From 075aa0e284430d597dd3f8be669bfcd85ad8090e Mon Sep 17 00:00:00 2001
From: Stefan Waldvogel <75188231+StefanAustin@users.noreply.github.com>
Date: Wed, 18 Jun 2025 14:24:05 -0500
Subject: [PATCH 1/5] Update Sophos Central Content Pack.htm

---
 Content/Content Packs/Sophos Central Content Pack.htm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Content/Content Packs/Sophos Central Content Pack.htm b/Content/Content Packs/Sophos Central Content Pack.htm
index 69eb6ca..f4fb412 100644
--- a/Content/Content Packs/Sophos Central Content Pack.htm	
+++ b/Content/Content Packs/Sophos Central Content Pack.htm	
@@ -90,7 +90,8 @@ <h3>Configuring a Sophos Central Input</h3>
             </li>
         </ol>
         <p>If the input does not start automatically, select <i>Start Input</i> to begin retrieving and processing messages from the configured Sophos Central server.</p>
-        <h2>Log Format Example</h2>
+        <p>This pack rewrites the message field to reduce license utilization. To get the full message, set the "Store full message" in the input settings to true.</p>
+            <h2>Log Format Example</h2>
         <MadCap:codeSnippet>
             <MadCap:codeSnippetCopyButton />
             <MadCap:codeSnippetBody MadCap:useLineNumbers="False" MadCap:lineNumberStart="1" MadCap:continue="False" xml:space="preserve">{"type":"Event::Endpoint::CoreDetection","origin":"SAV","created_at":"2025-01-24T11:32:22.544Z","source_info":{"ip":"192.168.40.176"},"customer_id":"aabbccdd-1234-5678-abcd-ef1234567890","severity":"medium","endpoint_id":"10a1a0aa-aa10-10aa-1010-a01a1aaa01a0","endpoint_type":"computer","user_id":"671565c8eeddce2b21c52a24","threat":"Mal/Kryptik-DL","when":"2025-01-24T11:32:11.870Z","appSha256":"43670ae43df9e361fa15f09f611da32db104ee207ed5af3e7e7f098ad82a68e0","source":"DESKTOP-JDVP7LN\Test234","location":"DESKTOP-JDVP7LN","id":"cc29ad5d-3e42-20da-8790-03f87f291fa6","group":"MALWARE","name":"Malware detected: 'Mal/Kryptik-DL' at 'C:\Users\Test234\Downloads\43670ae43df9e361fa15f09f611da32db104ee207ed5af3e7e7f098ad82a68e0'"}
@@ -153,4 +154,4 @@ <h3>Threat Events</h3>
             <img src="../Resources/Images/Sophos Central Content Pack/hostname.png" />
         </p>
     </body>
-</html>
\ No newline at end of file
+</html>

From a4e30b7e1ac4eb350276df1575c691d84b26e731 Mon Sep 17 00:00:00 2001
From: Annie Zempel <annie.zempel@graylog.com>
Date: Thu, 26 Jun 2025 11:43:35 -0800
Subject: [PATCH 2/5] minor formatting

---
 .../Sophos Central Content Pack.htm              | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/Content/Content Packs/Sophos Central Content Pack.htm b/Content/Content Packs/Sophos Central Content Pack.htm
index f4fb412..fdb02b7 100644
--- a/Content/Content Packs/Sophos Central Content Pack.htm	
+++ b/Content/Content Packs/Sophos Central Content Pack.htm	
@@ -7,11 +7,7 @@
         <MadCap:snippetBlock src="../Resources/Snippets/IlluminateBanner.flsnp" />
         <p>Sophos Central is a cloud-based unified security management platform that delivers centralized administration, threat detection, and policy enforcement across a range of security services encompassing network, endpoint, server, mobile, and email security. This content pack extracts fields from Sophos Central Endpoint Protection telemetry and event messages and normalizes them to align with the Graylog schema.</p>
         <h2>Supported Version(s)</h2>
-        <ul>
-            <li>
-                <p>Sophos Central is a continuously updated managed service that does not feature version numbers. This pack was built and tested for integration with the Sophos Central SIEM Integration v1 API. In addition, parsing is designed around Sophos Central events sourced from Windows endpoints. Events from other OS platforms such as macOS may be supported, but not fully tested.</p>
-            </li>
-        </ul>
+        <p>Sophos Central is a continuously updated managed service that does not feature version numbers. This pack was built and tested for integration with the Sophos Central SIEM Integration v1 API. In addition, parsing is designed around Sophos Central events sourced from Windows endpoints. Events from other OS platforms such as macOS may be supported, but not fully tested.</p>
         <h2>Requirements</h2>
         <ul>
             <li>
@@ -90,8 +86,12 @@ <h3>Configuring a Sophos Central Input</h3>
             </li>
         </ol>
         <p>If the input does not start automatically, select <i>Start Input</i> to begin retrieving and processing messages from the configured Sophos Central server.</p>
-        <p>This pack rewrites the message field to reduce license utilization. To get the full message, set the "Store full message" in the input settings to true.</p>
-            <h2>Log Format Example</h2>
+        <p>
+            <section class="infoBox">
+                <div class="content"><b>Hint:</b> This pack rewrites the message field to reduce license utilization. To get the full message, set <i>Store full message</i> in the input settings to true.</div>
+            </section>
+        </p>
+        <h2>Log Format Example</h2>
         <MadCap:codeSnippet>
             <MadCap:codeSnippetCopyButton />
             <MadCap:codeSnippetBody MadCap:useLineNumbers="False" MadCap:lineNumberStart="1" MadCap:continue="False" xml:space="preserve">{"type":"Event::Endpoint::CoreDetection","origin":"SAV","created_at":"2025-01-24T11:32:22.544Z","source_info":{"ip":"192.168.40.176"},"customer_id":"aabbccdd-1234-5678-abcd-ef1234567890","severity":"medium","endpoint_id":"10a1a0aa-aa10-10aa-1010-a01a1aaa01a0","endpoint_type":"computer","user_id":"671565c8eeddce2b21c52a24","threat":"Mal/Kryptik-DL","when":"2025-01-24T11:32:11.870Z","appSha256":"43670ae43df9e361fa15f09f611da32db104ee207ed5af3e7e7f098ad82a68e0","source":"DESKTOP-JDVP7LN\Test234","location":"DESKTOP-JDVP7LN","id":"cc29ad5d-3e42-20da-8790-03f87f291fa6","group":"MALWARE","name":"Malware detected: 'Mal/Kryptik-DL' at 'C:\Users\Test234\Downloads\43670ae43df9e361fa15f09f611da32db104ee207ed5af3e7e7f098ad82a68e0'"}
@@ -154,4 +154,4 @@ <h3>Threat Events</h3>
             <img src="../Resources/Images/Sophos Central Content Pack/hostname.png" />
         </p>
     </body>
-</html>
+</html>
\ No newline at end of file

From 25a4c1ee5f61edb82752255e7f282978df4ac740 Mon Sep 17 00:00:00 2001
From: Stefan Waldvogel <75188231+StefanAustin@users.noreply.github.com>
Date: Mon, 13 Oct 2025 09:08:27 -0500
Subject: [PATCH 3/5] Update SFOS 19.5 Content Pack.htm

Added a hint for message shortage
---
 Content/Content Packs/SFOS 19.5 Content Pack.htm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Content/Content Packs/SFOS 19.5 Content Pack.htm b/Content/Content Packs/SFOS 19.5 Content Pack.htm
index 5f1fc75..ce12f99 100644
--- a/Content/Content Packs/SFOS 19.5 Content Pack.htm	
+++ b/Content/Content Packs/SFOS 19.5 Content Pack.htm	
@@ -79,7 +79,9 @@ <h2>Sophos XG/XGS Firewall Message Processing</h2>
             <li>
                 <p>Extraction of fields, normalization, and enrichment of SFOS log messages.</p>
             </li>
-            <li>The message field will be replaced by a shorter message to reduce license utilization. Activate the <code class="linecode">full_message</code> option in the input if needed.</li>
+            <section class="infoBox">
+                <div class="content"><b>Hint:</b> This pack rewrites the message field to reduce license utilization. To get the full message, set <i>Store full message</i> in the input settings to true.</div>
+            </section>
         </ul>
         <ul>
             <li>
@@ -242,4 +244,4 @@ <h2>Sophos XG/XGS Firewall Message Processing</h2>
             </tbody>
         </table>
     </body>
-</html>
\ No newline at end of file
+</html>

From a0d253b23e53ba7a35e880764cbdaa50d32b04ec Mon Sep 17 00:00:00 2001
From: Stefan Waldvogel <75188231+StefanAustin@users.noreply.github.com>
Date: Mon, 13 Oct 2025 09:34:11 -0500
Subject: [PATCH 4/5] Update SFOS 19.5 Content Pack.htm

removed space
---
 Content/Content Packs/SFOS 19.5 Content Pack.htm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Content/Content Packs/SFOS 19.5 Content Pack.htm b/Content/Content Packs/SFOS 19.5 Content Pack.htm
index ce12f99..b2a5677 100644
--- a/Content/Content Packs/SFOS 19.5 Content Pack.htm	
+++ b/Content/Content Packs/SFOS 19.5 Content Pack.htm	
@@ -80,7 +80,7 @@ <h2>Sophos XG/XGS Firewall Message Processing</h2>
                 <p>Extraction of fields, normalization, and enrichment of SFOS log messages.</p>
             </li>
             <section class="infoBox">
-                <div class="content"><b>Hint:</b> This pack rewrites the message field to reduce license utilization. To get the full message, set <i>Store full message</i> in the input settings to true.</div>
+                <div class="content"><b>Hint:</b>This pack rewrites the message field to reduce license utilization. To get the full message, set <i>Store full message</i> in the input settings to true.</div>
             </section>
         </ul>
         <ul>

From 8851290f60c3d11d1e95621bf334ae3908a52fb6 Mon Sep 17 00:00:00 2001
From: Stefan Waldvogel <75188231+StefanAustin@users.noreply.github.com>
Date: Mon, 13 Oct 2025 09:34:40 -0500
Subject: [PATCH 5/5] Update Sophos Central Content Pack.htm

removed space
---
 Content/Content Packs/Sophos Central Content Pack.htm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Content/Content Packs/Sophos Central Content Pack.htm b/Content/Content Packs/Sophos Central Content Pack.htm
index fdb02b7..0034180 100644
--- a/Content/Content Packs/Sophos Central Content Pack.htm	
+++ b/Content/Content Packs/Sophos Central Content Pack.htm	
@@ -88,7 +88,7 @@ <h3>Configuring a Sophos Central Input</h3>
         <p>If the input does not start automatically, select <i>Start Input</i> to begin retrieving and processing messages from the configured Sophos Central server.</p>
         <p>
             <section class="infoBox">
-                <div class="content"><b>Hint:</b> This pack rewrites the message field to reduce license utilization. To get the full message, set <i>Store full message</i> in the input settings to true.</div>
+                <div class="content"><b>Hint:</b>This pack rewrites the message field to reduce license utilization. To get the full message, set <i>Store full message</i> in the input settings to true.</div>
             </section>
         </p>
         <h2>Log Format Example</h2>
@@ -154,4 +154,4 @@ <h3>Threat Events</h3>
             <img src="../Resources/Images/Sophos Central Content Pack/hostname.png" />
         </p>
     </body>
-</html>
\ No newline at end of file
+</html>