How to know from logs that the detected virus had been cleaned successfully

Hi, team, I am new to Sophos, and now working to load Sophos log data into a SIEM platform.

Currently the logs loaded are something like:

ThreatInstanceID: "538983" ThreatType: "1" FirstDetectedAt: "2022-09-27 19:11:05.0" ThreatSubType: "0" Priority: "500" ThreatLocalID: "d8683c36833b586447b873fda829bab" ThreatLocalIDSource: "NameFilenameFilepathCIMD5" ThreatName: "Troj/Lnk-I" FullFilePathCheckSum: "66f887417dc16ca11e44c31328eeec9" FullFilePath: "C:\Google\GoogleUpdate.lnk" FileNameOffset: "10" FileVersion: "" CheckSum: "" ActionSubmittedAt: "1900-01-01 00:00:00.0" DealtWithAt: "2022-09-27 19:11:26.0" CleanUpable: "true" IsFragment: "false" IsRebootRequired: "false" Outstanding: "false" Status: "50" InsertedAt: "2022-09-27 18:56:58.15" Name: "171283_CMMWS_1" LastLoggedOnUser: "171283_CMMWS_1\Administrator" IPAddressText: "172.19.204.28" DomainName: "WORKGROUP" OperatingSystem: "33" ServicePack: "Service Pack 1"

The question is how to know whether the detected Troj/Lnk-I shown above had been successfully cleaned or not?

Not sure about the "CleanUpable" and "Status" fields, or whether there are additional fields that were missed when loading?

Many thanks!



Edited tags
[edited by: Gladys at 7:48 AM (GMT -7) on 3 Oct 2022]
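
For SIEM ingestion of the record format quoted in the post, a parser along these lines splits the `Key: "value"` pairs and normalizes types; this is an added example, not code from the post or from Sophos. The function names are hypothetical, treating `1900-01-01 00:00:00.0` as a "not set" value is an assumption, and `Status` is passed through raw because the page does not say what its codes mean.

```python
import re
from datetime import datetime

# Key: "value" pairs; values may hold spaces and backslashes but no double quote.
PAIR_RE = re.compile(r'(\w+): "([^"]*)"')
TIME_FIELDS = ("FirstDetectedAt", "ActionSubmittedAt", "DealtWithAt", "InsertedAt")
BOOL_FIELDS = ("CleanUpable", "IsFragment", "IsRebootRequired", "Outstanding")
UNSET = datetime(1900, 1, 1)  # assumption: this date is a "not set" sentinel

# Trimmed copy of the record quoted in the post (field values unchanged).
SAMPLE = (r'ThreatInstanceID: "538983" FirstDetectedAt: "2022-09-27 19:11:05.0" '
          r'ThreatName: "Troj/Lnk-I" FullFilePath: "C:\Google\GoogleUpdate.lnk" '
          r'FileVersion: "" ActionSubmittedAt: "1900-01-01 00:00:00.0" '
          r'DealtWithAt: "2022-09-27 19:11:26.0" CleanUpable: "true" '
          r'Outstanding: "false" Status: "50" InsertedAt: "2022-09-27 18:56:58.15" '
          r'Name: "171283_CMMWS_1" LastLoggedOnUser: "171283_CMMWS_1\Administrator"')

def parse_time(text):
    # Fractional seconds vary in length (".0", ".15"); %f accepts 1 to 6 digits.
    ts = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")
    return None if ts == UNSET else ts

def parse_threat_record(line):
    """Return the record as a dict with timestamps and booleans typed."""
    rec = dict(PAIR_RE.findall(line))
    for field in TIME_FIELDS:
        if field in rec:
            rec[field] = parse_time(rec[field])
    for field in BOOL_FIELDS:
        if field in rec:
            rec[field] = rec[field].lower() == "true"
    return rec

def triage_view(rec):
    """Fields the question is about, side by side; no meaning is assigned to Status."""
    detected, dealt = rec.get("FirstDetectedAt"), rec.get("DealtWithAt")
    elapsed = (dealt - detected).total_seconds() if detected and dealt else None
    return {
        "threat": rec.get("ThreatName"),
        "path": rec.get("FullFilePath"),
        "host": rec.get("Name"),
        "status_raw": rec.get("Status"),
        "cleanupable": rec.get("CleanUpable"),
        "outstanding": rec.get("Outstanding"),
        "seconds_to_dealt_with": elapsed,
    }

if __name__ == "__main__":
    print(triage_view(parse_threat_record(SAMPLE)))
```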