Forum for Sophos Splunk Apps

Hello!

Thank you for the work on this! We currently have a few Lambda functions querying the APIs for each sub-estate we have to get this info ingested into Splunk. It'll be great once this is ready to go so that we don't have to manage 90+ API credentials for all of our sub-estates.

A few comments/requests:

• For endpoints, could you add...
  • Information like assigned products and capabilities to see what software is installed and enabled per-endpoint?
  • Information like isolation to see whether the device is currently isolated?
  • Tenant name under the tenant section in addition to id? It's difficult to like up which device is in which tenant just based on the tenant GUID.
• For events...
  • We see a large difference between what the TA pulls and what we can pull via the API. Should these be the same? We see different event types and counts of similar event types.
  • Could you add...
    • Information on application signing certificates
    • Application hashes (sha256 is what's pulled via the API)
    • Tenant name and id so we know what device is in which tenant
    • Origin information (we see BLOCKLISTED, ML, REPUTATION, and SAV via the API)
    • Threat information to see which threat the event corresponds to a threat
• For alerts, could you add information on
  • User name (when there is one)
  • Computer name (when there is one)
  • IP and MACs of the device generating the alert
  • Threat info
  • Threat_cleanable info (boolean true/false)

What common information model are you hoping each of these corresponds to?

Happy to hop on a call to discuss this!

Thanks,

Paul Reeves

Hello!

Thank you for the work on this! We currently have a few Lambda functions querying the APIs for each sub-estate we have to get this info ingested into Splunk. It'll be great once this is ready to go so that we don't have to manage 90+ API credentials for all of our sub-estates.

A few comments/requests:

• For endpoints, could you add...
  • Information like assigned products and capabilities to see what software is installed and enabled per-endpoint?
  • Information like isolation to see whether the device is currently isolated?
  • Tenant name under the tenant section in addition to id? It's difficult to like up which device is in which tenant just based on the tenant GUID.
• For events...
  • We see a large difference between what the TA pulls and what we can pull via the API. Should these be the same? We see different event types and counts of similar event types.
  • Could you add...
    • Information on application signing certificates
    • Application hashes (sha256 is what's pulled via the API)
    • Tenant name and id so we know what device is in which tenant
    • Origin information (we see BLOCKLISTED, ML, REPUTATION, and SAV via the API)
    • Threat information to see which threat the event corresponds to a threat
• For alerts, could you add information on
  • User name (when there is one)
  • Computer name (when there is one)
  • IP and MACs of the device generating the alert
  • Threat info
  • Threat_cleanable info (boolean true/false)

What common information model are you hoping each of these corresponds to?

Happy to hop on a call to discuss this!

Thanks,

Paul Reeves

Hi Paul, thank for your feedback, we really appreciate the time our customers take to consume these apps and provide such feedback.  These requests all seem reasonable.  I'll add them to the backlog for  our next cycle.  I don't  have any dates on a new version as of yet,  but I'll post to the community when a new version is ready.

To answer your question of mapping to the CIM.  The fields may map to 1:many as a category may fall under endpoint and malware for example.  Here is a list of the below CIM tags we used:

• Alerts
• Authentication
• Data Loss Prevention
• Email
• Endpoint
• Intrusion Detection
• Inventory
• Malware
• Network Resolution (DNS)
• Network Sessions
• Network Traffic
• Updates
• Vulnerabilities
• Web

Lastly, it should be expected that the set between alerts and events would not be a 1:1.  Events is the raw data stream while alerts are a filtered set that we have made the decision that you should be made aware of to help in reducing that workload and event fatigue.