Splunk Enterprise Security

Sophos Reporting Interface and choosing the correct sourcetypes

davidmonaghan
Explorer

Hi All

I am currently gathering logs from Sophos Enterprise Console 5.1 using the Sophos Reporting Log Writer.

I have installed Splunk_TA_sophos on the Universal Forwarder and Indexer.

Sophos is collecting 2 types logs - DefaultCommonEvents and DefaultThreats

Based on these types of logs, what are the appropriate sourcetypes that I should apply?

This is from SophosLogWriterConfig file

<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
    <connection>
        <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
    </connection>
        <noOfDays>7</noOfDays>
        <lagTime>1</lagTime>
    <datafeeds>
        <datafeed>
            <tick>1000</tick>           
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultCommonEvents.log</outputFilename>
            </logFile>      
            <logFile logType="WindowsLog">
                <logName>DefaultCommonEvents</logName>
            </logFile>
            <call callID="DefaultCommonEvents">
                <dataSource>EventsCommonData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
            </call>
        </datafeed>
        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultThreats.log</outputFilename>
            </logFile>
            <call callID="DefaultThreats">
                <dataSource>ThreatEventData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Threats.config</dataConfigurationFile>
            </call>
        </datafeed>
    </datafeeds>
</SophosDatafeed>

This is from default inputs.conf file

[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://<SEC_LOG_PATH>\Threats.log]
disabled = 1
sourcetype=sophos:threats

[monitor://<SEC_LOG_PATH>\WebData.log]
disabled = 1
sourcetype=sophos:webdata

[monitor://<SEC_LOG_PATH>\Firewall*.txt]
disabled = 1
sourcetype=sophos:firewall

[monitor://<SEC_LOG_PATH>\AppControl.log]
disabled = 1
sourcetype=sophos:AppControl

[monitor://<SEC_LOG_PATH>\DeviceControl.txt]
disabled = 1
sourcetype=sophos:devicecontrol

[monitor://<SEC_LOG_PATH>\TamperProtection.log]
disabled = 1
sourcetype=sophos:tamperprotection

[monitor://<SEC_LOG_PATH>\DataControl.txt]
disabled = 1
sourcetype=sophos:datacontrol

[monitor://<SEC_LOG_PATH>\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata

Could someone advise which sourcetypes are most appropriate for DefaultCommonEvents and DefaultThreats

0 Karma
1 Solution

davidmonaghan
Explorer

After a bit of experimentation, I believe the following should be correct...

The default config for Sophos Log Writer includes EventsCommonData which does not map to any Splunk_TA_sophos CIM models. For this reason I created a new Sophos event-type.

Similarly, the Splunk_TA_sophos eventtype sophos:sec does not map to any Sophos Log Writer data sources.

Sophos LogWiter data sources -> Splunk_TA_sophos sourcetypes
EventsApplicationControlData -> sophos:AppControl
EventsCommonData -> sophoscommonevents
EventsDataControlData -> sophos:datacontrol
EventsDeviceControlData -> sophos:devicecontrol
EventsFirewallData -> sophos:firewall (maps to Network Traffic)
EventsTamperProtectionData -> sophos:tamperprotection (maps to Change Analysis)
EventsWebData -> sophos:webdata
ThreatEventData -> sophos:threats
ThreatInstances -> sophos:computerdata (maps to Malware)

sophos:sec (maps to Change Analysis, Malware, Network Traffic)

Complete Inputs.conf located on the Universal Forwarder

[WinEventLog://Sophos Patch]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultCommonEvents.log]
disabled = 0
sourcetype=sophos:commonevents

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultThreats.log]
disabled = 0
sourcetype=sophos:threats

[monitor://path\to\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata

[monitor://path\to\Sophos\Reporting Interface\Log Files\Firewall.log]
disabled = 0
sourcetype=sophos:firewall

[monitor://path\to\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://path\to\Sophos\Reporting Interface\Log Files\DeviceControl.log]
disabled = 0
sourcetype=sophos:devicecontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection

[monitor://path\to\Sophos\Reporting Interface\Log Files\DataControl.log]
disabled = 0
sourcetype=sophos:datacontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 0
sourcetype=sophos:computerdata

Complete SophosLogWriterConfig.config file

<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
    <connection>
        <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
    </connection>
        <noOfDays>7</noOfDays>
        <lagTime>1</lagTime>
    <datafeeds>
        <datafeed>
            <tick>1000</tick>           
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultCommonEvents.log</outputFilename>
            </logFile>      
            <logFile logType="WindowsLog">
                <logName>DefaultCommonEvents</logName>
            </logFile>
            <call callID="DefaultCommonEvents">
                <dataSource>EventsCommonData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
            </call>
        </datafeed>
        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultThreats.log</outputFilename>
            </logFile>
            <call callID="DefaultThreats">
                <dataSource>ThreatEventData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Threats.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>AppControl.log</outputFilename>
            </logFile>
            <call callID="ApplicationControl">
                <dataSource>EventsApplicationControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ApplicationControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DataControl.log</outputFilename>
            </logFile>
            <call callID="DataControl">
                <dataSource>EventsDataControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DataControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DeviceControl.log</outputFilename>
            </logFile>
            <call callID="DeviceControl">
                <dataSource>EventsDeviceControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DeviceControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>Firewall.log</outputFilename>
            </logFile>
            <call callID="Firewall">
                <dataSource>EventsFirewallData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Firewall.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>TamperProtection.log</outputFilename>
            </logFile>
            <call callID="TamperProtection">
                <dataSource>EventsTamperProtectionData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>TamperProtection.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>WebData.log</outputFilename>
            </logFile>
            <call callID="WebData">
                <dataSource>EventsWebData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Web.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>ComputerData.log</outputFilename>
            </logFile>
            <call callID="ThreatInstances">
                <dataSource>ThreatInstances</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
            </call>
        </datafeed>

    </datafeeds>
</SophosDatafeed>

View solution in original post

0 Karma

davidmonaghan
Explorer

After a bit of experimentation, I believe the following should be correct...

The default config for Sophos Log Writer includes EventsCommonData which does not map to any Splunk_TA_sophos CIM models. For this reason I created a new Sophos event-type.

Similarly, the Splunk_TA_sophos eventtype sophos:sec does not map to any Sophos Log Writer data sources.

Sophos LogWiter data sources -> Splunk_TA_sophos sourcetypes
EventsApplicationControlData -> sophos:AppControl
EventsCommonData -> sophoscommonevents
EventsDataControlData -> sophos:datacontrol
EventsDeviceControlData -> sophos:devicecontrol
EventsFirewallData -> sophos:firewall (maps to Network Traffic)
EventsTamperProtectionData -> sophos:tamperprotection (maps to Change Analysis)
EventsWebData -> sophos:webdata
ThreatEventData -> sophos:threats
ThreatInstances -> sophos:computerdata (maps to Malware)

sophos:sec (maps to Change Analysis, Malware, Network Traffic)

Complete Inputs.conf located on the Universal Forwarder

[WinEventLog://Sophos Patch]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultCommonEvents.log]
disabled = 0
sourcetype=sophos:commonevents

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultThreats.log]
disabled = 0
sourcetype=sophos:threats

[monitor://path\to\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata

[monitor://path\to\Sophos\Reporting Interface\Log Files\Firewall.log]
disabled = 0
sourcetype=sophos:firewall

[monitor://path\to\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://path\to\Sophos\Reporting Interface\Log Files\DeviceControl.log]
disabled = 0
sourcetype=sophos:devicecontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection

[monitor://path\to\Sophos\Reporting Interface\Log Files\DataControl.log]
disabled = 0
sourcetype=sophos:datacontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 0
sourcetype=sophos:computerdata

Complete SophosLogWriterConfig.config file

<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
    <connection>
        <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
    </connection>
        <noOfDays>7</noOfDays>
        <lagTime>1</lagTime>
    <datafeeds>
        <datafeed>
            <tick>1000</tick>           
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultCommonEvents.log</outputFilename>
            </logFile>      
            <logFile logType="WindowsLog">
                <logName>DefaultCommonEvents</logName>
            </logFile>
            <call callID="DefaultCommonEvents">
                <dataSource>EventsCommonData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
            </call>
        </datafeed>
        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultThreats.log</outputFilename>
            </logFile>
            <call callID="DefaultThreats">
                <dataSource>ThreatEventData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Threats.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>AppControl.log</outputFilename>
            </logFile>
            <call callID="ApplicationControl">
                <dataSource>EventsApplicationControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ApplicationControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DataControl.log</outputFilename>
            </logFile>
            <call callID="DataControl">
                <dataSource>EventsDataControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DataControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DeviceControl.log</outputFilename>
            </logFile>
            <call callID="DeviceControl">
                <dataSource>EventsDeviceControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DeviceControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>Firewall.log</outputFilename>
            </logFile>
            <call callID="Firewall">
                <dataSource>EventsFirewallData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Firewall.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>TamperProtection.log</outputFilename>
            </logFile>
            <call callID="TamperProtection">
                <dataSource>EventsTamperProtectionData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>TamperProtection.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>WebData.log</outputFilename>
            </logFile>
            <call callID="WebData">
                <dataSource>EventsWebData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Web.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>ComputerData.log</outputFilename>
            </logFile>
            <call callID="ThreatInstances">
                <dataSource>ThreatInstances</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
            </call>
        </datafeed>

    </datafeeds>
</SophosDatafeed>
0 Karma

lakshman239
Influencer

Hope you have seen these docs. http://downloads.sophos.com/readmes/srlw_51_rneng.html and http://docs.splunk.com/Documentation/AddOns/released/Sophos/ConfigureSophosEnterprise . If you have pulled the files to the server where Splunk UF and TA is installed, I would configure the local/inputs.conf with all the above enabled and point to your files as appropriate in dev and and adjust/change as needed. we generally look at threat data.

0 Karma

davidmonaghan
Explorer

Hi @lakshman239, thanks for your reply.

I have followed the instructions in both the linked documents.

What is not clear to me is how LogWiter data sources match to the Splunk_TA_sophos sourcetypes

Based on the below data I'd assume that DefaultThreats maps to sophos:threats but I have no idea what would be appropriate for DefaultCommonEvents

Sophos LogWiter data sources
A. EventsApplicationControlData
B. EventsCommonData
C. EventsDataControlData
D. EventsDeviceControlData (added new data fields)
E. EventsFirewallData
F. EventsTamperProtectionData
G. EventsWebData (added new data fields)
H. ThreatEventData
I. ThreatInstances

Splunk_TA_sophos sourcetypes
A. sophos:sec (maps to Change Analysis, Malware, Network Traffic)
B. sophos:threats
C. sophos:webdata
D. sophos:firewall (maps to Network Traffic)
E. sophos:AppControl
F. sophos:devicecontrol
G. sophos:tamperprotection (maps to Change Analysis)
H. sophos:datacontrol
I. sophos:computerdata (maps to Malware)

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...