From b01265f455a21ef75981b4320c38c96669718950 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Tue, 30 Jan 2024 15:21:24 -0700
Subject: [PATCH 1/9] Create sophos-endpoint-security

Initial barebones build. Will updated further once integration goes into beta
---
 rule-packs/sophos-endpoint-security | 166 ++++++++++++++++++++++++++++
 1 file changed, 166 insertions(+)
 create mode 100644 rule-packs/sophos-endpoint-security

diff --git a/rule-packs/sophos-endpoint-security b/rule-packs/sophos-endpoint-security
new file mode 100644
index 0000000..b883b8a
--- /dev/null
+++ b/rule-packs/sophos-endpoint-security
@@ -0,0 +1,166 @@
+#start-sophos-endpoint-misconfigurations
+[
+ {
+ "name": "sophos-misconfigured-endpoints-1",
+ "description": "This will query for endpoints that do not have sophos edr installed.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND Device !PROTECTS << sophos_endpoint",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-2",
+ "description": "This will query for endpoints that are missing a relationship with a user. This will help determine potential rogue devices",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "Find sophos_sensor that !HAS User THAT IS Person THAT IS okta_user|azure_user|google_user",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-3",
+ "description": "This query is looking for devices that do not have tamper-protection enabled. Tamper Protection is a feature that prevents unauthorized users and certain types of known malware from uninstalling Sophos security software or turning it off through the Sophos interface.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_endpoint with tamperProtectionEnabled != true ",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-4",
+ "description": "This query is looking for endpoints with an unacceptable lockdown status. Any status locked, notInstalled, unavailable,uninstalled is considered unacceptable",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_endpoint with lockdownStatus != ("installing" or "registering" or "starting" or "stopping" or "unlocked")",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-5",
+ "description": "This query is looking for endpoints with an unacceptable update status. This includes any endpoint with a status of notInstalled.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_endpoint with updateStatus != ("upToDate" or "updating" or "rebootRequired")",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-6",
+ "description": "This query will look for endpoints with misconfigured ports. This will help in determining potential rogue devices or devices of risk.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_device with portsEnabled != "443"",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "domain-expires-in-30-days",
+ "description": "Find registered domain names with an expiration date within 30 days from now and not set to auto-renew.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "Find Domain with expiresOn < date.now+30days and autoRenew!=true",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-7",
+ "description": "This query will look for endpoints that do not have a policyType assigned. The following are appropriate policyTypes: threat-protection, peripheral-control, application-control, data-loss-prevention, web-control, agent-updating, windows-firewall, device-encryption, server-threat-protection, server-peripheral-control, server-application-control, server-web-control, server-lockdown, server-data-loss-prevention, server-agent-updating, server-windows-firewall, server-file-integrity",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_endpoint WHERE policyType = undefined",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-8",
+ "description": "This query will return any endpoints with an out of date policyType",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_endpoint WHERE policyType != undefined AND policyTypeUpToDate != true",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-9",
+ "description": "This query will return endpoints that have an unencrypted status.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_enpoint with encryption != true",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+]
+#end-sophos-endpoint-misconfigurations
+#start-sophos-user-app-misconfigurations
+[
+ {
+ "name": "sophos-misconfigured-endpoints-1",
+ "description": "This will query users that are potentially inactive but haven't been deactivated.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_user that has a updatedAt > 30 days",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-endpoints-2",
+ "description": "This will use the permissionSet fields to determine service/user permissions to ensure that separation of duties is established.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_user that has a updatedAt > 30 days",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "sophos-misconfigured-app-1",
+ "description": "This query will alert on applications that do not have a protected status of true. ",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND sophos_endpoint_protection WHERE protected != true",
+ "version": "v1"
+ }
+ ]
+ "alertLevel": "MEDIUM"
+ },
+]
+#end-sophos-user-app-misconfigurations
+#start-sophos-incident-response
+#end-sophos-incident-response

From ec9c47d3279eb4ab792584b7bfb85da21431df8b Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Tue, 30 Jan 2024 15:25:39 -0700
Subject: [PATCH 2/9] updates to index

---
 rule-packs/index.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rule-packs/index.js b/rule-packs/index.js
index 65ad76d..8b58a6e 100644
--- a/rule-packs/index.js
+++ b/rule-packs/index.js
@@ -12,3 +12,4 @@ module.exports.CriticalAssets = require("./critical-assets.json");
 module.exports.ToxicCombinations = require("./toxic-combinations.json");
 module.exports.DeviceManagement = require("./device-management.json");
 module.exports.IntegrationMonitoring = require("./integration-monitoring.json");
+module.exports.SophosEndpointSecurity = require("./sophos-endpoint-security.json");
\ No newline at end of file

From 89f23ff9c74fbfd4865280ca0969dc5634226bf6 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 7 Feb 2024 20:37:20 -0700
Subject: [PATCH 3/9] Update sophos-endpoint-security

---
 rule-packs/sophos-endpoint-security | 28 ++++++++-------------------
 1 file changed, 8 insertions(+), 20 deletions(-)

diff --git a/rule-packs/sophos-endpoint-security b/rule-packs/sophos-endpoint-security
index b883b8a..575ee4e 100644
--- a/rule-packs/sophos-endpoint-security
+++ b/rule-packs/sophos-endpoint-security
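Review bot: The two user rules in the `#start-sophos-user-app-misconfigurations` section carry English rather than a query expression, `FIND sophos_user that has a updatedAt > 30 days`; the file's own domain rule shows the relative-date form (`expiresOn < date.now+30days`) and the endpoint rules show property filters with `WITH`, so an inactive-user check would read along the lines of `FIND sophos_user WITH updatedAt < date.now-30days`, once `updatedAt` is confirmed to be a last-activity timestamp rather than a sync time. The `sophos-misconfigured-endpoints-2` user rule reuses that same query verbatim although its description is about permissionSet, so it cannot detect what it claims. Every rule is `MEDIUM`; a device with no EDR agent (`sophos-misconfigured-endpoints-1`) or with tamper protection disabled (`-3`) removes the control the other rules rely on, so consider a higher alertLevel for those two.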
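Review bot: `require("./sophos-endpoint-security.json")` does not match the file committed as `rule-packs/sophos-endpoint-security` (no extension) in the previous patch, so loading `rule-packs/index.js` throws `Cannot find module` and every other rule-pack export in this module is lost with it. Even with the path fixed, Node's JSON loader rejects the `#start-…` marker lines and the missing commas in that file, so the export stays broken until the data file is strict JSON. A load check such as `node -e 'require("./rule-packs")'` in CI would have caught both before merge.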
@@ -2,7 +2,7 @@
 [
 {
 "name": "sophos-misconfigured-endpoints-1",
- "description": "This will query for endpoints that do not have sophos edr installed.",
+ "description": "This will query for endpoints that do not have a Sophos EDR agent installed.",
 "queries": [
 {
 "name": "query0",
@@ -18,7 +18,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "Find sophos_sensor that !HAS User THAT IS Person THAT IS okta_user|azure_user|google_user",
+ "query": "Find sophos_endpoint that !HAS User THAT IS Person THAT IS okta_user|azure_user|google_user",
 "version": "v1"
 }
 ]
@@ -38,7 +38,7 @@
 },
 {
 "name": "sophos-misconfigured-endpoints-4",
- "description": "This query is looking for endpoints with an unacceptable lockdown status. Any status locked, notInstalled, unavailable,uninstalled is considered unacceptable",
+ "description": "This query is looking for endpoints with an unexpected lockdown status. Any status locked, notInstalled, unavailable,uninstalled is considered unexpected.",
 "queries": [
 {
 "name": "query0",
@@ -50,7 +50,7 @@
 },
 {
 "name": "sophos-misconfigured-endpoints-5",
- "description": "This query is looking for endpoints with an unacceptable update status. This includes any endpoint with a status of notInstalled.",
+ "description": "This query is looking for endpoints with an unexpected update status. This includes any endpoint with a status of notInstalled.",
 "queries": [
 {
 "name": "query0",
@@ -62,7 +62,7 @@
 },
 {
 "name": "sophos-misconfigured-endpoints-6",
- "description": "This query will look for endpoints with misconfigured ports. This will help in determining potential rogue devices or devices of risk.",
+ "description": "This query will look for endpoints with with unusual listening ports enabled. This will help in determining potential rogue devices or devices of risk.",
 "queries": [
 {
 "name": "query0",
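Review bot: The new description in the `@@ -62` hunk reads `with with unusual listening ports enabled` (doubled word) and promises more than the unchanged query below it delivers: `FIND sophos_device with portsEnabled != "443"` (visible in the initial patch) matches every endpoint whose `portsEnabled` value is anything other than the single string `443`, which is not a check for unusual ports. If `portsEnabled` is a list of ports, an exact-string inequality presumably never expresses the intended set; confirm the property's shape in the integration and either enumerate the approved values or describe the rule as what it actually checks. The `@@ -18` hunk's switch to `sophos_endpoint` is correct, but the rule text still follows a `Find … that !HAS User THAT IS Person …` pattern whose parseability should be verified against the other rule packs before the pack is published.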
@@ -72,18 +72,6 @@
 ]
 "alertLevel": "MEDIUM"
 },
- {
- "name": "domain-expires-in-30-days",
- "description": "Find registered domain names with an expiration date within 30 days from now and not set to auto-renew.",
- "queries": [
- {
- "name": "query0",
- "query": "Find Domain with expiresOn < date.now+30days and autoRenew!=true",
- "version": "v1"
- }
- ]
- "alertLevel": "MEDIUM"
- },
 {
 "name": "sophos-misconfigured-endpoints-7",
 "description": "This query will look for endpoints that do not have a policyType assigned. The following are appropriate policyTypes: threat-protection, peripheral-control, application-control, data-loss-prevention, web-control, agent-updating, windows-firewall, device-encryption, server-threat-protection, server-peripheral-control, server-application-control, server-web-control, server-lockdown, server-data-loss-prevention, server-agent-updating, server-windows-firewall, server-file-integrity",
@@ -114,7 +102,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_enpoint with encryption != true",
+ "query": "FIND sophos_endpoint with encryption != true",
 "version": "v1"
 }
 ]
@@ -126,7 +114,7 @@
 [
 {
 "name": "sophos-misconfigured-endpoints-1",
- "description": "This will query users that are potentially inactive but haven't been deactivated.",
+ "description": "This will query Sophos platform users that are potentially inactive but haven't been deactivated.",
 "queries": [
 {
 "name": "query0",
@@ -142,7 +130,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_user that has a updatedAt > 30 days",
+ "query": "FIND sophos_user WITH sophos_role that has permissionSet = defined",
 "version": "v1"
 }
 ]

From 6876d3683982d57aaffe1e18ba30a8011a2d1302 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 7 Feb 2024 20:40:49 -0700
Subject: [PATCH 4/9] Update index.js

---
 rule-packs/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
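Review bot: The replacement query in the `@@ -142` hunk, `FIND sophos_user WITH sophos_role that has permissionSet = defined`, does not implement the separation-of-duties check its description promises: as written it selects every user holding a role that has any permissionSet, so the rule would presumably alert on the whole user population rather than on a conflicting combination. `that has … = defined` also departs from the forms used elsewhere in this file (`THAT` for relationship traversal, `!= undefined` for presence), so it likely does not parse either. Either name the permission sets that must not be held together, or reword the description to say this is an inventory query and not a misconfiguration finding. The `-1` user rule's `updatedAt > 30 days` query is left untouched by this patch and has the same parseability problem.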
diff --git a/rule-packs/index.js b/rule-packs/index.js
index 8b58a6e..5ed5453 100644
--- a/rule-packs/index.js
+++ b/rule-packs/index.js
@@ -12,4 +12,4 @@ module.exports.CriticalAssets = require("./critical-assets.json");
 module.exports.ToxicCombinations = require("./toxic-combinations.json");
 module.exports.DeviceManagement = require("./device-management.json");
 module.exports.IntegrationMonitoring = require("./integration-monitoring.json");
-module.exports.SophosEndpointSecurity = require("./sophos-endpoint-security.json");
\ No newline at end of file
+module.exports.SophosEndpointSecurity = require("./sophos-endpoint-security.json");

From 29084333f699734f72326668a1274c9a7a84072d Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 7 Feb 2024 21:23:52 -0700
Subject: [PATCH 5/9] Update sophos-endpoint-security

change syntax issue
---
 rule-packs/sophos-endpoint-security | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rule-packs/sophos-endpoint-security b/rule-packs/sophos-endpoint-security
index 575ee4e..0a8dbc9 100644
--- a/rule-packs/sophos-endpoint-security
+++ b/rule-packs/sophos-endpoint-security
@@ -78,7 +78,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint WHERE policyType = undefined",
+ "query": "FIND sophos_endpoint WITH policyType = undefined",
 "version": "v1"
 }
 ]

From 77203e9ecd60ad613975faddb3b43f8f5f4fa290 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Thu, 8 Feb 2024 10:14:36 -0700
Subject: [PATCH 6/9] Update and rename sophos-endpoint-security to sophos-endpoint-security.json

testing possible build fix
---
 .../{sophos-endpoint-security => sophos-endpoint-security.json} | 1 -
 1 file changed, 1 deletion(-)
 rename rule-packs/{sophos-endpoint-security => sophos-endpoint-security.json} (99%)
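Review bot: The `WHERE` → `WITH` change in the `@@ -78` hunk is applied to `sophos-misconfigured-endpoints-7` only, although the commit message calls it a syntax fix; `sophos-misconfigured-endpoints-8` (`FIND sophos_endpoint WHERE policyType != undefined AND policyTypeUpToDate != true`) and `sophos-misconfigured-app-1` (`FIND sophos_endpoint_protection WHERE protected != true`) keep the same form, as the later hunks in this series show. If `WHERE` was the parse problem here, those two rules fail the same way and need `WITH` as well; if it was not, the change is cosmetic and the message overstates it. Running each query against a tenant, or at least through the query parser, before committing would settle which it is.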
diff --git a/rule-packs/sophos-endpoint-security b/rule-packs/sophos-endpoint-security.json
similarity index 99%
rename from rule-packs/sophos-endpoint-security
rename to rule-packs/sophos-endpoint-security.json
index 0a8dbc9..5d47c64 100644
--- a/rule-packs/sophos-endpoint-security
+++ b/rule-packs/sophos-endpoint-security.json
@@ -1,4 +1,3 @@
-#start-sophos-endpoint-misconfigurations
 [
 {
 "name": "sophos-misconfigured-endpoints-1",

From 7775cdc513d2fc192e7eac4f46df6d84a0e9729b Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Thu, 8 Feb 2024 10:18:05 -0700
Subject: [PATCH 7/9] Update sophos-endpoint-security.json

---
 rule-packs/sophos-endpoint-security.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rule-packs/sophos-endpoint-security.json b/rule-packs/sophos-endpoint-security.json
index 5d47c64..0a8dbc9 100644
--- a/rule-packs/sophos-endpoint-security.json
+++ b/rule-packs/sophos-endpoint-security.json
@@ -1,3 +1,4 @@
+#start-sophos-endpoint-misconfigurations
 [
 {
 "name": "sophos-misconfigured-endpoints-1",

From 8eacce68d3f0903d8077e65562330b1601eddf95 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Thu, 8 Feb 2024 10:20:01 -0700
Subject: [PATCH 8/9] Update sophos-endpoint-security.json

update
---
 rule-packs/sophos-endpoint-security.json | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/rule-packs/sophos-endpoint-security.json b/rule-packs/sophos-endpoint-security.json
index 0a8dbc9..d604c6a 100644
--- a/rule-packs/sophos-endpoint-security.json
+++ b/rule-packs/sophos-endpoint-security.json
@@ -1,4 +1,3 @@
-#start-sophos-endpoint-misconfigurations
 [
 {
 "name": "sophos-misconfigured-endpoints-1",
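Review bot: Re-adding `#start-sophos-endpoint-misconfigurations` as the first line of a `.json` file in the PATCH 7/9 hunk makes it unparseable again: JSON has no comment syntax, and the `require()` in `rule-packs/index.js` will throw on it, which is presumably the build failure the rename in the previous patch was trying to fix (the following patch removes the line a second time). Section labels belong in a README or in the rule names and descriptions, not in the data file. A `jq . rule-packs/sophos-endpoint-security.json` check in CI would reject this before it reaches a branch.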
@@ -108,10 +107,6 @@
 ]
 "alertLevel": "MEDIUM"
 },
-]
-#end-sophos-endpoint-misconfigurations
-#start-sophos-user-app-misconfigurations
-[
 {
 "name": "sophos-misconfigured-endpoints-1",
 "description": "This will query Sophos platform users that are potentially inactive but haven't been deactivated.",
@@ -149,6 +144,3 @@
 "alertLevel": "MEDIUM"
 },
 ]
-#end-sophos-user-app-misconfigurations
-#start-sophos-incident-response
-#end-sophos-incident-response

From d2b52629bf0e5e44bf5bf6ed49cc4a075044baf3 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Thu, 8 Feb 2024 10:25:56 -0700
Subject: [PATCH 9/9] Update sophos-endpoint-security.json

" -> ' added commas before alertLevel removed comma on 145
---
 rule-packs/sophos-endpoint-security.json | 32 ++++++++++++------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/rule-packs/sophos-endpoint-security.json b/rule-packs/sophos-endpoint-security.json
index d604c6a..2f8410a 100644
--- a/rule-packs/sophos-endpoint-security.json
+++ b/rule-packs/sophos-endpoint-security.json
@@ -8,7 +8,7 @@
 "query": "FIND Device !PROTECTS << sophos_endpoint",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -20,7 +20,7 @@
 "query": "Find sophos_endpoint that !HAS User THAT IS Person THAT IS okta_user|azure_user|google_user",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -32,7 +32,7 @@
 "query": "FIND sophos_endpoint with tamperProtectionEnabled != true ",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -41,10 +41,10 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint with lockdownStatus != ("installing" or "registering" or "starting" or "stopping" or "unlocked")",
+ "query": "FIND sophos_endpoint with lockdownStatus != ('installing' or 'registering' or 'starting' or 'stopping' or 'unlocked')",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
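Review bot: Merging the two arrays in the `@@ -108` hunk puts duplicate rule names into one list: `sophos-misconfigured-endpoints-1` and `sophos-misconfigured-endpoints-2` are now each used twice, once for an endpoint rule and once for the user rule that follows the merge point, and the user rules are not endpoint rules at all. If `name` is what the alert platform keys rules on, one of each pair will overwrite or be rejected, and the survivor's description will not match what fires. Rename the user rules to unique, descriptive names (constructed examples: `sophos-user-inactive-30-days`, `sophos-user-role-permission-set`) before this pack is loaded anywhere.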
@@ -53,10 +53,10 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint with updateStatus != ("upToDate" or "updating" or "rebootRequired")",
+ "query": "FIND sophos_endpoint with updateStatus != ('upToDate' or 'updating' or 'rebootRequired')",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -65,10 +65,10 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_device with portsEnabled != "443"",
+ "query": "FIND sophos_device with portsEnabled != '443'",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -80,7 +80,7 @@
 "query": "FIND sophos_endpoint WITH policyType = undefined",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -92,7 +92,7 @@
 "query": "FIND sophos_endpoint WHERE policyType != undefined AND policyTypeUpToDate != true",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -104,7 +104,7 @@
 "query": "FIND sophos_endpoint with encryption != true",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -116,7 +116,7 @@
 "query": "FIND sophos_user that has a updatedAt > 30 days",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -128,7 +128,7 @@
 "query": "FIND sophos_user WITH sophos_role that has permissionSet = defined",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
 },
 {
@@ -140,7 +140,7 @@
 "query": "FIND sophos_endpoint_protection WHERE protected != true",
 "version": "v1"
 }
- ]
+ ],
 "alertLevel": "MEDIUM"
- },
+ }
 ]
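Review bot: The quote fix in the `@@ -65` hunk keeps `sophos_device` as the entity type while every other endpoint rule in this file queries `sophos_endpoint`; if the integration does not emit a `sophos_device` entity, this rule silently matches nothing and the port finding never fires, which is worse than a parse error because nobody is told. Confirm the type against the integration's data model and use one name consistently. With this patch the file finally parses as JSON, so the remaining risk is semantic: the `@@ -116` and `@@ -128` hunks still carry the `that has a updatedAt > 30 days` and `that has permissionSet = defined` queries, which should be validated against the query parser before the pack is exported from `index.js`.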