Splunk Enterprise Security

How can I incorporate Sophos Central data in Splunk ES?

gf13579
Communicator

It looks like Sophos' approach to SIEM integration when using Sophos Central (their cloud management offering) is to provide a python script that calls their API and writes new events to a json/cef/kv file, to be ingested by your logging solution of choice.

Has anyone ingested this into Splunk? And integrated the data into ES - via CIM mapping?

Here's the stuff from Sophos: https://community.sophos.com/kb/en-us/125169 (I don't have enough points to post real links)

0 Karma

nickhills
Ultra Champion

Hello, I put together a Sophos Central app you can find here: https://splunkbase.splunk.com/app/3612/#/overview

However, there are a few issues that other users have raised. Let me fix these issues and get a new version released.
I'll update this question when I have done so, and perhaps you might give it a try.

If my comment helps, please give it a thumbs up!

Spinner79
Explorer

Hi Nick,


For Sophos Central, if it is on the Sophos cloud, can it also use this TA you have created?

Please advise.

0 Karma

mpsencik
New Member

Hey Nick, I tried installing your addon and followed your configuration instructions on your GitHub, but I am unable to get data to show up. I'm also getting a ton of Python errors from the addon, so I think something could have broken this addon, or maybe I'm just doing something wrong. If you would like the log files, I'll be happy to provide them to you.

0 Karma

gf13579
Communicator

Thanks Nick.

I see you mention CIM 4.8's Malware data model. Would you expect data returned by your app to support the Malware Operations dataset - supporting ES' correlation searches for out-of-date definitions etc? And for the Malware Attack events - should it be normalising values for action equal to {allowed, blocked, deferred} only?

We ended up writing our own TA, only tagging events with Malware,Attack where the Sophos category is MALWARE (traditional AV) or RUNTIME_DETECTIONS (HmpaCryptoGuard) - effectively disregarding PUA, WEB in order for them not to count as malware infection events from Splunk ES' perspective.

0 Karma

nickhills
Ultra Champion

I don't have access to ES, but that is the intention.
I updated the version on Splunkbase over the weekend which addressed a few issues, but it sounds like you have addressed the issue anyway. ATB!

If my comment helps, please give it a thumbs up!
0 Karma

lfedak_splunk
Splunk Employee

Hey @gf13578, if @robbie1194 helped you solve your inquiry, don't forget to award karma points and close the question by accepting the answer. 🙂

0 Karma

Robbie1194
Communicator

Hi,

I've never had sophos logs myself but generally I find that there is a relevant TA to help with ingesting data in a CIM compliant format available from Splunkbase.

I found this that may be of use to you - https://splunkbase.splunk.com/app/1854/#/details

I recommend you go have a look and make sure it's for the same product etc.

It might also be an idea to speak with sophos directly as i find whenever I am onboarding logs from a cloud based tool, the customer support portal is normally a good place to start.

Cheers.

gf13579
Communicator

Thanks Robbie. I spent some time looking at the TAs already and it looks like they're aimed at customers with an on-prem Sophos server, from which the TA consumes and transforms event data logged by Sophos to various Windows event logs.

It looks like no one has done any Sophos Central -> Sophos ES integration (or no one has publicised it).

0 Karma

Robbie1194
Communicator

Ah okay, I understand your issue now.

I would make a custom app for your sophos cloud logging.

Inside this app, make a bin directory and put the script in there that should pull the data down via their API.

Then, assuming that the sophos logs are in the same format in the json file it generates as they are when generated by on-prem sophos, I'd use the config in their TA for field extractions and mapping to CIM etc.

You might need to play about a bit with some of the config in their TA for whatever is in your json but I don't think it'll be too different.

gf13579
Communicator

Exactly my plan! I was just hoping not to have to reinvent the wheel.

I've taken a look at their TA's props.conf and I've imported some sample JSON data, using the automatic extraction to see what data I have to work with (host name, user, severity etc.), so hopefully it's not too tricky to map the core fields required by the Malware-related ES searches.

Thanks Robbie.

0 Karma
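The approach described in this thread (a bin/ script that pulls Sophos Central events as JSON lines, then tagging only MALWARE and RUNTIME_DETECTIONS events as Malware/Attack with action normalised to allowed/blocked/deferred) can be done at ingestion time instead of in props.conf. The following is an added example written for this page; it is not code from Sophos' SIEM script, from Nick's Splunkbase app, or from any poster's TA. It assumes the Sophos JSON output carries the keys `type`, `group`, `name`, `location`, `source` and `severity` (assumed names, check them against your own output), and the event-type suffix to action mapping is an assumption you should adjust to your data. The script reads JSON lines on stdin and writes them back out with CIM Malware field names added, so Splunk's automatic JSON extraction yields `action`, `signature`, `dest`, `user` and `category` with no further field mapping.

```python
import json
import sys

# Per the thread: only these Sophos groups count as malware infection events in ES.
# PUA and WEB are deliberately left out so they do not drive infection-count searches.
MALWARE_GROUPS = {"MALWARE", "RUNTIME_DETECTIONS"}

# Assumed mapping from the last segment of the Sophos event "type" to the
# CIM Malware action values used by ES (allowed, blocked, deferred).
ACTION_BY_SUFFIX = {
    "CleanedUp": "blocked",       # threat removed
    "Blocked": "blocked",         # execution prevented
    "CleanupFailed": "allowed",   # threat present and not remediated
    "Detected": "deferred",       # detected, remediation pending
}


def cim_action(event_type):
    """Map an event type such as 'Event::Endpoint::Threat::CleanedUp' to a CIM action.
    Unknown suffixes are treated as deferred so they still surface for review."""
    suffix = event_type.rsplit("::", 1)[-1]
    return ACTION_BY_SUFFIX.get(suffix, "deferred")


def normalize(event):
    """Return a copy of the raw Sophos event with CIM Malware fields added."""
    group = event.get("group", "")
    out = dict(event)                        # keep every original field
    out["category"] = group
    out["signature"] = event.get("name", "unknown")
    out["dest"] = event.get("location", "unknown")    # assumed: endpoint hostname
    out["user"] = event.get("source", "unknown")      # assumed: acting user
    out["action"] = cim_action(event.get("type", ""))
    # Flag used by an eventtype so that only these events get the malware/attack tags.
    out["is_malware_attack"] = group in MALWARE_GROUPS
    return out


def normalize_lines(lines):
    """Parse JSON lines (skipping blanks and malformed lines) and normalise each."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            results.append(normalize(json.loads(line)))
        except ValueError:
            continue   # a malformed line should not stop the whole batch
    return results


def malware_attack_events(lines):
    """Only the events that should be tagged Malware, Attack for the ES data model."""
    return [e for e in normalize_lines(lines) if e["is_malware_attack"]]


# Constructed sample output in the assumed Sophos Central JSON-lines shape.
SAMPLE = """
{"type": "Event::Endpoint::Threat::CleanedUp", "group": "MALWARE", "name": "Troj/Example-A", "location": "LAPTOP01", "source": "CORP\\\\alice", "severity": "high"}
{"type": "Event::Endpoint::HmpaCryptoGuard::Detected", "group": "RUNTIME_DETECTIONS", "name": "CryptoGuard", "location": "SRV02", "source": "CORP\\\\svc-backup", "severity": "high"}
{"type": "Event::Endpoint::Threat::PuaDetected", "group": "PUA", "name": "Generic PUA", "location": "LAPTOP03", "source": "CORP\\\\bob", "severity": "medium"}
{"type": "Event::Endpoint::WebControl::Blocked", "group": "WEB", "name": "Blocked category", "location": "LAPTOP04", "source": "CORP\\\\carol", "severity": "low"}
"""


def main():
    # Read the Sophos script output on stdin, emit CIM-enriched JSON lines for Splunk.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for event in normalize_lines(source):
        print(json.dumps(event))


if __name__ == "__main__":
    main()
```

With the flag field in place, an eventtypes.conf stanza whose search is `sourcetype=<your sourcetype> is_malware_attack=true` (assumed sourcetype name) can carry the `malware` and `attack` tags in tags.conf, while PUA and WEB events stay searchable but untagged.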

Robbie1194
Communicator

Good luck!

0 Karma