Sophos Cloud Security Provider

Cloud Optix

Version: 1.0

Sophos Cloud Security Provider

Sophos Cloud Optix

July 2019
Version: 1.0

© 2019 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos
and marks mentioned in this document may be the trademarks or registered trademarks of
Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness
or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is
at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

1
 About This Course
This course provides technical training on Sophos Cloud Optix, an AI-
powered, next generation cloud infrastructure security platform.
It is designed to provide you with the knowledge of how to integrate Cloud
Optix with supported Public Cloud Providers, Infrastructure as Code
processes, and various service desk platforms, and alerting and logging
platforms.

Course Duration This course should take approximately 2.5 Hours to complete

This course provides technical training on Sophos Cloud Optix, an AI-powered, next generation
cloud infrastructure security platform.
In particular, the training focuses on the integration with various third party services including
Amazon Web Services, Microsoft Azure, and Google Cloud Platform, in order to provide
capabilities including continuous security monitoring and visibility, compliance, remediation,
and DevSecOps (Infrastructure as Code).

It is designed to provide you with the knowledge of how to integrate Cloud Optix with
supported Public Cloud Providers, Infrastructure as Code processes, and various service desk
platforms, and alerting and logging platforms.

The course, including lab exercises, should take approximately 2.5 hours to complete.

2
 Prerequisites
We recommend you have the following knowledge and experience:

• Understanding of Infrastructure as a Service concepts

• Understanding of Cloud Security Posture Management
• Experience with either AWS, Azure, or Google Cloud Platform
• Experience with Security Monitoring and Alerting, or Incident Response
• Understanding of DevOps/Infrastructure as Code concepts
• Understanding of Containers, such as Kubernetes
• General understanding of Compliance or Governance Risk and Compliance (GRC)
standards

We recommend students have the following knowledge and experience:

• Understanding of Infrastructure as a Service concepts

• Understanding of Cloud Security Posture Management
• Experience with either AWS, Azure, or Google Cloud Platform
• Experience with Security Monitoring and Alerting, or Incident Response
• Understanding of DevOps/Infrastructure as Code concepts
• Understanding of Containers, such as Kubernetes
• General understanding of Compliance or Governance Risk and Compliance (GRC) standards

3
 Additional Information

When you see this in the corner you can

find additional information in the notes of
the student handout
Additional information
in the notes

When you see this in the corner you can find additional information in the notes of the student
handout.

4
Course Objectives
Once you complete this course, you will be able to:
Understand and describe the functionality of Cloud Optix

Integrate Cloud Optix with public cloud platforms like AWS, Azure and Google Cloud Platform

Integrate Cloud Optix with Kubernetes and infrastructure as Code environments

Integrate Cloud Optix with service desk ticketing and alerting platforms

Perform initial troubleshooting

Once you have completed this course, you will be able to:

• Understand and describe the functionality of Cloud Optix

• Integrate Cloud Optix with AWS, Azure, and Google Cloud Platform
• Integrate Cloud Optix with Kubernetes and infrastructure as Code environments
• Integrate Cloud Optix with service desk ticketing and alerting platforms
• Perform initial troubleshooting

5
 What is Cloud Optix?
• Cloud Optix is a SaaS, agentless Cloud Security Posture Management
(CSPM) Solution
• CSPM solutions are specifically designed to address key security and
compliance challenges unique to the Public Cloud
• Cloud Optix focuses on helping customers with:

First let’s start off by talking about what cloud Optix actually is. Cloud Optix is a Software as a
Service or SaaS, agentless cloud security posture management solution.

Cloud security posture management solutions are a new type of security tool designed to
address the unique challenges that customers face today when trying to properly secure their
cloud infrastructure and ensure continuous compliance.

To achieve those goals Sophos Cloud Optix uses a three-pronged approach which focuses on
helping customers increase their visibility in these environments.

It provides the tools necessary to ensure that these dynamic ever changing environments are
secured according to governance policies and are in line with any compliance regulations. It also
helps security, operations, and development teams effectively and efficiently respond to
security incidents and remediate issues such as misconfigurations.

6
 Limitations
It is not a CASB Solution
Cloud Access Security Broker solutions sit between a
Cloud consumer and the Cloud service providers to
enforce security

It is not a CAM solution

Cloud Asset Management solutions are used to track
usage of Cloud services to aid in cost management

It is not an Application Security tool

Application Security tools scan customer application
code for vulnerabilities that could lead to exploits

Let’s spend a moment talking about what Cloud Optix is not, as there is some confusion due to
this being a new technology.

Cloud Optix is not a CASB solution. CASB is fairly well established technology that is used to
identify the usage of cloud services or applications, and to then enforce security policies as it
relates to their usage. So essentially, CASB is often used by customers to identify shadow IT
usage, which simply means internal users on premise that are connecting to and using various
Cloud services such as Box, Gsuite, etc… By identifying this usage, organizations can then ensure
that their usage is inline with internal security and compliance policies. So for example they can
control access, or ensure sensitive data is properly controlled.

Cloud Optix is not a Cloud Asset Management solution. CAM solutions are mostly focused on
helping with cost optimization. Optix is also not an application security tool. App sec tools are
used to scan customer code to find vulnerabilities that may lead to exploits. Optix is instead
scanning the Cloud infrastructure to identify vulnerabilities.

In each of these cases there are either overlaps in certain features, or similarities in approach.
The thing to note with Cloud Optix is that it is a fully featured Cloud Security Posture
management solution, designed to help customers maintain a secure cloud posture across
multiple clouds and accounts, and provides teams with the tools needed to effectively
coordinate responses to issues that may arise.

7
 Why did Sophos acquire this technology?
Cloud Environments present new data security challengers which are not fully
addressed with traditional security technology

Cloud Optix helps customers to deploy and maintain secure cloud

infrastructure across multiple accounts and cloud providers

Fits into Sophos’ strategy for Public Cloud and with our wider vision of
Synchronized Security

So why did Sophos acquire this technology? The reason is that public cloud environments
present new and unique data security challenges which traditional security technology cannot
fully address.

What we’re talking about here is the actual security posture of these public cloud
environments, which often span multiple accounts as well as multiple public cloud platforms.

Helping customers visualize and respond to security threats anywhere is a key part of Sophos’
overall strategy.

8
 Evolution of Synchronized Security with Cloud

Security Heartbeat™

Our vision is to provide the best protection and visibility, wherever your data resides

This is our vision and it is called synchronized security.

Synchronized security allows Sophos products to communicate and share contextual security
data which is then used to greatly enhance an organizations overall security posture.

As most organizations have extended into the public cloud, Cloud Optix now provides the
needed visibility into these environments.

9
 Cloud Optix Compliments Existing Solutions

✓ Sophos Cloud Optix ✓ Sophos Cloud Optix ✓ Sophos Cloud Optix

✓ Intercept X for Server ✓ Intercept X for Server ✓ Intercept X for Server
✓ XG Firewall ✓ UTM

Cloud Optix also complements our existing solutions for public cloud security which focus on
providing additional layers of security in the Cloud, by providing options for securing virtual
network perimeters and providing advanced host protection.

Essentially Cloud Optix gives customers the tools they need to ensure their cloud infrastructure
is secure and compliant, and our Next Gen Firewalls and Server workload protection agents add
the suggested security layers which sit on top of the cloud infrastructure.

Please refer to the following CSP modules for more information on these solutions, how to
implement them and how they can help your customers.

10
 Environments and Integrations
Amazon Web Services Microsoft Azure
• Adding and removing accounts • Adding and removing subscriptions
• Troubleshooting • Troubleshooting
• Terraform deployment

Google Cloud Platform Kubernetes

• Adding and removing accounts • Adding and removing service accounts
• Troubleshooting • Troubleshooting

Infrastructure as Code Integrations

• GitHub • Jira • Amazon GuardDuty
• BitBucket • Service Now • Splunk
• Jenkins • Pager Duty • Slack

This module is broken down into the following topics:

For AWS, Azure, GCP and Kubernetes we’ll look at how to deploy, undo a deployment and how
to troubleshoot deployment issues.
We’ll also look at how to use Terraform for AWS deployment purposes.

Next, we’ll look at how to integrate with common DevOps tools like GitHub, BitBucket and
Jenkins in the Infrastructure as Code section of this module.

We’ll close out this module by looking at service integrations with common third party support
tools such as Atlassian Jira, ServiceNow, PagerDuty and Splunk, as well as integration with
teams communication tools in the form of Slack. Lastly, we’ll examine integrations with
platform level security assessment tools in the form of Amazon GuardDuty.

11
 Amazon Web Services
AWS

Adding New Accounts

12
 Adding a New AWS Environment

1 2 3
AWS

Create a user in Setup AWS CLI Download and run

IAM Client deployment scripts

Additional information
in the notes

So, let’s start with AWS and look at how to add an AWS account to your Cloud Optix console.

Adding an AWS account to Cloud Optix is a three step process.

First, we’ll need to create a user in IAM with programmatic access enabled and the appropriate
permissions.

Next, we’ll need to set up the AWS command line client on a local machine to run the
deployment scripts.

Lastly, we’ll download and run the deployment scripts.

Creating a new IAM user

1. Open the AWS console and navigate to IAM

2. Navigate to Users in the left-hand menu
3. Click Add user
4. Enter a name and tick
“Programmatic access”
5. Click Next to set Permissions
6. Select “Add user to group” and click “Create group”
7. Enter a Group name
8. Click Create policy
9. Enter a Name and Description
10. Select the JSON editor tab

13
11. Copy the JSON policy content from the “Permissions needed to add an
AWSenvironment” section in the KB here:
https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/
concepts/AWSScriptPermissions.html
12. Click Review Policy
13. Inspect the summary and click Create Policy to continue
14. Switch back to the user creation tab and select the newly created policy from
the list
15. Click Create Group to enter Tags for the user
16. Enter a Key and Key Value if desired
17. Once the desired Tags have been set, click Next to Review the creation of the
user account
18. Check the Review and click Create userto create the new account
19. With the new account is created,note or copy the Access Key ID
20. Click Show to see the Secret access key,then note or copy the key for later
use

Setting up AWS CLI (macOS X)

1. Download the AWS CLI Bundled installer from:

https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
2. Unzip the archive to a local directory
3. Open the Terminal command line
4. Navigate to the local folder containing the unzipped files from step 2
5. Run “sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws” to
install the AWS CLI and create a symlink to the directory
6. Run “aws --version” to verify the application installed correctly
7. Run “aws configure” to sign in to the AWS account we created earlier and will
be using to register the AWS account with Cloud Optix

Setting up AWS CLI (Linux)

AWS CLI is available for most distributions, simply run “ sudo yum install awscli” or
“sudo apt install awscli” to install the package and dependencies.
Alternatively, you can use the method below to install using pip (recommended by
Amazon):

1. Update your package lists (run “sudo yum update” or “sudo apt update”
depending on distribution)
2. Check your system’s Python version by running “python --version”
3. Install pip by running “sudo yum install python-pip” / “sudo apt install
python-pip” if you are running Python 2.x or “sudo yum install python3-pip” /

13
 “sudo apt install python3-pip” if your system has Python 3.x installed.
4. Run “pip install awscli --upgrade --user” or “pip3 install awscli --upgrade --
user” depending on your Python version
5. Run “aws --version” to verify the application installed correctly
6. Run “aws configure” to sign in to the AWS account we created earlier and will
be using to register the AWS account with Cloud Optix

Setting up AWS CLI (Windows)

As mentioned previously, we’ll be setting up the Windows Subsystem for Linux on

Windows 10 to enable the use of a Linux environment with tools such as Bash and
Curl on Windows.

1. Open Powershell as Administrator and run “Enable-WindowsOptionalFeature

-Online -FeatureName Microsoft-Windows-Subsystem-Linux” to install the
optional feature
2. Reboot your machine to complete the install
3. Once your system has rebooted use the instructions here to select your
favorite distro and download it to your machine:
https://docs.microsoft.com/en-us/windows/wsl/install-manual
4. Add the distribution package and install it by running “Add-AppxPackage
<path of your distro bundle>.appx” in the administrative Powershell console
5. Start the newly installed Linux distro to open a bash shell console
6. Install the AWS CLI using the steps for Linux

Download and run the Cloud Optix setup script

1. Open the Cloud Optix console

2. Navigate to the settings item in the left-hand navigation menu and select
Environments
3. Click Add New Environment
4. (Optional) Customize the deployment by clicking “Click here to customize
your AWS installation” under the AWS Account tab
a. Choose an install region from the “Choose default install region”
dropdown menu
b. Enter an existing cloudtrail if you wish to reuse one in the field below
c. Enabling VPC Flow Logs enables Cloud Optix to perform analysis of
traffic inside the AWS account for alerting and topology purposes, but
will cause increased operational spend on AWS – you can choose to
use this service by clicking Yes or No in the “Enable VPC Flow Logs”
section
d. Clicking “Yes” will enable you to further customize the regions in

13
 which you wish to enable flow logs by selecting them from the
dropdown menu
e. Click Generate Install Configuration to generate the required steps to
apply the desired custom configuration
5. Open a bash shell (called Terminal in macOS X) and run the commands
shown in step 2A on the portal
6. Once completed, run the commands shown in step 2B (or the commands
received from the customization in step 4 of this course)

13
 Demonstration

Create a new IAM user

AWS

Let’s take a look at how this all works in this demonstration.

Create IAM

To create a new IAM user, first open the AWS portal and navigate to IAM.

There, select Users from the left-hand menu, then click on the “Add user” button.

Enter a name for the new user, and make sure to tick the “Programmatic access” type in the
Access Type section.

Click “Next” to proceed with the user creation, we do this by setting the user Permissions.

In the permissions screen, select “Add user to group” and click “Create group” to create a new
group for this user.

We recommend creating a new group instead of setting permissions on an individual basis, as

this makes it easier to keep track of user permissions, share permissions and centrally revoked
permissions if needed later.

We then enter a name for the new group and click “Create Policy”.

On the next screen enter a name and description for the new policy, then select the JSON editor
and copy the contents from the linked section in the student handout notes of the Sophos
Cloud Optix knowledge base into the policy editor field.

14
Click “Review policy” and make sure the copied permissions are all accounted for. If
everything looks correct, click “Create Policy” to save the new policy and continue.

Now that the policy has been created, switch back to the user creation tab and select
the newly created policy from the list.

Click “Create Group” and enter any tags you wish to use in the “Add tags” section on
the next screen.

Once done, click “Next” to review the permissions and properties of the new user
you’ve just created.

If the review of the user looks correct, click “Create User” to complete the process.

Make sure to note both the “Access key ID” and “Secret key ID”, as both are required
in later steps of the configuration process.

With the user creation complete, let’s move on to the next step: Setting up AWS CLI

14
 Demonstration

Setting up AWS CLI

AWS

Let’s take a look at how this all works in this demonstration.

Setting up AWS CLI

The deployment of Cloud Optix relies on the availability of the BASH scripting language and curl
in addition to the AWS CLI.

As such, we’ll provide instructions on how to set up AWS CLI on Linux and Mac OSX systems, as
well as how to set up a functional Linux environment inside Windows 10 using the Windows
subsystem for Linux.

Note that, while it is theoretically possible to get the Cloud Optix AWS scripts to run on
Windows, this is not a supported option at the time of writing.

To set up the AWS CLI for MacOS X, we begin by downloading the bundled installer.

Unzip the installer to a local folder, then open the Terminal command line interface.

Navigate to the folder you unzipped the files into and run the command.

Once the setup completes, ensure the process completed successfully and the required patches
have been added to the environment variables. You can check this by running “aws --version”
and see if you receive an output.

If successful, this command will result in the AWS CLI outputting the currently installed version

15
to the terminal window.

If the install completed successfully and the “--version” command worked, proceed
by running “aws configure” to set up the AWS CLI with the credentials of the user
created in the previous setup steps.

Enter the access key, followed by the secret ID of the new user, select the preferred
default region and make sure to change the output of the AWS CLI to JSON.

If you are using Linux, chances are that your preferred distro’s package manager
already has AWS CLI listed in its sources.

In this case, it’s as easy as running “sudo yum install awscli” or “sudo apt install
awscli”, depending on the distribution.

If your distribution does not have awscli listed in the sources for your package
manager, the procedure to install AWS CLI through the platform agnostic Python pip
is as follows:

Start by updating your package manager’s package lists by running either “sudo yum
update” or “sudo apt update”, again, depending on your distribution’s package
manager.

Next, check if Python is installed on your system, and what version you have installed
on your local system by running “python --version”.

In case Python2.x or Python3 is not present on your system, make sure to look up
your distribution’s help for instructions on how to install these packages.

With the presence and version of Python verified, install pip using for Python 2.x by
running either “sudo yum install python-pip” or “sudo apt install python-pip”.

If your system has Python3 installed instead, run either “sudo yum install python3-
pip” or “sudo apt install python3-pip”, depending on your distribution.

With pip installed, you can now install the AWS CLI by running “pip install awscli --
upgrade --user” for Python 2.x systems or “pip3 install awscli --upgrade --user” for
systems running Python3.

Once setup completes, make sure the process completed successfully and the
required patches have been added to the environment variables by running “aws --
version” and see if you receive an output.

15
If successful, this command will result in the AWS CLI outputting the currently
installed version to the terminal window as it did before.

If the install completed successfully and the “--version” command worked, proceed
by running “aws configure” to set up the AWS CLI with the credentials of the user
created in the previous setup steps.

Enter the access key, followed by the secret ID of the new user, select the preferred
default region and make sure to change the output of the AWS CLI to JSON.

As Windows is not currently natively supported for Cloud Optix’s AWS deployment
script, you’ll need to set up the Windows Subsystem for Linux to run the script.

Note that the windows subsystem for Linux is only supported from Windows 10
version 16.09 and upwards.

To enable the WSL, open an administrative Powershell window and run “Enable-
WindowsOptionalFeature –Online -FeatureName Microsoft-Windows-Subsystem-
Linux” to install the feature.

Complete the installation by rebooting your machine.

Once rebooted, use the instructions from the link on the screen to select your
favorite Linux distribution and download it to your local machine.

With the Linux distribution package downloaded, go back to the administrative

Powershell window and run “Add-AppxPackage” followed by the exact path of the file
you just downloaded, then hit Enter.

After setup completes, start your Linux distribution from the Windows start menu
and follow the additional instructions (if any, depending on the selected distribution)
until such point you are presented with a functional BASH console.

Next, follow the steps outlined on the previous slide to install AWS CLI and the
related relevant packages in your new Linux environment.

15
 Demonstration

Adding an AWS Environment

AWS

Let’s take a look at how this all works in this demonstration.

Script:

Add AWS environment

With the user created and AWS CLI set up, all that’s left to do in order to add your AWS account
to your Cloud Optix environment is to run the deployment script.

To do this, start by opening the Cloud Optix console and navigating to the “Environments” item
under “Settings” in the left-hand menu.

Click “Add Environment” to open the “add a new environment” menu, then select the “AWS”
tab.

If you wish to customize the AWS deployment of Cloud Optix, such as when you wish to disable
the use of flow logs, reuse existing cloudtrails or only deploy a particular region inside AWS,
click the “Click here to customize your AWS installation” link and set the desired parameters.

Complete the customizations (if desired, again) by clicking “Generate Install Configuration” to
generate the required commands.

Regardless of whether you chose to customize the installation, proceed by opening a BASH shell
on your OS of choice, copying the instructions in step 2A into the terminal and running them.

16
Now that the deployment script has been downloaded, copy either the instructions in
step 2B or the customized instructions generated previously into the terminal window
and run them.

Follow any additional on-screen instructions and then wait until the script completes.

16
 Amazon Web Services
AWS

Removing Accounts

17
 Removing Accounts

1 Delete environment from the Cloud Optix Console

AWS

2 Run the removal script in the AWS account

Additional information
in the notes

Now that we’ve discussed the steps required to add an AWS environment, let’s examine the
steps required to remove an account.

This process consists of two steps. Firstly, delete the environment from the Cloud Optix console.
You will then run the removal script in the AWS account you wish to remove.

This will complete the process and clean up any settings and components enabled by Cloud
Optix in the AWS account.

Removing environments from the Cloud Optix console

1. Open the Cloud Optix console

2. Navigate to environments (under settings)
3. Click on the red dustbin icon next tothe environment you wish to remove
4. Note the instructions from thepop-up menu as we will needthem later
5. Tick “Please confirm that youwish to continue” and click OK

Download and run the removal script

1. Open a bash shell (Terminal on macOS X)

2. Copy and run the first command from the pop-up we received in step 4 on the previous
slide
3. Once complete, copy and run the secondcommand

18
 Demonstration

Removing an AWS Environment

AWS

Let’s take a look at how this all works in this demonstration.

This process consists of two steps. Firstly, delete the environment from the Cloud Optix console.
You will then run the removal script in the AWS account you wish to remove.

This will complete the process and clean up any settings and components enabled by Cloud
Optix in the AWS account.

This process consists of two steps - first you delete the environment from the Cloud Optix
console, then you’ll need to run the removal script in the AWS account you wish to remove to
complete the process and clean up any settings and components enabled by Cloud Optix in the
AWS account.

As we have covered, the first step in the removal process is to delete the environment from the
Cloud Optix Console.

To do this, navigate to Cloud Optix Console > Environments > Settings

Find the AWS account you wish to remove in the list and click the red dustbin icon to
commence the removal of your data in Cloud Optix. Please note that clicking the dustbin icon
will also open a pop-up menu. This menu contains the scripts and details needed to complete
this process, therefore, you must ensure that you make a note of these details as you WILL need
them.

Select the ‘please confirm that you wish to continue’ checkbox and click OK to complete the

19
process in Cloud Optix.

To view the exact steps you need to take to delete an environment from the Cloud
Optix Console select the additional notes icon.

With the environment removed from Cloud Optix, the next step is to run the removal
script in the AWS account.

To do this, open a BASH shell, then copy and run the script you made a copy of when
deleting the environment from the Cloud Optix Console.

When the command completes downloading the removal script, copy and run the
instructions you made a copy of when deleting the environment from the Cloud Optix
Console.

19
 Deleting an Environment 1
Cloud Optix Console > Environments > Settings

Select the red dustbin icon to remove the environment

IMPORTANT: make a note of the script and details
required to
AWS

compete this process

Additional information
in the notes

As we have covered, the first step in the removal process is to delete the environment from the
Cloud Optix Console.

To do this, navigate to Cloud Optix Console > Environments > Settings

Find the AWS account you wish to remove in the list and click the red dustbin icon to
commence the removal of your data in Cloud Optix. Please note that clicking the dustbin icon
will also open a pop-up menu. This menu contains the scripts and details needed to complete
this process, therefore, you must ensure that you make a note of these details as you WILL need
them.

Select the ‘please confirm that you wish to continue’ checkbox and click OK to complete the
process in Cloud Optix.

Removing environments from the Cloud Optix console

1. Open the Cloud Optix console

2. Navigate to environments (under settings)
3. Click on the red dustbin icon next to the environment you wish to remove
4. Note the instructions from the pop-up menu as we will need them later
5. Tick “Please confirm that you wish to continue” and click OK

20
 Removal Script 2

1 Open a bash shell

(terminal on MacOS X)

2
AWS

Run the removal script

3 Run the instructions

Additional information
in the notes

With the environment removed from Cloud Optix, the next step is to run the removal script in
the AWS account.

To do this, open a BASH shell, then copy and run the script you made a copy of when deleting
the environment from the Cloud Optix Console.

When the command completes downloading the removal script, copy and run the instructions
you made a copy of when deleting the environment from the Cloud Optix Console.

1. Open a bash shell (Terminal on macOS X)

2. Copy and run the first command from the pop-up we received in step 4 on the previous
slide
3. Once complete, copy and run the second
command

21
 Amazon Web Services
AWS

Troubleshooting

With both adding and removing AWS accounts covered, the next thing to discuss is
troubleshooting the onboarding of AWS environments.

22
 Troubleshooting

• Cloud Optix scripts log all output to avidsecure-script-output.log

• The log file is located in the folder the script is located in
• Log contains all events and errors
AWS

• Errors are displayed on • Warnings are displayed

screen during the on screen during the
execution of a script execution of a script
• Errors are displayed in • Warnings are displayed
RED in YELLOW

By default, the Cloud Optix scripts log all output to a file labeled “avidsecure-script-output.log”
located in the folder the script is located in. This file contains all events and errors that took
place and serves as both a tool for Sophos support as well as the engineer doing the
deployment to help determine if the script ran into permissions issues, internet access related
problems or other events that may have caused the deployment to fail.

Input for this log is the script output, which shows these errors and warning on screen during
the execution of the script as well. It uses color coding (when compatible with the Linux distro)
to help easily distinguish between errors (displayed in red) and warning (displayed in yellow).

23
 Troubleshooting

• The rollback script MUST be run BEFORE attempting another

deployment of the AWS account
AWS

• The rollback script is displayed on the Add New Environment page

Additional information
in the notes

Regardless of the cause of the deployment problem, it is imperative to run the rollback script
before attempting another deployment of the AWS account.

The rollback script is displayed in the “Add New Environment” page, in the same section as the
deployment instructions for AWS.

Rollback

In case the deployment script fails (for whatever reason), it is imperative to run the rollback
script after correcting the root cause before attempting another deployment.

This rollback script can be found in the note (yellow box) below step 2B

24
 Amazon Web Services
AWS

Deploying with Terraform

AWS is currently also the only platform for which Cloud Optix supports deployment through a
non-native tool in the form of Terraform.

25
 Deploying with Terraform
1 Navigate to Add New Environment > Settings > AWS Account > Terraform

2 Download the required components using the command in bash shell

3 Unzip and saved the downloaded file as ‘terraform init’

AWS

Optionally customize your deployment or use the default settings running the relevant command in bash
4
shell. IMPORTANT: make a note of the output

5 In the Cloud Optix Console Generate the command using the details you noted in step 4

6 Copy the generated command and run it in bash shell

Additional information
in the notes

The steps needed to deploy an AWS account through Terraform are quite similar to the scripted
deployment steps. You start by navigating to Add New Environment > Settings > AWS Account
> Terraform in the Cloud Optix console. This will provide the command needed to download the
required comments.

Copy the command and run it in a bash shell command. This will download a zipped file. Unzip
the file and save it as ‘terraform init <folder path>.

You can then optionally customize your deployment or select to use the default settings. In both
cases, you will need to copy and run the relevant command in bash shell. Whichever command
you used, it is IMPORTANT that you make a note of the output as you will require this
information to complete the deployment.

Switch back to the Cloud Optix Console and click Generate the command. Here you will input
the details you saved, copy the command returned and run it in a bash shell. This will complete
the deployment process.

Deploying Cloud Optix with Terraform

Cloud Optix can also be deployed with Terraform to configure AWS environments, to further
automation of the deployment process.

The steps for this are as follows:

Deploying with Terraform

26
1. Navigate to the Cloud Optix console and open the environment settings
2. Scroll down to the bottom of the AWS Account tab
3. Open a bash shell and run the commands in step 1 to download the required
components
4. Unzip terraform.zip to a local folder
5. Run “Terraform init <path to folder>” to initialize Terraform
6. (Optional) click on “customize your setup” to modify the deployment
parameters
a. Choose an install region from the “Choose default install region”
dropdown menu
b. Enter an existing cloudtrail if you wish to reuse one in the field below
c. Enabling VPC Flow Logs enables Cloud Optix to perform analysis of
traffic inside the AWS account for alerting and topology purposes, but
will cause increased operational spend on AWS – you can choose to
use this service by clicking Yes or No in the “Enable VPC Flow Logs”
section
d. Clicking “Yes” will enable you to further customize the regions in
which you wish to enable flow logs by selecting them from the
dropdown menu
e. Click Generate Install Configuration to generate the required steps to
apply the desired custom configuration
7. Run the command displayed in step 3 (or the one generated in the previous
step)
8. Once complete, click “Generate the command” in step 4.
9. Enter the output from the Terraform script
a. Enter the account name in the Account Friendly Name field
b. Enter the account ID in the Account ID field
c. Enter the role ARN in the Avid Role ARN field
d. Click Generate command to generate the command needed to
register the AWS account with Cloud Optix
10. Run the command generated in the previous step

26
 Deploying with Terraform

Deploying with Terraform

AWS

This video provides a demonstration of what this looks like.

The steps needed to deploy an AWS account through Terraform are quite similar to the scripted
deployment steps - you start by navigating to the “Add New Environment” page in Cloud Optix’s
settings page again.

There, scroll down on the AWS Account tab until you reach the “Terraform” section.

Open a BASH shell and run the commands in step 1 to download the required components for
Terraform.

Unzip the downloaded file to a local folder, then enter “Terraform init” followed by the path to
the local folder you’ve just unzipped the previously downloaded file in, followed by Enter.

Next, you have to option to customize the deployment by clicking the “customize your setup”
link in the Cloud Optix console, similar to the scripted method.

If you chose to customize the deployment, run the generated command in the BASH shell.

If you’re using the default settings, the next step is to run the command displayed in step 3 in
the BASH shell.

Once the command in the previous step has been completed, make sure to note the output in
the BASH shell as we’ll need this info in the next steps.

27
Back in the Cloud Optix console click the “Generate the command” link in step 4 of
the instructions for Terraform.

Enter the details we received after running the previous script in the appropriate
fields, then click Generate command to create the final command needed to deploy
through Terraform.

Complete the process by copying the generate command and running it in the BASH
shell.

27
 Microsoft Azure
Azure

Adding New Subscriptions

Moving on to Azure, let’s start with the steps required to add an Azure subscription to Cloud
Optix.

28
 Adding a New Azure environment

1 Set up Azure Cloud Shell in your Azure Portal

Azure

2 Download and run the Cloud Optix setup script in the

Azure Cloud Shell

Additional information
in the notes

Unlike the process for AWS, the Azure deployment process is two steps. The first step is only
required for new Azure accounts where Cloud Shell has never been launched previously.

Here, we assume the cloud shell has not been used before. Once you have set up cloud shell
you willl be able to deploy Cloud Optix for your Azure subscription in a similar scripted manner
to AWS.

Set up the Azure Cloud Shell

1. Log in to the Azure portal

2. Click the Cloud Shell icon in the top navigation bar
3. Select the subscription you wish to use with the Cloud Shell and click “Create storage”
to create a storage account to enable Cloud Shell persistent storage
a. (Optional) Click “Show advanced settings” to manually specify a new or existing
resource group, storage account and file share
4. With the resources created, select the Powershell CLI and wait for it to become
available

Download and run the Cloud Optix setup script

1. Sign in to the Azure Portal with a user that has at least the Owner role in the
subscription and has Application Administrator rights in Active Directory
2. Navigate to the Cloud Shell and start a Powershell-based shell
3. Open the Cloud Optix console
4. Navigate to the Settings item in the left-hand navigation menu and select Environments

29
5. Click Add New Environment and open the Azure Subscription tab
6. Copy and run the command in step 2A into the Cloud Shell
7. Once completed, copy and run the command in step 2B in Cloud Shell
a. (Optional) Click the “Enable logs” slider to disable the capturing of
flow logs and audit events (changes to hosts, storage, etc).
8. Select whether you wish to add all subscriptions or a specific one, by
answering “Y” or “N”
a. If you selected “N”, enter the subscription ID you wish to monitor
with Cloud Optix
9. The deployment script will now run through the subscription and create the
required components
10. When the script has completed its tasks, make sure to copy and paste the
URL the script outputs into a new browser tab
11. Sign in with an account that has Administrator rights in your current Azure
AD to authorize Cloud Optix read rights into AD

Note: Step 10 and 11 are only required for Cloud Optix to inventorize and track users
in Azure. These steps can be skipped if you do not wish to use these features.

29
 Microsoft Azure: Adding New Subscriptions
Azure

Adding a New Azure Subscription

Let’s look at this in this quick demonstration.

So, we’re starting with setting up the Azure Cloud Shell in case you’ve never used it on this
subscription previously.

Log in to the Azure Portal and click the Cloud Shell icon - which looks like a “greater than” sign
and a underscore - in the top right navigation icons in the Portal.

Select the subscription you wish to use with the cloud shell and click “Create storage” to set up
persistent storage for your cloud shell environment. If you’re so inclined you can choose to
manually specify whether Azure should use a new or existing resource group, storage account
and file share for this purpose.

Once Azure completes creating the configured resources, make sure to select the Powershell
CLI and wait until it becomes available before proceeding with the deployment instructions on
the next slide.

Make sure that you’re signed in to the Azure subscription with an account that has at least the
Owner role in the subscription and Application Administrator access in the associated Azure AD.

Open the Azure Cloud Shell and start a Powershell-based shell.

Navigate to the Environments section in the Cloud Optix console - under settings - and go to the
Azure Subscription tab.

30
There, copy and execute the command in step 2A into the Azure cloud shell window
to download the deployment script.

Next, copy and run the instructions in step 2B to start the deployment process for
your Azure subscriptions. Note that you have the option to customize the deployment
similar to AWS by clicking the “Enable logs” slider to disable flow logs and audit event
capture in Azure.

Now that the deployment script is running in the Azure Cloud Shell, it will ask which
subscriptions to add to Cloud Optix - the default is all.

If you don’t wish to add all subscriptions currently accessible by the logged in user,
enter “N” for No, and enter the subscription ID or IDs - separated by commas - for the
environments you wish to add.

Once the script completes it will ask you to visit a particular URL to authorize Cloud
Optix’s read-only access in AD, which is needed to inventorize and track users.

This step is optional if you don’t wish Cloud Optix to provide these additional security
features for you.

30
 Microsoft Azure
Azure

Removing Subscriptions

Now that we’ve discussed how to add a new Azure subscription, let’s go over how to remove
one from Cloud Optix as well.

31
 Removing an Existing Environment

1 Delete environment from the Cloud Optix Console

Azure

2 Download and run the removal script in Azure Cloud Shell to

remove the Cloud Optix settings from the Azure subscription

The removal process is largely similar to the process we’ve previously described for AWS
accounts; The first step is to delete the environment from Cloud Optix, followed by running a
script in the subscription that we’ve just removed to clean up the Cloud Optix components.

32
 Deleting an Environment 1
Cloud Optix Console > Environments > Settings

Select the red dustbin icon to remove the environment

IMPORTANT: make a note of the script and details
Azure

required to
compete this process

Additional information
in the notes

The removal steps from Cloud Optix are identical to the ones we described for AWS accounts.
You start by opening the Cloud Optix console, navigating to the environments page under the
settings item on the left-hand menu, selecting the environment you wish to remove from the
list, and then clicking the red dustbin icon.

This will prompt the removal popup with the script instructions like in the AWS example before.
Again, note these instructions somewhere for later reference, then tick Please confirm that you
wish to continue before clicking OK to delete the environment from your Cloud Optix console.

Removing environments from the Cloud Optix console

1. Open the Cloud Optix console

2. Navigate to environments (under settings)
3. Click on the red dustbin icon next to the environment you wish to remove
4. Note the instructions from the pop-up menu as we will need them later
5. Tick “Please confirm that you wish to continue” and click OK

33
 Removal Script 2
1 Sign in to the Azure Portal with a user with admin rights

Copy and run the 1st command. Once completed; Copy and run the
2 2nd command

3 Open Enterprise Application in Azure AD

Azure

Set the application type to ‘All Applications’. Search for Avid and
4 manually delete any instances

5 Open App Registrations > Select All Apps and search for Avid

6 Manually remove any apps called AvidSecure Monitor App

Additional information
in the notes

The scripted removal part of the process is slightly different, though the first steps of the
process are fairly similar. You start by signing in to the Azure Portal with a user account that has
at least the “Owner” role in the subscription and “Application Administrator” rights in the
associated Azure AD.

Navigate to the Azure Cloud Shell and start a Powershell based shell, then copy and paste the
first instruction of step 3 from the pop-up menu we saved previously. Once this command has
completed, copy and run the second instruction to the cloud shell interface.

Now, unlike with the AWS account removal process, there are some manual actions that need
to be performed to make sure any remaining components are removed as well.

Navigate to your Azure Active Directory attached to your subscription, and open the Enterprise
Applications. Set the Application Type to “All” by selecting this option from the application type
dropdown menu, then search for ‘Avid’. Manually delete any objects containing this name.

Navigate out of the Enterprise Applications section of Azure AD and open the App Registrations
in Azure Active Directory. Select ‘All apps’ from the dropdown menu and search for ‘Avid’.
Remove any apps called ‘AvidSecure Monitor App’ manually when found.

This completes the subscription removal process for Azure environments in Cloud Optix.

Download and run the removal script

1. Sign in to the Azure Portal with a user that has at least the Owner role in the

34
 subscription and has Application Administrator rights in Active Directory
2. Navigate to the Cloud Shell and start a Powershell-based shell
3. Copy and run the first command from the pop-up we received in step 3 on
the previous slide
4. Once complete, copy and run the second command
5. Once the script has finished running, navigate to the Azure Active Directory in
your subscription and open the Enterprise Applications
6. Set the application type in the dropdown menu to All applications, click
apply, then use the search bar to search for “Avid”
7. If any applications beginning with this name exist, make sure to manually
delete them
8. Navigate to Azure Active Directory again and open App Registrations
9. Select All apps from the dropdown menu and search for “Avid”
10. If any apps called “AvidSecure Monitor App” exist, make sure to manually
delete them

34
 Microsoft Azure
Azure

Troubleshooting

With both the addition and removal processes discussed, the last thing to cover is how to
troubleshoot the onboarding process for Azure.

35
 Troubleshooting

• Cloud Optix scripts log all output to avidsecure-script-output.log

• The log file is located in the folder the script is located in
• Log contains all events and errors
Azure

• Errors are displayed on • Warnings are displayed

screen during the on screen during the
execution of a script execution of a script
• Errors are displayed in • Warnings are displayed
RED in YELLOW

As with the AWS script before, the Azure onboarding script logs all output to both a file and the
cloud shell console.

The log file is located in the same folder as the script (this is generally the $home folder in the
cloud shell) and labelled “avidsecure-script-output.log”.

Output to console is similar to the AWS case in the sense that it uses yellow to denote warnings
and red to denote errors.

36
 Troubleshooting
• The rollback script MUST be run BEFORE attempting another
deployment of Azure
• The rollback script is found in the yellow box at the top of the Azure
Subscription page in the Add New Environment
Azure

IMPORTANT
Once you have run the rollback script you will need to manually search for and
remove any instances of Avid in your Azure AD

Additional information
in the notes

Another similarity is that, regardless of what caused the initial deployment issue, you’ll have to
run a rollback script before attempting another deployment.

The instructions for this script are located in the yellow box at the top of the Azure Subscription
page in the “Add Environment” menu.

One thing that is markedly different is that after running this script we still recommend you
follow the previously discussed steps of the account removal procedure to make sure no
components or settings remain before running the deployment script again.

37
 Google Cloud Platform
GCP

Adding New Projects

And that completes the module on Azure. Moving on, let’s examine how to add GCP projects to
Cloud Optix.

38
 Adding a New GCP Environment

1 Activate the GCP Cloud Shell in your GCP Account

Download and run the Cloud Optix setup script in the GCP
2 Cloud Shell
GCP

3 Enable delegation for the Cloud Optix service account

4 Authorize API access

Additional information
in the notes

Adding GCP environments has similarities to the process we described for Azure earlier, but
requires some additional steps due to the way Google handles authentication and API access.

We start by activating the GCP cloud shell in the GCP account, in case the shell has never been
used previously, then you download and run the Cloud Optix deployment scripts as with both
AWS and Azure before.

From there however, you’ll need to manually enable delegation for the Cloud Optix account in
GCP as well as setting up authorization to enable API access.

Activate the GCP Cloud Shell

1. Log in to the GCP portal

2. Click the Cloud Shell icon in the right-hand top navigation bar
3. Click “Start Cloud Shell” in the pop-up menu
4. Wait until GCP completes provisioning the resources for the Cloud Shell

Note: Step 3 and 4 only apply for first use of the GCP Cloud Shell. You will only be prompted about this
once, so skip these steps if Cloud Shell has already been activated.

Download and run the Cloud Optix setup script

1. Sign in to the GCP Portal with a user that has at least Admin rights in the GCP project
you wish to add to Cloud Optix
2. Navigate to the Cloud Shell and start a new session

39
3. Open the Cloud Optix console
4. Navigate to the Settings item in the left-hand navigation menu and select
Environments
5. Click Add New Environment and open the GCP tab
6. Copy and run the command in step 2B into the Cloud Shell to download the
script
7. Once completed, copy and run the command in step 2C in Cloud Shell
8. Select whether you wish to add all Projects or a specific one, by answering
“Y” or “N”
a. If you selected “N”, enter the Project ID you wish to monitor with
Cloud Optix
9. Select which project you wish to use as the main project (the main project
houses the service account) by selecting “Y” or “N” for each individual
project in your account
10. Enter the administrative email for your G Suite domain
11. The deployment script will now run through the subscription and create the
required components (roles and services)
12. Once the script is completed you will receive a list of projects for which it
enabled monitoring

Enable delegation for Cloud Optix account

1. Sign in to the GCP Portal with a user that has at least Admin rights in the GCP
account
2. Navigate to IAM & Admin in the left-hand menu and select Service Accounts
3. Select the service account named “Avid-read-account@…”
4. Click the three dots in the Actions column and select Edit
5. Expand “Show Domain-wide delegation”
6. Tick “Enable G Suite Domain-wide Delegation”
7. Enter a product name for the consent screen in the “Product name for the
consent screen” field (e.g. Sophos Cloud Optix for GCP)
8. Copy the Unique ID of the user from the “Unique ID” field and store it for
later use
9. Scroll down the page and click “Save” to store the delegation settings and
return to the Service account overview

Authorize API access for Cloud Optix

1. Sign in to the G Suite Admin console (admin.google.com)

2. Navigate to Security
a. If Security is not visible, click on “More controls” and select it from
there

39
3. Select Advanced Settings
4. Go to the Authentication section and select “Manage third party OAuth”
5. Copy the Unique ID from step 8 of the previous section into the “Client
name” field
6. Copy the scope from step 3K in the Cloud Optix console into the “One or
More API scopes” field
7. Click the Authorize button to authorize API access for Cloud Optix

39
 Google Cloud Platform Adding new projects

Google Cloud Platform

GCP

Adding New Projects

Let’s look at this in this quick demonstration.

To activate the GCP Cloud Shell, log in to the GCP portal, then select the cloud shell icon - which
looks identical to the one we’ve seen on Azure earlier - in the top right-hand navigation bar.

If this is your first time running the cloud shell, click “Start Cloud Shell” in the subsequent pop-
up menu, then wait for GCP to complete provisioning the resources needed for the shell
environment.

As with the Azure cloud shell before, the last two steps are only prompted for first launch of the
shell.

To start adding a new GCP project or projects to Cloud Optix, start by signing in to the GCP
portal with a user who has at least Admin rights in the project or projects you wish to add.

Open the GCP cloud shell and start a new session.

Then, navigate to the “Add New Environment” page in Cloud Optix and open the GCP tab.

Copy and run the command shown in step 2B into the cloud shell to download the deployment
script, and once completed do the same for the command shown in step 2C.

As with Azure before it, the script will now prompt you on whether you wish to add everything
or just specific parts of your GCP deployment to Cloud Optix. Enter Y to add all projects the
current account has access to, or enter N and specify the project ID you wish to add. From

40
there, you’ll need to specify which project will function as the main project for your
GCP environment, as this project will house the service account used by Cloud Optix.

Lastly, enter the administrative email for the G Suite domain your project or projects
are part of.

Once the script finished setting up the components needed for Cloud Optix, you’ll
receive a list of all projects which have now been added.

Next, you need to configure delegation for the Cloud Optix service account the script
created in the previous step, to allow it to access the other projects in the GCP
account.

To do this, start by signing in to the GCP Portal with a user that has at least Admin
privileges in the GCP account, then navigate to IAM & Admin in the left-hand menu
and select Service Accounts.

Locate and select the account starting with “Avid-read-account@...”. Click on the
three dots in the Actions column and select “Edit”.

On the next scree, expand “Show Domain-wide delegation” and tick the “Enable G
Suite domain-wide delegation option” checkbox.

Enter a name for the consent screen in the appropriately labeled field - this will be
relevant later - so make sure to enter something that will help you easily recognize
this account.

Copy the Unique ID of the user from the Unique ID field and store it somewhere safe
as we’ll need this to enable API access later, then scroll down and click on the “Save”
button to store the delegation settings and return to the previous service account
overview.

The final step to add the GCP project or projects to Cloud Optix is to open the G Suite
admin console - admin.google.com - and authorize access to the APIs.

Navigate to Security, which can be found under “More controls” if it isn’t displayed on
the dashboard, then select Advanced Settings.

Go to the Authentication section and select “Manage third party oAuth”, then copy
the unique ID we save for the Cloud Optix Service Account earlier in the “Client
name” field.

40
Navigate back to the Cloud Optix “Add New Environment” page’s GCP tab and copy
the scope displayed in step 3K, then paste it in the “One or more API scopes” field on
the G Suite Security page we’ve jut left.

Click Authorize to finalize the onboarding process for your GCP project or projects in
Cloud Optix.

40
 Google Cloud Platform
GCP

Removing Accounts

With the deployment taken care of, let’s examine how to remove existing GCP projects from
Cloud Optix.

41
 Removing an Existing Environment

1 Delete environment from the Cloud Optix Console

Azure
GCP

2 Download and run the removal script in in GCP Cloud Shell to

remove the Cloud Optix settings from the GCP project(s)

As with AWS and Azure before it, removal is a two step process.

First you delete the environment from Cloud Optix, then you run a removal script to clear the
relevant objects and settings from the project or projects in GCP.

42
 Deleting an Environment 1
Cloud Optix Console > Environments > Settings

Select the red dustbin icon to remove the environment

IMPORTANT: make a note of the script and details
Azure
GCP

required to
compete this process

Additional information
in the notes

The removal steps from Cloud Optix are identical to the ones we described for AWS accounts.
You start by opening the Cloud Optix console, navigating to the environments page under the
settings item on the left-hand menu, selecting the environment you wish to remove from the
list, and then clicking the red dustbin icon.

This will prompt the removal popup with the script instructions like in the AWS example before.
Again, note these instructions somewhere for later reference, then tick Please confirm that you
wish to continue before clicking OK to delete the environment from your Cloud Optix console.

43
 Removal Script 2
1. Sign in to the GCP Portal with a user that has at least Admin rights
1 in the GCP account

2
1. Copy and run the required commands to start the removal process
Azure
GCP

The completed script will provide a list of items the script cannot
3 delete
Commonly the items left are enabled flow logs & enabled API
4 services

Additional information
in the notes

Once you’ve removed the environment from Cloud Optix, go to the GCP Portal and make sure
you’re signed in with a user who had Admin rights in the GCP account.

Open a cloud shell, then copy and run the first command from the pop-up you received in the
previous step.

Once the command has finished downloading the script, copy and run the second command
from the pop-up to start the cleanup process in the removed GCP project(s).

Unlike with AWS and Azure, once this script completes it will give you a list of items it could not
remove automatically due to the inherent rights structure of GCP.

Copy this output somewhere for future reference before continuing.

Given that the most common items left after cleanup are flow logs, we’ll examine how to
disable them manually.
Navigate to the VPC network of your project (under the Networking item in the left-hand
menu), then select a subnet in the VPC for which you want to disable flow logs and click “Edit”.

Scroll down to the “Flow Logs” setting and click the “Off” radiobutton, followed by “Save” to
store the changes.

Click the small back (left-facing) arrow at the top and repeat the previous steps for each subnet
in the VPC.

44
Alternatively, you can use the GCP cloud shell to disable the flow logs
programmatically by running the command on screen for each individual subnet you
wish to disable flow logs on.

Another common item left to manually clean up are API services, as Cloud Optix
relies on several of these services to function correctly.

To manually disable these services, navigate to “API & Services” in the GCP project,
then cross-reference the currently enabled API services with the ones in the saved
output from the script that it could not remove and click on each individual service to
open that service’s settings.

Click the Disable button at the top menu bar to disable the service, then repeat the
previous steps for each service listed in the script’s output.

Download and run the removal script

1. Sign in to the GCP Portal with a user that has at least Admin rights in the GCP
account
2. Open the Cloud Shell
3. Copy and run the first command from the pop-up you received in step 4 on
the previous slide to download the removal script
4. Once complete, copy and run the secondcommand to start the removal
process
5. When the script completes it provides a list of items the script cannot delete
6. The most common things left are enabled flow logs
a. To disable the flow logs, navigate to VPC network (under Networking)
in the left-hand navigation menu and select VPC networks
b. Select each networks in the VPC(s) for which you wish to disable Flow
logs and click Edit
c. Scroll down to Flow Logs and click the “Off” radiobutton
d. Click Save to store the settings
e. Click the left-facing arrow at the top and repeat steps a-d for each
subnet
f. Alternatively, you can run the following command in GCP Cloud Shell
to disable flow logs for individual subnets: gcloud compute
networks subnets update <subnet name> --no-enable-
flow-logs --region <region name>
7. Another common thing left are enabled API services
a. To disable API services you no longer wish to use, navigate to API &
Services in the left-hand navigation menu and select Dashboard
b. Scroll down to the list of APIs and services

44
c. Cross-reference the enabled API services from the removal script
output with the list and click each service you wish to disable to edit
that service’s settings
d. Click the Disable button in the top bar to disable the service
e. Click the left-facing arrow at the top and repeat steps a-d for each
service

44
 Google Cloud Platform
GCP

Troubleshooting

And, as before, the last thing to discuss when it comes to GCP is how to troubleshoot
deployment issues.

45
 Troubleshooting
• Unlike AWS and Azure, the current deployment script for GCP only
logs errors to terminal, not to file.
• Enabling terminal logging in the GCP shell to capture script output to
terminal for future reference is recommended.
GCP

• Errors are displayed on • Warnings are displayed

screen during the on screen during the
execution of a script execution of a script
• Errors are displayed in • Warnings are displayed
RED in YELLOW

Unlike AWS and Azure, the current deployment script for GCP only logs errors to terminal, not
to file.
Sophos recommends enabling terminal logging in the GCP shell to capture script output to
terminal for future reference, should this be required.

The colour scheme used by the script however is consistent with the AWS and Azure scripts -
output in yellow indicates a warning, red indicates an error.

Another difference between GCP and AWS or Azure is that there’s currently no automated
rollback available for a failed deployment.
It is theoretically possible to use the GCP removal script in lieu of a dedicated rollback script,
but Sophos highly recommends opening a ticket with Sophos Support before attempting such a
procedure.

The current recommended method for rollback is to use the script output to determine which
components the script did managed to deploy successfully, then going in to the GCP console to
manually remove these objects and fix the issue that caused the script to stop before retrying to
rerun deployment script.

46
 Kubernetes
Kubernetes

Adding a New Cluster

Moving on from the major public cloud providers Cloud Optix supports, let’s examine how to
add, remove and troubleshoot Kubernetes environments.

47
 Adding a New Kubernetes Cluster Environment

11. Download and run the Cloud Optix setup script

21. Add the Cloud Optix public IP addresses to the authorized networks on the
Kubernetes

Kubernetes master node

NOTE: Cloud Optix currently only supports native Kubernetes. Managed Kubernetes
services (like Amazon’s Elastic Kubernetes Service, Azure Kubernetes Service and
Google Kubernetes Engine) are currently not eligible for monitoring by Cloud Optix.

Additional information
in the notes

The process to onboard a Kubernetes environment in Cloud Optix is quite similar to the steps
we used for the major cloud providers - essentially you download and run a script.

One major difference is that we do require you to go in and manually add the Cloud Optix public
IP addresses to your firewall afterwards, as there’s no reliable way to automate this in scenarios
like on-premise Kubernetes clusters.

Having said that, this is also why Cloud Optix currently only supports native Kubernetes
deployments. Cloud platform Kubernetes services like Google’s GKE and others, while appearing
similar to native Kubernetes, have slightly different API implementations and will not work
correctly with Cloud Optix. As such, they are not supported at the time of writing.

Download and run the Cloud Optix setup script

1. Open the Cloud Optix console

2. Navigate to the settings item in the left-hand navigation menu and select Environments
3. Click Add New Environment
4. Navigate to the Kubernetes Cluster tab
5. Connect to your Kubernetes master node, copy and run the command in step 2A to
download the script
6. Once completed, copy and run the command in step 2B to execute the script and
deploy the Cloud Optix components and settings for Kubernetes

Authorize Cloud Optix public IP addresses

48
Cloud Optix connects to the environment and gathers relevant information from the
Kubernetes cluster through the Kubernetes API Server.

To enable secure communication with the API Server, the script, ran in the previous
section, installs the relevant certificates and authentication.

This in itself is a secure solution, but would require HTTPS access to the API server to
be open to the public internet. As a means of further restricting access to the
Kubernetes API server, best practices recommend using a firewall or similar security
feature (like a Security Group) to block all traffic except from allowed IP addresses
and networks.

As such, it’s required for Cloud Optix to work correctly that the two IP addresses
listed in step 3 of the “Add Environment” section are added to the firewall or security
feature as a whitelisted item.

48
 Kubernetes: Adding a New Cluster
Kubernetes
Azure

Kubernetes: Adding a New Cluster

Let’s look at this in this quick demonstration.

As said in the introduction of this module - the process for adding a Kubernetes cluster to cloud
Optix starts off in familiar fashion. You navigate to the Environments settings in Cloud Optix and
go to the Kubernetes tab.

There, you click the “Add New Environment” button to get the onboarding instructions for your
Kubernetes deployment.

From there, connect to your Kubernetes master node with an administrative account, then copy
and run the command in step 2A of the instructions in the Cloud Optix console.

Once complete, copy and run the command in step 2B to complete the configuration of your
Kubernetes cluster.

Since Cloud Optix cannot account for every possible firewalling configuration used in
combination with Kubernetes, the next and last step needs to be performed manually.

As part of the previous step the script has already deployed and configured secure
communication between your Kubernetes API server and the Cloud Optix IP addresses, but in
order for the communication to actually establish it’s imperative that the local firewall (or
security group, if your Kubernetes cluster is deployed on a public cloud platform) has a rule
allowing bi-directional communication between the Kubernetes API server and the two public
IP addresses listed in step 3 of the Cloud Optix Kubernetes onboarding instructions.

49
 Kubernetes
Kubernetes

Removing Accounts

With deployment discussed, let’s proceed by looking at how to remove an existing Kubernetes
deployment from Cloud Optix.

50
 Removing an Existing Environment

1 Delete environment from the Cloud Optix Console

Kubernetes
Azure

2 Download and run the removal script to remove the Cloud

Optix settings from the Kubernetes Cluster account

To nobodies surprise, probably, these steps are again largely similar to the steps we used for
public cloud platforms - you delete the environment from Cloud Optix, then run a script to
remove the settings on the Kubernetes environment.

Removing environments from the Cloud Optix console

1. Open the Cloud Optix console

2. Navigate to environments (under settings)
3. Click on the red dustbin icon next to the environment you wish to remove
4. Note down the instructions from the pop-up menu as we will need them later
5. Tick “Please confirm that you wish to continue” and click OK

Download and run the removal script

1. Connect to the Kubernetes master node

2. Copy and run the first command from the pop-up we received in step 4 on the previous
slide
3. Once complete, copy and run the second command
4. When this command completes, make sure to remove or block the rule in your local
firewall that allows access from Cloud Optix’ public IP addresses to your Kubernetes API
server

51
 Deleting an Environment 1
Cloud Optix Console > Environments > Settings

Select the red dustbin icon to remove the environment

Kubernetes

IMPORTANT: make a note of the script and details

Azure

required to
compete this process

Additional information
in the notes

So, starting with step one, you navigate to the Environments settings in the Cloud Optix console
and scroll down to the Kubernetes environment you wish to remove.

There, simply click on the red dustbin icon to receive the familiar pop-up menu with removal
instructions.

As before, save these instructions for reference in the next step, then tick the “Please confirm
that you wish to continue” checkbox and click “OK”.

52
 Removal Script 2
1 Connect to the Kubernetes master node

Copy and run the first command from the pop-up we received in step 4 on
2
Kubernetes

the previous slide

Azure

3 Once complete, copy and run the second command

Ensure to remove or block the rule in your local firewall that allows access
4 from Cloud Optix’ public IP addresses to your Kubernetes API server

Additional information
in the notes

Next, connect to the Kubernetes master console with an administrative user, then copy and run
the first command you received in the pop-up’s step number 4.

When the command finishes downloading the script, copy the second command and run it to
remove the Cloud Optix settings and objects from your Kubernetes cluster.

Lastly, make sure to manually remove or disable the firewall rule or rules that you previously
created to allow communication between Cloud Optix and your Kubernetes cluster to complete
the removal process.

1. Connect to the Kubernetes master node

2. Copy and run the first command from the pop-up we received in step 4 on the previous
slide
3. Once complete, copy and run the second
command
4. When this command completes, make sure to remove or block the rule in your local
firewall that allows access from Cloud Optix’ public IP
addresses to your Kubernetes API server

53
Infrastructure as Code

Infrastructure as Code
Adding new repositories

Now that we’ve discussed the supported cloud and compute platforms, let’s move on to
development environments used by DevOps to create the templates that deploy into said
environments.

Sophos Cloud Optix’ Infrastructure as Code (IaC for short) scanning allows the product to
proactively alert of any changes in the current deploy pipeline that may affect existing
environments, by scanning any code that is pushed into popular DevOps environments like
GitHub, BitBucket and Jenkins.

54
 Adding IaC Repositories
Cloud Optix supports three prominent DevOps repositories, each with their
own deployment instructions
Infrastructure as Code

Adding GitHub Adding BitBucket Adding Jenkins

Accounts accounts environments

Sophos Cloud Optix currently support three IaC repositories - GitHub, BitBucket and Jenkins,
and in this module we’ll walk through the instructions to add each of these to your Cloud Optix
console.

55
 Setting Up a GitHub Account
1
1. Log in to the Cloud Optix portal

1. Click add new environment and open the IaC environment tab.
2
2. Click Install the GitHub app from:
Infrastructure as Code

1. Authorize the installation of the Cloud Optix application in your

3 GitHub account.

Additional information
in the notes

Starting with GitHub the process is quite straightforward - you start by signing in to Cloud Optix
and navigating to the Environments menu under settings. There, click the “Add New
Environment” button and open the IaC tab.

From there, scroll down to the GitHub section and click the “Install the GitHub app” link. This
will open a new tab in your browser with GitHub open, prompting to authorize the installation
of the Cloud Optix application in your GitHub account.

If you do not see the “Install” button you’ll need to click “Sign In” first to make sure the app is
installed in your account.

Setting up a GitHub account

1. Log in to the Cloud Optix portal

2. Navigate to the Settings item in the left-hand navigation menu and select Environments
3. Click Add New Environment and open the IaC Environment tab
4. Click the “Install the GitHub app from:” link
5. The GitHub app opens in a new tab
a. If the Install button is not shown in the right-hand corner, click Sign In in the top
right corner
6. Click Install to proceed
7. Enter the Customer ID shown on the deployment page in the Cloud Optix console and
click Configure to proceed and complete the setup
8. (Optional) If you wish to add more repositories for Cloud Optix to scan, open GitHub
and go to Settings

56
a. Navigate to Applications in the left-hand navigation menu
b. Find the AvidSecureDSOApp in the Installed GitHub apps list and click
Configure
c. Select the additional repositories from the “Only select repositories”
list
d. Click Save to save the changes

56
 GitHub
Infrastructure as Code

Setting Up GitHub

Let’s look at a demo!

Github

Starting with GitHub the process is quite straightforward - you start by signing in to Cloud Optix
and navigating to the Environments menu under settings.

There, click the “Add New Environment” button and open the IaC tab.

From there, scroll down to the GitHub section and click the “Install the GitHub app” link.

This will open a new tab in your browser with GitHub open, prompting to authorize the
installation of the Cloud Optix application in your GitHub account.

If you do not see the “Install” button, you’ll need to click “Sign In” first to make sure the app is
installed in your account.

57
 Setting Up a BitBucket Account

1
1. In Cloud Optix navigate to Settings > Environments
Infrastructure as Code

2
1. Click Add New Environment and open the IaC Environment tab

3
1. Click Connect to BitBucket

4
1. Select the account and click Grant access

Additional information
in the notes

Setting up the IaC components for BitBucket is a similar endeavor - Navigate to the
Environments menu in the Cloud Optix console, click “Add New Environment” and navigate to
the IaC tab.

From there, scroll down to the BitBucket section and click the “Connect to BitBucket” button to
open BitBucket in a new tab in your browser.

If you were not previously signed in to BitBucket, you’ll be prompted for your log in credentials,
and from there you’ll get a prompt asking you to select which accounts you wish Cloud Optix to
monitor using the BitBucket app from a dropdown menu. Select the desired account and click
“Grant access” to complete the setup.

Setting up a BitBucket account

1. Log in to the Cloud Optix portal

2. Navigate to the Settings item in the left-hand navigation menu and select Environments
3. Click Add New Environment and open the IaC Environment tab
4. Click the Connect to BitBucket button
5. The BitBucket app opens in a new tab
a. If you weren’t signed in to BitBucket before clicking the button, you’ll be
prompted to sign in
6. Select the account you wish to add from the dropdown menu and click “Grant access”

58
 BitBucket
Infrastructure as Code

Setting Up BitBucket

Let’s look at a demo!

BitBucket

Setting up the IaC components for BitBucket is a similar endeavor - Navigate to the
Environments menu in the Cloud Optix console, click “Add New Environment” and navigate to
the IaC tab.

From there, scroll down to the BitBucket section and click the “Connect to BitBucket” button to
open BitBucket in a new tab in your browser.

If you were not previously signed in to BitBucket, you’ll be prompted for your log in credentials,
and from there you’ll get a prompt asking you to select which accounts you wish Cloud Optix to
monitor using the BitBucket app from a dropdown menu. Select the desired account and click
“Grant access” to complete the setup.

59
 Setting Up Jenkins Integration

11. In Cloud Optix navigate to Settings > Environments

22. Click Add New Environment
Infrastructure as Code

33. Open the IaC Environment tab

44. Select Add code repositories via Jenkins Pipeline
55. Copy the integration script
66. In your Jenkins console navigate to the relevant
Jenkins project

Additional information
in the notes

Jenkins is a bit more involved than GitHub or BitBucket, but it still follows similar steps we’ve
seen before.

You start once again by navigating to the Environments section of the Settings in your Cloud
Optix console, then clicking “Add New Environment” and navigating to the IaC tab.

Here, scroll down to the “Add code repositories via Jenkins pipeline” section to find the relevant
instructions for adding your Jenkins project environment to Cloud Optix.

Copy the integration script, then connect to your Jenkins console and navigate to the relevant
Jenkins project.

Setting up Jenkins Project integration

1. Log in to the Cloud Optix portal

2. Navigate to the Settings item in the left-hand navigation menu and select Environments
3. Click Add New Environment and open the IaC Environment tab
4. Scroll down to the "Add code repositories via Jenkins pipeline" section
5. Copy the integration script
6. Connect to your Jenkins console
7. Navigate to your project in Jenkins

60
8. Click the Configure link on the left
9. Navigate to the Build section
10. Click the Add build step button
11. Select Execute shell from the drop down
12. In the Shell window, add the integration script that you copied earlier
• Ensure that the needed environmental variables are supplied
13. Save the Jenkins Project

60
 Jenkins
Infrastructure as Code

Setting Up Jenkins

Let’s look at a demo!

Jenkins

Jenkins is a bit more involved than GitHub or BitBucket, but it still follows similar steps we’ve
seen before.

You start once again by navigating to the Environments section of the Settings in your Cloud
Optix console, then clicking “Add New Environment” and navigating to the IaC tab.

Here, scroll down to the “Add code repositories via Jenkins pipeline” section to find the relevant
instructions for adding your Jenkins project environment to Cloud Optix.
Copy the integration script, then connect to your Jenkins console and navigate to the relevant
Jenkins project.

61
Infrastructure as Code

Infrastructure as Code
Removing repositories

Now that we’ve discussed adding these IaC repositories, let’s examine how to remove them.

62
 Removing an Existing GitHub Respository

1 Delete environment from the Cloud Optix Console

Infrastructure as Code

2 Remove the App from the GitHub Account

Removing a GitHub repository is a two step process that should sound familiar at this point - we
start by deleting the environment from the Cloud Optix console, then follow that up with the
removal of the app in the GitHub account in question.

63
 Deleting an Environment 1
Cloud Optix Console > Environments > Settings
Infrastructure as Code

Select the red dustbin icon to remove the environment

IMPORTANT: make a note of the script and details
required to
compete this process

Additional information
in the notes

The removal steps from Cloud Optix are identical to the ones we described for AWS accounts.
You start by opening the Cloud Optix console, navigating to the environments page under the
settings item on the left-hand menu, selecting the environment you wish to remove from the
list, and then clicking the red dustbin icon.

This will prompt the removal popup with the script instructions like in the AWS example before.
Again, note these instructions somewhere for later reference, then tick Please confirm that you
wish to continue before clicking OK to delete the environment from your Cloud Optix console.

64
 Removing the App from GitHub 2
1
1. Sign in to the GitHub account

2
1. Navigate to User > Settings
Infrastructure as Code

3
1. Select Applications

1. Find the AvidSecureDSOApp in the Installed GitHub apps list and

4 click Configure

5
1. Scroll down to the Uninstall AvidSecureDSOApp section

6
1. Click Uninstall to remove the Cloud Optix app

Additional information
in the notes

This leaves you with the removal of the app from your GitHub account, which is a manual
process.

That said, the steps are again straightforward. Start by opening your GitHub account, clicking
the top right user icon and selecting Settings.

In the settings menu, open the Applications menu and find the “AvidSecureDSOApp” in the list
of installed applications.

Click Configure and scroll down to the big red “Uninstall AvidSecureDSOApp” button, then
proceed to click said button to remove the app from your account.

Remove the app from GitHub

1. Sign in to the GitHub account

2. Click on the user icon in the top right corner and select Settings
3. Navigate to Applications in the left-hand navigation menu
4. Find the AvidSecureDSOApp in the Installed GitHub apps list and click Configure
5. Scroll down to the “Uninstall AvidSecureDSOApp” section
6. Click “Uninstall” to remove the Cloud Optix app

Module x: Module Title - 65

 Removing an Existing BitBucket Repository

1 Delete environment from the Cloud Optix Console

Infrastructure as Code

2 Remove the app from the BitBucket account

BitBucket uses a similar two step process to GitHub - first remove from Cloud Optix, then
manually remove the app from your BitBucket account.

66
 Removal the App from BitBucket 2
1
1. Sign in to the BitBucket account
Infrastructure as Code

2
1. Navigate to User > BitBucket settings

3
1. Navigate to Apps and Features > Installed Apps

1. Find the Sophos Avid Insights App in the Installed Apps list and
4 click Remove

5
1. Confirm the removal of the app by clicking Remove

Additional information
in the notes

With the removal in Cloud Optix taken care off, all that’s left to do is to log into the BitBucket
account in question, click on the user icon in the bottom left corner and open the Settings
menu.

There, navigate to the Installed Apps menu under Apps and Features, select the “Sophos Avid
Insights” App from the Installed Apps list and click “Remove” in the App settings menu.

Confirm the removal in the pop-up menu by clicking “Remove” to complete the removal
process.

Remove the app from BitBucket

1. Sign in to the BitBucket account

2. Click on the user icon in the bottom left corner and select BitBucket settings
3. Navigate to Installed Apps in the left-hand navigation menu (under Apps and Features)
4. Find the Sophos Avid Insights App in the Installed Apps list and click Remove
5. Confirm the removal of the app by clicking the Remove button in the pop-up menu

67
 Removing an Jenkins Environment

1 Delete environment from the Cloud Optix Console

Infrastructure as Code

2 Remove the Build instructions in the Jenkins pipeline

Removing Jenkins from Cloud Optix is again similar to the previous IaC environments we’ve
looked at.

We start by removing the environment from Cloud Optix, then remove local settings in the
Jenkins Project to complete the removal.

68
 Deleting an Environment 1
Cloud Optix Console > Environments > Settings
Infrastructure as Code

Select the red dustbin icon to remove the environment

IMPORTANT: make a note of the script and details
required to
compete this process

Additional information
in the notes

You again navigate to the Environments settings in Optix, find the relevant Jenkins project you
wish to remove and click the red dustbin icon.

Confirm the removal by ticking the “Please confirm that you wish to continue” checkbox and
clicking “OK” to complete the process in Cloud Optix.

69
 Removing Jenkins Integration 2
1 Connect to your Jenkins console

2 Navigate to the project in Jenkins

Infrastructure as Code

3 Click Configure

Navigate to the Build section that contains the Cloud Optix

4 integration script

5 Click Close to delete the build step

6 Save the Jenkins project

Additional information
in the notes

With the Cloud Optix side of the removal done, open your Jenkins console and navigate to the
relevant Jenkins project.

Click the “Configure” link as with the addition instructions before, then navigate to the Build
section that contains the Cloud Optix script.

Click the small red “X” in the top right corner labelled “close” to delete this build step and then
click “Save” to remove Cloud Optix from the Jenkins build pipeline and complete the removal.

Removing Jenkins Project integration

1. Connect to your Jenkins console

2. Navigate to the project in Jenkins
3. Click the Configure link on the left
4. Navigate to the Build section that contains the Cloud Optix integration script
5. Click the Close button to delete the build step
6. Save the Jenkins project

70
 Troubleshooting

By default, newly added GitHub repositories, BitBucket accounts and Jenkins projects will show
up as “inactive” in Cloud Optix Environments until a “push” event (code commit) is registered for
these repositories.
Infrastructure as Code

IMPORTANT
Always make sure to trigger a “Push” or “Build” action (depending on the
environment) after adding a repository, account or project to make sure the
integration works correctly

Additional information
in the notes

By default, any newly added IaC environment will show up in the Environments list with an
“inactive” status, as Cloud Optix relies on those platforms’ APIs to notify it of any new commit
actions before it can determine if there are new templates to scan.

So, always make sure to trigger a “Push” or “Build” action (depending on the environment) after
adding a repository, account or project to make sure the integration works correctly by
observing the change from “inactive” to “active” in the Cloud Optix console.

71
Integrations - Jira

Integration
Jira

With all the environment types covered, let’s move on to the final section of this training - the
integrations module.
Integrations allow Cloud Optix to share information with external third party solutions and vice
versa, helping security and development teams integrate security alerts from Cloud Optix into
their existing workflows and response procedures.

Kicking off with Jira, let’s examine how to set up and remove integrations for all the supported
integrations in Cloud Optix.

72
 Jira Integration

1 Enable Jira integration

2 Create a role and project permissions for Cloud Optix

GCP

3 Create a user for Cloud Optix

4 Configure Jira integration in Cloud Optix

Integrating Jira is essentially a 4 step process:

1. Enable Jira Integration

2. Create a role and project permissions for Cloud Optix
3. Create a user for Cloud Optix
4. Configure Jira integration in Cloud Optix

Over the next few slides we will look at this process in more detail.

73
 Jira integration Demo
Integrations - Jira

Jira Integration Demo

Let’s look at a demo!

Sophos recommend creating a new role for the Cloud Optix user in Jira as this enables easy
permissions management per project and a more structured privilige assignment method
overall.

To create a new role and assign permissions, start by logging into Jira and opening the global
settings.

From there, select System and navigate to the Project roles.

Find the “Add new project role” section and enter a name and description for the new role,
then click “Add Project Role”.

Return to the projects after creating the role and open the project you wish to use with Cloud
Optix. Navigate to the Project Settings and open the Permissions menu.

In the permissions menu click the “Actions” cogwheel in the top right corner and select “Edit
Permissions”.

Scroll down to the Issue permissions section and click “Edit” next to the “Create issues”
permission, then select the role we’ve previously created in the “Granted to” section and click
“Save”

Repeat these steps for the “Edit” or “Link Issues” permissions as discussed previously.

74
Now that the role has been created and granted the relevant permissions in the
project, the next step is to create a user and assign it to the role.

Start by opening the Jira console again and navigate to “People” under the Project
Settings menu.

Click the “Add people” button, enter the email address you wish to use for the Cloud
Optix user and select the new role from the dropdown menu, then click “Add” to
have Jira generate an invitation for the new user and email it to the address entered.

Open the relevant email box and look for the Jira invitation email, then click the “Join
them now” link in said email.

Click “Sign up for an account” on the log in page, then enter a username and
password for the Cloud Optix Jira user, followed by clicking “Sign Up”.

You may be prompted to complete a CAPTCHA challenge at this point, please

complete it to continue.

Jira will now send a verification email to the Cloud Optix user’s inbox, so look for any
“Please verify your email address” messages from Jira and click the “Verify my email
address” link inside.

Click “Continue” and sign in to the log in page with the password you set in step 8,
then click “Log in” to complete the user creation.

With the user, role and permissions completed, we can move to the Cloud Optix
console to set up the integration.

Navigate to Integrations under the Settings menu and select Jira from the list of
available integrations.

On the next page, enter the URL of the Jira project, followed by the username and
password of the user you’ve previously created, then repeat the password in the next
field.

Next, enter the project key - which can be found in the Details section of your Jira’s
Project Settings menu - and select which alert levels should trigger the creation of
new Jira issues, at which particular Jira priority.

Optionally, you can tick the “Automatic” checkbox to have Jira automatically create

74
tickets when events of the configured severity are first detected by Cloud Optix.

Tick “Enable config” to make sure the integration is active in Jira, then continue…

…by selecting how Cloud Optix should handle issue creation in Jira. “Consolidated”
creates a single ticket for every alert and consolidates the affected resources under
said ticket, whereas “Affect Resources” creates new tickets for each resource affected
by a particular alert and a parent alert ticket that links to the individual affected
resource tickets.

Complete setting up the integration by clicking “Save”.

74
 Enabling Jira Integration
Cloud Optix supports integration with Jira, allowing Cloud Optix to create issue tickets
based on events.
To set up the integration you’ll need the following information:
Integrations - Jira

1 URL of the Jira environment

2 Username and password of a user with “Create issues” rights

3 The Jira project key (of the project you wish to use with Cloud Optix)

Cloud Optix supports integration with Jira, allowing Cloud Optix to create issue tickets based on
events. To set up the integration you’ll need the following information:

1. URL of the Jira environment

2. Username and password of a user with “Create issues” rights*
3. The Jira project key (of the project you wish to use with Cloud Optix)

*Note: If you want Cloud Optix to consolidate alerts under the same ticket and update tickets, it will
need the “Edit Issues” right as well.

If, instead, you want Cloud Optix to create separate issue tickets for each affected resource and link
them to the same parent issue it will need the “Link Issues” permission.

75
 Creating a Role and Project Permissions for Cloud Optix

1
Integrations - Jira

Creating a “Project Role” in Jira

Setting the Issue Permissions required to

2 the Project Role

Additional information
in the notes

Sophos recommend creating a new role for the Cloud Optix user in Jira as this enables easy
permissions management per project and a more structured privilige assignment method
overall.

To create a new role and assign permissions, start by logging into Jira and opening the global
settings.

From there, select System and navigate to the Project roles.

Find the “Add new project role” section and enter a name and description for the new role,
then click “Add Project Role”.

Return to the projects after creating the role and open the project you wish to use with Cloud
Optix. Navigate to the Project Settings and open the Permissions menu.

In the permissions menu click the “Actions” cogwheel in the top right corner and select “Edit
Permissions”.

Scroll down to the Issue permissions section and click “Edit” next to the “Create issues”
permission, then select the role we’ve previously created in the “Granted to” section and click
“Save”

Repeat these steps for the “Edit” or “Link Issues” permissions as discussed previously.

Creating a role and project permissions for Cloud Optix

76
1. Log into Jira and open the Global settings
2. Select System and navigate to ”Project Roles” in the left-hand menu
3. Enter a name and description in the Add Project Role section, then click on
Add Project Role
4. Return to projects and open the project you with to use for Cloud Optix
5. Navigate to the Project Settings in the left-hand menu and select Permissions
6. Click on the Actions (cogwheel) button in the top right corner and select Edit
Permissions
7. Scroll down to the Issue permissions section and click Edit next to the Create
Issues permission
8. Select Project Role in the “Granted to” section and select the role created for
Cloud Optix
9. (Optional) Click Save to store the permission settings and repeat steps 7-8 for
the Edit Issues and Link Issues permissions, depending on preference

76
 Creating a User for Cloud Optix

1 Create a dedicated user account for Cloud Optix using the Jira console
Integrations - Jira

Enter an email address for the Cloud Optix Jira user and select the role
2 created for Cloud Optix

Open the Jira Cloud Optix user’s email inbox and click Join them now
3 link

Click Sign up for an account on the log in page and follow the
4 instructions

Additional information
in the notes

Now that the role has been created and granted the relevant permissions in the project, the
next step is to create a user and assign it to the role.

Start by opening the Jira console again and navigate to “People” under the Project Settings
menu.

Click the “Add people” button, enter the email address you wish to use for the Cloud Optix user
and select the new role from the dropdown menu, then click “Add” to have Jira generate an
invitation for the new user and email it to the address entered.

Open the relevant email box and look for the Jira invitation email, then click the “Join them
now” link in said email.

Click “Sign up for an account” on the log in page, then enter a username and password for the
Cloud Optix Jira user, followed by clicking “Sign Up”.

You may be prompted to complete a CAPTCHA challenge at this point, please complete it to
continue.

Jira will now send a verification email to the Cloud Optix user’s inbox, so look for any “Please
verify your email address” messages from Jira and click the “Verify my email address” link
inside.

Click “Continue” and sign in to the log in page with the password you set in step 8, then click
“Log in” to complete the user creation.

77
Creating a user for Cloud Optix - With the role create and permissions assigned, the
next step is to create a dedicated user account for Cloud Optix.

Creating a User for Cloud Optix

1. Log into Jira and open the project you with to use for Cloud Optix
2. Navigate to the Project Settings and select ”People”
3. Click the “Add people” button in the top-right corner
4. Enter an email address for the designated Cloud Optix Jira user and select the
role created for Cloud Optix from the dropdown menu
5. Click Add to save the user and have Jira generate and send an invitation email
to the entered email address
6. Open the Jira Cloud Optix user’s email inbox, open the generate email and
click the “Join them now link” in the invitation
7. Click ”Sign up for an account” on the log in page
8. Enter the user’s name and a password, followed by Sign up
9. (optional) If challenged, complete the Captcha
10. Return to the Jira Cloud Optix user’s email inbox, open the “Please verify
your email address” message and then click on “Verify my email address”
11. Click Continue on the log in page, enter the password created in step 8 and
click Log in

77
 Configuring the Jira Integration in Cloud Optix

1 Navigate to Settings > Integrations menu and select Jira

Integrations - Jira

Enter the URL of the Jira project, followed by the username and
2 password of the user you’ve previously created

3 Enter the project key

Tick Enable config and select either Consolidated or Affect

4 Resources

Additional information
in the notes

With the user, role and permissions completed, we can move to the Cloud Optix console to set
up the integration.

Navigate to Integrations under the Settings menu and select Jira from the list of available
integrations.

On the next page, enter the URL of the Jira project, followed by the username and password of
the user you’ve previously created, then repeat the password in the next field.

Next, enter the project key - which can be found in the Details section of your Jira’s Project
Settings menu - and select which alert levels should trigger the creation of new Jira issues, at
which particular Jira priority.

Optionally, you can tick the “Automatic” checkbox to have Jira automatically create tickets when
events of the configured severity are first detected by Cloud Optix.

Tick “Enable config” to make sure the integration is active in Jira, then continue…

…by selecting how Cloud Optix should handle issue creation in Jira. “Consolidated” creates a
single ticket for every alert and consolidates the affected resources under said ticket, whereas
“Affect Resources” creates new tickets for each resource affected by a particular alert and a
parent alert ticket that links to the individual affected resource tickets.

Complete setting up the integration by clicking “Save”.

78
Configuring the Jira integration in Cloud Optix

With the role, permissions and user created, the last step is to enable Jira integration
in Cloud Optix.

1. Open the Cloud Optix console

2. Navigate to Integrations (under settings) and select Jira
3. Enter the URL of the Jira project you wish to use
4. Followed by the username or email address created in the previous steps
5. Enter and repeat the password in the next field
6. Enter the project key next (the project key can be found by opening to the
project in Jira, navigating to Project Settings and selecting Details)
7. Next, select which Cloud Optix alert levels should create tickets in Jira, and
howthe Cloud Optix alert priority should be interpreted by Jira
8. (optional) Tick the Automatic box to have Cloud Optix generate Issue tickets
in Jira automatically
9. Tick “Enable config” to enable the Jira integration
10. Lastly, pick how Cloud Optix should create Issue tickets in Jira
a. ”Consolidated” creates a single ticket for each alert with a list of the
affected resources attached. The ticket is updated if resource status
changes
b. ”Affected Resources” creates new Jira tickets for each resource
affected by a Cloud Optix alert, and uses linking to connect the
individual tickets back to a parent alert ticket
11. Click Save to store the settings and start the integration

78
 Removing a Jira Account

Disable the integration in Cloud Optix

Integrations - Jira

Remove the account and role permissions in the Jira project

Delete the role in Jira globally

Removing Jira integration is a mostly manual process, consisting of three main steps.

Those steps are:

1. Disable the integration in Cloud Optix

2. Remove the account and role permissions in the Jira project
3. Delete the role in Jira globally

Over the next few slides we will look at each of these steps in more detail.

79
 Disable Jira Integration in Cloud Optix

1 Open the Cloud Optix console

Integrations - Jira

2 Navigate to Settings > Integrations and select Jira

3 Untick Enable Config

4 Click Save

You start by disabling the integration in Cloud Optix, which, unlike the environments we’ve
previously covered, doesn’t involve removing the integration, but instead disabling it.

To do this, navigate to the Integrations menu of the Settings in Cloud Optix, select Jira from the
list of integrations and untick the “Enable” checkbox.

Click “Save” to disable the integration and remove all Jira actions in Cloud Optix.

Removing Jira integration from Cloud Optix is not possible currently, but it is fairly trivial to
disable the integration:

1. Open the Cloud Optix console

2. Navigate to Integrations (under settings) and select Jira
3. Untick the “Enable Config” box
4. Click Save to update the Jira settings in Cloud Optix and disable the integration

80
 Remove the Cloud Optix Account in Jira
Log in to Jira and open the project you with to
1 use for Cloud Optix

2
Integrations - Jira

Navigate to the Project Settings > People

3 Remove the account created for Cloud Optix

4 Click Remove

With the integration in Cloud Optix disabled, the next steps are to remove the user account in
Jira and then remove the role to remove any permission remnants in the Jira environment.

Starting with the user, log in to Jira and navigate to the Project settings of the project used for
Cloud Optix. There, open “People”, navigate to the account used by Cloud Optix and click
“Remove”.

Confirm the removal of the user in the pop-up menu by clicking “Remove” again and delete the
user.

Remove the Cloud Optix account in Jira

The following steps are optional, but recommended best practice for environment cleanup:

1. Log in to Jira and open the project you with to use for Cloud Optix
2. Navigate to the Project Settings and select ”People”
3. Navigate to the account created for Cloud Optix and click “Remove”
4. Confirm the removal of the account by clicking the “Remove” button on the pop-up

81
 Remove the Cloud Optix Role in Jira

1 Log in to Jira and open the Global settings

Integrations - Jira

2 Navigate to System > Project Roles

3 Delete the Cloud Optix role

4 Click Delete

From there, the last step is to remove the role, which we can find in Jira under the Global
settings in the Project Roles menu of the System settings.

There, navigate to the role you’ve previously created for Cloud Optix and click “Delete”.
Complete the role deletion and Cloud Optix integration removal by confirming the deletion of
the role by clicking “Delete” again in the next menu.

Remove the Cloud Optix role in Jira

1. Log in to Jira and open the Global settings

2. Select System and navigate to Project Roles in the left-hand menu
3. Navigate to the Cloud Optix role and click on “Delete”
4. Confirm deletion of the role by clicking the “Delete” button in the next menu

82
Integrations - Slack

Integration
Slack

Slack is another popular integration option for Cloud Optix, so let’s explore how to add and
remove Slack channels in Cloud Optix.

83
 Slack Integration

1 2 3 4
Integrations - Slack

Add a Slack Add a Slack

Enable Slack Removing a
Channel: Cloud Channel: Slack
Integration Slack Channel
Optix Settings Settings

To enable Slack integration we’ll need to navigate to the Integrations section in the Cloud Optix
settings menu again and select Slack from the available integrations list.

This will open the log in page for Slack, where, after logging in, you can specify the desired Slack
workspace to use with Optix.

Click Continue to get an overview of the permissions needed by Cloud Optix to set up the
integration with Slack. After reviewing these permissions, click Authorize and return to Cloud
Optix to set up the Cloud Optix side of the integration.

Over the next few slides we will look at each of these steps.

84
 Enabling Slack Integration

1. Select Slack from the available integrations list

Integrations - Slack

2. Specify the desired Slack workspace to use with Optix

3. Review the required permissions and click Authorize

4. Return to Cloud Optix

Additional information
in the notes

To enable Slack integration we’ll need to navigate to the Integrations section in the Cloud Optix
settings menu again and select Slack from the available integrations list.

This will open the log in page for Slack, where, after logging in, you can specify the desired Slack
workspace to use with Optix.

Click “Continue” to get an overview of the permissions needed by Cloud Optix to set up the
integration with Slack. After reviewing these permissions, click “Authorize” and return to Cloud
Optix to set up the Cloud Optix side of the integration.

Enabling Slack integration

1. Log in to your Slack workspace with the desired account

2. In a separate browser tab log in to your Cloud Optix account
3. Navigate to Settings
4. Click on Integrations (either in the menu or the Integrations panel)
5. Cloud Optix will take you to the sign in page for Slack
6. Enter your Workspace name and click Continue
7. Review the requested permissions then click Authorize
8. Return to the Cloud Optix tab

85
 Adding a Slack Channel – Cloud Optix Settings

1 Navigate to Settings > Integrations

Integrations - Slack

2 Enter the desired Slack Channel Name

3 Select the desired Alert Levels

4 Tick Enable Config

With Slack setup complete, navigate back to the Integrations menu in Cloud Optix and select
Slack again.

There, specify the Slack channel name you wish to use for Cloud Optix in the “Channel Name”
field, followed by the Alert levels you wish to export to slack by ticking the appropriate Alert
Level check boxes.

Make sure “Enable config” is checked to enable the integration in Optix and click “Save” to
complete the Cloud Optix side of the setup.

Adding a Slack channel – Cloud Optix settings

Once Slack is enabled you may then add a channel

1. Navigate to Settings -> Integrations

2. Enter the desired Slack Channel Name
3. Select the desired Alert Levels
4. Enter Enable Config to enable it

86
 Adding a Slack Channel – Slack Settings

Log in to your Slack workspace & click

1 on the channel name
Integrations - Slack

2 Click + Add an app

Locate the Cloud Optix app and click

3 Add

4 Selected alerts will appear in Slack

The final steps of the integration require you to log back in to Slack and opening the slack
workspace you previously selected for use with Cloud Optix.

Once there, click on the channel name you specified in Cloud Optix in the previous step and
click on “+ Add an app”.

Locate the Sophos Cloud Optix app in the list of apps and click “Add” to complete the process
and have the selected alert levels be created in the Slack channel.

Adding a Slack channel – Slack settings

The final step is to add the Cloud Optix app to the channel

1. Log in to your Slack workspace

2. Click on the channel name under Channels
3. Click on + Add an app
4. Locate the Cloud Optix app and click Add
5. Selected alerts will then appear in Slack

87
 Removing a Slack Channel in Slack
Integrations - Slack

1. Log in to Slack Workspace

2. Navigate to Apps > Cloud Optix
3. Select Cloud Optix and select Settings
4. Click Remove App

To remove the Slack integration from Optix, start by logging in to your Slack workspace and
navigate to the Apps in the left-hand menu.

There, locate and click on the Cloud Optix icon, open the settings and scroll to the end of the
page to find the big red “Remove App” button.

Click the button, then proceed to the Cloud Optix console.

Removing a Slack channel

If a Slack integration is no longer required or needs to be changed to a different workspace.

1. Log in to your Slack workspace

2. Click on Cloud Optix in the left hand menu under Apps
3. Click on the Cloud Optix icon
4. Click on Settings
5. Scroll to the end of the page and click on Remove App

88
 Removing a Slack Channel in Cloud Optix
Integrations - Slack

1. Log in to Cloud Optix

2. Navigate to Settings > Integrations
3. Select Slack > Delete
4. Confirm deletion

In Cloud Optix, navigate to the Integrations menu under Settings, select Slack from the list and
click the “Delete” button at the bottom of the page.

Confirm the deletion of the Slack integration by clicking “Ok” in the pop-up menu.

Removing a Slack channel – Cloud Optix Side

1. Log in to your Cloud Optix account

2. Navigate to Settings -> Integrations
3. Select Slack
4. Click on Delete
5. Confirm the deletion by clicking “Ok” in the pop-up menu.

89
Integrations - ServiceNow

Integration
ServiceNow

ServiceNow is another popular service delivery tool, and as such Cloud Optix has the ability to
integration with this solution.

90
 ServiceNow Integration
Integrations - ServiceNow

Create a user
Configure
Enable for Sophos Assign a role Create an
ServiceNow
ServiceNow Cloud Optix to the new assignment
integration in
Integration in user group
Cloud Optix
ServiceNow

For ServiceNow Integration there are five main steps.

1. Enable ServiceNow integration

2. Create a user for Sophos Cloud Optix in ServiceNow
3. Assign a role to the new user
4. Create an assignment group
5. Configure ServiceNow integration in Cloud Optix

We will talk through each of these steps over the next few slides.

91
 Enabling ServiceNow Integration
1 Create a user for Sophos Cloud Optix in ServiceNow

2
Integrations - ServiceNow

Assign a role to the new user

3 Create an Assignment Group

4 Configure ServiceNow in Sophos Cloud Optix

5 Verify the integration is working

As with Jira, the steps required to integrate with ServiceNow are a bit more involved than the
Slack setup and they follow a similar workflow.

Enabling ServiceNow integration

1. Create a user for Sophos Cloud Optix in ServiceNow

2. Assign a role to the new user
3. Create an "Assignment Group" in "ServiceNow"
4. Configure the ServiceNow integration in Sophos Cloud Optix
5. Verify that the integration is working
6. Troubleshooting

92
 Create a User for Sophos Cloud Optix
Integrations - ServiceNow

1. Log into ServiceNow

2. Create a new user for Cloud Optix

3. Select “Web service access only”

You start the setup by creating a user for Cloud Optix in ServiceNow.

To do this, log in to ServiceNow and navigate to System administration -> User administration
and finally Users.

There, click “Create new user” to create a new user for Cloud Optix, and make sure to select
“Web service access only” as this user will not require interactive logon with ServiceNow to
function correctly.

ServiceNow - Create a user for Sophos Cloud Optix

1. Log into ServiceNow

2. Navigate to System Administration -> User Administration -> Users
3. Create a new user for Cloud Optix
4. Select “Web service access only”

93
 Assign a Role to the New User

1
Log into ServiceNow
Integrations - ServiceNow

2
Select the Cloud Optix user

3
Navigate to Roles > Edit

4
Assign a role to the user/ create a new role

After you’ve created the user, assign the required privileges by locating and selecting the newly
created user in the User menu, then navigating to Roles and clicking “Edit”.

Create a new role or assign an existing role you wish to reuse for the Cloud Optix user, then click
“Save” to store the configuration.

ServiceNow – Assign a role to the new user

1. Log in to ServiceNow
2. Navigate to System Administration -> User Administration -> Users
3. Select the Cloud Optix user
4. Navigate to Roles -> Edit
5. Assign a role to the user or create a new role

94
 Create an Assignment Group

Navigate to System
Assign the Cloud
Administration >
Integrations - ServiceNow

Login to ServiceNow Optix to a group for

User Administration
ticket assignment
> Groups

Next, you’ll want to make sure you add the Cloud Optix user to a group in ServiceNow. To do
this, navigate to System administration -> User Administration and open Groups.

There, create a new group or open an existing group to add the Cloud Optix user to for ticket
assignment.

ServiceNow – Create an Assignment Group

1. Log in to ServiceNow
2. Navigate to System Administration -> User Administration -> Groups
3. Assign the Cloud Optix user to an existing group or create a new group for ticket
assignment

95
 Configure ServiceNow Integration in Cloud Optix

1. Log in to Sophos Cloud Optix

Integrations - ServiceNow

2. Navigate to Settings > Integrations > ServiceNow >

Enter credentials

3. Select the desired Alert Levels

4. Select Enable Config

Additional information
in the notes

With the configuration in ServiceNow taken care of, return to the Cloud Optix console and
navigate to the Integrations menu.

Select ServiceNow from the list and enter the ServiceNow URL, followed by the username and
password for the user you’ve just created in ServiceNow.

Next, select which Alert levels should be communicated from Cloud Optix to ServiceNow and
tick “Automatic” if you’d prefer Cloud Optix to automatically create tickets in ServiceNow for
any new events matching the configured Alert levels.

Finally, make sure “Enabled” is checked before clicking “Save” to complete the ServiceNow
integration

Cloud Optix – Configure ServiceNow Integration

1. Log in to Sophos Cloud Optix

2. Navigate to Settings -> Integrations -> ServiceNow
3. Enter the ServiceNow URL, Username and Password
4. Select the desired Alert Levels
5. (optional) Tick Automatic to have CloudOptix automatically create tickets for events
matching the selected alert levels
6. Select Enable Config to enable it

96
 Troubleshooting

Troubleshooting the ServiceNow integration

Integrations - ServiceNow

Additional information
in the notes

Integration with ServiceNow has a few distinct error messages that can help you troubleshoot
non-working integrations.

The most common issues are either a mistyped URL, username or password, followed by a
missing group assignment in ServiceNow for the username entered in the Cloud Optix
configuration.

Both items will generate clear errors at the top of the integration menu that will help direct
your troubleshooting attention to the relevant item.

Troubleshooting the ServiceNow integration:

1. An issue with either the ServiceNow URL (or its format), the username (or its permissions in
ServiceNow) or the password

2. An issue with assignment group entered incorrectly or missing in ServiceNow

97
 Disable the ServiceNow Integration

Login to Cloud Optix and navigate to Settings > Integrations

Integrations - ServiceNow

Select ServiceNow

Deselect Enable Config

Click Save

Clean up the user, role and group created in ServiceNow

As with Jira before it, there’s no direct removal option for ServiceNow in Cloud Optix, but it
does allow you to disable the integration.

To do this, simply navigate to the integrations menu again, select ServiceNow and untick
“Enable Config” followed by Save.

For there, Sophos recommends you go back into ServiceNow and remove the user, group and
role (if applicable, if you reused existing groups and roles that are still in use you’d only need to
remove the user) to prevent permissions clutter in ServiceNow that may lead to future security
issues.

Disable the ServiceNow integration

1. Log in to your Cloud Optix account

2. Navigate to Settings -> Integrations
3. Select ServiceNow
4. Deselect Enable Config and click Save
5. (Recommended) Clean up the user, role and group created in ServiceNow to prevent
permission and credential clutter.

98
Integrations - Splunk

Integration
Splunk

Splunk is a popular SIEM solution used by many teams to keep track of live security and other
issues, so it makes sense for Cloud Optix to integrate with this solution.

99
 Splunk Integration
Integrations - Splunk

1 Create a HEC token

2 Configure Splunk integration in Cloud Optix

Enabling Splunk integration is a two step process. Firstly create the HEC token needed for Cloud
Optix to authenticate with Splunk, then set up the integration in Cloud Optix.

Over the next couple of slides we will look at each of these steps.

100
 Create a HEC Token

Navigate to Settings
Select New Token >
> Data Inputs > Select Global
Enable All Tokens Create a new token
HTTP Event Settings
for Cloud Optix
Integrations - Splunk

Collector (HEC)

To create a HEC token, start by logging in to your Splunk environment, navigating to the Data
Inputs menu in Settings and opening “HTTP Event Collector (HEC)”.

Click on Global Settings and enable “All Tokens” then save the changes.

From there, click on “New Token” and fill out the required fields to create a new HEC token for
Cloud Optix to use. Make sure to review the settings before clicking “Save” to complete the
creation of the token.

Splunk – Create a HEC Token

1. Log in to Splunk
2. Navigate to Settings -> Data Inputs -> HTTP Event Collector (HEC)
3. Click on “Global Settings” and enable “All Tokens”. Save this modification
4. Click on “New Token” -> Create a new token for Cloud Optix
5. Review and save the settings

101
 Configure Splunk Integration in Cloud Optix

Navigate to Enter the Select Enable

Settings > Splunk URL Select Enable Select Enable Sophos Cloud
and HEC Config Alerts
Integrations - Splunk

Integrations Optix Logs

Token

Next, open the Cloud Optix console and navigate to the Integrations menu.

Select Splunk from the list, then enter the Splunk URL and HEC token you’ve created in the
previous step.

Next, select the desired Alert levels Cloud Optix should communicate to Splunk, then tick
“Enable config” to enable the Splunk integration.

Then, determine if Cloud Optix should log Cloud Optix Alerts, Cloud Optix operational logs or
both to Splunk by ticking the “Enable Alerts” and “Enable Sophos Cloud Optix Logs”
respectively.

Lastly, decide if Cloud Optix should consolidate affected resources as part of the alerts in
Splunk, or if it should report each individual affect resource as a new alert by picking between
“Consolidated” and “AffectedResources”.

Click “Save” to complete the configuration of the Splunk integration.

Cloud Optix – Configure Splunk Integration

1. Log in to Sophos Cloud Optix

2. Navigate to Settings -> Integrations -> Splunk
3. Enter the Splunk URL
4. Enter the HEC Token
5. Select the desired Alert Levels

102
6. Select Enable Alerts to push Alerts to Splunk
7. Select Enable Cloud Optix Logs to send audit events for Cloud Optix to Splunk
8. Select Enable Config to enable it

102
 Disable Splunk Integration

In Sophos Cloud Optix navigate to Settings >

Integrations > Splunk
Integrations - Splunk

Deselect Enable Config

Click Save

Login to Splunk and remove the HEC token

Removing Splunk integration from Cloud Optix works identical to Jira and ServiceNow - we can’t
outright delete the service, but you can disable the integration by going back into the Splunk
settings under Integrations and unticking “Enable Config”.

As with ServiceNow before it, Sophos recommends also removing any authorization settings
configured in Splunk - particularly the HEC token you’ve created earlier - for security purposes.

Disable Splunk Integration

1. Log in to Sophos Cloud Optix

2. Navigate to Settings -> Integrations -> Splunk
3. Untick Enable Config
4. Click Save to disable the integration with Splunk
5. (Recommended) Log in to Splunk and remove the previously created HEC token to
retract the previous authorization

103
Integrations - PagerDuty

Integration
PagerDuty

PagerDuty is another popular tool used by various teams, it allows the tracking of issues and the
ability to track resolution progress.

104
 PagerDuty Integration
1 Enable PagerDuty integration
Integrations - PagerDuty

2 Create a service for Cloud Optix

3 Create an API key for Cloud Optix

4 Enable Incident Priority

5 Create a user for Cloud Optix

The steps to integrate PagerDuty are:

1. Enable PagerDuty integration

2. Create a service for Cloud Optix
3. Create an API key for Cloud Optix
4. Enable incident priority
5. Create a user for Cloud Optix

105
 Adding IaC Repositories
Cloud Optix supports integration with PagerDuty, allowing Cloud Optix to create incidents
based on alerts.
To set up the integration you will need the following information:
Integrations - PagerDuty

The URL of the PagerDuty account to be used

A valid username (Incidents will be created in this user’s name)

A valid PagerDuty API Key

The Service Name as configured in PagerDuty

Cloud Optix supports integration with PagerDuty, allowing Cloud Optix to create incidents based
on alerts. To set up the integration you’ll need the following information:

1. The URL of the PagerDuty account to be used

2. A valid username (Incidents will be created in this user’s name)
3. A valid PagerDuty API Key
4. The Service Name as configured in PagerDuty

106
 Create a Service for Cloud Optix
Integrations - PagerDuty

• Navigate to Configuration > Services

• Select + Add Services
• Enter a name for the Cloud Optix Service
• Click Add Service

Additional information
in the notes

Starting with the service creation, log in to the PagerDuty console, navigate to the Configuration
menu in the top menu bar and open Services.

There, click “+ Add Services”, then enter a name and description to use for Cloud Optix in the
following menu’s General Settings section.

Select “Use our API directly” and select “Events API v2” from the dropdown menu, then enter
the name of the event source you want to use in the “Integration Name” field.

Optionally you can modify the Incident escalation policy, response play and incident timeouts
for the service in the following section, followed by Alert Grouping settings if you wish
PagerDuty to automatically group alerts created by Cloud Optix.

Click “Add Service” to save the changes and return to the previous menu.

As with all external services, PagerDuty requires a service to be created for the external service
(Cloud Optix in our case) to enable communication, the steps for which are:

1. Log in to the PagerDuty console

2. Navigate to the Configuration menu in the top menu bar and select Services
3. Click “+ Add Services”
4. Enter a name and description for the Cloud Optix service in the respective fields under
General Settings
5. Select “Use our API directly” and select “Events API v2” from the dropdown menu
6. Enter the incident source to use in the Integration Name field

107
7. (Optional) Modify the Incident to reflect the desired escalation policy,
response play and incident timeouts
8. (Optional) Modify the Alert Grouping to determine how PagerDuty should
automatically group alerts, if at all
9. Click “Add Service” to save the changes and return to the settings menu

107
 Create an API Key for Cloud Optix

• Navigate to Configuration > API Access

Integrations - PagerDuty

• Select + Create New API Key

• Enter a description for the API Key
• Click Create Key
• Securely store the API key value

Next, you’ll need to generate the actual API key to use for the Cloud Optix service you just
created.

To do this, navigate to the Configuration menu in PagerDuty again and open “API Access”. There,
click “+ Create new API key” and enter a description for the key in the subsequent menu.

Click “Create Key” to create the new API key and make sure to copy and safely store the new
key for future reference.

Create an API key for Cloud Optix in PagerDuty

With the service set up, we’ll need an API key to allow Cloud Optix to connect with PagerDuty.

1. Log in to the PagerDuty console

2. Navigate to the Configuration menu in the top menu bar and select “API Access”
3. Click “+ Create New API Key”
4. Enter a Description for the API key and click “Create Key”
5. Safely store the API key value in the next popup

108
 Enable Incident Priority
Integrations - PagerDuty

• Navigate to Configuration > Incident Priorities

• Click Enable Incident Priority Levels
• Enter a description for priority levels
• Click Save

One often overlooked configuration item for PagerDuty is enabling Incident Priority, resulting in
an error condition where Cloud Optix can’t map its alert levels to appropriate Incident Priority
values in PagerDuty.

To enable Incident Priority in PagerDuty open the Configuration menu and select “Incident
Priorities”.

In the following menu click “Enable” to enable Incident Priorities, then set a description for the
various Incident Priority colours followed by clicking “Save” to store these settings.

Enabling Incident Priority in PagerDuty

Since Cloud Optix maps alert levels to Incident Priority levels it’s important to enable Incident
Priorities in PagerDuty before setting up the integration.

1. Log in to the PagerDuty console

2. Navigate to the Configuration menu in the top menu bar and select “Incident Priorities”
3. Click “Enable Incident Priority Levels”
4. (optional) Enter a description for the various priority levels and pick a custom colour
5. Click “Save” to store the priority level settings

109
 Create a User for Cloud Optix

• Navigate to Configuration > Users

• Navigate to Invite your team > Add Users
Integrations - PagerDuty

• Enter a name and email address for the user

• Set the Base Role to Responder
• Click Add
• Click Send Invitations
• Accept the invitation
• Complete user registration

The last step in PagerDuty is to create the user used by Cloud Optix.

Go to configuration and select Users, then click the “Add Users” button in the “Invite your
team” section.

Enter a name and email address for the new user, then make sure to set the base role to
“Responder” and Click “Add” followed by “Send Invitations” to generate and send the invitation
email.

Open the inbox of the configured email address and look for any new emails containing “… -
someone - has invited you to PagerDuty”.

Open this email and accept the invitation by clicking the “Accept Invitation” button, then
complete the user creation by entering a password and phone number for the new user.

Creating a user for Cloud Optix in PagerDuty

The last step before we can enable integration with PagerDuty is to create a user account for
Cloud Optix.

1. Log in to the PagerDuty console

2. Navigate to the Configuration menu in the top menu bar and select “Users”
3. Click “Add Users” in the Invite your team section
4. Enter a name and email address for this user.
5. Set the Base Role to Responder and click Add

110
6. Click “Send Invitations”
7. Open the recipient’s email inbox and find the new email with subject
“[PagerDuty] … has invited you to PagerDuty”
8. Click “Accept Invitation”
9. Complete the user registration by entering a password and phone number

110
 Enable PagerDuty Integration in Cloud Optix

• Navigate to Integrations > PagerDuty

Integrations - PagerDuty

• Enter the email address of the user create

• Enter the API Key
• Set the Base Role to Responder
• Click Add and click Send Invitations
• Enter the name used for the Cloud Optix Service
• Select Enable Config and click Save

With all the prerequisites configured we can enable PagerDuty integration in Cloud Optix.

Next, set which Alert levels Cloud Optix should communicate to PagerDuty and to which
particular Incident Priority they should be mapped in PagerDuty.

Tick the “Automatic” checkbox to have Cloud Optix automatically create PagerDuty incidents if
desired, then make sure to tick Enable Config to enable the integration before clicking Save to
complete the setup.

Enable PagerDuty integration

1. Open the Cloud Optix console

2. Navigate to Integrations (under settings) and select PagerDuty
3. Enter the URL of your PagerDuty team
4. Enter the email address of the user created for Cloud Optix
5. Enter the API key from the popup
6. Enter the name used for the Cloud Optix service in PagerDuty
7. (optional) Select which alert levels Cloud Optix should report to PagerDuty and to
which Priority Level they should be mapped
8. (optional) Tick “Automatic” to enable automatic creation of Incidents from Cloud Optix
alerts
9. Make sure “Enable Config” is ticked to enable the integration
10. Click Save

111
 Disabling PagerDuty Integration
Integrations - PagerDuty

Disable Remove the

PagerDuty Cloud Optix Remove the Remove the
Integration in user in API Key Service
Cloud Optix PagerDuty

As with the other services before, disabling PagerDuty integration consists of first disabling the
service in Cloud Optix, followed by manual cleanup of the configuration and objects in
PagerDuty.

Disabling PagerDuty integration and removing the created objects is a four step process:

• Disable the integration in Cloud Optix

• Remove the user in PagerDuty
• Remove the API key
• Remove the Service

112
 Disabling PagerDuty Integration in Cloud Optix
Integrations - PagerDuty

• In Cloud Optix navigate to Settings > Integrations > PagerDuty

• Deselect Enable Config
• Save the changes

As with the other services, it’s not possible to outright delete the PagerDuty settings.

Disabling the service works - and is configured - similar to the other services we discussed such
as Jira. Simply navigate to the Integrations in your Cloud Optix console, select PagerDuty form
the list, uncheck the “Enable Config” checkbox and click “Save” to disable the service
integration in Cloud Optix.

Removing the PagerDuty integration from Cloud Optix is not possible currently, similar to Jira,
but it can be disabled in similar fashion:

Disabling PagerDuty Integration in Cloud Optix

1. Open the Cloud Optix console

2. Navigate to Integrations (under settings) and select “PagerDuty”
3. Untick the “Enable Config” box
4. Click “Save” to update the PagerDuty settings in Cloud Optix and disable the integration

113
 Remove the Cloud Optix user in PagerDuty
Integrations - PagerDuty

• In PagerDuty navigate to Configuration > Users

• Delete the created account for Cloud Optix
• Click OK

With that done, let’s make sure to clean up any remnants of the integration in PagerDuty itself.

Start by logging in to PagerDuty and navigating to the Users in the Configuration menu.

Find the user account created for Cloud Optix, and click Delete in the action column to remove
the account. Click “OK” in the subsequent confirmation pop-up to finish the account removal.

The following steps are optional, but recommended best practice for environment cleanup:

Remove the Cloud Optix user in PagerDuty

1. Log in to PagerDuty
2. Navigate to the Configuration menu in the top menu bar and select Users
3. Navigate to the account created for Cloud Optix and click Delete in theActions column
4. Confirm the removal of the account by clicking the OK button on the pop-up

114
 Remove the Cloud Optix API Key in PagerDuty
Integrations - PagerDuty

• In PagerDuty navigate to Configuration > API Access

• Select Cloud Optix API Key > Remove
• Click OK

With the user account removed, the next thing to do is remove the API key you created for the
Cloud Optix service in PagerDuty.

Navigate to the Configuration menu and open API Access, then select the API Key you created
for Cloud Optix from the list.

Click Remove and confirm the removal in the pop-up to revoke the API key.

Remove the Cloud Optix API key in PagerDuty

1. Log in to PagerDuty
2. Navigate to the Configuration menu in the top menu bar and select API Access
3. Navigate to the Cloud Optix API key and click Remove
4. Confirm deletion of the key by clicking the
OK button in the pop-up menu

115
 Remove the Cloud Optix service in PagerDuty
Integrations - PagerDuty

• In PagerDuty navigate to Configuration > Services

• Select Cloud Optix service > Delete Service
• Click OK

With the user and API key removed, the only remaining configuration for Cloud Optix in
PagerDuty is the service you created in the first step of setting up the integration.

To remove it, go to the Configuration in PagerDuty and open Services.

Locate the Cloud Optix service, click the small cogwheel icon and select “Delete Service” from
the dropdown menu.

Confirm the removal by clicking “OK” in the pop-up to complete the cleanup process.

Remove the Cloud Optix service in PagerDuty

1. Log in to PagerDuty
2. Navigate to the Configuration menu in the top menu bar and select Services
3. Navigate to the Cloud Optix service and click the small cog icon
4. Select Delete Service from the dropdown menu
5. Confirm deletion of the key by clicking the OK button in the pop-up menu

116
Integrations – GuardDuty

Integration
Amazon GuardDuty

The last integration discussed in this module is Amazon GuardDuty, and it stands out from the
others in the sense that it is not a support or issue tracking solution like the others, but instead
is a continuous threat detection service for AWS accounts and workloads.

117
 Enable Amazon GuardDuty

Login to AWS console with a IAM account with appropriate rights

Integrations – GuardDuty

Navigate to Services >Amazon GuardDuty

Click Enable GuardDuty

GuardDuty is enabled on a per-account, per-region basis in AWS which is explained in

detail in this guide: http://docs.aws.amazon.com/console/guardduty/guardduty

GuardDuty is enabled per account and on a per-region basis in AWS, and the general steps to
enable the service are quite simple.

Make sure that you’re logged in as a user with appropriate IAM permissions, navigate to the
GuardDuty menu in your AWS console, then click Enable GuardDuty. Note that this is a
summary of the procedure and lacks details on important items such as the exact IAM
permissions required.

Sophos recommends using the links to the resources on the slide to read up on this service, the
associated costs and the specifics of enabling the service before proceeding to enable it in your
account.

Enabling Amazon GuardDuty

For the intents and purposes of this training we’ll summarize the process as explained in this
guide: http://docs.aws.amazon.com/console/guardduty/guardduty

1. Log in to your AWS console with a IAM account with appropriate rights
(see:https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#gu
ardduty_enable-gd)
2. Navigate to the Services menu in the top left and select Amazon GuardDuty
3. Click Enable GuardDuty

118
 Enable Amazon GuardDuty Integration in Cloud Optix

1 Navigate to Integrations > Amazon GuardDuty

Integrations – GuardDuty

2 Launch a bash shell with AWS CLI installed

3 Run the command

4 Once setup Cloud Optix can create issues, tickets and more

Additional information
in the notes

With GuardDuty enabled, navigate to the Integrations menu in Cloud Optix, select Amazon
GuardDuty from the list and then launch a bash shell (as discussed in the first module of this
training) with AWS CLI installed and a user with the permissions shown in the yellow box below
step 4 of the integration instructions signed in.

Then, copy and run the command shown in step 3A of the instructions in the Cloud Optix
console, followed by the command shown in step 3B once the previous command finishes
downloading the script.

Once the script completes your GuardDuty information will be processed by Cloud Optix along
with the product’s native alerting functionality.

With the integration set up you’ll find that Cloud Optix can now also create issues, tickets, etc…
in any service delivery tool like Jira already integrated with the system, providing even more of a
“single pane of glass” experience.

Enabling Amazon GuardDuty integration in Cloud Optix:

1. Open the Cloud Optix console

2. Navigate to Integrations (under settings) and
select Amazon GuardDuty
3. Launch a bash shell (as described in the AWS Environment section of this course)
4. Make sure the user signed in to the AWS CLI has at least the IAM permissions shown in
the yellow box below step 4 of the installation instructions.
a. See the AWS IAM user creation instructions in the AWS environment section if

119
 you need to create a new IAM policy for these permissions.
5. Copy and run the command shown in step 3A in the Cloud Optix console
6. Once completed, copy and run the script in Step 3B.
7. Hit enter to start the script
8. Once the script is completed your GuardDuty integration has been set up and
GuardDuty alerts will now be integrated into Cloud Optix alerting and
posture assessment.*

* If any other integrations are enabled (Jira, Slack, ServiceNow, PagerDuty, Splunk)
Cloud Optix will use the existing integration settings to also create tickets for
GuardDuty in the linked services.

119
 Troubleshooting
• Cloud Optix scripts log all output to avidsecure-script-output.log
• The log file is located in the folder the script is located in
• Log contains all events and errors
Integrations – GuardDuty

• Errors are displayed on • Warnings are displayed

screen during the on screen during the
execution of a script execution of a script
• Errors are displayed in • Warnings are displayed
RED in YELLOW

Unlike the AWS and Azure deployment scripts the GuardDuty

integration script has no built-in roll-back option

When it comes to troubleshooting the AWS GuardDuty script functions nearly identical to the
“new environment” script we’ve examined previously.

Output is logged both to file - in a file called avidsecure-script-output.log, placed in the same
folder as the script - as well as the console, in which case it will mark warning events with a
yellow colour and error events with red.

Unlike the AWS and Azure deployment scripts however the GuardDuty integration script has no
built-in roll-back option.

Any issues that have caused the script to fail can be found in the logs or output and addressed,
but Sophos highly recommends opening a support ticket with Sophos Support before
attempting to run the integration script again to make sure everything is cleaned up correctly
before retrying.

120
 TRAINING FEEDBACK

Feedback is always welcome

Please email [email protected]

Feedback on our courses is always welcome – please email us at [email protected]

with your comments.

121
Course Review
Now that you have completed this course, you should be able to:

Discuss the functionality of Cloud Optix

Demonstrate how to integrate cloud platforms with Cloud Optix

Demonstrate how to integrate Cloud Optix with Kubernetes and infrastructure as Code
environments

Integrate Cloud Optix with service desk ticketing and alerting platforms

Perform initial troubleshooting

On completion of this course, you should now be able to perform the actions shown here.
Please take a moment to review these.

If you are not confident that you have met these objectives, please review the material covered
in this course.

122
Next Steps
Now that you have completed this course, you should:

Complete the assessment You have 1 hour to complete You have 4 attempts to
in the training portal the assessment pass the assessment

Now that you have completed this course, you should complete the assessment in the training
portal.

You will have 1 hour to complete the assessment from when you launch it, and you have 4
attempts to pass the assessment.

123
124