{ "flow": [ { "flowID": "f6b2e9e7-d9b8-477c-9d5e-be689153b2b6", "next": [ { "flowID": "f7e6ea5b-2f00-48e7-8576-f8ff0d81cbbd", "logic": true, "order": 0, "tag": "" } ], "triggerID": "66fa4fd6fb47d262a0241d99", "type": "trigger", "ui": { "x": -1100, "y": -50 } }, { "actionID": "66fa4fd6fb47d262a0241d9a", "flowID": "f7e6ea5b-2f00-48e7-8576-f8ff0d81cbbd", "next": [ { "flowID": "28257508-a12e-4301-b680-ec7c91d25d97", "logic": true, "order": 0, "tag": "" } ], "type": "action", "ui": { "x": -800, "y": 25 } }, { "actionID": "66fa4fd6fb47d262a0241d9c", "flowID": "28257508-a12e-4301-b680-ec7c91d25d97", "next": [ { "flowID": "3f44a664-ae54-4fac-a72c-5e145f7ca109", "logic": true, "order": 0, "tag": "" } ], "type": "action", "ui": { "x": -475, "y": 25 } }, { "flowID": "fe7f18dc-24d8-46cf-bc31-20d5d1540855", "next": [ { "flowID": "31ade645-3f55-4fd2-a93e-2e981fce90b4", "logic": true, "order": 0, "tag": "" } ], "triggerID": "66fa4fd6fb47d262a0241d99", "type": "trigger", "ui": { "x": -1100, "y": 300 } }, { "actionID": "66fa506dfb47d262a0241f0c", "flowID": "31ade645-3f55-4fd2-a93e-2e981fce90b4", "next": [ { "flowID": "f2c5b388-ffcc-49b5-b325-5cf6af9fd1ad", "logic": true, "order": 0, "tag": "" }, { "flowID": "efb55221-9d51-4fc7-8961-c1aea8d3b1e2", "logic": true, "order": 0, "tag": "" } ], "type": "action", "ui": { "x": -750, "y": 375 } }, { "actionID": "66fa5022fb47d262a0241e43", "flowID": "efb55221-9d51-4fc7-8961-c1aea8d3b1e2", "next": [], "type": "action", "ui": { "x": -475, "y": 375 } } ], "action": { "66fa4fd6fb47d262a0241d9a": { "className": "action", "comment": "", "creationTime": 1679925189.0, "enabled": true, "lastUpdateTime": 1727680901.3385863, "log": false, "logData": false, "logicString": "", "name": "Variable Definitions", "systemCrashHandler": false, "varDefinitions": { "assettype": { "scope": 0, "value": "%%data[event][endpoint_type]%%" }, "category": { "scope": 0, "value": "%%lower(data[event][group])%%" }, "description": { "scope": 0, "value": "%%lower(data[event][name])%%" }, "endpoint_id": { "scope": 0, "value": "%%data[event][endpoint_id]%%" }, "event_id": { "scope": 0, "value": "%%data[event][id]%%" }, "event_type": { "scope": 0, "value": "%%lower(data[event][type])%%" }, "host": { "scope": 0, "value": "%%lower(data[event][location])%%" }, "lastSeen": { "scope": 0, "value": "%%datetimeToEpoch(split(data[event][when],\".\",0),\"%Y-%m-%dT%H:%M:%S\")%%" }, "severity": [ { "if": "if data[event][severity] != None", "scope": 0, "value": "%%data[event][severity]%%" }, { "scope": 0, "value": "None" } ], "src_ip": { "scope": 0, "value": "%%data[event][source_info][ip]%%" }, "tenant_id": { "scope": 0, "value": "%%data[event][customer_id]%%" }, "user": [ { "if": "if data[event][source] == \"n/a\"", "scope": 0, "value": "n/a" }, { "scope": 0, "value": "lower(split(data[event][source],\"\\\\\",1))" } ], "user_id": [ { "if": "if data[event][user_id] != None", "scope": 0, "value": "%%data[event][user_id]%%" }, { "scope": 0, "value": "n/a" } ] } }, "66fa4fd6fb47d262a0241d9c": { "className": "dataIngest", "comment": "", "creationTime": 1666076152.0, "customData": { "@timestamp": "%%data[var][lastSeen]%%", "assettype": "%%data[var][assettype]%%", "category": "%%data[var][category]%%", "description": "%%data[var][description]%%", "endpoint_id": "%%data[var][endpoint_id]%%", "event_id": "%%data[var][event_id]%%", "event_type": "%%data[var][event_type]%%", "host": "%%data[var][host]%%", "pipeline": "sophos_events", "severity": "%%data[var][severity]%%", "src_ip": "%%data[var][src_ip]%%", "tenant_id": "%%data[var][tenant_id]%%", "user": "%%data[var][user]%%", "user_id": "%%data[var][user_id]%%" }, "dataField": "", "enabled": true, "hosts": [ "127.0.0.1" ], "lastUpdateTime": 1727680901.3691037, "log": false, "logData": false, "logicString": "", "name": "Send Sophos Central Events", "port": 10000, "protocol": "tcp", "serverPool": {}, "systemCrashHandler": false, "timeout": 5, "useEpoch": false, "varDefinitions": {} }, "66fa506dfb47d262a0241f0c": { "className": "action", "comment": "", "creationTime": 1679925189.0, "enabled": true, "lastUpdateTime": 1727680901.4180675, "log": false, "logData": false, "logicString": "", "name": "Variable Definitions", "systemCrashHandler": false, "varDefinitions": { "assettype": { "scope": 0, "value": "%%data[event][endpoint_type]%%" }, "category": { "scope": 0, "value": "%%lower(data[event][group])%%" }, "description": { "scope": 0, "value": "%%lower(data[event][name])%%" }, "event_id": { "scope": 0, "value": "%%data[event][id]%%" }, "event_type": { "scope": 0, "value": "%%lower(data[event][type])%%" }, "issuetype": { "scope": 0, "value": "Security Event" }, "lastSeen": { "scope": 0, "value": "%%datetimeToEpoch(split(data[event][when],\".\",0),\"%Y-%m-%dT%H:%M:%S\")%%" }, "severity": [ { "if": "if data[event][severity] != None", "scope": 0, "value": "%%data[event][severity]%%" }, { "scope": 0, "value": "None" } ], "summary": { "scope": 0, "value": "Sophos Central Alert - %%event[group]%% - %%lower(data[event][location])%% - %%lower(split(data[event][source],\"\\\\\",1))%%" } } }, "66fa5022fb47d262a0241e43": { "className": "subFlow", "comment": "", "creationTime": 1708682316.8635404, "customEventsList": true, "customEventsValue": false, "enabled": true, "eventsList": [ { "created-at": "%%var[local][lastSeen]%%", "description": "%%var[local][description]%%", "event-id": "%%var[local][event_id%%", "issuetype": "%%var[local][issuetype]%%", "json": "%%data[event]%%", "link": "None", "priority": "%%var[local][severity]%%", "source": "Sophos Central", "sub-source": "%%var[local][category]%%", "summary": "%%var[local][summary]%%" } ], "eventsValue": "", "lastUpdateTime": 1727680901.4692554, "log": false, "logData": false, "logicString": "", "maxRetries": 0, "mergeFinalDataValue": false, "mergeFinalEventValue": false, "name": "Send to Jira", "retryDelay": 0, "subFlowBackwardsCompatibility": 0.0, "systemCrashHandler": false, "triggerID": "65e9b7f3a99cd3546d69dcdf", "useNewDataTemplate": false, "varDefinitions": {} } }, "trigger": { "66fa4fd6fb47d262a0241d99": { "className": "sophosSIEMEvents", "client_id": "client-id", "client_secret": "ENC j1 +34uDBOMod+sC7zxZuPCRw== QJ/vOGg2iQgoVCtge7fZEA== ZASaNja3G1la/US7rex35+UWY1SmO7j/YTT5Js6D3n7KkNgveHtHUpG3TpxlJGys/yORKnNuOSTAc+v+51UU4x0RC9u7XAzAfKnwrnceW+Ga4pNXZ7MlJzoMMMIeoV+s1du+EicFGwldhbICSb/IFXjiqHYRqLaZAGGRvvovPxLbJV9o0ZHkRsYXU4ZmtJ8YJjKl1BL6qht0YE/zRVpojazVEolA2vURDIwll39CqJIkp7tCbkKj9lv8YuqDjTYYG3M/jpGOOD0YgCB40kMSfSFwzYuUaesby62lIBoNuY9d5mNmcNZ1CUqguNNKoRxBxT6jOB7AjnCeKUHJPrdHvA== +Y2XGA==", "comment": "", "concurrency": 0, "creationTime": 1680633822.0, "enabled": true, "executionSnapshotFullData": false, "failOnActionFailure": true, "lastUpdateTime": 1727680901.444154, "logicString": "", "maxDuration": 180, "name": "Sophos SIEM Events", "nextCursor": "VjJfQ1VSU09SfDIwMjQtMDktMzBUMDc6MTM6MzUuNTUyWg==", "onActionCrash": "", "onEnd": "", "onTriggerCrash": "", "onTriggerKilled": "", "organization_id": "", "schedule": "", "tenant_id": "", "varDefinitions": {} } } }