topic Re: What is sophos:sec? in All Apps and Add-ons

What is sophos:sec?

nickstone — Tue, 29 Sep 2020 11:00:35 GMT

In the docs for the Splunk_TA_sophos app there is reference to "sophos:sec" but the only reference I can find for this in the app is in the transforms or props file.

Can someone confirm its intended function? Is it for the syslog version of the logs? or UTM logs?

When I trace backwards from the Malware datamodel to see what it does; I get to eventtypes and it seems that sophos:sec is paired with most other input sourcetypes which makes me think it is the syslog version.

Anyone worked heavily with this app before?

Re: What is sophos:sec?

rpille_splunk — Tue, 13 Sep 2016 15:19:33 GMT

Per http://docs.splunk.com/Documentation/AddOns/released/Sophos/DataTypes, it is one of the sourcetypes for the Sophos Endpoint Console Server logs and maps data for the Change Analysis, Malware, and Network Traffic CIM models.

Here's the instructions for how to configure the collection for these logs: http://docs.splunk.com/Documentation/AddOns/released/Sophos/Configureinputs#Sophos_Endpoint_Console_Syslog_Logs

Re: What is sophos:sec?

nickstone — Tue, 13 Sep 2016 21:58:28 GMT

Thanks for the quick response, however per my question I have already read those links and they don't say much.

What is the source of sophos:sec data? there is no input and the transforms/props doesnt seem to match anything

Re: What is sophos:sec?

chaker — Fri, 19 May 2017 23:09:43 GMT

If you take a look in the props.conf file, you will see there is a [sophos:sec] stanza, with field aliasing to CIM field names.

I collected the logs using the sourcetypes described in the TA's inputs.conf file, then sourcetype rename them at search time to the sophos:sec sourcetype. You only need to use sophos:sec if you want CIM compliant field names.

Re: What is sophos:sec?

chris_jepeway — Mon, 20 May 2019 22:34:43 GMT

A comment transforms.conf suggest using host matching to remap sourcetype, but that changes the sourcetypes of all events emitted from that host. So, suddenly your plain-vanilla Window sourcetypes disappear.

Instead, I've used the [(?::){0}sophos:*] trick in props.conf to get those CIM-compatible search-time aliases and lookups to fire.

My current problem with them is that they don't exactly match the output from Reporting Log Writer anymore. When I get the field mappings working again, I'll report back here.