Sophos XG Firewall Add-on For Splunk maps the data collected to the Network Traffic CIM data model of Splunk. Please see the below table for a complete reference list.
|
Source type |
CIM Data Model |
Event Field |
Data Model Field |
|
sophos:xg:event |
Authentication |
auth_mechanism |
authentication_method |
|
user_name |
user |
||
|
src_ip |
src |
||
|
status |
action |
||
|
dst_ip |
dest |
||
|
sophos:xg:anti_spam |
|
sender |
orig_src |
|
recipient |
orig_recipient |
||
|
email_size |
size |
||
|
src_ip |
src |
||
|
dst_ip |
dest |
||
|
src_host |
src_user_domain |
||
|
dst_host |
recipient_domain |
||
|
sophos:xg:anti_virus |
|
user_name |
user |
|
sender |
orig_src |
||
|
recipient |
orig_recipient |
||
|
email_size |
size |
||
|
src_host |
src_user_domain |
||
|
dst_host |
recipient_domain |
||
|
src_ip |
src |
||
|
dst_ip |
dest |
||
|
sophos:xg:event |
|
user_name |
user |
|
sender |
orig_src |
||
|
recipient |
orig_recipient |
||
|
email_size |
size |
||
|
src_host |
src_user_domain |
||
|
src_ip |
src |
||
|
dst_ip |
dest |
||
|
sophos:xg:firewall |
Network Traffic |
device_name |
dvc |
|
duration |
duration |
||
|
in_interface |
src_interface |
||
|
src_mac |
src_mac |
||
|
dst_mac |
dest_mac |
||
|
src_ip |
src_ip |
||
|
dst_ip |
dest_ip |
||
|
protocol |
transport |
||
|
dst_port |
dest_port |
||
|
packets_sent |
packets_out |
||
|
packets_received |
packets_in |
||
|
bytes_sent |
bytes_out |
||
|
bytes_received |
bytes_in |
||
|
dst_trans_ip |
dest_translated_ip |
||
|
dst_trans_port |
dest_translated_port |
||
|
src_zone |
src_zone |
||
|
dst_zone |
dest_zone |
||
|
src_trans_ip |
src_translated_ip |
||
|
sophos:xg:event |
Network Sessions |
dst_ip |
dest_ip |
|
user_name |
user |
||
|
sophos:xg:system_health |
Performance |
user |
cpu_user_percent |
|
total_memory |
mem |
||
|
free |
mem_free |
||
|
used |
mem_used |
||
|
sophos:xg:anti_virus |
Web |
bytes_received |
bytes_in |
|
bytes_sent |
bytes_out |
||
|
dst_ip |
dest |
||
|
dst_port |
dest_port |
||
|
src_ip |
src |
||
|
http_status |
status |
||
|
domain |
url_domain |
||
|
user_name |
user |
||
|
sophos:xg:content_filtering |
Web |
bytes_received |
bytes_in |
|
bytes_sent |
bytes_out |
||
|
http_category |
category |
||
|
dst_ip |
dest |
||
|
dst_port |
dest_port |
||
|
content_type |
http_content_type |
||
|
src_ip |
src |
||
|
http_status |
status |
||
|
domain |
url_domain |
||
|
user_name |
user |
