Introducing the GA release of our latest integration: Splunk for Sophos Next-Gen Firewall.
Splunk is an excellent complement to Sophos Central cloud-based reporting, providing on-premises storage, dashboarding and reporting of firewall log data.
*Note: This installer is provided to our partners and customers "as is" for improving their business processes and conducting threat hunting.
This integration consists of two Splunk applications: the Sophos (XG) Firewall Add-on For Splunk (the technology add-on, or TA, which ingests and normalises the firewall logs) and the Sophos App For Splunk (the dashboards and visualizations).
Supported browsers: Google Chrome, Mozilla Firefox
Supported operating systems: CentOS, Ubuntu, Windows
Splunk platform: Splunk Enterprise, Splunk Cloud
Splunk Enterprise version: 8.1.x, 8.0.x, 7.3.x
Splunk CIM version:
Sophos Firewall (SFOS) version: SFOS 18.0.1 MR-1-Build396 or later
Based on the Splunk deployment type determined by your capacity planning, follow the steps below to install the Splunk applications on either a standalone or a distributed instance.
If you are using a distributed Splunk deployment, refer to the tables below to determine where to install each application.
Sophos (XG) Firewall Add-on For Splunk
Splunk Instance Type: where the add-on (TA) is installed
Heavy Forwarder/Universal Forwarder: The TA can be installed on either a heavy forwarder or a universal forwarder.
Indexer: Not required if you use heavy forwarders to collect data. Required if you use universal forwarders to collect data.
Search Head/Search Head Cluster:
Sophos App For Splunk
Once the Sophos (XG) Firewall Add-on For Splunk has been installed successfully, follow these steps to configure it:
The Sophos (XG) Firewall Add-on For Splunk receives data through the TCP or UDP inputs provided by Splunk. To configure an input, follow the respective instructions below. The following inputs.conf stanzas configure a TLS-protected TCP input (tcp-ssl). Splunk .conf files do not support comments on the same line as a setting, so the explanatory comments are kept on their own lines:

[SSL]
requireClientCert = false
# Location of the root CA
rootCA = $SPLUNK_HOME/etc/auth/ca.pem
# Location of the server certificate
serverCert = $SPLUNK_HOME/etc/auth/server.pem
password = <password of server.pem file>

# tcp-ssl://<port number>
[tcp-ssl://10514]
# index into which the logs will be written
index = main
# Do not change the sourcetype
sourcetype = sophos:xg:logs:secure

With requireClientCert = false the receiver encrypts the session but does not authenticate the sender: any host that can reach TCP port 10514 can submit events that will be indexed as sophos:xg:logs:secure. Restrict the port to the firewall's address at the network layer and, if your syslog sender can present a client certificate issued by the configured rootCA, set requireClientCert = true.
To use the CIM-mapped fields, first configure the event type so that it names the index in which the data is being collected. To configure the event type:
Once the Sophos App For Splunk has been installed successfully, follow the steps below to configure it:
Update the macro shipped with the app so that it points to the index in which Sophos data is being collected. To configure the macro:
See the linked post for a detailed table of how the data collected from the Sophos (XG) Firewall maps to the Network Traffic data model of Splunk's Common Information Model (CIM).
The Sophos Dashboard App For Splunk provides seven dashboards and several visualizations that give users insight into the data collected from the Sophos (XG) Firewall platform. The linked post provides a table mapping the panel visualization names to the source types used in each dashboard.
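The mapping table itself lives in the linked post. To make the search-time normalisation concrete, the following is an added example, not code from the Sophos TA or from Splunk: it parses constructed SFOS-style key=value firewall events, renames a handful of fields into CIM Network Traffic names, and runs a small detection (a single source whose blocked connections fan out across several destination ports) over the normalised records. The field-name mapping (CIM_FIELDS), the action values (ACTION_MAP) and the sample log lines are illustrative assumptions for this example, not the TA's actual mapping or real firewall output.

```python
import re

# Constructed sample events in the SFOS key=value syslog style. Field names follow the
# SFOS 18 "Firewall" log format; hosts, IDs and counters are invented for this example.
SAMPLE_EVENTS = [
    'device="SFW" date=2021-03-02 time=10:15:01 timezone="UTC" device_name="SFVH" '
    'device_id=C01001 log_id=010101600001 log_type="Firewall" log_subtype="Allowed" '
    'status="Allow" priority=Information duration=10 fw_rule_id=2 user_name="" '
    'in_interface="Port1" out_interface="Port2" src_ip=10.1.1.5 dst_ip=93.184.216.34 '
    'protocol="TCP" src_port=51234 dst_port=443 sent_bytes=5120 recv_bytes=81920 '
    'srczone="LAN" dstzone="WAN" message=""',
    'device="SFW" date=2021-03-02 time=10:15:02 timezone="UTC" device_name="SFVH" '
    'device_id=C01001 log_id=010102600002 log_type="Firewall" log_subtype="Denied" '
    'status="Deny" priority=Information duration=0 fw_rule_id=0 user_name="" '
    'in_interface="Port1" out_interface="" src_ip=10.1.1.7 dst_ip=10.1.2.20 '
    'protocol="TCP" src_port=40001 dst_port=22 sent_bytes=0 recv_bytes=0 '
    'srczone="LAN" dstzone="DMZ" message="Could not associate packet to any connection."',
    'device="SFW" date=2021-03-02 time=10:15:03 timezone="UTC" device_name="SFVH" '
    'device_id=C01001 log_id=010102600002 log_type="Firewall" log_subtype="Denied" '
    'status="Deny" priority=Information duration=0 fw_rule_id=0 user_name="" '
    'in_interface="Port1" out_interface="" src_ip=10.1.1.7 dst_ip=10.1.2.20 '
    'protocol="TCP" src_port=40002 dst_port=3389 sent_bytes=0 recv_bytes=0 '
    'srczone="LAN" dstzone="DMZ" message=""',
    'device="SFW" date=2021-03-02 time=10:15:04 timezone="UTC" device_name="SFVH" '
    'device_id=C01001 log_id=010102600002 log_type="Firewall" log_subtype="Denied" '
    'status="Deny" priority=Information duration=0 fw_rule_id=0 user_name="" '
    'in_interface="Port1" out_interface="" src_ip=10.1.1.7 dst_ip=10.1.2.20 '
    'protocol="TCP" src_port=40003 dst_port=445 sent_bytes=0 recv_bytes=0 '
    'srczone="LAN" dstzone="DMZ" message=""',
    # A non-firewall event: it carries src_ip but does not belong in Network Traffic.
    'device="SFW" date=2021-03-02 time=10:15:05 timezone="UTC" device_name="SFVH" '
    'device_id=C01001 log_id=017801600001 log_type="Event" log_subtype="Authentication" '
    'status="Failed" user_name="bob" src_ip=10.1.1.9 message="User bob failed to login"',
]

# key=value where the value is either a double-quoted string (may contain spaces and
# escaped quotes) or a bare token; empty values ("" or nothing) are allowed.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_sfos(line):
    """Split one SFOS key=value line into a dict of raw string values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


# Illustrative SFOS -> CIM Network_Traffic mapping (assumed for this example; the TA's
# real table is in the linked post and may differ).
CIM_FIELDS = {
    "src_ip": "src", "dst_ip": "dest", "src_port": "src_port", "dst_port": "dest_port",
    "protocol": "transport", "in_interface": "src_interface",
    "out_interface": "dest_interface", "sent_bytes": "bytes_out",
    "recv_bytes": "bytes_in", "fw_rule_id": "rule", "srczone": "src_zone",
    "dstzone": "dest_zone", "device_name": "dvc",
}
# CIM Network_Traffic.action accepts allowed / blocked / teardown.
ACTION_MAP = {"Allow": "allowed", "Deny": "blocked", "Drop": "blocked"}
INT_FIELDS = {"src_port", "dest_port", "bytes_in", "bytes_out"}


def to_cim(fields):
    """Rename SFOS fields to CIM names, normalise types, derive action and bytes."""
    cim = {}
    for sfos_name, cim_name in CIM_FIELDS.items():
        value = fields.get(sfos_name, "")
        if value == "":
            continue  # SFOS emits empty strings for unset fields; do not carry them over
        if cim_name in INT_FIELDS:
            value = int(value)
        elif cim_name == "transport":
            value = value.lower()
        cim[cim_name] = value
    if "bytes_in" in cim or "bytes_out" in cim:
        cim["bytes"] = cim.get("bytes_in", 0) + cim.get("bytes_out", 0)
    # "unknown" is a placeholder, not a CIM value: an unmapped status should be investigated.
    cim["action"] = ACTION_MAP.get(fields.get("status", ""), "unknown")
    return cim


def parse_all(lines):
    """Normalise only Firewall-type events; other SFOS log types belong to other models."""
    parsed = (parse_sfos(line) for line in lines)
    return [to_cim(f) for f in parsed if f.get("log_type") == "Firewall"]


def blocked_fanout(events, min_targets=3):
    """Sources whose blocked connections hit at least min_targets distinct (dest, port) pairs."""
    targets = {}
    for e in events:
        if e.get("action") == "blocked" and "src" in e:
            targets.setdefault(e["src"], set()).add((e.get("dest"), e.get("dest_port")))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    normalised = parse_all(SAMPLE_EVENTS)
    for event in normalised:
        print(event)
    print("blocked fan-out:", blocked_fanout(normalised))
```

The same fan-out check over the TA's real CIM fields would be a search such as `action=blocked | stats dc(dest_port) AS ports BY src | where ports>=3` against the Network Traffic data model, which only works once the event type and macro are pointed at the index that actually holds the Sophos data.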
Currently the following three event log types are not supported by the ingestor app (TA):
Support for this application while in Early Access will be provided via the Feedback forum associated with this Wiki. Please use an existing post if your issue has already been reported, or create a new post for each new issue you wish to report.