Create sophos-endpoint-security #96

Merged
merged 9 commits into from
Feb 8, 2024
Merged
1 change: 1 addition & 0 deletions rule-packs/index.js
Expand Up @@ -12,3 +12,4 @@ module.exports.CriticalAssets = require("./critical-assets.json");
module.exports.ToxicCombinations = require("./toxic-combinations.json");
module.exports.DeviceManagement = require("./device-management.json");
module.exports.IntegrationMonitoring = require("./integration-monitoring.json");
module.exports.SophosEndpointSecurity = require("./sophos-endpoint-security.json");
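Review bot: The new export on the last line of the hunk requires `./sophos-endpoint-security.json`, but the file this PR adds is `rule-packs/sophos-endpoint-security` with no `.json` extension, so the `require()` cannot resolve and `rule-packs/index.js` will throw as soon as it is loaded (unless a file with the `.json` name exists outside this diff). Renaming the new file to `rule-packs/sophos-endpoint-security.json` follows the convention of the three neighbouring entries. Because Node parses a `.json` module with the strict JSON parser, the file's body must also be valid JSON for the load to succeed, which is worth checking before merge.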
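--- a/rule-packs/sophos-endpoint-security
+++ b/rule-packs/sophos-endpoint-security
@@ -0,0 +1,154 @@
+#start-sophos-endpoint-misconfigurations
+[
+{
+"name": "sophos-misconfigured-endpoints-1",
+"description": "This will query for endpoints that do not have a Sophos EDR agent installed.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND Device !PROTECTS << sophos_endpoint",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-2",
+"description": "This will query for endpoints that are missing a relationship with a user. This will help determine potential rogue devices",
+"queries": [
+{
+"name": "query0",
+"query": "Find sophos_endpoint that !HAS User THAT IS Person THAT IS okta_user|azure_user|google_user",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-3",
+"description": "This query is looking for devices that do not have tamper-protection enabled. Tamper Protection is a feature that prevents unauthorized users and certain types of known malware from uninstalling Sophos security software or turning it off through the Sophos interface.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_endpoint with tamperProtectionEnabled != true ",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-4",
+"description": "This query is looking for endpoints with an unexpected lockdown status. Any status locked, notInstalled, unavailable,uninstalled is considered unexpected.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_endpoint with lockdownStatus != ("installing" or "registering" or "starting" or "stopping" or "unlocked")",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-5",
+"description": "This query is looking for endpoints with an unexpected update status. This includes any endpoint with a status of notInstalled.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_endpoint with updateStatus != ("upToDate" or "updating" or "rebootRequired")",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-6",
+"description": "This query will look for endpoints with with unusual listening ports enabled. This will help in determining potential rogue devices or devices of risk.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_device with portsEnabled != "443"",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-7",
+"description": "This query will look for endpoints that do not have a policyType assigned. The following are appropriate policyTypes: threat-protection, peripheral-control, application-control, data-loss-prevention, web-control, agent-updating, windows-firewall, device-encryption, server-threat-protection, server-peripheral-control, server-application-control, server-web-control, server-lockdown, server-data-loss-prevention, server-agent-updating, server-windows-firewall, server-file-integrity",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_endpoint WITH policyType = undefined",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-8",
+"description": "This query will return any endpoints with an out of date policyType",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_endpoint WHERE policyType != undefined AND policyTypeUpToDate != true",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-9",
+"description": "This query will return endpoints that have an unencrypted status.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_endpoint with encryption != true",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+]
+#end-sophos-endpoint-misconfigurations
+#start-sophos-user-app-misconfigurations
+[
+{
+"name": "sophos-misconfigured-endpoints-1",
+"description": "This will query Sophos platform users that are potentially inactive but haven't been deactivated.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_user that has a updatedAt > 30 days",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-endpoints-2",
+"description": "This will use the permissionSet fields to determine service/user permissions to ensure that separation of duties is established.",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_user WITH sophos_role that has permissionSet = defined",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+{
+"name": "sophos-misconfigured-app-1",
+"description": "This query will alert on applications that do not have a protected status of true. ",
+"queries": [
+{
+"name": "query0",
+"query": "FIND sophos_endpoint_protection WHERE protected != true",
+"version": "v1"
+}
+]
+"alertLevel": "MEDIUM"
+},
+]
+#end-sophos-user-app-misconfigurations
+#start-sophos-incident-response
+#end-sophos-incident-response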
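Review bot: The added file cannot be parsed as JSON, so loading it through `require()` from `rule-packs/index.js` would throw: the `#start-…`/`#end-…` marker lines (the first and last lines of the hunk) are not JSON, every rule omits the comma between the `]` closing `"queries"` and `"alertLevel"` (first seen in rule 1), the query strings of rules 4, 5 and 6 contain unescaped double quotes, both arrays carry a trailing comma after their last element, and the file holds two top-level arrays instead of one. A parseable form of the lockdown query, for example, is `"query": "FIND sophos_endpoint with lockdownStatus != (\"installing\" or \"registering\" or \"starting\" or \"stopping\" or \"unlocked\")",`. The names `sophos-misconfigured-endpoints-1` and `sophos-misconfigured-endpoints-2` are reused in the second array for the user rules, which is presumably unintended if rule names act as identifiers within a pack; a distinct prefix such as `sophos-misconfigured-users-1` would avoid the collision. Independently of syntax, rule 6 queries `sophos_device` while every other rule queries `sophos_endpoint`, and the `updatedAt > 30 days` and `permissionSet = defined` comparisons in the second array do not resemble the operators used by the neighbouring rules, so each query is worth confirming against the query engine before the pack ships.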