
How to get the Splunk Add-on for Sophos to work with CIM?

splunked38
Communicator

I'm trying to get the Splunk Add-on for Sophos to work with CIM.

The inputs are working fine as the following is returning a result
sourcetype="sophos:threats"

With the tags:
application, endpoint, error

There are several events with the ThreatType=Viruses/spyware

eg (sanitised):

InsertedAt=2015-09-02 11:11:47; EventID=1000478; EventTime=2015-09-02 11:11:45; ActionTakenID=116; ActionTaken=Blocked; UserName=xxx; ScannerTypeID=200; ScannerType=Unknown; StatusID=300; Status=Cleanable; ThreatTypeID=1; ThreatType=Viruses/spyware; ThreatName=Mal/Generic-S; FullFilePath=xxx; ComputerName=xxx; ComputerDomain=xxx; ComputerIPAddress=x.x.x.x

However, none of the events returned are tagged as 'malware' (including the Eicar test string). As a result, CIM validation-Malware does not pick anything up.

  1. Is there something special I need to do with the logwriter config before Splunk for Sophos can tag correctly?
  2. Is there anything else I can do to validate the configuration?

Thanks in advance.

1 Solution

ehaddad_splunk
Splunk Employee

In order to tag the events to 'Malware', the add-on looks at the EventType field (not to be confused with the Splunk eventtype). If it is set to EventType="Viruses/spyware" then the tagging happens. Quick workaround for you is to define the tag and eventtypes in eventtypes.conf and tag.conf files. In the meantime, would you please let us know what version of Sophos you are using? Curious why you do not have an EventType field in the raw data.



splunked38
Communicator

@ehaddad,

Makes sense, thanks for that.

The reason why it's not logging is that the log being fed into Splunk is the Sophos Log Writer 'DefaultThreats' log, where EventType is not being logged.

I'm not using the Splunk forwarder, that's another story. The logs are coming from the Sophos Log Writer:
http://docs.splunk.com/Documentation/AddOns/latest/Sophos/ConfigureSophosEnterprise

The versions of the apps are Sophos Enterprise Console v5.2.1R2, Sophos Log Writer 5.1.

The next challenge is to configure the Sophos Log Writer to log data that can be used for Splunk.

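The workaround from the accepted answer, applied to the situation described in the reply above: the DefaultThreats log carries ThreatType but no EventType, so the stock eventtype never matches. This is an added example, not configuration shipped with the Splunk Add-on for Sophos or posted in the thread; the stanza name is an assumption, the file is tags.conf (not tag.conf), and the sample event is the sanitised one from the question.

```ini
# --- $SPLUNK_HOME/etc/apps/<add-on>/local/eventtypes.conf ---
# Added example, not the add-on's own stanza.
# The shipped malware eventtype keys on EventType="Viruses/spyware"; the
# Sophos Log Writer "DefaultThreats" format never writes EventType, so that
# eventtype matches nothing. Key on ThreatType instead, which that log does
# emit (see the sample event: ThreatType=Viruses/spyware; ThreatName=Mal/Generic-S).
# Stanza name is an assumption; pick any name not already used by the add-on.
[sophos_threat_by_threattype]
search = sourcetype="sophos:threats" ThreatType="Viruses/spyware"

# --- $SPLUNK_HOME/etc/apps/<add-on>/local/tags.conf ---
# Tags are attached to the eventtype, so this stanza must use exactly the
# eventtype name defined above.
# The CIM Malware data model's Malware_Attacks dataset is constrained on
# tag=malware tag=attack, so both tags are enabled; "malware" alone is what
# the question looked for but would not populate the data model by itself.
[eventtype=sophos_threat_by_threattype]
malware = enabled
attack = enabled

# --- Validation searches (run after a restart or a debug/refresh) ---
# 1. The eventtype resolves and the tags are applied to the raw events:
#      sourcetype="sophos:threats" eventtype=sophos_threat_by_threattype tag=malware
# 2. The events now reach the CIM data model, which is what CIM validation reads:
#      | datamodel Malware Malware_Attacks search
#      | table _time, ComputerName, ThreatName, ActionTaken, tag
```

Field mappings (for example ThreatName to signature, ComputerName to dest) are a separate concern from tagging and are not shown here; if the data model populates but columns such as signature are empty, that is where to look next.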