I installed the "Splunk Add-on for Microsoft Cloud Services" app and it broke the Sophos scripts from downloading logs.
I saw this error in the _internal index:
ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" ValueError: unknown url type: __REST_CREDENTIAL__#Splunk_TA_microsoft-cloudservices#configs/conf-splunk_ta_ms_o365_server_ucc_system_snapshot
I disabled the app and Sophos scripts worked again.
After digging I found out that this app and others have their credentials global and not limited to their own app. A bit sloppy.
To fix this for the Sophos app, I added a check to make sure the returned data is from Sophos. So far it works great.
Edit both files, "sophos_alerts.py" and "sophos_events.py":
    for i, c in entities.items():
        if "central.sophos.com" in c['realm']:  # <-- add this line
            return c['realm'], c['username'], c['clear_password']
    raise Exception("No credentials have been found")
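A stricter variant of the realm check above, as an added example that is not part of the original post or the Sophos app's code: it parses the realm as a URL and compares the host, so entries such as the `__REST_CREDENTIAL__` realm from the error message, or a host that merely contains the Sophos domain, are skipped. The function names, the plain-dict model of the credential entities, the https requirement and the sample entries are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

SOPHOS_DOMAIN = "central.sophos.com"  # domain used in the check from the post


def is_sophos_realm(realm):
    """True if realm parses as an https URL on central.sophos.com or a subdomain."""
    try:
        parts = urlsplit(realm or "")
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    # Assumption: the Sophos realm is stored as an https API URL.
    return parts.scheme == "https" and (
        host == SOPHOS_DOMAIN or host.endswith("." + SOPHOS_DOMAIN))


def select_sophos_credential(entities):
    """Return (realm, username, clear_password) for the first Sophos entry."""
    for _name, c in sorted(entities.items()):
        if is_sophos_realm(c.get("realm")):
            return c["realm"], c["username"], c["clear_password"]
    raise LookupError("No Sophos credentials have been found")


# Constructed sample of a globally shared credential listing; the first realm
# is the one from the error message, all other values are placeholders.
SAMPLE_ENTITIES = {
    "ms_cloud": {
        "realm": "__REST_CREDENTIAL__#Splunk_TA_microsoft-cloudservices#"
                 "configs/conf-splunk_ta_ms_o365_server_ucc_system_snapshot",
        "username": "placeholder", "clear_password": "placeholder"},
    "lookalike": {
        "realm": "https://central.sophos.com.example.net/",
        "username": "placeholder", "clear_password": "placeholder"},
    "sophos": {
        "realm": "https://api1.central.sophos.com/gateway",
        "username": "constructed-api-key", "clear_password": "constructed-secret"},
}

if __name__ == "__main__":
    print(select_sophos_credential(SAMPLE_ENTITIES)[0])
```
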
Thanks for the note on this - you are correct!
I had overlooked this on 1.0.2, although my working copy has a fix.
I'll look to incorporate your suggestion too, as an additional control.