
  • Find scan date: HKLM:\Software\McAfee\Endpoint\AV\ODS, value 'LastFullScanOdsRunTime' <= 7 days old

McAfee Endpoint Security for Linux Threat Prevention

Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:

  • File /opt/isec/ens/threatprevention/bin/isecav exists
  • '/opt/isec/ens/threatprevention/bin/isecav --version' output is: McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10


Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:

  • '/opt/isec/ens/threatprevention/bin/isecav --listtask' returns Quick scan, Full scan and both of the scans <= 7 days
  • '/opt/isec/ens/threatprevention/bin/isecav --listtask' returns DAT and engine Update time and both of them <= 7 days
  • '/opt/isec/ens/threatprevention/bin/isecav --getoasconfig --summary' returns On Access Scan status

Sophos Antivirus for Linux

Security Center recommends you 'Install endpoint protection solutions on virtual machine' when any of the following checks aren't met:

  • File /opt/sophos-av/bin/savdstatus exists, or search for a customized location with 'readlink $(which savscan)'
  • '/opt/sophos-av/bin/savdstatus --version' returns Sophos name = Sophos Anti-Virus and Sophos version >= 9

Security Center recommends you 'Resolve endpoint protection health issues on your machines' when any of the following checks aren't met:

  • '/opt/sophos-av/bin/savlog --maxage=7 | grep -i 'Scheduled scan .* completed' | tail -1', returns a value
  • '/opt/sophos-av/bin/savlog --maxage=7 | grep 'scan finished' | tail -1', returns a value
  • '/opt/sophos-av/bin/savdstatus --lastupdate' returns lastUpdate, which should be <= 7 days
  • '/opt/sophos-av/bin/savdstatus -v' is equal to 'On-access scanning is running'
  • '/opt/sophos-av/bin/savconfig get LiveProtection' returns enabled


Troubleshoot and support

Troubleshoot


Microsoft Antimalware extension logs are available at: %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware (or PaaSAntimalware)\1.5.5.x (version#)\CommandExecution.log

Support


For more help, contact the Azure experts on the MSDN Azure and Stack Overflow forums. Or file an Azure support incident. Go to the Azure support site and select Get support. For information about using Azure Support, read the Microsoft Azure support FAQ.
