Please post questions, feedback and issues related to the Sophos Splunk Apps here, in a new topic if a matching topic doesn't already exist.
Will the possibility to add multiple API keys for different sub-estates be added to the configuration menu?
In our case we have two sub-estates, so to collect all the logs from the Sophos Central console we need to add two pairs of API keys, and as of now this is not possible.
Hi Giovanni, thank you for your inquiry. Is it safe to assume you have a parent enterprise account that both of these sub-estates are linked to? If that is indeed the case, you can generate the API credentials from the parent account and retrieve data for all of your sub-estates from the single credential.
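As an added example (not code from the Sophos Splunk app or from anyone in this thread), here is how the single-credential approach described above works in practice: authenticate once, ask the API who the credential belongs to, expand an organization credential into its list of tenants (sub-estates), and then query each tenant's own data-region host. The endpoint paths and header names follow the public Sophos Central API documentation; the credential values, tenant IDs, hosts and responses inside `demo_transport` are constructed stand-ins so the module runs offline, and the pagination handling of the tenant list is an assumption based on the documented `pages` object.

```python
"""Collect alerts for every sub-estate reachable from ONE Sophos Central credential.

Added example, not the Sophos Splunk app's own code. Endpoint paths and headers
follow the public Sophos Central API docs; all sample values are constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
GLOBAL_API = "https://api.central.sophos.com"

# A transport is (method, url, headers, body) -> parsed JSON, so the real HTTP
# client can be swapped for an offline stub when testing the fan-out logic.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> dict:
    """Real HTTP transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(client_id: str, client_secret: str, transport: Transport) -> str:
    """OAuth2 client-credentials grant; returns the bearer token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode()
    data = transport("POST", TOKEN_URL,
                     {"Content-Type": "application/x-www-form-urlencoded"}, body)
    return data["access_token"]


def list_tenants(token: str, transport: Transport) -> List[dict]:
    """Return every tenant (sub-estate) this credential can see.

    A tenant-level credential sees only itself. An organization (enterprise)
    credential is expanded through the organization tenants endpoint, which is
    what lets a single credential cover all linked sub-estates.
    """
    auth = {"Authorization": f"Bearer {token}"}
    who = transport("GET", f"{GLOBAL_API}/whoami/v1", auth, None)
    if who["idType"] == "tenant":
        return [{"id": who["id"], "apiHost": who["apiHosts"]["dataRegion"]}]
    if who["idType"] == "organization":
        tenants: List[dict] = []
        page = 1
        while True:  # pagination via the documented "pages" object (assumption)
            resp = transport("GET",
                             f"{GLOBAL_API}/organization/v1/tenants?pageTotal=true&page={page}",
                             {**auth, "X-Organization-ID": who["id"]}, None)
            tenants.extend(resp["items"])
            if page >= resp.get("pages", {}).get("total", 1):
                return tenants
            page += 1
    raise ValueError(f"unsupported credential type: {who['idType']}")


def fetch_alerts(token: str, tenant: dict, transport: Transport) -> List[dict]:
    """Pull alerts from the tenant's own data-region host; X-Tenant-ID scopes the call."""
    headers = {"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant["id"]}
    resp = transport("GET", f"{tenant['apiHost']}/common/v1/alerts", headers, None)
    return resp.get("items", [])


def collect_all(client_id: str, client_secret: str,
                transport: Transport = urllib_transport) -> Dict[str, List[dict]]:
    """One credential in, a {tenant_id: [alerts]} map for every sub-estate out."""
    token = get_token(client_id, client_secret, transport)
    return {t["id"]: fetch_alerts(token, t, transport)
            for t in list_tenants(token, transport)}


def demo_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> dict:
    """Constructed offline responses imitating an organization with two sub-estates."""
    if url == TOKEN_URL:
        return {"access_token": "demo-token", "expires_in": 3600}
    assert headers.get("Authorization") == "Bearer demo-token"
    if url.endswith("/whoami/v1"):
        return {"id": "org-0001", "idType": "organization",
                "apiHosts": {"global": GLOBAL_API}}
    if "/organization/v1/tenants" in url:
        assert headers["X-Organization-ID"] == "org-0001"
        return {"items": [{"id": "tenant-a", "apiHost": "https://api-eu01.central.sophos.com"},
                          {"id": "tenant-b", "apiHost": "https://api-us01.central.sophos.com"}],
                "pages": {"current": 1, "total": 1}}
    if url.endswith("/common/v1/alerts"):
        count = {"tenant-a": 2, "tenant-b": 1}[headers["X-Tenant-ID"]]
        return {"items": [{"id": f"{headers['X-Tenant-ID']}-alert-{i}"} for i in range(count)]}
    raise AssertionError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    for tenant_id, alerts in collect_all("demo-id", "demo-secret", demo_transport).items():
        print(f"{tenant_id}: {len(alerts)} alert(s)")
```

Swap `demo_transport` for the default `urllib_transport` and pass real organization-level credentials to run it against Sophos Central; each sub-estate then shows up as one entry in the returned map without a separate credential per estate.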
Thank you for the work on this! We currently have a few Lambda functions querying the APIs for each sub-estate we have to get this info ingested into Splunk. It'll be great once this is ready to go so that we don't have to manage 90+ API credentials for all of our sub-estates.
A few comments/requests:
What common information model are you hoping each of these corresponds to?
Happy to hop on a call to discuss this!
Hi Paul, thanks for your feedback; we really appreciate the time our customers take to consume these apps and provide such feedback. These requests all seem reasonable. I'll add them to the backlog for our next cycle. I don't have any dates on a new version as of yet, but I'll post to the community when a new version is ready.
To answer your question about mapping to the CIM: the fields may map 1:many, as a category may fall under endpoint and malware, for example. Here is a list of the CIM tags we used:
Lastly, it should be expected that the set between alerts and events would not be a 1:1. Events is the raw data stream while alerts are a filtered set that we have made the decision that you should be made aware of to help in reducing that workload and event fatigue.