Merge pull request #46 from sophos/modified-the-siem-api-to-communicate-with-legacy-siem-service
ramksophos authored Jun 23, 2021
2 parents c1ee81a + 8388542 commit 6e7ca6c
Showing 15 changed files with 1,862 additions and 947 deletions.
14 changes: 14 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,17 @@
# v2.0.0
1. New JWT-based authentication for the SIEM API
- You can now use Sophos Central public [API credentials](https://developer.sophos.com/getting-started) to sync alerts and events from the SIEM API.
- Add `client_id` and `client_secret` to config.ini.
- API tokens are still supported but deprecated. This authentication mechanism will be removed in a future release.
2. Better support for partners and enterprise customers
- You can now use API credentials created from Partner Admin or Enterprise Admin in config.ini. You must identify the tenant from which to sync alerts and events by setting the `tenant_id` configuration parameter.
- When using tenant-level API credentials, `tenant_id` is optional as it is automatically determined from the API credentials.
3. State file consolidated
- We have added a new JSON state file to capture the last sync time for alerts and events.
- Configure the path to the state file in config.ini.
4. Drop support for Python 2.x
- You now need Python 3.5+ to use this tool.

# v1.1.0
## New Features
1. ****Added a “datastream” text identifier to each object in the API output to distinguish between events and alerts****
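Review bot: the v2.0.0 entry telling users to add `client_id` and `client_secret` to config.ini (item 1, second bullet) says nothing about protecting that secret; config.ini now holds a long-lived credential in plaintext, so the entry (and the README steps) should tell users to restrict the file's permissions and keep it out of version control. The deprecation bullet in the same item could also name the release in which API tokens stop being accepted, since "a future release" gives integrators no migration deadline.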
18 changes: 14 additions & 4 deletions README.md
@@ -13,23 +13,30 @@ Any issue discovered using the script should be reported to Sophos Support.

The script in this directory allows you to use the Sophos Central API to get data into your SIEM solution.

Access to the APIs requires an access token that can be setup in the Sophos Central UI by going to System Settings from the navigation bar and then selecting API Token Management. From this page, you can click the Add Token button to create a new token.
Access to the APIs requires an access token or API Credentials that can be setup in the Sophos Central UI by going to System Settings from the navigation bar and then selecting API Token Management or API Credentials. From this page, you can click the Add Token button to create a new token.
Here is more information available on how to setup API Token: https://community.sophos.com/kb/en-us/125169

You can view API Swagger Specification by accessing API Access URL from the access token created under Api Token Management in Sophos Central UI.


### Installation ###

Download and extract from [here](https://github.com/sophos/Sophos-Central-SIEM-Integration/archive/v1.1.0.zip) for the latest release.
Download and extract from [here](https://github.com/sophos/Sophos-Central-SIEM-Integration/archive/v2.0.0.zip) for the latest release.
For older version, please consult the Releases section below.
For changes to the API, please consult the API Updates section below.
The script requires Python 2.7.9+ to run.
The script requires Python 3.5+ to run.

#### Releases ####

See [changelog](CHANGELOG.md) for full details.


##### [v2.0.0](https://github.com/sophos/Sophos-Central-SIEM-Integration/archive/v2.0.0.zip) #####
* New JWT-based authentication for the SIEM API
* Better support for partners and enterprise customers
* State file consolidated
* Drop support for Python 2.x

##### [v1.1.0](https://github.com/sophos/Sophos-Central-SIEM-Integration/archive/v1.1.0.zip) #####
* CSA-2918: Adding text identifier to distinguish between an 'Event' and 'Alert'
* CSA-2917: Fixing issue with double alert reporting
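Review bot: the rewritten access paragraph still ends with `From this page, you can click the Add Token button to create a new token.`, so it explains how to create a token but not how to create API Credentials, and the KB link that follows is labelled as API Token setup only; since the CHANGELOG in this same commit deprecates tokens in favour of credentials, add the credential-creation step and a link to the API credentials documentation.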
@@ -58,11 +65,14 @@ config.ini is a configuration file that exists by default in the siem-scripts fo
##### Here are the steps to configure the script:
1. Open config.ini in a text editor.
2. Under 'API Access URL + Headers' in the config file, copy and paste the API Access URL + Headers block from the Api Token Management page in Sophos Central.
3. Under Client ID and Client Secret in the config file, copy and paste the API Credentials from the API Token Management page in Sophos Central.
4. Under Customer tenant id in the config file, you can mention the tenant id for which you want to fetch alerts and events.

##### Optional configuration steps:
1. Under json, cef or keyvalue, you could choose the preferred output of the response i.e. json, cef or keyvalue.
2. Under filename, you can specify the filename that your output would be saved to. Options are syslog, stdout or any custom file name. Custom files are created in a folder named log.
3. If you are using syslog then under syslog properties in the config file, configure address, facility and socktype.
4. under state_file_path, specify the full or relative path to the cache file (with a ".json" extension)


### Running the script
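Review bot: step 3 of the configuration steps tells users to copy the API Credentials from the `API Token Management` page, whereas the README paragraph above distinguishes `API Token Management` from `API Credentials`; name the page consistently. In the optional steps, item 4 (`under state_file_path, ...`) is lowercased and has no trailing period unlike items 1-3, and it calls the file a "cache file" where the CHANGELOG calls it the state file. It would also help to state that config.ini (which now holds `client_secret`) should not be world-readable.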
@@ -73,7 +83,7 @@ For more options and help on running the script run 'python siem.py -h'

### License

Copyright 2016 Sophos Limited
Copyright 2016-2021 Sophos Limited

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at: http://www.apache.org/licenses/LICENSE-2.0