Introducing the RapDev Sophos Integration

October 28, 2021

Endpoint management is a critical security component of any IT organization. When it comes to maintaining your environment's health, tracking the security statuses of your servers and client machines is of utmost importance. With that in mind, I introduce RapDev's Sophos Integration for Datadog. This new Sophos integration enables you to display your endpoints' health status, threat status, and the statuses of the Sophos Services themselves.

Metrics and Service Checks Overview

The Sophos integration has a pretty small set of metrics and service checks it produces. 

Metrics:
  • rapdev.sophos.endpoint.registered - Submitted with a 1 for each registered endpoint
  • rapdev.sophos.endpoint.last_seen - The time difference between the current time and the last time the endpoint checked into Sophos as reported by the endpoints API
  • rapdev.sophos.endpoint.service_health - Submitted with a 1 for each service running on the specific endpoint

Service Checks:
  • rapdev.sophos.can_connect - Whether or not the agent running the integration can connect to the API endpoints
  • rapdev.sophos.endpoint.overall_health - The health of the endpoint as returned by the Sophos Endpoint API:
      • “Good” = OK
      • “Suspicious” = WARNING
      • “Bad” = CRITICAL
      • Health not reported = UNKNOWN
  • rapdev.sophos.endpoint.service_running - Whether or not the specific service on the endpoint is running or stopped

How the Tags Work

The magic behind the dashboard and the integration is in how the tags attach to the `rapdev.sophos.endpoint.registered` metric. The metric is tagged with the endpoint name, type, platform, os, owner, etc. If this data is not being reported, you will see a “data_missing” value for that specific tag. On top of this, when the “health” data of a specific endpoint is being reported to Sophos, the tag `health:true` is added. When `health:true` is present on a registered endpoint, the following tags are also appended to the registered endpoint metric:

  • health_status - The overall endpoint health as reported by the Endpoint API. This is similar to the service_check of rapdev.sophos.endpoint.overall_health. Possible values are “good”, “bad”, or “suspicious”
  • threat_status - The status of the present threats on the endpoint. Possible values are “good”, “bad”, or “suspicious”
  • service_summary_status - The overall status of the Sophos services running on the endpoint. Possible values are “good” or “bad”
  • tamper_status - Whether Tamper Protection is turned on for the specific endpoint. Possible values are “true” or “false”

Summing the value of the `rapdev.sophos.endpoint.registered` metric with various tag values produces the various percentages on the dashboard. Let’s look at the “Endpoints in Good Health” query value widget as an example. We take the sum of the number of endpoints with `health_status:good`, divide it by the sum of the total number of registered endpoints, then multiply by 100 to get the percentage of endpoints in good health. This same process applies to suspicious health, bad health, threat status, and service summary status.


Conditional formatting is then applied to the widgets using arbitrary thresholds to show a good/warning/bad status. These can always be modified by cloning the dashboard. You may potentially find a delta in the sum of all the metrics added together for a specific tag set. The reason is some endpoints may not be reporting their health, threat, or service summary status, but are still considered to be registered to the Sophos organization being polled by the integration.
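
The tagging and percentage logic described above, as an added Python example (not RapDev's integration code). The endpoint records and their field names are constructed for illustration; the tag names, the “data_missing” fallback, and the health-to-status mapping come from this page.

```python
from collections import Counter

# Constructed sample endpoints (not real Sophos API output); field names are hypothetical.
ENDPOINTS = [
    {"name": "web-01", "platform": "linux", "health": {"overall": "good", "threats": "good"}},
    {"name": "web-02", "platform": "linux", "health": {"overall": "suspicious", "threats": "suspicious"}},
    {"name": "hr-laptop", "platform": "windows", "health": {"overall": "bad", "threats": "bad"}},
    {"name": "db-01", "platform": None, "health": {"overall": "good", "threats": "good"}},
    {"name": "kiosk-07", "platform": "windows", "health": None},  # registered, no health reported
]

# Mapping from the page: overall health -> service check status.
CHECK_STATUS = {"good": "OK", "suspicious": "WARNING", "bad": "CRITICAL"}


def build_tags(ep):
    """Tags for one rapdev.sophos.endpoint.registered point (submitted with value 1)."""
    tags = {"name": ep["name"], "platform": ep.get("platform") or "data_missing"}
    health = ep.get("health")
    if health:  # health tags are only appended when health is reported
        tags.update(health="true", health_status=health["overall"],
                    threat_status=health["threats"])
    return tags


def overall_health_check(ep):
    """Status for rapdev.sophos.endpoint.overall_health; UNKNOWN if not reported."""
    health = ep.get("health") or {}
    return CHECK_STATUS.get(health.get("overall"), "UNKNOWN")


def widget_percentages(endpoints, tag="health_status"):
    """Percent of registered endpoints per tag value, plus the unreported remainder."""
    tagged = [build_tags(ep) for ep in endpoints]
    total = len(tagged)  # sum of the registered metric: each endpoint submits 1
    counts = Counter(t[tag] for t in tagged if tag in t)
    pct = {value: 100 * n / total for value, n in counts.items()}
    # The delta: endpoints that are registered but carry no value for this tag.
    pct["unreported"] = 100 * (total - sum(counts.values())) / total
    return pct


if __name__ == "__main__":
    print(widget_percentages(ENDPOINTS))
    print([overall_health_check(ep) for ep in ENDPOINTS])
```

The “unreported” share is the delta mentioned above: those endpoints count toward the registered total but carry no health tags, so the good, suspicious, and bad percentages do not add up to 100.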

Configuration Options
Verbose Endpoints 

In some cases, you may want to validate the status of the individual Sophos services running on your endpoints. For these cases, I added the `verbose_endpoints` configuration option. Setting this to `true` makes the integration retrieve the running services and submit both the `rapdev.sophos.endpoint.service_health` metric, tagged with the service_status, and the `rapdev.sophos.endpoint.service_running` service check, so that different visualizations can be used on dashboards. These metrics are displayed in a table widget on the dashboard, showing, per platform, the number of endpoints on which each Sophos service is running or stopped.


Keep in mind that using this option will increase the number of custom metrics submitted.


Collect Alert Logs

The RapDev Sophos Integration offers a configuration option that collects Sophos Alert Logs from the Alerts API. The logs arrive in Datadog natively as JSON and contain information such as device encryption, out-of-date devices, endpoints that are non-compliant because they're missing recovery keys, and more. A log stream on the dashboard shows the most recent Sophos logs.


Only use this option if Datadog Logs are a part of your purchased Datadog plan. 


The RapDev Sophos integration brings another critical component of an IT organization’s security compliance into a single pane of glass through Datadog. Being able to visualize and alert on the health of the endpoints reporting to your Sophos organization can help you as a security administrator maintain the overall health of your endpoints before a major security incident takes place. Take out a trial in the Datadog Marketplace today!

written by
Logan Rohloff
Michigan-born but Boston-residing engineer with experience ranging from application management to infrastructure administration and automation, dodgeball national champion