Splunk Enterprise Security

How can I incorporate Sophos Central data in Splunk ES?

Communicator

It looks like Sophos' approach to SIEM integration when using Sophos Central (their cloud management offering) is to provide a Python script that calls their API and writes new events to a JSON/CEF/KV file, to be ingested by your logging solution of choice.

Has anyone ingested this into Splunk? And integrated the data into ES - via CIM mapping?

Here's the stuff from Sophos: https://community.sophos.com/kb/en-us/125169 (I don't have enough points to post real links)

0 Karma

Re: How can I incorporate Sophos Central data in Splunk ES?

Communicator

Hi,

I've never had Sophos logs myself, but generally I find that there is a relevant TA available from Splunkbase to help with ingesting data in a CIM-compliant format.

I found this that may be of use to you - https://splunkbase.splunk.com/app/1854/#/details

I recommend you go have a look and make sure it's for the same product etc.

It might also be an idea to speak with Sophos directly, as I find that whenever I am onboarding logs from a cloud-based tool, the customer support portal is normally a good place to start.

Cheers.


Re: How can I incorporate Sophos Central data in Splunk ES?

Communicator

Thanks Robbie. I spent some time looking at the TAs already, and it looks like they're aimed at customers with an on-prem Sophos server, from which the TA consumes and transforms event data logged by Sophos to various Windows event logs.

It looks like no-one's done any Sophos Central -> Sophos ES integration (or no-one's publicised it)

0 Karma

Re: How can I incorporate Sophos Central data in Splunk ES?

Communicator

Ah okay, I understand your issue now.

I would make a custom app for your Sophos cloud logging.

Inside this app, make a bin directory and put the script that pulls the data down via their API in there.

Then, assuming that the Sophos logs in the JSON file it generates are in the same format as those generated by on-prem Sophos, I'd use the config in their TA for field extractions, mapping to CIM, etc.

You might need to play about a bit with some of the config in their TA for whatever is in your JSON, but I don't think it'll be too different.


Re: How can I incorporate Sophos Central data in Splunk ES?

Communicator

Exactly my plan! I was just hoping not to have to reinvent the wheel.

I've taken a look at their TA's props.conf and I've imported some sample JSON data, using the automatic extraction to see what data I have to work with (host name, user, severity, etc.), so hopefully it's not too tricky to map the core fields required by the Malware-related ES searches.

Thanks Robbie.

0 Karma

Re: How can I incorporate Sophos Central data in Splunk ES?

Communicator

Good luck!

0 Karma

Re: How can I incorporate Sophos Central data in Splunk ES?

Splunk Employee

Hey @gf13578, if @robbie1194 helped you solve your inquiry, don't forget to award karma points and close the question by accepting the answer. 🙂

0 Karma

Re: How can I incorporate Sophos Central data in Splunk ES?

Ultra Champion

Hello, I put together a Sophos Central app you can find here: https://splunkbase.splunk.com/app/3612/#/overview

However, there are a few issues that other users have raised. Let me fix these issues and get a new version released.
I'll update this question when I have done so, and perhaps you might give it a try.


Re: How can I incorporate Sophos Central data in Splunk ES?

Communicator

Thanks Nick.

I see you mention CIM 4.8's Malware data model. Would you expect data returned by your app to support the Malware Operations dataset - supporting ES' correlation searches for out-of-date definitions etc? And for the Malware Attack events - should it be normalising values for action equal to {allowed, blocked, deferred} only?

We ended up writing our own TA, only tagging events with Malware,Attack where the Sophos category is MALWARE (traditional AV) or RUNTIME_DETECTIONS (HmpaCryptoGuard), effectively disregarding PUA and WEB so that they do not count as malware infection events from Splunk ES' perspective.

0 Karma
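The two rules described in the post above (tag only MALWARE and RUNTIME_DETECTIONS events as Malware,Attack, and collapse the vendor outcome into the three CIM action values) and the mapping step Robbie suggested earlier in the thread are easy to get subtly wrong, so here is the same logic as a stand-alone Python script that can be run over a JSON-lines file before it is turned into props/eventtypes/tags config. This is an added example, not code from the thread, from Sophos or from Splunk. The event layout, the `type` strings and the outcome-to-action table are constructed approximations of the file the Sophos SIEM script writes and must be checked against your own output; the sample events are constructed, not captured from a tenant.

```python
"""Map Sophos Central style JSON events to Splunk CIM 'Malware Attacks' fields.

Added example; not code from the thread, from Sophos or from Splunk. The
event layout and the 'type' strings are a constructed approximation of the
JSON-lines file described in the thread. Verify them against your own file.
"""
import json

# Only these Sophos categories count as malware infections, as in the
# thread's TA. PUA and WEB events are still parsed but not tagged.
MALWARE_CATEGORIES = {"MALWARE", "RUNTIME_DETECTIONS"}

# CIM Malware Attacks allows exactly these values for 'action'.
CIM_ACTIONS = ("allowed", "blocked", "deferred")

# Assumption: the last '::' segment of the vendor 'type' string names the
# remediation outcome. Unrecognised outcomes map to 'allowed' so that they
# surface for triage instead of being silently counted as remediated.
OUTCOME_TO_ACTION = {
    "CleanedUp": "blocked",
    "Blocked": "blocked",
    "Detected": "allowed",
    "CleanupFailed": "allowed",
    "CleanupPendingRestart": "deferred",
}


def normalise_action(event_type):
    """Collapse a vendor outcome into one of the three CIM action values."""
    outcome = event_type.rsplit("::", 1)[-1]
    return OUTCOME_TO_ACTION.get(outcome, "allowed")


def is_malware_attack(event):
    """True only for categories ES should count as infections."""
    return event.get("category") in MALWARE_CATEGORIES


def to_cim(event):
    """Return the CIM fields ES expects, plus the tags the event should carry."""
    return {
        "_time": event["when"],
        "dest": event["location"],            # endpoint where the detection fired
        "user": event.get("source"),          # logged-on user, when reported
        "signature": event.get("threat", event["name"]),
        "severity": event.get("severity", "unknown"),
        "vendor_product": "Sophos Central",
        "category": event.get("category"),
        "action": normalise_action(event["type"]),
        "tag": ["malware", "attack"] if is_malware_attack(event) else [],
    }


def normalise_file(text):
    """Parse a JSON-lines file and normalise every non-empty line."""
    return [to_cim(json.loads(line)) for line in text.splitlines() if line.strip()]


def malware_attacks(text):
    """Only the events Splunk ES should see in the Malware Attacks data model."""
    return [e for e in normalise_file(text) if e["tag"]]


# Constructed sample input (not captured from a real tenant); field names
# and 'type' values are assumptions about the Sophos script's output.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"when": "2019-01-10T09:12:01.000Z", "type": "Event::Endpoint::Threat::CleanedUp",
     "category": "MALWARE", "location": "WS-0412", "source": "CORP\\jdoe",
     "severity": "high", "threat": "Troj/Agent-ABC", "name": "Malware cleaned up"},
    {"when": "2019-01-10T09:15:44.000Z", "type": "Event::Endpoint::Threat::Detected",
     "category": "RUNTIME_DETECTIONS", "location": "SRV-01",
     "severity": "high", "threat": "CryptoGuard", "name": "Ransomware activity detected"},
    {"when": "2019-01-10T09:20:00.000Z", "type": "Event::Endpoint::Threat::CleanedUp",
     "category": "PUA", "location": "WS-0099", "source": "CORP\\asmith",
     "severity": "medium", "threat": "Generic PUA AB", "name": "PUA cleaned up"},
    {"when": "2019-01-10T09:21:10.000Z", "type": "Event::Endpoint::Web::Blocked",
     "category": "WEB", "location": "WS-0099", "source": "CORP\\asmith",
     "severity": "low", "name": "Web site blocked"},
    {"when": "2019-01-10T09:30:05.000Z", "type": "Event::Endpoint::Threat::CleanupPendingRestart",
     "category": "MALWARE", "location": "WS-0412", "source": "CORP\\jdoe",
     "severity": "high", "threat": "Troj/Agent-ABC", "name": "Cleanup pending restart"},
])

if __name__ == "__main__":
    for e in malware_attacks(SAMPLE):
        print(e["_time"], e["dest"], e["action"], e["signature"], e["tag"])
```

Running it prints only the three MALWARE/RUNTIME_DETECTIONS events, with the first as `blocked`, the CryptoGuard detection as `allowed` and the pending-restart clean-up as `deferred`; the PUA and WEB lines are parsed but carry no tag, which is what keeps them out of the ES infection counts. The default of `allowed` for an outcome not in the table is a deliberate choice: an unknown disposition should raise an alert rather than be reported as remediated.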

Re: How can I incorporate Sophos Central data in Splunk ES?

Ultra Champion

I don't have access to ES, but that is the intention.
I updated the version on Splunkbase over the weekend which addressed a few issues, but it sounds like you have addressed the issue anyway. ATB!

0 Karma