What is sophos:sec?

nickstone
Path Finder

In the docs for the Splunk_TA_sophos app there is a reference to "sophos:sec", but the only reference I can find for it in the app is in the transforms or props file.

Can someone confirm its intended function? Is it for the syslog version of the logs, or for UTM logs?

When I trace backwards from the Malware data model to see what it does, I get to eventtypes, and it seems that sophos:sec is paired with most other input sourcetypes, which makes me think it is the syslog version.

Anyone worked heavily with this app before?

rpille_splunk
Splunk Employee

Per http://docs.splunk.com/Documentation/AddOns/released/Sophos/DataTypes, it is one of the sourcetypes for the Sophos Endpoint Console Server logs and maps data for the Change Analysis, Malware, and Network Traffic CIM models.

Here are the instructions for how to configure the collection for these logs: http://docs.splunk.com/Documentation/AddOns/released/Sophos/Configureinputs#Sophos_Endpoint_Console_...

nickstone
Path Finder

Thanks for the quick response; however, per my question, I have already read those links and they don't say much.

What is the source of sophos:sec data? There is no input, and the transforms/props doesn't seem to match anything.

chaker
Contributor

If you take a look in the props.conf file, you will see there is a [sophos:sec] stanza, with field aliasing to CIM field names.

I collected the logs using the sourcetypes described in the TA's inputs.conf file, then sourcetype-renamed them at search time to the sophos:sec sourcetype. You only need to use sophos:sec if you want CIM-compliant field names.

chris_jepeway
New Member

A comment in transforms.conf suggests using host matching to remap the sourcetype, but that changes the sourcetypes of all events emitted from that host. So, suddenly, your plain-vanilla Windows sourcetypes disappear.

Instead, I've used the [(?::){0}sophos:*] trick in props.conf to get those CIM-compatible search-time aliases and lookups to fire.

My current problem with them is that they don't exactly match the output from Reporting Log Writer anymore. When I get the field mappings working again, I'll report back here.

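To make the difference between the approaches in this thread concrete, here is an added props.conf/transforms.conf sketch; it is not from the Sophos TA or from any of the posters. The host name, the original sourcetype name and the alias fields are assumptions: the host-based override rewrites the sourcetype of every event from that host, the `rename` attribute only remaps one named sourcetype at search time, and the `(?::){0}` stanza attaches the search-time knowledge to any sourcetype starting with `sophos:` without touching what was indexed.

```ini
# Approach A: host-based sourcetype override (the transforms.conf comment).
# This is index-time and applies to EVERY event from the host, so Windows
# event logs forwarded from the same box are re-tagged as sophos:sec too.

# props.conf
# "sophos-ec-server" is an assumed host name.
[host::sophos-ec-server]
TRANSFORMS-sophos_st = force_sophos_sec

# transforms.conf
[force_sophos_sec]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sophos:sec

# Approach B: search-time rename of one specific sourcetype (what chaker
# describes). Only events indexed as the named sourcetype are affected;
# the original value remains searchable via the _sourcetype field.

# props.conf
# "sophos:ec:alerts" is an assumed stand-in for one of the TA's input sourcetypes.
[sophos:ec:alerts]
rename = sophos:sec

# Approach C: the (?::){0} wildcard trick (chris_jepeway's comment).
# Without the (?::){0} prefix Splunk treats a stanza with a wildcard as a
# source/host pattern; with it, the stanza matches any sourcetype whose
# name starts with "sophos:", and the indexed sourcetype is left unchanged.
# The aliases below are assumed examples, not the TA's real field mappings.

# props.conf
[(?::){0}sophos:*]
FIELDALIAS-sophos_cim_dest = ComputerName AS dest
FIELDALIAS-sophos_cim_signature = ThreatName AS signature
```

Approaches B and C are search-time only, so they can be tested and rolled back with a restart of the search head, whereas Approach A changes what is written to the index.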