Sophos now offers and supports two Splunk data add-on apps, as well as a dashboard app for visualizing the data across products.
*Note: These installers are provided to our partners and customers "as is" for improving their business processes and conducting threat hunting.*
- Sophos Firewall Ingestor via syslog forward
- Sophos Central Data Ingestor
  - Ingests data across:
    - Central Endpoints API
    - Central Alerts API
    - Central SIEM Events API
- Sophos Dashboard App to select data sources and provide insightful dashboards across Central Data, Firewall data, or both if using both Add-ons.
  - Download from Splunkbase.
Note: You must have at least one TA ingestor Add-on as a prerequisite to using the dashboard application.
- Threat Dashboard - Use this dashboard to understand threat trends and view threats by type, severity and Source IP over time.
  - Correlate data between Central and (XG) Firewall if using both TA Add-ons.
- Firewall Overview - Quickly determine usage trends of your firewall device with widgets such as Interface Usage and Web Sessions over time.
- Web - Provides a snapshot view of web trends and usage over time.
- Firewall Top 10 - See top trends across application and traffic usage.
- Traffic - Provides a deeper dive into traffic analysis and visualization.
- Users - View and filter user interactions by time, group, name and IP address.
- VPN - View VPN trends such as Usage Over Time, Connection Types, and Web Categories accessed via VPN.
Installation & Configuration
The dashboard App may be downloaded from Splunkbase.
- During setup you can select the dashboard data feed: Sophos Central (Endpoint and Alert data), our Next-Gen firewalls, or both.
Note: Once the application is installed, you must tell it which data indexes to use as the source for the data it displays.
- Navigate to "Settings" and click on "Advanced Search"
- Click on "Search Macros"
- Select the desired Sophos Search macro for either Sophos Central or Sophos Firewall
- Enter the name of the index in use within the description field
  - Note: the default value is: index=main
- Press "Save"
Help & Support
Please post feedback or inquiries to our Feedback forum or email: apis @ sophos.com