Sophos

Sophos offers a range of cybersecurity solutions, including endpoint protection, firewalls, and cloud security. Sophos logs provide detailed information on security events such as malware detections, firewall activity, web filtering, intrusion attempts, and endpoint health. These logs are used to monitor network and device security, investigate threats, and ensure compliance with security policies across an organization’s IT infrastructure.

Ingest Method

This source is a polling source and will download new event/alert logs from the Sophos API approximately every 60 seconds.

Setup

To connect your source, generate an API Token from your Sophos Central account and add it to new RunReveal source in the sources dashboard.

Enter the API Access URL that Sophos provides, and copy the generated Headers into the Headers field.

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: sophos_alert_logs (48 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	LowCardinality(String)
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventTime`	DateTime
`eventName`	String
`eventID`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String
`dstCity`	String

Column	Type
`dstConnectionType`	String
`dstISP`	String
`dstLatitude`	Float64
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)
`serviceName`	String
`readOnly`	Bool
`rawLog`	String
`type`	String
`when`	DateTime
`created_at`	DateTime
`customer_id`	String
`data`	Map(String, String)
`description`	String
`event_service_event_id`	String
`info`	Map(String, String)
`location`	String
`severity`	String
`source`	String
`threat`	String
`threat_cleanable`	UInt8

Table: sophos_event_logs (70 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	LowCardinality(String)
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventTime`	DateTime
`eventName`	String
`eventID`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String
`dstCity`	String
`dstConnectionType`	String
`dstISP`	String
`dstLatitude`	Float64
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)
`serviceName`	String
`readOnly`	Bool
`rawLog`	String

Column	Type
`type`	String
`when`	DateTime
`created_at`	DateTime
`customer_id`	String
`endpoint_id`	String
`endpoint_type`	String
`group`	String
`location`	String
`name`	String
`origin`	String
`severity`	String
`source`	String
`source_info`	Map(String, String)
`threat`	String
`user_id`	String
`appCerts`	Array(String)
`appSha256`	String
`core_remedy_items`	String
`ips_threat_data.detectionType`	Int64
`ips_threat_data.executableName`	String
`ips_threat_data.executablePath`	String
`ips_threat_data.executablePid`	String
`ips_threat_data.executableVersion`	String
`ips_threat_data.localPort`	String
`ips_threat_data.rawData`	String
`ips_threat_data.remoteIp`	String
`ips_threat_data.remotePort`	String
`ips_threat_data.techSupportId`	String
`details`	Map(String, String)
`whitelist_properties`	Map(String, String)
`amsi_threat_data.parentProcessId`	String
`amsi_threat_data.parentProcessPath`	String
`amsi_threat_data.processId`	String
`amsi_threat_data.processName`	String
`amsi_threat_data.processPath`	String

Snowflake Structured Webhooks