Sophos Central Addon for Splunk

Hi,

I am using the Sophos Central Addon for Splunk to bring Sophos data into my indexer.

I notice that the fields in my index=sophos do not match the fields in the Malware data model from the "Common Information Model".

For example, I don't have an action or dest field.

What does Sophos mean by "conforms to the CIM 4.x data model" in the following statement?

Functionality: This app will allow you to select and ingest multiple Sophos Central data sources without the need of an accompanying script. Includes data from the below endpoints and conforms to the CIM 4.x data model.
* Central Endpoints API
* Central Alerts API
* Central SIEM Events API

For some context, I am setting up the InfoSec App for Splunk (from Splunkbase) and I want to include my Sophos logs under the Malware section.

Any tips here would be greatly appreciated.

  • Hi Juan, I am not from Sophos but can shed some light on the situation as I am also having a similar issue.

    CIM is Common Information Model found here https://splunkbase.splunk.com/app/1621.

    When Sophos state "CIM v4 compatible", it means the logs will be classified into event types and tagged in accordance with the standard in v4 of the app.

    The latest version of the CIM app is v5, and the Sophos logs when ingested via the Sophos Central App (https://splunkbase.splunk.com/app/6186) are not v5 compatible.

    One of the issues is that the Malware Data Model in CIM v5 requires the tags "Malware" AND "Attack" in order for the Malware DM to summarise the data and standardise the fields.

    I contacted Sophos dev team who said they have no plan in the immediate short term to update the app to be CIM v5 compliant, which leaves us in a tricky situation where those upgrading for the latest features in v5 are actually losing the ability to correlate Sophos Central logs to the CIM data models.

    Hopefully someone at Sophos sees this and can put some weight behind getting the Sophos Central App upgraded to be CIM v5 compliant.

    You can get around this by downloading v4 of the CIM app and running off that, but for some of us who are actively using the latest features such as Endpoint DM, it is not an option to roll back.

    Hope this helps.

    Ben

  • Hi Juan, I have put an update on but it has been flagged as "inappropriate", not sure why. Hopefully a moderator approves it and it should shed some light on the issue.

  • Also, whilst I wait for the moderator to approve the comment...

    The fields in the index=sophos will not match the fields in the datamodel.

    Once the data is CIM compliant, you will be able to run the following on your Splunk instance...

    | datamodel Malware search summariesonly=t

    This search will show you the normalised fields, however, it won't work currently unless you are running CIM v4 I would presume.

  • I will try writing it again as I would actually like Sophos to address this sooner rather than later.

    CIM is common information model. You can find it on Splunkbase. Latest version is v5.

    The data that is pulled in via the Sophos Central App is only v4 compliant.

    The Malware DM in v5 requires tagging of the data with "Malware" & "Attack".

    Therefore, the data model will not see the Sophos Central data if you are running CIM v5.

    Ideally, Sophos would update the app to be CIM v5 compliant, as many of us who are using the newer features of v5 cannot rollback.
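Because tags.conf stanzas are merged across apps, the question of whether an eventtype ends up carrying both "malware" and "attack" (the CIM v5 Malware DM constraint the comments above describe as tag=malware tag=attack) is a question about the merged result, not about any one file. The following is an added example, not code from the thread, from Splunk or from the Sophos add-on: it parses two tags.conf layers, merges them the way Splunk layers configuration (same stanza, same key: the higher-precedence app wins; otherwise keys accumulate), and reports the eventtypes that would still be invisible to a data model requiring both tags. Both tags.conf strings are constructed stand-ins; the add-on's real stanzas may differ.

```python
"""Report eventtypes missing the tags a CIM v5 Malware DM search needs.

Added example: not from the original thread, Splunk, or the Sophos add-on.
Both tags.conf bodies below are constructed for illustration.
"""
import configparser

# Constructed stand-in for the tags.conf a vendor add-on might ship (assumption).
ADDON_TAGS_CONF = """
[eventtype=sophos_threat_detected]
malware = enabled

[eventtype=sophos_hmpa_exploit_prevented]
malware = enabled

[eventtype=sophos_pua_dismissed]
malware = enabled
"""

# Constructed stand-in for a local override app in the style of the thread's workaround.
OVERRIDE_TAGS_CONF = """
[eventtype=sophos_threat_detected]
attack = enabled

[eventtype=sophos_hmpa_exploit_prevented]
attack = enabled

[eventtype=sophos_pua_dismissed]
attack = enabled
malware = enabled

[eventtype=sophos_required_reboot]
attack = enabled
"""

# CIM v5 Malware_Attacks constraint: tag=malware tag=attack (both required).
REQUIRED_TAGS = frozenset({"malware", "attack"})


def parse_tags_conf(text):
    """Parse a tags.conf body into {stanza: {tag: state}}; tag names keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def merge_layers(*layers):
    """Merge parsed tags.conf layers; later arguments take precedence (same stanza,
    same key -> later value wins; unrelated keys accumulate), as Splunk layers confs."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def enabled_tags(settings):
    """Tags whose value is 'enabled' (case-insensitive) in a merged stanza."""
    return {tag for tag, state in settings.items() if state.strip().lower() == "enabled"}


def missing_required_tags(merged, required=REQUIRED_TAGS):
    """Return {eventtype: [missing tags]} for eventtype stanzas that lack any required tag,
    i.e. the events a tag=malware tag=attack data model constraint would never select."""
    report = {}
    prefix = "eventtype="
    for stanza, settings in merged.items():
        if not stanza.startswith(prefix):
            continue
        missing = required - enabled_tags(settings)
        if missing:
            report[stanza[len(prefix):]] = sorted(missing)
    return report


def main():
    merged = merge_layers(parse_tags_conf(ADDON_TAGS_CONF), parse_tags_conf(OVERRIDE_TAGS_CONF))
    for eventtype, missing in sorted(missing_required_tags(merged).items()):
        print(f"{eventtype}: missing {', '.join(missing)}")


if __name__ == "__main__":
    main()
```

Run it against the override layer alone (drop the add-on layer from merge_layers) and every eventtype that only sets attack is reported, which is the situation the comments describe: adding one tag in a local app only helps where the other tag is already supplied by something else. Point parse_tags_conf at the real merged output of `splunk btool tags list --debug` to check a live deployment rather than constructed strings.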

  • Ben, thank you for validating my concerns. I did start to do field aliases and convert some of the fields I want to the Malware Data model. However, Sophos really needs to make this compliant to v5. I would like to spend my time elsewhere.

  • Hi Juan, would you be able to share the field aliases you have used?

    I need to do pretty much the exact same piece of work so would be good to discuss.

  • Final comment.

    You can achieve CIM v5 compatibility with the following config files packaged into an app.

    I must stress, this is a temporary work around and isn't particularly neat, it is also specific to the use cases I need it to do. However, it should get the job done until an official update is pushed out.

    The main issue I had is that there is no "action" field in the new logs, so it's tough to understand if the log has been blocked, prevented, deferred, allowed etc. Ended up evaluating it off of the type field. Some of the other evals are specific to the use cases, but would be useful for context in the DM summaries.

    I packaged these up and pushed to Splunk Cloud, but it would work on Enterprise I think as well.

    props.conf

    [sophos_events]
    # CIM Malware dest: alias the Sophos "location" field (the endpoint the event is about)
    FIELDALIAS-dest = "location" ASNEW dest
    # CIM Malware category: alias the Sophos event "group"
    FIELDALIAS-group = "group" ASNEW category
    # No native action field in the events: derive it from the event type.
    # Only the listed types count as "blocked"; everything else is treated as "allowed".
    EVAL-action = if(type IN("Event::Endpoint::HmpaExploitPrevented", "Event::Endpoint::CoreDismissed", "Event::Endpoint::CorePuaClean"), "blocked", "allowed")
    # CIM signature: prefer the threat name, fall back to the event name
    EVAL-signature = coalesce(threat, name)
    # The JSON "source" value shares its name with Splunk's metadata source field,
    # so drop the input name and keep the remaining value as src_user
    EVAL-src_user = mvfilter(source!="sophos_event_input")

    tags.conf

    # Adds the "attack" tag (and, for the PUA eventtypes, the "malware" tag) so that
    # the CIM v5 Malware DM constraint tag=malware tag=attack matches these eventtypes.
    [eventtype=sophos_central_endpoint_blocked]
    attack = enabled

    [eventtype=sophos_malicious_traffic_detected]
    attack = enabled

    [eventtype=sophos_running_malware_detected]
    attack = enabled

    [eventtype=sophos_threat_detected]
    attack = enabled

    [eventtype=sophos_hmpa_detected_malware]
    attack = enabled

    [eventtype=sophos_malware_status]
    attack = enabled

    [eventtype=sophos_required_reboot]
    attack = enabled

    [eventtype=sophos_requires_manual_cleanup]
    attack = enabled

    [eventtype=sophos_scan_required_to_complete_cleanup]
    attack = enabled

    [eventtype=sophos_scan_malware_cleaned_up]
    attack = enabled

    [eventtype=sophos_deleted_malware]
    attack = enabled

    [eventtype=sophos_malware_locally_cleared]
    attack = enabled

    [eventtype=sophos_malicious_traffic_detection_locally_cleared]
    attack = enabled

    [eventtype=sophos_running_malware_locally_cleared]
    attack = enabled

    [eventtype=sophos_malware_marked_as_resolved]
    attack = enabled

    [eventtype=sophos_outbreak_marked_as_resolved]
    attack = enabled

    [eventtype=sophos_cryptoguard_detected_ransomware]
    attack = enabled

    [eventtype=sophos_cryptoguard_unblocked_process]
    attack = enabled

    [eventtype=sophos_cryptoguard_unblocked_access_to_network_shares]
    attack = enabled

    [eventtype=sophos_cryptoguard_detected_ransomware_attack_from_this_device]
    attack = enabled

    [eventtype=sophos_safe_browsing_detected]
    attack = enabled

    [eventtype=sophos_hmpa_activites]
    attack = enabled

    [eventtype=sophos_malicious_behavior_prevented]
    attack = enabled

    [eventtype=sophos_hmpa_exploit_prevented]
    attack = enabled

    [eventtype=sophos_hmpa_guard]
    attack = enabled

    [eventtype=sophos_credential_theft_attempt_resolved]
    attack = enabled

    [eventtype=sophos_privilege_escalation_exploit_resolved]
    attack = enabled

    [eventtype=sophos_application_hijacking_prevented]
    attack = enabled

    [eventtype=sophos_core_detection]
    attack = enabled

    [eventtype=sophos_cleanup_failed_status]
    attack = enabled

    [eventtype=sophos_core_cleanup]
    attack = enabled

    [eventtype=sophos_endpoint_hmpa_pua_detected]
    attack = enabled
    malware = enabled

    [eventtype=sophos_endpoint_core_pua_detected]
    attack = enabled
    malware = enabled

    [eventtype=sophos_endpoint_threat_pua_cleanup_failed_status]
    attack = enabled
    malware = enabled

    [eventtype=sophos_endpoint_thread_pua_cleanedup]
    attack = enabled
    malware = enabled

    [eventtype=sophos_pua_cleaned_up]
    attack = enabled
    malware = enabled

    [eventtype=sophos_pua_dismissed]
    attack = enabled
    malware = enabled
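The props.conf above is easiest to reason about when its evals are run over a handful of events outside Splunk first. The following is an added example, not code from the thread or from the Sophos add-on: it re-implements the five field mappings (the two FIELDALIAS lines, EVAL-action, EVAL-signature and EVAL-src_user) in Python and applies them to constructed event records. The records are made up to look like Sophos Central SIEM events and use only the field names the props.conf references (type, location, group, threat, name, source); "sophos_event_input" is assumed to be the Splunk input name that lands in the metadata source field, which is what the posted mvfilter implies. The third record deliberately has no threat and no source fields to show the coalesce fallback and the null src_user case.

```python
"""Dry-run the thread's props.conf field mappings over constructed events.

Added example: not from the original thread or the Sophos add-on. SAMPLE_EVENTS
are constructed, not real telemetry; SPLUNK_SOURCE is an assumed input name.
"""
import json

# Constructed sample events shaped like Sophos Central SIEM event JSON (assumption).
SAMPLE_EVENTS = [
    json.dumps({"type": "Event::Endpoint::HmpaExploitPrevented", "location": "WS-0042",
                "group": "RUNTIME_DETECTIONS", "name": "Exploit prevented in example.exe",
                "threat": "Exp/Example-A", "source": "CORP\\jdoe"}),
    json.dumps({"type": "Event::Endpoint::Threat::Detected", "location": "WS-0017",
                "group": "MALWARE", "name": "Malware detected: 'Troj/Example-B'",
                "threat": "Troj/Example-B", "source": "CORP\\asmith"}),
    # No "threat": signature must fall back to "name". No "source": src_user stays null.
    json.dumps({"type": "Event::Endpoint::Registered", "location": "SRV-DB01",
                "group": "GENERAL", "name": "New endpoint registered"}),
]

SPLUNK_SOURCE = "sophos_event_input"  # assumed Splunk input name (see EVAL-src_user)

# Event types the posted EVAL-action maps to "blocked"; everything else becomes "allowed".
BLOCKED_TYPES = {
    "Event::Endpoint::HmpaExploitPrevented",
    "Event::Endpoint::CoreDismissed",
    "Event::Endpoint::CorePuaClean",
}

# The subset of CIM Malware fields the posted props.conf populates.
MALWARE_FIELDS = ("action", "category", "dest", "signature")


def coalesce(*values):
    """Splunk coalesce(): first value that is not null (an empty string is not null)."""
    return next((v for v in values if v is not None), None)


def mvfilter_not_equal(values, unwanted):
    """Splunk mvfilter(field!="x"): keep the other values; a single survivor
    behaves as a scalar, no survivor yields null."""
    kept = [v for v in values if v != unwanted]
    if not kept:
        return None
    return kept[0] if len(kept) == 1 else kept


def normalise(raw_line):
    """Apply the props.conf mappings to one raw JSON event and return the CIM-ish fields."""
    ev = json.loads(raw_line)
    # At search time the JSON "source" key and Splunk's metadata source share a name,
    # so "source" is multivalued; rebuild that view here before filtering.
    source_mv = [SPLUNK_SOURCE] + ([ev["source"]] if "source" in ev else [])
    return {
        "dest": ev.get("location"),                                             # FIELDALIAS-dest
        "category": ev.get("group"),                                            # FIELDALIAS-group
        "action": "blocked" if ev.get("type") in BLOCKED_TYPES else "allowed",  # EVAL-action
        "signature": coalesce(ev.get("threat"), ev.get("name")),                # EVAL-signature
        "src_user": mvfilter_not_equal(source_mv, SPLUNK_SOURCE),               # EVAL-src_user
    }


def missing_malware_fields(normalised):
    """Names of the expected Malware fields that came out null for this event."""
    return [field for field in MALWARE_FIELDS if normalised.get(field) is None]


def main():
    for line in SAMPLE_EVENTS:
        fields = normalise(line)
        gaps = missing_malware_fields(fields)
        print(fields, "MISSING: " + ", ".join(gaps) if gaps else "ok")


if __name__ == "__main__":
    main()
```

One thing the dry run makes visible: with the posted EVAL-action, a plain threat detection that is not one of the three listed types comes out as action=allowed, because the eval has no third branch. If your Malware DM searches key on action=blocked, extend BLOCKED_TYPES (and the corresponding IN list in props.conf) to the event types that represent a block in your environment before relying on it.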