Blumira’s modern cloud SIEM platform integrates with Sophos XG Firewalls to detect cybersecurity threats and provide an actionable response to remediate when a threat is detected.
When configured, the Blumira integration with the Sophos XG Firewall appliance streams security event logs to the Blumira service for threat detection and actionable response.
Learn more about enabling Blumira’s blocklists to block malicious source IP addresses and domains for automated threat response.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Obtain the IP address of your Blumira sensor to use when configuring the external service.
To gather the IP address of the sensor:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Configuring the Syslog server
To set up the Sophos XG Firewall to send logs to Blumira's sensor:
- Log in to your Sophos XG Firewall.
- Go to System Services > Log Settings.
- Click Add to configure a syslog server.
- In the Name box, type a name for the syslog server.
- In the IP Address box, type the IP address of the Blumira sensor.
- In the Port box, type 514.
- Leave the default Facility as DAEMON; the facility value does not generally affect how the Blumira sensor processes the logs.
- Select the Severity Level as Informational (you may want to move to Debug in the future, but Informational is a good starting point).
- Leave the default Format as Device Standard Format.
- Click Save.
Reference: Sophos Firewall: Add a syslog server
Next, specify which Sophos logs to send to the Blumira sensor:
- Go to System Services > Log Settings.
- Select all checkboxes under Syslog unless there is no need or license for one.
- Ensure that the Log Traffic option is selected in the Firewall Rule settings; otherwise, traffic matching that rule will not be logged.
- Click Apply.
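Once both procedures are complete, the sensor should be receiving Device Standard Format syslog on UDP port 514 with the DAEMON facility and Informational severity. The following Python script is an added example (not Blumira's or Sophos's code) that parses that style of key=value syslog line and checks the two things most likely to be misconfigured: the PRI facility/severity stamped on each message, and whether any Firewall-type traffic events appear at all, which is what the Log Traffic option on each firewall rule controls. The sample lines and field names are constructed approximations of the Sophos format, not output captured from an appliance.

```python
import re
from collections import Counter

# RFC 5424 facility/severity codes matching the settings chosen above:
# Facility DAEMON = 3, Severity Informational = 6, so PRI = 3*8 + 6 = 30.
FACILITY_DAEMON = 3
SEVERITY_INFO = 6

# Constructed sample lines approximating Sophos "Device Standard Format"
# (a syslog PRI followed by key=value pairs). Field names and values are
# assumptions for this example, not lines captured from a real appliance.
SAMPLE_LINES = [
    '<30>device="SFW" date=2024-05-01 time=10:00:01 timezone="UTC" device_name="XG-EXAMPLE" '
    'log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'status="Allow" fw_rule_id=12 src_ip=192.0.2.10 dst_ip=198.51.100.20 protocol="TCP" src_port=51515 dst_port=443',
    '<30>device="SFW" date=2024-05-01 time=10:00:02 timezone="UTC" device_name="XG-EXAMPLE" '
    'log_id=010101600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" '
    'status="Deny" fw_rule_id=0 src_ip=203.0.113.5 dst_ip=192.0.2.10 protocol="TCP" src_port=4444 dst_port=22',
    '<30>device="SFW" date=2024-05-01 time=10:00:03 timezone="UTC" device_name="XG-EXAMPLE" '
    'log_id=062009617501 log_type="Event" log_component="Admin" log_subtype="Authentication" '
    'status="Failed" user_name="admin" src_ip=203.0.113.5 message="Login failed"',
]

PRI_RE = re.compile(r'^<(\d{1,3})>')
# key=value where value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one syslog line into a dict of fields.

    Adds "_facility" and "_severity" derived from the leading <PRI> when present.
    """
    fields = {}
    body = line
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["_facility"] = pri // 8
        fields["_severity"] = pri % 8
        body = line[m.end():]
    for key, raw in KV_RE.findall(body):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize(lines):
    """Summarize a batch of lines and flag the misconfigurations the setup steps warn about."""
    events = [parse_line(line) for line in lines]
    by_type = Counter(e.get("log_type", "unknown") for e in events)

    # Facility/severity not matching the configured DAEMON/Informational settings
    # usually means the wrong syslog server profile is in use on the firewall.
    unexpected_facility = sum(1 for e in events if e.get("_facility") != FACILITY_DAEMON)
    above_info = sum(1 for e in events if e.get("_severity", 0) > SEVERITY_INFO)

    # No Firewall-type events at all is the symptom of the Log Traffic option
    # not being enabled on the firewall rules.
    firewall_present = by_type.get("Firewall", 0) > 0
    denied = sum(1 for e in events
                 if e.get("log_type") == "Firewall" and e.get("log_subtype") == "Denied")

    return {
        "total": len(events),
        "by_type": dict(by_type),
        "unexpected_facility": unexpected_facility,
        "more_verbose_than_info": above_info,
        "firewall_logs_present": firewall_present,
        "denied_count": denied,
        "warning": None if firewall_present
        else "No Firewall log_type seen: check that Log Traffic is enabled on the firewall rules.",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run against a few hundred lines captured on the sensor (for example, the file a local syslog listener writes on UDP 514) rather than the constructed sample; a summary with no Firewall entries after the firewall has been passing traffic for a while is the quickest indication that the Log Traffic option was missed on the rules.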