Please post Questions, Feedback and Issues related to the Sophos Splunk Apps here within a new topic if an existing topic doesn't already exist.
Thank you for the work on this! We currently have a few Lambda functions querying the APIs for each sub-estate we have to get this info ingested into Splunk. It'll be great once this is ready to go so that we don't have to manage 90+ API credentials for all of our sub-estates.
A few comments/requests:
What common information model are you hoping each of these corresponds to?
Happy to hop on a call to discuss this!
Hi Paul, thanks for your feedback; we really appreciate the time our customers take to consume these apps and provide such feedback. These requests all seem reasonable. I'll add them to the backlog for our next cycle. I don't have any dates on a new version as of yet, but I'll post to the community when a new version is ready.
To answer your question about mapping to the CIM: the fields may map 1:many, as a category may fall under both endpoint and malware, for example. Here is a list of the CIM tags we used:
Lastly, it should be expected that the mapping between alerts and events will not be 1:1. Events are the raw data stream, while alerts are a filtered set that we have decided you should be made aware of, to help in reducing workload and event fatigue.