How to get the Splunk Add-on for Sophos to work with CIM?

splunked38
Communicator

I'm trying to get the Splunk Add-on for Sophos to work with CIM.

The inputs are working fine as the following is returning a result
sourcetype="sophos:threats"

With the tags:
application, endpoint, error

There are several events with the ThreatType=Viruses/spyware

e.g. (sanitised):

InsertedAt=2015-09-02 11:11:47; EventID=1000478; EventTime=2015-09-02 11:11:45; ActionTakenID=116; ActionTaken=Blocked; UserName=xxx; ScannerTypeID=200; ScannerType=Unknown; StatusID=300; Status=Cleanable; ThreatTypeID=1; ThreatType=Viruses/spyware; ThreatName=Mal/Generic-S; FullFilePath=xxx; ComputerName=xxx; ComputerDomain=xxx; ComputerIPAddress=x.x.x.x

However, none of the events returned are tagged as 'malware' (including the Eicar test string). As a result, CIM validation-Malware does not pick anything up.

  1. Is there something special I need to do with the logwriter config before Splunk for Sophos can tag correctly?
  2. Is there anything else I can do to validate the configuration?

Thanks in advance.

1 Solution

ehaddad_splunk
Splunk Employee

In order to tag the events as 'Malware', the add-on looks at the EventType field (not to be confused with the Splunk eventtype). If it is set to EventType="Viruses/spyware" then the tagging happens. A quick workaround for you is to define the tag and eventtypes in the eventtypes.conf and tags.conf files. In the meantime, would you please let us know what version of Sophos you are using? Curious why you do not have an EventType field in the raw data.
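
The workaround described above, written out as local Splunk configuration. This is an added example, not the add-on's own config or the answerer's: it assumes the stanzas are placed in the local directory of the add-on (or a small custom app), that the events really carry ThreatType=Viruses/spyware as in the sanitised sample, and that the sourcetype is sophos:threats. The field aliases for the CIM Malware data model are an assumption based on the fields visible in the sample event; check with the add-on's own props.conf before adding them so you do not define them twice.

```ini
# --- eventtypes.conf ---
# Match on the field the logwriter actually emits (ThreatType),
# since EventType is missing from the DefaultThreats log.
[sophos_threat_malware]
search = sourcetype="sophos:threats" ThreatType="Viruses/spyware"

# --- tags.conf ---
# The CIM Malware data model (Malware_Attacks dataset) selects events
# tagged both "malware" and "attack".
[eventtype=sophos_threat_malware]
malware = enabled
attack = enabled

# --- props.conf (assumed aliases; verify against the add-on first) ---
# Map the raw Sophos field names seen in the sample event onto the
# CIM Malware field names so the data model search populates them.
[sophos:threats]
FIELDALIAS-sophos_cim_signature = ThreatName AS signature
FIELDALIAS-sophos_cim_file_path = FullFilePath AS file_path
FIELDALIAS-sophos_cim_dest = ComputerName AS dest
FIELDALIAS-sophos_cim_user = UserName AS user
# CIM expects a lowercase action value such as "blocked"
EVAL-action = lower(ActionTaken)
```

After a restart or a reload of the conf files, searching `tag=malware sourcetype="sophos:threats"` (or `| datamodel Malware Malware_Attacks search`) should return the Viruses/spyware events, including the EICAR test detection.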

splunked38
Communicator

@ehaddad,

Makes sense, thanks for that.

The reason why it's not logging is that the log being fed into Splunk is the Sophos Log Writer 'DefaultThreats' log, where EventType is not being logged.

I'm not using the Splunk forwarder, that's another story. The logs are coming from the Sophos Log Writer:
http://docs.splunk.com/Documentation/AddOns/latest/Sophos/ConfigureSophosEnterprise

The versions of the apps are Sophos Enterprise Console v5.2.1R2, Sophos Log Writer 5.1.

The next challenge is to configure the Sophos Log Writer to log data that can be used for Splunk.
