Is there a way to test if the Add-on for Sophos is...

splunked38 · ‎09-04-2015

Hi,

Splunk Add-on for Sophos is working well, however, I'm not sure if it's extracting all the fields. Using this as an example:

InsertedAt=2015-09-03 14:40:05; EventID=xxxxx; EventTime=2015-09-03 13:21:21; ActionID=101; Action=None; UserName=xxx\xxx; ScanTypeID=200; ScanType=Unknown; StatusID=300; Status=Cleanable; EventTypeID=2; EventType=Adware or PUA; EventName=xxxx; FullFilePath=C:\path\filename.exe; ComputerName=xxx; ComputerDomain=xxx; ComputerIPAddress=x.x.x.x

Looking in transforms.conf for the Splunk Add-on, the stanza reads:

[sophos_threat_file_path_and_file_name]
REGEX = FullFilePath=\"(.+?)\\([^\\]+?)\"\;
FORMAT = file_path::$1 file_name::$2

FullFilePath is then separated into file_path and file_name, however there are two issues:
1. Path extractions do not seem to work (does not appear to split into file_path, file_name, could be the missing double quotes in the event?)
2. Sophos also conducts memory scans and uses FullFilePath to state this as 'User Memory'

The same problem is happening for the event time, there's no double quote in the event:

TIME_PREFIX = EventTime="

Is there a way to test if this is actually working?

ehaddad_splunk · ‎09-04-2015

when you run search against sophos data, do you see any file_path and file_name fields extracted? how about events timestamp, does it match what's in the raw event EventTime field?

Is there a way to test if the Add-on for Sophos is actually extracting all fields?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!