Splunk Add on for Sophos Central

Steps to generate SPL file:

• Install Splunk in your local machine
• Download the Sophos Central Add-on from Splunkbase
• Copy TA-sophos-central-addon-for-splunk directory to splunk/etc/apps/ directory
• Restart Splunk.
• After installing the Splunk, Switch to /splunk/bin directory
• By following command user can generate SPL file :
  • MAC/Linux: ./splunk package app your_app_name (TA-sophos-central-addon-for-splunk)
  • Windows: splunk package app your_app_name (TA-sophos-central-addon-for-splunk)
• User will get location of spl like this:
  • 
• User can install add-on with this SPL file into Splunk

Authentication:

• Authentication uses a Client ID and Secret pair from a Tenant or Enterprise admin account.
  • If using an enterprise admin account, this will authenticate to all managed tenants this account has permissions for
    • See here for instructions on Creating a service principal for an Enterprise Admin
    • See here for instructions onCreating a service principal for an for a Tenant
• Once you have created your API Client ID and Secret pair from the instructions above
  • From within the Splunk interface, navigate to: Apps → Sophos Central Addon for Splunk → Configuration → Addon Settings
    • Enter the "Client ID" and "Client Secret" in the fields and press "Save"

• Next navigate to the "Inputs" tab to configure settings for sync intervals, default indexes, and to enable or disable a specific input.
  • Recommended sync intervals are following
    • Tenants - every 24 hours
    • Endpoints - Hourly
    • Alerts - Hourly
    • Events - Hourly

• Once you have configured your initial sync settings, we recommend viewing the options for Events as you have additional configuration options to exclude specific event types as shown in the below example.