Sophos Central Addon for Splunk

Hi,

I am using the Sohpos Central Addon for Splunk to bring in Sophos data into my Indexer.

I notice that the fields in my index=sophos do not much the fields in the Malware datamodels from the "Common Information Model". 

for example, I don't have an action field or dest field. 

What does Sophos mean by "conforms to the CIM 4.x data model" from the following statement? 

##Functionality This app will allow you to select and ingest multiple Sophos Central data sources without the need of an accompanying script. Includes Data from the below endpoints. and conforms to the CIM 4.x data model. * Central Endpoints API * Central Alerts API * Central SIEM Events API

For some context, I am setting up the Infor Sec App InfoSec App for Splunk | Splunkbase and I want to include my sophos logs under the Malware section. 

Any tips here would be greatly 
appreciated.

Parents Reply Children
No Data