
Windows XML event analysis

Hello,

Is there a document describing the structure of the XML event logs generated by Sophos?

I'm referring mainly to those highlighted fields:

<?xml version="1.0"?>
<Event xmlns="schemas.microsoft.com/.../event">
  <System>
    <Provider Name="Sophos Anti-Virus"/>
    <EventID Qualifiers="8229">6</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-18T08:25:34.000000000Z"/>
    <EventRecordID>1361139</EventRecordID>
    <Channel>Application</Channel>
    <Computer>test01.local.pl</Computer>
    <Security UserID="S-1-5-19"/>
  </System>
  <EventData>
    <Data>Mal/Phish-A</Data>
    <Data>C:\Users\testit01\AppData\Local\Temp\blob00444030211.tmp\i</Data>
    <Data>\\?\C:\Users\testit01\AppData\Local\Temp\blob00444030211.tmp\i</Data>
    <Data>Virus/Spyware</Data>
    <Data>VEA</Data>
    <Data>Ein Threat wurde gesperrt und in Quarant&#xE4;ne verschoben.</Data>
    <Data>539295806</Data>
  </EventData>
</Event>


thanks in advance,

Fausto
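As an added example (not part of this thread or of any Sophos or Splunk add-on), here is a small parser for the Windows XML event layout shown above. It strips the Event namespace so it works whatever xmlns the exporter wrote, splits the System block into "Tag" and "Tag.Attr" keys, decodes character references such as &#xE4;, and keeps the unnamed <Data> elements in document order, because their meaning is positional and the thread gives no field names for them, so they are exposed only as data_1 .. data_7 rather than with invented labels. The sample event is the one quoted in the question; its xmlns is filled in with the standard Windows event schema namespace, which the quoted copy truncates.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the event quoted in the question, re-indented. The quoted
# copy truncates the xmlns; this is the standard Windows event schema namespace.
SAMPLE_EVENT = r"""<?xml version="1.0"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Sophos Anti-Virus"/>
    <EventID Qualifiers="8229">6</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-18T08:25:34.000000000Z"/>
    <EventRecordID>1361139</EventRecordID>
    <Channel>Application</Channel>
    <Computer>test01.local.pl</Computer>
    <Security UserID="S-1-5-19"/>
  </System>
  <EventData>
    <Data>Mal/Phish-A</Data>
    <Data>C:\Users\testit01\AppData\Local\Temp\blob00444030211.tmp\i</Data>
    <Data>\\?\C:\Users\testit01\AppData\Local\Temp\blob00444030211.tmp\i</Data>
    <Data>Virus/Spyware</Data>
    <Data>VEA</Data>
    <Data>Ein Threat wurde gesperrt und in Quarant&#xE4;ne verschoben.</Data>
    <Data>539295806</Data>
  </EventData>
</Event>
"""

# Windows event levels (0 means "log always").
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
               4: "Information", 5: "Verbose"}
# Keyword bit set on events written through the classic (pre-Vista) EventLog API.
EVENT_KEYWORD_CLASSIC = 0x80000000000000


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text):
    """Return {'system': {...}, 'data': [(name_or_None, value), ...]}.

    System children become 'Tag' (text) and 'Tag.Attr' (attribute) keys.
    <Data> elements are kept in document order: classic-API providers emit
    them without a Name attribute, so their meaning is purely positional.
    """
    root = ET.fromstring(xml_text)
    system, data = {}, []
    for section in root:
        if local_name(section.tag) == "System":
            for el in section:
                key = local_name(el.tag)
                if el.text and el.text.strip():
                    system[key] = el.text.strip()
                for attr, value in el.attrib.items():
                    system[f"{key}.{attr}"] = value
        elif local_name(section.tag) == "EventData":
            for el in section:
                if local_name(el.tag) == "Data":
                    # Character references such as &#xE4; are already decoded here.
                    data.append((el.attrib.get("Name"), el.text or ""))
    return {"system": system, "data": data}


def level_name(event):
    return LEVEL_NAMES.get(int(event["system"].get("Level", 0)), "Unknown")


def legacy_event_id(event):
    """Reassemble the 32-bit classic event ID: Qualifiers form the high word,
    the displayed EventID the low word."""
    qualifiers = int(event["system"].get("EventID.Qualifiers", 0))
    return (qualifiers << 16) | int(event["system"]["EventID"])


def is_classic(event):
    keywords = int(event["system"].get("Keywords", "0"), 16)
    return bool(keywords & EVENT_KEYWORD_CLASSIC)


def summarize(event):
    """Flatten the event into one dict; unnamed Data values become data_1, data_2, ..."""
    out = {
        "provider": event["system"].get("Provider.Name"),
        "event_id": int(event["system"]["EventID"]),
        "legacy_event_id": f"0x{legacy_event_id(event):08X}",
        "level": level_name(event),
        "classic": is_classic(event),
        "time": event["system"].get("TimeCreated.SystemTime"),
        "computer": event["system"].get("Computer"),
        "user_sid": event["system"].get("Security.UserID"),
    }
    for i, (name, value) in enumerate(event["data"], start=1):
        out[name or f"data_{i}"] = value
    return out


if __name__ == "__main__":
    for key, value in summarize(parse_event(SAMPLE_EVENT)).items():
        print(f"{key:16} {value}")
```

Running it prints the System fields by name and the seven EventData values as data_1 to data_7; a named-Data event from a modern manifest-based provider would come out with its own Name attributes instead. Note that the XML view carries only the raw insertion strings, not the rendered message text a log viewer assembles from them.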



  • Hello Fausto,

    As far as I can see, the add-on supports up to 7.1, though I'd not call it very old (if you can believe the dates, less than a year).
    I'm more than a little bit confused by your initial post: you show an XML from the Windows Application Event log, but the Splunk add-on is for the Sophos Central SIEM API. How are these two related?

    Christian

  • Hello Christian,

    It's not too old, but it's not updated, and now we have Splunk 7.3.

    But you are right, that add-on is for the SIEM; my original request is related to the other Sophos add-on (https://splunkbase.splunk.com/app/1854/), which is related to the Endpoint, too.

    This one should parse the XMLWinEventLog, but those tags are not parsed at all, hence my request.

    regards,

    Fausto

  • Hello Fausto,

    AFAIK the XML from the Details XML view (and it seems this is what you showed) does not contain all of an event's information, in particular the readable message you see in the General view or get when you save the events as XML. But neither has the Windows event logging changed nor has Sophos introduced new events. Thus, as far as extracting and interpreting the fields is concerned, the "old" add-on must already have done it; not using Splunk, I can't say how. And naturally I can't say what updates are required for 7.3.

    Christian