What is sophos:sec?

Path Finder

In the docs for the Splunk_TA_sophos app there is a reference to "sophos:sec", but the only reference I can find for this in the app is in the transforms or props file.

Can someone confirm its intended function? Is it for the syslog version of the logs, or the UTM logs?

When I trace backwards from the Malware data model to see what it does, I get to eventtypes, and it seems that sophos:sec is paired with most other input sourcetypes, which makes me think it is the syslog version.

Has anyone worked heavily with this app before?

0 Karma

Splunk Employee

Per, it is one of the sourcetypes for the Sophos Endpoint Console Server logs and maps data for the Change Analysis, Malware, and Network Traffic CIM models.

Here are the instructions for how to configure the collection for these logs:

Path Finder

Thanks for the quick response; however, per my question, I have already read those links and they don't say much.

What is the source of sophos:sec data? There is no input, and the transforms/props doesn't seem to match anything.

0 Karma


If you take a look in the props.conf file, you will see there is a [sophos:sec] stanza, with field aliasing to CIM field names.

I collected the logs using the sourcetypes described in the TA's inputs.conf file, then renamed their sourcetype at search time to the sophos:sec sourcetype. You only need to use sophos:sec if you want CIM-compliant field names.

0 Karma

New Member

A comment in transforms.conf suggests using host matching to remap the sourcetype, but that changes the sourcetypes of all events emitted from that host. So, suddenly your plain-vanilla Windows sourcetypes disappear.

Instead, I've used the [(?::){0}sophos:*] trick in props.conf to get those CIM-compatible search-time aliases and lookups to fire.

My current problem with them is that they don't exactly match the output from Reporting Log Writer anymore. When I get the field mappings working again, I'll report back here.

0 Karma
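The three configurations discussed in this thread, side by side, as an added example that is not from the Splunk_TA_sophos app or any of the posters: the index-time host remap that the transforms.conf comment suggests (which rewrites every event from the host), the search-time `rename` approach from the earlier answer, and the `[(?::){0}sophos:*]` wildcard stanza from the last post. The host name, the placeholder input sourcetype name, and the field aliases are all assumptions for illustration; the real input sourcetypes come from the TA's inputs.conf and the real aliases from its `[sophos:sec]` stanza.

```ini
# --- transforms.conf: index-time host remap (the pattern the last post warns about) ---
# REGEX runs against _raw by default, so "." matches every non-empty event from
# whichever stanza references this transform. The sourcetype of each such event
# is rewritten to sophos:sec at index time, before any props for the original
# sourcetype are considered.
[sophos_sec_by_host]
REGEX = .
FORMAT = sourcetype::sophos:sec
DEST_KEY = MetaData:Sourcetype

# --- props.conf ---
# Weak: binds the index-time remap to every event from this host, so Windows
# event logs forwarded from the same box lose their own sourcetype too.
# "sophos-console-01" is a constructed host name.
[host::sophos-console-01]
TRANSFORMS-sophos_sec = sophos_sec_by_host

# Alternative A (search time only): rename the TA's input sourcetype so that the
# search-time settings of [sophos:sec] (field aliases, lookups) apply to it.
# The stanza name is a placeholder; substitute the sourcetype from inputs.conf.
[sophos_input_sourcetype_placeholder]
rename = sophos:sec

# Alternative B (search time only): match every sourcetype that begins with
# "sophos:" without renaming anything. The (?::){0} prefix tells Splunk the
# stanza is a sourcetype wildcard rather than a host:: or source:: pattern.
# The aliases below are hypothetical; the TA's own [sophos:sec] stanza defines
# the real CIM mappings.
[(?::){0}sophos:*]
FIELDALIAS-sophos_dest = Computer AS dest
FIELDALIAS-sophos_signature = ThreatName AS signature
FIELDALIAS-sophos_user = User AS user
```

Only the index-time remap changes what is stored; the two search-time alternatives leave the original sourcetype on disk and are reversible by editing props.conf. A quick way to confirm which one is in effect is `index=<your_index> host=<console_host> | stats count by sourcetype`: with the host remap active, every sourcetype from that host collapses into sophos:sec, whereas with alternative A or B the input sourcetypes remain visible.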