Sophos Central Addon for Splunk

Hi,

I am using the Sophos Central Addon for Splunk to bring in Sophos data into my Indexer.

I notice that the fields in my index=sophos do not match the fields in the Malware datamodels from the "Common Information Model".

For example, I don't have an action field or dest field.

What does Sophos mean by "conforms to the CIM 4.x data model" from the following statement? 

Functionality: This app will allow you to select and ingest multiple Sophos Central data sources without the need of an accompanying script. Includes data from the below endpoints and conforms to the CIM 4.x data model.
  • Central Endpoints API
  • Central Alerts API
  • Central SIEM Events API

For some context, I am setting up the InfoSec App for Splunk (Splunkbase) and I want to include my Sophos logs under the Malware section.

Any tips here would be greatly appreciated.

  • Hi Juan, I am not from Sophos but can shed some light on the situation as I am also having a similar issue.

    CIM is Common Information Model found here https://splunkbase.splunk.com/app/1621.

    When Sophos are stating CIM v4 compatible, it means the logs will be classified into event types & tagged in accordance with the standard in v4 of the app.

    The latest version of the CIM app is v5, and the Sophos logs, when ingested via the Sophos Central App (https://splunkbase.splunk.com/app/6186), are not v5 compatible.

    One of the issues is that the Malware Data Model in CIM v5 requires the tags "Malware" AND "Attack" in order for the Malware DM to summarise the data and standardise the fields.

    I contacted Sophos dev team who said they have no plan in the immediate short term to update the app to be CIM v5 compliant, which leaves us in a tricky situation where those upgrading for the latest features in v5 are actually losing the ability to correlate Sophos Central logs to the CIM data models.

    Hopefully someone at Sophos sees this and can put some weight behind getting the Sophos Central App upgraded to be CIM v5 compliant.

    You can get around this by downloading v4 of the CIM app and running off that, but for some of us who are actively using the latest features such as Endpoint DM, it is not an option to roll back.

    Hope this helps.

    Ben
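As an added illustration of the workaround Ben describes (local Splunk knowledge objects that supply the two tags the CIM v5 Malware_Attacks dataset needs, plus the dest and action fields Juan is missing), not configuration shipped by Sophos or by the add-on. The sourcetype name, the field names in angle brackets and the event filter are assumptions to be replaced with what `index=sophos | fieldsummary` actually shows.

```ini
# --- local/eventtypes.conf ---
# Scope the eventtype to detection events only, so non-threat events from the
# Central APIs do not end up in the Malware data model.
# <SOPHOS_SOURCETYPE> and <THREAT_TYPE_FIELD> are placeholders (assumption).
[sophos_central_malware]
search = index=sophos sourcetype="<SOPHOS_SOURCETYPE>" <THREAT_TYPE_FIELD>="*Threat*"

# --- local/tags.conf ---
# CIM v5 Malware_Attacks is constrained to tag=malware tag=attack; both tags
# must be present or the data model accelerates nothing from this source.
[eventtype=sophos_central_malware]
malware = enabled
attack  = enabled

# --- local/props.conf ---
# Field normalisation for the same sourcetype. Source field names are
# assumptions; CIM values for action are allowed|blocked|deferred.
[<SOPHOS_SOURCETYPE>]
FIELDALIAS-sophos_cim_dest = <ENDPOINT_HOSTNAME_FIELD> AS dest
FIELDALIAS-sophos_cim_signature = <THREAT_NAME_FIELD> AS signature
EVAL-action = case( \
    match(lower(<OUTCOME_FIELD>), "clean|block|quarantin"), "blocked", \
    match(lower(<OUTCOME_FIELD>), "reboot|pending"), "deferred", \
    true(), "allowed")

# Verify after a restart or debug/refresh:
#   | datamodel Malware Malware_Attacks search | search sourcetype="<SOPHOS_SOURCETYPE>"
# Events appearing there with dest and action populated confirm the mapping.
```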