FYI: How to extract source webserver & malware signature from Sophos Web Activity
Karma1991
Explorer
10-14-2020
11:36 AM
If you have issues where the Sophos sourcetype is not extracting the source webserver & malware signature from web activity events, add this line to pull those events.
I couldn't find a solution for this problem, so here's mine:
```
"Access was blocked to \"(?<origin>[^\"]+)\" because of \"(?<threat>[^\"]+)\"\."
```
This will make use of the already created but null fields, origin & threat.
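To sanity-check the extraction against sample events before putting it into the Sophos sourcetype configuration, here is an added Python example (not from the post above and not part of the Splunk Sophos add-on). It ports the posted regex to Python's re module, which spells named groups as (?P<name>...) rather than the (?<name>...) form Splunk accepts, and runs it over constructed event strings: the syslog-style prefix on those strings is an assumption, only the quoted message text follows the post, and the URLs and signature names are made up.

```python
import re

# Port of the posted Splunk regex. Splunk (PCRE) accepts (?<name>...);
# Python's re module needs (?P<name>...) for named groups.
# The final "\." matches the literal period that ends the message text.
SOPHOS_BLOCK_RE = re.compile(
    r'Access was blocked to "(?P<origin>[^"]+)" because of "(?P<threat>[^"]+)"\.'
)

# Constructed sample events (not real captures). The host/process prefix is
# assumed; only the "Access was blocked to ..." message text follows the post.
SAMPLE_EVENTS = [
    '2020-10-14T11:36:02 sophos-gw ulogd: Access was blocked to '
    '"http://malicious.example/dl/invoice.exe" because of "Mal/Generic-S".',
    '2020-10-14T11:36:05 sophos-gw ulogd: Access was blocked to '
    '"https://phish.example/login" because of "Troj/Phish-ABC".',
    # An allow event: the regex must not match this one.
    '2020-10-14T11:36:09 sophos-gw ulogd: Access was allowed to '
    '"https://www.example.com/".',
]


def extract_block_fields(event):
    """Return {'origin': ..., 'threat': ...} for a block event, else None.

    Returning None mirrors what Splunk does for a non-matching event: the
    origin and threat fields simply stay absent for that event.
    """
    match = SOPHOS_BLOCK_RE.search(event)
    if match is None:
        return None
    return match.groupdict()


def extract_all(events):
    """Run the extraction over a list of raw events, keeping only matches."""
    results = []
    for event in events:
        fields = extract_block_fields(event)
        if fields is not None:
            results.append(fields)
    return results


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_block_fields(event))
```

If a real event prints None here, the message text differs from the form the regex expects (for example different quoting or a missing trailing period), and the regex needs adjusting before it goes into the sourcetype configuration.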

richgalloway

SplunkTrust
10-14-2020
02:26 PM
To better assist future readers, please reformat this into a question and a separate answer then accept the answer. Please also explain where the added line should be placed.
---
If this reply helps you, Karma would be appreciated.