It looks like Sophos' approach to SIEM integration when using Sophos Central (their cloud management offering) is to provide a python script that calls their API and writes new events to a json/cef/kv file, to be ingested by your logging solution of choice.
Has anyone ingested this into Splunk? And integrated the data into ES - via CIM mapping?
Here's the stuff from Sophos: https://community.sophos.com/kb/en-us/125169 (I don't have enough points to post real links)
Hello, I put together a Sophos Central app you can find here: https://splunkbase.splunk.com/app/3612/#/overview
However, there are a few issues that other users have raised. Let me fix these issues and get a new version released.
I'll update this question when I have done so, and perhaps you might give it a try.
Hi Nick,
For Sophos Central, if it is on the Sophos cloud, can it also use this TA you have created?
Please advise.
Hey Nick, I tried installing your add-on and followed the configuration instructions on your GitHub, but I am unable to get data to show up. I'm also getting a ton of Python errors from the add-on, so I think something could have broken this add-on, or maybe I'm just doing something wrong. If you would like the log files, I'll be happy to provide them to you.
Thanks Nick.
I see you mention CIM 4.8's Malware data model. Would you expect data returned by your app to support the Malware Operations dataset - supporting ES' correlation searches for out-of-date definitions etc? And for the Malware Attack events - should it be normalising values for action equal to {allowed, blocked, deferred} only?
We ended up writing our own TA, only tagging events with Malware, Attack where the Sophos category is MALWARE (traditional AV) or RUNTIME_DETECTIONS (HmpaCryptoGuard), effectively disregarding PUA and WEB so that they do not count as malware infection events from Splunk ES' perspective.
I don't have access to ES, but that is the intention.
I updated the version on Splunkbase over the weekend which addressed a few issues, but it sounds like you have addressed the issue anyway. ATB!
Hey @gf13578, if @robbie1194 helped you solve your inquiry, don't forget to award karma points and close the question by accepting the answer. 🙂
Hi,
I've never had Sophos logs myself, but generally I find that there is a relevant TA to help with ingesting data in a CIM-compliant format available from Splunkbase.
I found this that may be of use to you - https://splunkbase.splunk.com/app/1854/#/details
I recommend you go have a look and make sure it's for the same product etc.
It might also be an idea to speak with Sophos directly, as I find that whenever I am onboarding logs from a cloud-based tool, the customer support portal is normally a good place to start.
Cheers.
Thanks Robbie. I spent some time looking at the TAs already, and it looks like they're aimed at customers with an on-prem Sophos server, from which the TA consumes and transforms event data logged by Sophos to various Windows event logs.
It looks like no-one's done any Sophos Central -> Sophos ES integration (or no-one's publicised it)
Ah okay, I understand your issue now.
I would make a custom app for your Sophos cloud logging.
Inside this app, make a bin directory and put the script in there that should pull the data down via their API.
Then, assuming that the Sophos logs are in the same format in the JSON file it generates as they are when generated by on-prem Sophos, I'd use the config in their TA for field extractions and mapping to CIM etc.
You might need to play about a bit with some of the config in their TA for whatever is in your JSON, but I don't think it'll be too different.
Exactly my plan! I was just hoping not to have to reinvent the wheel.
I've taken a look at their TA's props.conf and I've imported some sample JSON data, using the automatic extraction to see what data I have to work with (host name, user, severity etc.), so hopefully it's not too tricky to map the core fields required by the Malware-related ES searches.
Thanks Robbie.
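As an added illustration of the approach discussed in this thread (the custom TA that only tags MALWARE and RUNTIME_DETECTIONS events as Malware/Attack, and the plan to map the JSON produced by the Sophos export script onto the core CIM Malware fields), here is a small Python pre-processor that could sit in the app's bin directory beside the Sophos script. This is example code written for this thread, not Sophos' script nor any Splunkbase app. The Sophos Central field names (`category`, `action`, `location`, `user`, `name`, `severity`) and the raw action words are assumptions about what the export script writes, and the sample JSON lines are constructed; check them against your own file and adjust the maps accordingly.

```python
import json
from typing import Iterable, List, Optional

# Sophos Central categories that count as malware infection events for ES.
# PUA and WEB are deliberately excluded so ES does not treat them as infections.
MALWARE_CATEGORIES = {"MALWARE", "RUNTIME_DETECTIONS"}

# Raw action words (assumed, not taken from Sophos documentation) mapped onto the
# CIM Malware Attacks 'action' values {allowed, blocked, deferred}.
ACTION_MAP = {
    "blocked": "blocked",
    "cleaned_up": "blocked",
    "quarantined": "blocked",
    "deleted": "blocked",
    "detected": "allowed",       # seen but not remediated
    "allowed": "allowed",
    "pending_restart": "deferred",  # remediation waits for a reboot
    "deferred": "deferred",
}


def normalize_action(raw: Optional[str]) -> Optional[str]:
    """Return the CIM action for a raw Sophos action word, or None if unknown."""
    if raw is None:
        return None
    key = raw.strip().lower().replace(" ", "_")
    return ACTION_MAP.get(key)


def is_malware_attack(event: dict) -> bool:
    """True only for categories the thread treats as real malware infections."""
    return str(event.get("category", "")).upper() in MALWARE_CATEGORIES


def to_cim_malware(event: dict) -> Optional[dict]:
    """Map one Sophos Central JSON event onto core CIM Malware fields.

    Returns None for events that should not be tagged malware/attack.
    Field names on the right-hand side are assumptions about the export format.
    """
    if not is_malware_attack(event):
        return None
    cim = {
        "tag": ["malware", "attack"],
        "dest": event.get("location"),      # assumed: endpoint host name
        "user": event.get("user"),
        "signature": event.get("name"),     # assumed: detection/threat name
        "severity": str(event.get("severity", "")).lower() or None,
        "category": event.get("category"),
        "vendor_product": "Sophos Central",
    }
    action = normalize_action(event.get("action"))
    if action:
        cim["action"] = action
    return cim


def process_lines(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-per-line output and keep only CIM-mapped malware events.

    A malformed line is skipped rather than aborting the whole file, so one bad
    write by the export script cannot stall ingestion of everything after it.
    """
    out: List[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        cim = to_cim_malware(event)
        if cim is not None:
            out.append(cim)
    return out


# Constructed sample lines in the assumed JSON-per-line layout (not real data).
SAMPLE_LINES = [
    '{"category": "MALWARE", "name": "Troj/Example-A", "location": "PC-01", '
    '"user": "alice", "severity": "high", "action": "cleaned up"}',
    '{"category": "RUNTIME_DETECTIONS", "name": "HmpaCryptoGuard", "location": "PC-02", '
    '"user": "bob", "severity": "high", "action": "blocked"}',
    '{"category": "PUA", "name": "PUA/Example-B", "location": "PC-03", '
    '"user": "carol", "severity": "low", "action": "detected"}',
    '{"category": "WEB", "name": "Blocked URL", "location": "PC-04", '
    '"user": "dave", "severity": "medium", "action": "blocked"}',
    'this line is not json',
]

if __name__ == "__main__":
    for record in process_lines(SAMPLE_LINES):
        print(json.dumps(record))
```

Run over the real export file instead of `SAMPLE_LINES` and write the output to a second file that the TA's inputs.conf monitors; the tags then come from the emitted `tag` field rather than from a tags.conf stanza that would otherwise have to express the category filter.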
Good luck!