This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows XML event analysis

Hello,

is there a document describing the structure of the xml event logs generated by Sophos?

I'm referring, mainly, to those highlighted fields:

<?xml version="1.0"?>
<Event xmlns="schemas.microsoft.com/.../event">
<System>
<Provider Name="Sophos Anti-Virus"/>
<EventID Qualifiers="8229">6</EventID>
<Level>3</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-06-18T08:25:34.000000000Z"/>
<EventRecordID>1361139</EventRecordID>
<Channel>Application</Channel>
<Computer>test01.local.pl</Computer>
<Security UserID="S-1-5-19"/>
</System>
<EventData>
<Data>Mal/Phish-A</Data>
<Data>C:\Users\testit01\AppData\Local\Temp\blob00444030211.tmp\i</Data>
<Data>\\?\C:\Users\testit01\AppData\Local\Temp\blob00444030211.tmp\i</Data>
<Data>Virus/Spyware</Data>
<Data>VEA</Data>
<Data>Ein Threat wurde gesperrt und in Quarantäne verschoben.</Data>
<Data>539295806</Data>
</EventData>
</Event>

thanks in advance,

Fausto

This thread was automatically locked due to age.

Parents

0 Yashraj S over 4 years ago

Hi Fausto Saporito

There is no documentation available for this as this is supposed to be investigated by technical support and not by the customers.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Fausto Saporito over 4 years ago in reply to Yashraj S

Hello,

thanks for you reply.

But this reason flabbergasts me and I think this "obscurity" helps nobody (maybe 50 years ago).

regards,

Fausto Saporito
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Fausto Saporito over 4 years ago in reply to Yashraj S

Hello,

thanks for you reply.

But this reason flabbergasts me and I think this "obscurity" helps nobody (maybe 50 years ago).

regards,

Fausto Saporito
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Yashraj S over 4 years ago in reply to Fausto Saporito

Hi Fausto Saporito

I am sorry you feel that way. From the looks of it, it seems that there was an infection prevented and Sophos has detected it and the XML shows the detection name, location of the file and its classification (Virus/Spyware) along with the alert message in German. I would request you to open a support case so that they can provide more information on the aforementioned logs.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Fausto Saporito over 4 years ago in reply to Yashraj S

My needs is to update Splunk Add-On (https://splunkbase.splunk.com/app/4096/) that is very old and not compatible with Splunk 7.2+, so I can get some meaningful information from that log.

There's also another add-on (older than the first one) but it doesn't seem to be able to extract those fields from the aforementioned log.
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 4 years ago in reply to Fausto Saporito

Hello Fausto,

as far as I can see the add-on supports up to 7.1 though I'd not call it very old (if you can believe the dates less than a year).
I'm more than a little bit confused by your initial post: You show an XML from the Windows Application Event log but the Splunk add-on is for the Sophos Central SIEM API. How are these two related?

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 Fausto Saporito over 4 years ago in reply to QC

Hello Christian,

it's not too old, but it's not updated and now we have Splunk 7.3

But you are right that addon is for the SIEM, my original request is related to the other Sophos addon (https://splunkbase.splunk.com/app/1854/) that is related to the Endpoint, too.

This one should parse the XMLWinEventLog, but those tags are not parsed at all, so my request.

regards,

Fausto
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 4 years ago in reply to Fausto Saporito

Hello Fausto,

AFAIK the XML from the Details → XML View (and it seems this is what you showed) does not contain all of an event's information, in particular the readable message you see in the General view or get when you save the events as XML. But neither has the Windows Event logging changed nor has Sophos introduced new events. Thus as far as extracting and interpreting the fields is concerned the "old" add-on must already have done it - not using Splunk I can't say how. And naturally I can't say what updates are required for 7.3.

Christian
Cancel
Vote Up 0 Vote Down

Cancel