Sophos now offers and supports two Splunk data add-on apps, as well as a dashboard app for visualizing the data across products.
|
*Note: These installers are provided to our partners and customers "as is" for improving their business processes and conducting threat hunting. By using any of the below software, you agree to the Sophos API & Plugins Terms of Use. You also acknowledge that Sophos processes personal data in accordance with the Sophos Privacy Policy. |
- Sophos Firewall Ingestor via syslog forward
- Sophos Central Data Ingestor
- Ingests data across
- Central Endpoints API
- Central Alerts API
- Central SIEM Events API
- Ingests data across
- Sophos Dashboard App to select data sources and provide insightful dashboards across Central Data, Firewall data, or both if using both Add-ons.
- Download from Splunkbase.
Note: You must have at least one TA ingestor Add-on as a prerequisite to using the dashboard application.
Dashboard Overview
Threat Dashboard - Use this dashboard to understand threat trends and view threats by type, severity and Source IP over time
- Correlate data between Central and (XG) Firewall if using both TA Add-ons.
Firewall Overview - Quickly determine usage trends of your firewall device with widgets such as Interface Usage and Web Sessions over time.
Web - Provides a snapshot view of web trends and usage over time
Firewall Top 10 - See top trends across application and traffic usage
Traffic - Provides a deeper dive into traffic analysis and visualization
Users - View and filter user interactions by time, group, name and IP address
VPN - View VPN trends such as Usage Over Time, Connection Types, and Web Categories accessed via VPN
Installation & Configuration
The dashboard App may be downloaded from Splunkbase.
- There are configurations on setup to allow you to select dashboard feed from Sophos Central for Endpoint and Alert data, or our Next-Gen firewalls or both.
Note: Once the application is installed you must tell the application what data indexes it should be using as the source from where to display the data.
- Navigate to "Settings" and click on "Advanced Search"
- Click on "Search Macros"
- Select the desired Sophos Search macro for either Sophos Central or Sophos Firewall
- Enter the name of the index in use within the description field
- Note: the default value is: index=main
- Press "Save"
Help & Support
Please post feedback or inquiries to our Feedback forum or email: apis @ sophos.com