Sophos Central Addon for Splunk

Hi,

I am using the Sophos Central Addon for Splunk to bring in Sophos data into my Indexer.

I notice that the fields in my index=sophos do not match the fields in the Malware datamodels from the "Common Information Model".

For example, I don't have an action field or dest field.

What does Sophos mean by "conforms to the CIM 4.x data model" from the following statement? 

"Functionality: This app will allow you to select and ingest multiple Sophos Central data sources without the need of an accompanying script. Includes data from the below endpoints and conforms to the CIM 4.x data model.
  * Central Endpoints API
  * Central Alerts API
  * Central SIEM Events API"

For some context, I am setting up the InfoSec App for Splunk (from Splunkbase) and I want to include my Sophos logs under the Malware section.

Any tips here would be greatly appreciated.

  • I will try writing it again as I would actually like Sophos to address this sooner rather than later.

    CIM is common information model. You can find it on Splunkbase. Latest version is v5.

    The data that is pulled in via the Sophos Central App is only v4 compliant.

    The Malware DM in v5 requires tagging of the data with "Malware" & "Attack".

    Therefore, the data model will not see the Sophos Central data if you are running CIM v5.

    Ideally, Sophos would update the app to be CIM v5 compliant, as many of us who are using the newer features of v5 cannot rollback.

  • Ben, thank you for validating my concerns. I did start to do field aliases and convert some of the fields I want to the Malware Data model. However, Sophos really needs to make this compliant to v5. I would like to spend my time elsewhere.

  • Hi Juan, would you be able to share the field aliases you have used?

    I need to do pretty much the exact same piece of work so would be good to discuss.

  • Final comment.

    You can achieve CIM v5 compatibility with the following config files packaged into an app.

    I must stress, this is a temporary workaround and isn't particularly neat; it is also specific to the use cases I need it to do. However, it should get the job done until an official update is pushed out.

    The main issue I had is that there is no "action" field in the new logs, so it's tough to understand if the log has been blocked, prevented, deferred, allowed etc. Ended up evaluating it off of the type field. Some of the other evals are specific to the use cases, but would be useful for context in the DM summaries.

    I packaged these up and pushed to Splunk Cloud, but it would work on Enterprise I think as well.

    props.conf

    # Sourcetype stanza for the Sophos Central events; calculated fields are
    # applied at search time and do not alter the indexed data.
    [sophos_events]
    # CIM Malware DM expects "dest"; ASNEW keeps the original "location" field too
    FIELDALIAS-dest = "location" ASNEW dest
    FIELDALIAS-group = "group" ASNEW category
    # No native action field: derive it from the event type; treat the listed
    # prevented/dismissed/cleaned types as "blocked", everything else as "allowed"
    EVAL-action = if(type IN("Event::Endpoint::HmpaExploitPrevented", "Event::Endpoint::CoreDismissed", "Event::Endpoint::CorePuaClean"), "blocked", "allowed")
    # Use the threat name when present, otherwise fall back to the event name
    EVAL-signature = coalesce(threat, name)
    # Drop the modular input's own name so only a real user value remains
    EVAL-src_user = mvfilter(source!="sophos_event_input")

    tags.conf

    [eventtype=sophos_central_endpoint_blocked]
    attack = enabled

    [eventtype=sophos_malicious_traffic_detected]
    attack = enabled

    [eventtype=sophos_running_malware_detected]
    attack = enabled

    [eventtype=sophos_threat_detected]
    attack = enabled

    [eventtype=sophos_hmpa_detected_malware]
    attack = enabled

    [eventtype=sophos_malware_status]
    attack = enabled

    [eventtype=sophos_required_reboot]
    attack = enabled

    [eventtype=sophos_requires_manual_cleanup]
    attack = enabled

    [eventtype=sophos_scan_required_to_complete_cleanup]
    attack = enabled

    [eventtype=sophos_scan_malware_cleaned_up]
    attack = enabled

    [eventtype=sophos_deleted_malware]
    attack = enabled

    [eventtype=sophos_malware_locally_cleared]
    attack = enabled

    [eventtype=sophos_malicious_traffic_detection_locally_cleared]
    attack = enabled

    [eventtype=sophos_running_malware_locally_cleared]
    attack = enabled

    [eventtype=sophos_malware_marked_as_resolved]
    attack = enabled

    [eventtype=sophos_outbreak_marked_as_resolved]
    attack = enabled

    [eventtype=sophos_cryptoguard_detected_ransomware]
    attack = enabled

    [eventtype=sophos_cryptoguard_unblocked_process]
    attack = enabled

    [eventtype=sophos_cryptoguard_unblocked_access_to_network_shares]
    attack = enabled

    [eventtype=sophos_cryptoguard_detected_ransomware_attack_from_this_device]
    attack = enabled

    [eventtype=sophos_safe_browsing_detected]
    attack = enabled

    [eventtype=sophos_hmpa_activites]
    attack = enabled

    [eventtype=sophos_malicious_behavior_prevented]
    attack = enabled

    [eventtype=sophos_hmpa_exploit_prevented]
    attack = enabled

    [eventtype=sophos_hmpa_guard]
    attack = enabled

    [eventtype=sophos_credential_theft_attempt_resolved]
    attack = enabled

    [eventtype=sophos_privilege_escalation_exploit_resolved]
    attack = enabled

    [eventtype=sophos_application_hijacking_prevented]
    attack = enabled

    [eventtype=sophos_core_detection]
    attack = enabled

    [eventtype=sophos_cleanup_failed_status]
    attack = enabled

    [eventtype=sophos_core_cleanup]
    attack = enabled

    [eventtype=sophos_endpoint_hmpa_pua_detected]
    attack = enabled
    malware = enabled

    [eventtype=sophos_endpoint_core_pua_detected]
    attack = enabled
    malware = enabled

    [eventtype=sophos_endpoint_threat_pua_cleanup_failed_status]
    attack = enabled
    malware = enabled

    [eventtype=sophos_endpoint_thread_pua_cleanedup]
    attack = enabled
    malware = enabled

    [eventtype=sophos_pua_cleaned_up]
    attack = enabled
    malware = enabled

    [eventtype=sophos_pua_dismissed]
    attack = enabled
    malware = enabled
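As an added example (not part of the thread or the Sophos add-on), this Python script mirrors the props.conf derivations above over a few constructed sample events and reports which Malware data model fields would still be missing after normalisation; the event types, hostnames and user value in the samples are made up for illustration.

```python
import json

# Constructed sample Sophos Central SIEM events (not real data). Field names
# follow the ones the props.conf stanza references: type, location, threat, name, source.
SAMPLE_EVENTS = [
    {"type": "Event::Endpoint::HmpaExploitPrevented", "location": "WS-0042",
     "name": "Exploit prevented in notepad.exe", "source": "sophos_event_input"},
    {"type": "Event::Endpoint::Threat::Detected", "location": "WS-0101",
     "threat": "Troj/Example-A", "name": "Malware detected", "source": "sophos_event_input"},
    {"type": "Event::Endpoint::CorePuaClean", "location": "WS-0007",
     "name": "PUA cleaned", "source": "jdoe"},
]

# The type values the thread's EVAL-action maps to "blocked"; everything else is "allowed".
BLOCKED_TYPES = {
    "Event::Endpoint::HmpaExploitPrevented",
    "Event::Endpoint::CoreDismissed",
    "Event::Endpoint::CorePuaClean",
}

# Fields the Malware data model needs populated before its summaries are useful.
REQUIRED_FIELDS = ("action", "dest", "signature")


def normalise(event):
    """Apply the same field derivations as the props.conf stanza in the thread."""
    out = dict(event)
    # FIELDALIAS-dest: "location" ASNEW dest (the original field is kept)
    if "location" in event:
        out["dest"] = event["location"]
    # EVAL-action: derive an action from the type, as there is no native action field
    out["action"] = "blocked" if event.get("type") in BLOCKED_TYPES else "allowed"
    # EVAL-signature: coalesce(threat, name)
    sig = event.get("threat") or event.get("name")
    if sig is not None:
        out["signature"] = sig
    # EVAL-src_user: mvfilter(source!="sophos_event_input") drops the input's own name
    src = event.get("source")
    if src and src != "sophos_event_input":
        out["src_user"] = src
    return out


def missing_fields(event):
    """Return the Malware DM fields the normalised event still lacks."""
    return [f for f in REQUIRED_FIELDS if f not in normalise(event)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(json.dumps(normalise(ev)), "missing:", missing_fields(ev))
```

Running it against a JSON export of real events from index=sophos shows which event types still lack dest or signature before you rely on the data model summaries.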