How to get the Splunk Add-on for Sophos to work with CIM?

splunked38
Communicator

I'm trying to get the Splunk Add-on for Sophos to work with CIM.

The inputs are working fine as the following is returning a result
sourcetype="sophos:threats"

With the tags:
application, endpoint, error

There are several events with the ThreatType=Viruses/spyware

eg (sanitised):

InsertedAt=2015-09-02 11:11:47; EventID=1000478; EventTime=2015-09-02 11:11:45; ActionTakenID=116; ActionTaken=Blocked; UserName=xxx; ScannerTypeID=200; ScannerType=Unknown; StatusID=300; Status=Cleanable; ThreatTypeID=1; ThreatType=Viruses/spyware; ThreatName=Mal/Generic-S; FullFilePath=xxx; ComputerName=xxx; ComputerDomain=xxx; ComputerIPAddress=x.x.x.x

However, none of the events returned are tagged as 'malware' (including the Eicar test string). As a result, CIM validation-Malware does not pick anything up.

  1. Is there something special I need to do with the logwriter config before Splunk for Sophos can tag correctly?
  2. Is there anything else I can do to validate the configuration?

Thanks in advance.

ehaddad_splunk
Splunk Employee

In order to tag the events as 'Malware', the add-on looks at the EventType field (not to be confused with a Splunk eventtype). If it is set to EventType="Viruses/spyware", then the tagging happens. A quick workaround for you is to define the tag and eventtypes in the eventtypes.conf and tag.conf files. In the meantime, would you please let us know what version of Sophos you are using? Curious why you do not have an EventType field in the raw data.

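The workaround described in the answer above, written out as an added example (not the add-on's own configuration and not posted by the answerer): a local eventtype that matches on the ThreatType field the asker's events do carry, and a tag stanza that attaches the CIM tags to it. The stanza name `sophos_threats_malware_local` and the choice of the `attack` tag are assumptions; the Malware data model's Malware_Attacks object is constrained on both `malware` and `attack`, so `malware` alone would still leave CIM validation empty.

```ini
# --- $SPLUNK_HOME/etc/apps/<your_local_app>/local/eventtypes.conf ---
# Hypothetical stanza name; match on ThreatType because the DefaultThreats
# log writer output in the question has no EventType field to match on.
[sophos_threats_malware_local]
search = sourcetype="sophos:threats" ThreatType="Viruses/spyware"

# --- $SPLUNK_HOME/etc/apps/<your_local_app>/local/tag.conf ---
# Attach the CIM tags to every event that matches the eventtype above.
[eventtype=sophos_threats_malware_local]
malware = enabled
attack = enabled
```

After restarting Splunk (or reloading search-time knowledge), you can confirm the tags are applied with `sourcetype="sophos:threats" tag=malware tag=attack`, and confirm the data model picks the events up with `| datamodel Malware Malware_Attacks search`. If you later switch the log writer to a log that does include EventType, the add-on's own eventtype will match and this local stanza can be removed to avoid double-counting.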

splunked38
Communicator

@ehaddad,

Makes sense, thanks for that.

The reason why it's not logging is that the log being fed into splunk is the Sophos Log writer 'DefaultThreats' log where EventType is not being logged.

I'm not using the splunk forwarder, that's another story. The logs are coming from the Sophos logwriter:
http://docs.splunk.com/Documentation/AddOns/latest/Sophos/ConfigureSophosEnterprise

The versions of the apps are Sophos Enterprise Console v5.2.1R2 and Sophos Log Writer 5.1.

The next challenge is to configure the Sophos Log Writer to log data that can be used for Splunk.
