Sophos Community
Sophos Community
  • Site
  • User
  • Site
  • Search
  • User
  • Community & Product Forums
    • Sophos Endpoint
    • Sophos Firewall
    • Sophos Central
    • Sophos Factory
    • Sophos Mobile
    • Sophos Cloud Optix
    • Sophos Sensor
    • Sophos Switch
    • Sophos Wireless
    • Sophos Email
    • UTM Firewall
  • Community Blogs & Events
    • Sophos Community Blog
    • Community Security Blog
    • Product Documentation Blog
    • Application Control
  • Getting Started
  • Sophos Partners
    • Sophos Partners Group
  • Member Recognition
    • Community Leaderboards
  • More
  • Cancel
Sophos Integrations
Sophos Integrations
Integrations Splunk apps for Sophos
  • Release Notes & News
  • Integrations
  • Forums
  • Early Access Programs
  • Sophos MSP Program
  • Ideation
  • Members
  • More
  • Cancel
  • New
Sophos Integrations requires membership for participation - click to join
  • -Third Party Integrations
    • +ConnectWise Automate.
    • +Datto RMM
    • N-Able N-Central
    • +NinjaRMM
    • +Sophos integration with Kaseya VSA
    • -Splunk apps for Sophos
      • Splunk Add on for Sophos Central
      • Splunk Add on for Sophos Next-Gen Firewall
    • SynchroMSP
  • Central Partner - Customer CSV

Splunk apps for Sophos

Sophos now offers and supports two Splunk data add-on apps, as well as a dashboard app for visualizing the data across products.

*Note: These installers are provided to our partners and customers "as is" for improving their business processes and conducting threat hunting.  

By using any of the below software, you agree to the Sophos API & Plugins Terms of Use. You also acknowledge that Sophos processes personal data in accordance with the Sophos Privacy Policy.

  • Sophos Firewall Ingestor via syslog forward
  • Sophos Central Data Ingestor
    • Ingests data across
      • Central Endpoints API
      • Central Alerts API
      • Central SIEM Events API
  • Sophos Dashboard App to select data sources and provide insightful dashboards across Central Data, Firewall data, or both if using both Add-ons.
    • Download from Splunkbase.

Note: You must have at least one TA ingestor Add-on as a prerequisite to using the dashboard application.

Dashboard Overview

Threat Dashboard - Use this dashboard to understand threat trends and view threats by type, severity and Source IP over time

  • Correlate data between Central and (XG) Firewall if using both TA Add-ons.

Firewall Overview - Quickly determine usage trends of your firewall device with widgets such as Interface Usage and Web Sessions over time.

 

Web - Provides a snapshot view of web trends and usage over time

Firewall Top 10 - See top trends across application and traffic usage

 

Traffic - Provides a deeper dive into traffic analysis and visualization

Users - View and filter user interactions by time, group, name and IP address

VPN - View VPN trends such as Usage Over Time, Connection Types, and Web Categories accessed via VPN

Installation & Configuration

The dashboard App may be downloaded from Splunkbase.

  • There are configurations on setup to allow you to select dashboard feed from Sophos Central for Endpoint and Alert data, or our Next-Gen firewalls or both.

Note: Once the application is installed you must tell the application what data indexes it should be using as the source from where to display the data.

  • Navigate to "Settings" and click on "Advanced Search"

  • Click on "Search Macros"

  • Select the desired Sophos Search macro for either Sophos Central or Sophos Firewall

  • Enter the name of the index in use within the description field
    • Note: the default value is: index=main

  • Press "Save"

Help & Support

Please post feedback or inquiries to our Feedback forum or email: apis @ sophos.com

  • Splunk Central
  • Splunk Sophos Central
  • Splunk Sophos XG
  • splunk
  • Splunk XG
  • Share
  • History
  • More
  • Cancel
Unfiltered HTML
  • Getting started
  • Legal
  • Privacy
  • Cookies

© 1997 - 2023 Sophos Ltd. All rights reserved.