Splunk Enterprise Security

Sophos Reporting Interface and choosing the correct sourcetypes

davidmonaghan
Explorer

Hi All

I am currently gathering logs from Sophos Enterprise Console 5.1 using the Sophos Reporting Log Writer.

I have installed Splunk_TA_sophos on the Universal Forwarder and Indexer.

Sophos is collecting 2 types logs - DefaultCommonEvents and DefaultThreats

Based on these types of logs, what are the appropriate sourcetypes that I should apply?

This is from SophosLogWriterConfig file

<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
    <connection>
        <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
    </connection>
        <noOfDays>7</noOfDays>
        <lagTime>1</lagTime>
    <datafeeds>
        <datafeed>
            <tick>1000</tick>           
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultCommonEvents.log</outputFilename>
            </logFile>      
            <logFile logType="WindowsLog">
                <logName>DefaultCommonEvents</logName>
            </logFile>
            <call callID="DefaultCommonEvents">
                <dataSource>EventsCommonData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
            </call>
        </datafeed>
        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultThreats.log</outputFilename>
            </logFile>
            <call callID="DefaultThreats">
                <dataSource>ThreatEventData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Threats.config</dataConfigurationFile>
            </call>
        </datafeed>
    </datafeeds>
</SophosDatafeed>

This is from default inputs.conf file

[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://<SEC_LOG_PATH>\Threats.log]
disabled = 1
sourcetype=sophos:threats

[monitor://<SEC_LOG_PATH>\WebData.log]
disabled = 1
sourcetype=sophos:webdata

[monitor://<SEC_LOG_PATH>\Firewall*.txt]
disabled = 1
sourcetype=sophos:firewall

[monitor://<SEC_LOG_PATH>\AppControl.log]
disabled = 1
sourcetype=sophos:AppControl

[monitor://<SEC_LOG_PATH>\DeviceControl.txt]
disabled = 1
sourcetype=sophos:devicecontrol

[monitor://<SEC_LOG_PATH>\TamperProtection.log]
disabled = 1
sourcetype=sophos:tamperprotection

[monitor://<SEC_LOG_PATH>\DataControl.txt]
disabled = 1
sourcetype=sophos:datacontrol

[monitor://<SEC_LOG_PATH>\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata

Could someone advise which sourcetypes are most appropriate for DefaultCommonEvents and DefaultThreats

0 Karma
1 Solution

davidmonaghan
Explorer

After a bit of experimentation, I believe the following should be correct...

The default config for Sophos Log Writer includes EventsCommonData which does not map to any Splunk_TA_sophos CIM models. For this reason I created a new Sophos event-type.

Similarly, the Splunk_TA_sophos eventtype sophos:sec does not map to any Sophos Log Writer data sources.

Sophos LogWiter data sources -> Splunk_TA_sophos sourcetypes
EventsApplicationControlData -> sophos:AppControl
EventsCommonData -> sophoscommonevents
EventsDataControlData -> sophos:datacontrol
EventsDeviceControlData -> sophos:devicecontrol
EventsFirewallData -> sophos:firewall (maps to Network Traffic)
EventsTamperProtectionData -> sophos:tamperprotection (maps to Change Analysis)
EventsWebData -> sophos:webdata
ThreatEventData -> sophos:threats
ThreatInstances -> sophos:computerdata (maps to Malware)

sophos:sec (maps to Change Analysis, Malware, Network Traffic)

Complete Inputs.conf located on the Universal Forwarder

[WinEventLog://Sophos Patch]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultCommonEvents.log]
disabled = 0
sourcetype=sophos:commonevents

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultThreats.log]
disabled = 0
sourcetype=sophos:threats

[monitor://path\to\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata

[monitor://path\to\Sophos\Reporting Interface\Log Files\Firewall.log]
disabled = 0
sourcetype=sophos:firewall

[monitor://path\to\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://path\to\Sophos\Reporting Interface\Log Files\DeviceControl.log]
disabled = 0
sourcetype=sophos:devicecontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection

[monitor://path\to\Sophos\Reporting Interface\Log Files\DataControl.log]
disabled = 0
sourcetype=sophos:datacontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 0
sourcetype=sophos:computerdata

Complete SophosLogWriterConfig.config file

<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
    <connection>
        <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
    </connection>
        <noOfDays>7</noOfDays>
        <lagTime>1</lagTime>
    <datafeeds>
        <datafeed>
            <tick>1000</tick>           
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultCommonEvents.log</outputFilename>
            </logFile>      
            <logFile logType="WindowsLog">
                <logName>DefaultCommonEvents</logName>
            </logFile>
            <call callID="DefaultCommonEvents">
                <dataSource>EventsCommonData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
            </call>
        </datafeed>
        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultThreats.log</outputFilename>
            </logFile>
            <call callID="DefaultThreats">
                <dataSource>ThreatEventData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Threats.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>AppControl.log</outputFilename>
            </logFile>
            <call callID="ApplicationControl">
                <dataSource>EventsApplicationControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ApplicationControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DataControl.log</outputFilename>
            </logFile>
            <call callID="DataControl">
                <dataSource>EventsDataControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DataControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DeviceControl.log</outputFilename>
            </logFile>
            <call callID="DeviceControl">
                <dataSource>EventsDeviceControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DeviceControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>Firewall.log</outputFilename>
            </logFile>
            <call callID="Firewall">
                <dataSource>EventsFirewallData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Firewall.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>TamperProtection.log</outputFilename>
            </logFile>
            <call callID="TamperProtection">
                <dataSource>EventsTamperProtectionData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>TamperProtection.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>WebData.log</outputFilename>
            </logFile>
            <call callID="WebData">
                <dataSource>EventsWebData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Web.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>ComputerData.log</outputFilename>
            </logFile>
            <call callID="ThreatInstances">
                <dataSource>ThreatInstances</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
            </call>
        </datafeed>

    </datafeeds>
</SophosDatafeed>

View solution in original post

0 Karma

davidmonaghan
Explorer

After a bit of experimentation, I believe the following should be correct...

The default config for Sophos Log Writer includes EventsCommonData which does not map to any Splunk_TA_sophos CIM models. For this reason I created a new Sophos event-type.

Similarly, the Splunk_TA_sophos eventtype sophos:sec does not map to any Sophos Log Writer data sources.

Sophos LogWiter data sources -> Splunk_TA_sophos sourcetypes
EventsApplicationControlData -> sophos:AppControl
EventsCommonData -> sophoscommonevents
EventsDataControlData -> sophos:datacontrol
EventsDeviceControlData -> sophos:devicecontrol
EventsFirewallData -> sophos:firewall (maps to Network Traffic)
EventsTamperProtectionData -> sophos:tamperprotection (maps to Change Analysis)
EventsWebData -> sophos:webdata
ThreatEventData -> sophos:threats
ThreatInstances -> sophos:computerdata (maps to Malware)

sophos:sec (maps to Change Analysis, Malware, Network Traffic)

Complete Inputs.conf located on the Universal Forwarder

[WinEventLog://Sophos Patch]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultCommonEvents.log]
disabled = 0
sourcetype=sophos:commonevents

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultThreats.log]
disabled = 0
sourcetype=sophos:threats

[monitor://path\to\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata

[monitor://path\to\Sophos\Reporting Interface\Log Files\Firewall.log]
disabled = 0
sourcetype=sophos:firewall

[monitor://path\to\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://path\to\Sophos\Reporting Interface\Log Files\DeviceControl.log]
disabled = 0
sourcetype=sophos:devicecontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection

[monitor://path\to\Sophos\Reporting Interface\Log Files\DataControl.log]
disabled = 0
sourcetype=sophos:datacontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 0
sourcetype=sophos:computerdata

Complete SophosLogWriterConfig.config file

<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
    <connection>
        <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
    </connection>
        <noOfDays>7</noOfDays>
        <lagTime>1</lagTime>
    <datafeeds>
        <datafeed>
            <tick>1000</tick>           
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultCommonEvents.log</outputFilename>
            </logFile>      
            <logFile logType="WindowsLog">
                <logName>DefaultCommonEvents</logName>
            </logFile>
            <call callID="DefaultCommonEvents">
                <dataSource>EventsCommonData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
            </call>
        </datafeed>
        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DefaultThreats.log</outputFilename>
            </logFile>
            <call callID="DefaultThreats">
                <dataSource>ThreatEventData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Threats.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>AppControl.log</outputFilename>
            </logFile>
            <call callID="ApplicationControl">
                <dataSource>EventsApplicationControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ApplicationControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DataControl.log</outputFilename>
            </logFile>
            <call callID="DataControl">
                <dataSource>EventsDataControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DataControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>DeviceControl.log</outputFilename>
            </logFile>
            <call callID="DeviceControl">
                <dataSource>EventsDeviceControlData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>DeviceControl.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>Firewall.log</outputFilename>
            </logFile>
            <call callID="Firewall">
                <dataSource>EventsFirewallData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Firewall.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>TamperProtection.log</outputFilename>
            </logFile>
            <call callID="TamperProtection">
                <dataSource>EventsTamperProtectionData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>TamperProtection.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>WebData.log</outputFilename>
            </logFile>
            <call callID="WebData">
                <dataSource>EventsWebData</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>Web.config</dataConfigurationFile>
            </call>
        </datafeed>

        <datafeed>
            <tick>1000</tick>
            <logFile logType="LogFile">
                <noOfBackupFiles>5</noOfBackupFiles>
                <fileSize>1MB</fileSize>
                <outputLocation>.\Log Files</outputLocation>
                <outputFilename>ComputerData.log</outputFilename>
            </logFile>
            <call callID="ThreatInstances">
                <dataSource>ThreatInstances</dataSource>
                <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
                <dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
            </call>
        </datafeed>

    </datafeeds>
</SophosDatafeed>
0 Karma

lakshman239
Influencer

Hope you have seen these docs. http://downloads.sophos.com/readmes/srlw_51_rneng.html and http://docs.splunk.com/Documentation/AddOns/released/Sophos/ConfigureSophosEnterprise . If you have pulled the files to the server where Splunk UF and TA is installed, I would configure the local/inputs.conf with all the above enabled and point to your files as appropriate in dev and and adjust/change as needed. we generally look at threat data.

0 Karma

davidmonaghan
Explorer

Hi @lakshman239, thanks for your reply.

I have followed the instructions in both the linked documents.

What is not clear to me is how LogWiter data sources match to the Splunk_TA_sophos sourcetypes

Based on the below data I'd assume that DefaultThreats maps to sophos:threats but I have no idea what would be appropriate for DefaultCommonEvents

Sophos LogWiter data sources
A. EventsApplicationControlData
B. EventsCommonData
C. EventsDataControlData
D. EventsDeviceControlData (added new data fields)
E. EventsFirewallData
F. EventsTamperProtectionData
G. EventsWebData (added new data fields)
H. ThreatEventData
I. ThreatInstances

Splunk_TA_sophos sourcetypes
A. sophos:sec (maps to Change Analysis, Malware, Network Traffic)
B. sophos:threats
C. sophos:webdata
D. sophos:firewall (maps to Network Traffic)
E. sophos:AppControl
F. sophos:devicecontrol
G. sophos:tamperprotection (maps to Change Analysis)
H. sophos:datacontrol
I. sophos:computerdata (maps to Malware)

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...