Sophos XG Firewall Add-on For Splunk maps the data it collects to the Splunk Common Information Model (CIM): the Authentication, Email, Network Traffic, Network Sessions, Performance and Web data models, depending on the source type. The table below lists, for each source type, the data model it feeds and how the add-on's extracted event fields are renamed to the data model's field names. A field shown with the same name in both columns is passed through unchanged.

Source type                  CIM data model    Event field        Data model field
---------------------------  ----------------  -----------------  ---------------------
sophos:xg:event              Authentication    auth_mechanism     authentication_method
                                               user_name          user
                                               src_ip             src
                                               status             action
                                               dst_ip             dest
sophos:xg:anti_spam          Email             sender             orig_src
sophos:xg:anti_virus                           recipient          orig_recipient
                                               email_size         size
                                               src_host           src_user_domain
                                               dst_host           recipient_domain
sophos:xg:firewall           Network Traffic   device_name        dvc
                                               duration           duration
                                               in_interface       src_interface
                                               src_mac            src_mac
                                               dst_mac            dest_mac
                                               dest_ip            dest_ip
                                               protocol           transport
                                               dst_port           dest_port
                                               packets_sent       packets_out
                                               packets_received   packets_in
                                               bytes_sent         bytes_out
                                               bytes_received     bytes_in
                                               dst_trans_ip       dest_translated_ip
                                               dst_trans_port     dest_translated_port
                                               src_zone           src_zone
                                               dst_zone           dest_zone
                                               src_trans_ip       src_translated_ip
                             Network Sessions  (no field mapping listed)
sophos:xg:system_health      Performance       cpu_user_percent   cpu_user_percent
                                               total_memory       mem
                                               free               mem_free
                                               used               mem_used
sophos:xg:content_filtering  Web               http_status        http_status
                                               domain             url_domain
                                               http_category      category
                                               content_type       http_content_type
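The following is an added example, not code from the add-on or from Sophos, showing what the mapping above does to an event end to end: a key=value line is parsed, its fields are renamed per source type, and the result is checked for the CIM fields a search would key on. The sample log lines are constructed using the add-on's extracted field names and are not real device output; the status-to-action value translation (Succeeded/Failed to success/failure), the derived total `bytes` field and the REQUIRED_CIM lists are assumptions made for the example and are not stated on the page.

```python
import re
from typing import Dict, List

# Event field -> CIM data model field, per source type, as listed in the table above.
# Fields whose event name already matches the CIM name need no entry.
CIM_FIELD_MAP: Dict[str, Dict[str, str]] = {
    "sophos:xg:event": {              # Authentication
        "auth_mechanism": "authentication_method",
        "user_name": "user",
        "src_ip": "src",
        "status": "action",
        "dst_ip": "dest",
    },
    "sophos:xg:anti_spam": {          # Email
        "sender": "orig_src",
        "recipient": "orig_recipient",
        "email_size": "size",
        "src_host": "src_user_domain",
        "dst_host": "recipient_domain",
    },
    "sophos:xg:firewall": {           # Network Traffic
        "device_name": "dvc",
        "in_interface": "src_interface",
        "dst_mac": "dest_mac",
        "protocol": "transport",
        "dst_port": "dest_port",
        "packets_sent": "packets_out",
        "packets_received": "packets_in",
        "bytes_sent": "bytes_out",
        "bytes_received": "bytes_in",
        "dst_trans_ip": "dest_translated_ip",
        "dst_trans_port": "dest_translated_port",
        "dst_zone": "dest_zone",
        "src_trans_ip": "src_translated_ip",
    },
    "sophos:xg:system_health": {      # Performance
        "total_memory": "mem",
        "free": "mem_free",
        "used": "mem_used",
    },
    "sophos:xg:content_filtering": {  # Web
        "domain": "url_domain",
        "http_category": "category",
        "content_type": "http_content_type",
    },
}
# anti_virus shares the Email mapping with anti_spam in the table above
CIM_FIELD_MAP["sophos:xg:anti_virus"] = CIM_FIELD_MAP["sophos:xg:anti_spam"]

# Assumption (not from the page): the device reports authentication status as words such as
# "Succeeded"/"Failed", while CIM Authentication expects action=success|failure.
ACTION_VALUES = {"succeeded": "success", "success": "success",
                 "failed": "failure", "failure": "failure"}

# Assumption: the CIM fields a typical search on each model keys on; used only for the check.
REQUIRED_CIM = {
    "sophos:xg:firewall": ["dvc", "transport", "dest_port", "bytes_in", "bytes_out",
                           "src_zone", "dest_zone"],
    "sophos:xg:event": ["user", "src", "action", "authentication_method"],
}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value / key="quoted value" line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def to_cim(sourcetype: str, event: Dict[str, str]) -> Dict[str, str]:
    """Rename event fields to their CIM names for the given source type."""
    mapping = CIM_FIELD_MAP[sourcetype]
    cim = {mapping.get(k, k): v for k, v in event.items()}
    if sourcetype == "sophos:xg:event" and "action" in cim:
        cim["action"] = ACTION_VALUES.get(cim["action"].lower(), cim["action"])
    if sourcetype == "sophos:xg:firewall" and all(k in cim for k in ("bytes_in", "bytes_out")):
        # CIM Network Traffic also defines a total `bytes` field; derived here (assumption).
        cim["bytes"] = str(int(cim["bytes_in"]) + int(cim["bytes_out"]))
    return cim


def missing_cim_fields(sourcetype: str, cim: Dict[str, str]) -> List[str]:
    """Return the expected CIM fields that the normalised event lacks."""
    return [f for f in REQUIRED_CIM.get(sourcetype, []) if f not in cim]


def normalise(sourcetype: str, line: str) -> Dict[str, str]:
    return to_cim(sourcetype, parse_kv(line))


# Constructed sample events using the add-on's extracted field names (not real device output).
FIREWALL_LINE = ('device_name="SFVH01" log_type="Firewall" status="Allow" in_interface="Port1" '
                 'src_ip=10.0.0.5 src_mac=00:11:22:33:44:55 dst_mac=66:77:88:99:aa:bb '
                 'dest_ip=203.0.113.10 protocol="TCP" src_port=51234 dst_port=443 '
                 'packets_sent=12 packets_received=10 bytes_sent=1540 bytes_received=9877 '
                 'src_zone="LAN" dst_zone="WAN" src_trans_ip=198.51.100.2 duration=3')
AUTH_LINE = ('device_name="SFVH01" log_type="Event" user_name="alice" auth_mechanism="Local" '
             'status="Failed" src_ip=10.0.0.5 dst_ip=10.0.0.1')

if __name__ == "__main__":
    for st, line in (("sophos:xg:firewall", FIREWALL_LINE), ("sophos:xg:event", AUTH_LINE)):
        cim = normalise(st, line)
        print(st, cim, "missing:", missing_cim_fields(st, cim))
```

Running it shows the firewall event with `dvc`, `transport`, `dest_port`, `bytes_in`/`bytes_out` and so on, and the authentication event with `user`, `src`, `dest` and `action=failure`; an event that lacks a mapped field (for example a firewall line with no byte counters) is reported by `missing_cim_fields`, which is the check worth running before relying on CIM-based dashboards or correlation searches.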