Sophos Central SIEM Integration
Add-on Homepage: https://apps.splunk.com/apps/id/TA-sophos_central_github
Author: Hurricane Labs
Version: 1.0.3
You must download the Sophos Central script from Sophos's GitHub for this add-on to work: https://github.com/sophos/Sophos-Central-SIEM-Integration
Note: We do not own the rights to, nor are we a maintainer of, that GitHub project. The script runs outside of Splunk and is NOT included in this add-on. It is the only script that Sophos will support if you have issues; other add-ons or scripts are not guaranteed to deliver all of your data.
The purpose of this add-on is to add value to your Sophos Central Event Reports logs collected with the official, Sophos-supported script. It does this by making the logs CIM compliant, adding tagging for the Enterprise Security data models, and providing other knowledge objects that make searching and visualizing this data easy.
This add-on needs to be installed on your Search Head(s) and on the FIRST full Splunk Enterprise instance(s) that handles the data, traditionally a Heavy Forwarder or Indexer. It should not be deployed to a Universal Forwarder: it does nothing there, even if the Universal Forwarder is the host doing the data collection.
Note: There are installation/configuration instructions here as well: https://github.com/sophos/Sophos-Central-SIEM-Integration
1. Untar the GitHub archive anywhere. In this example we will use '/opt/sophos-central' and install as root.
2. Configure the "SOPHOS_SIEM_HOME" environment variable to point at the script install path.
echo 'export SOPHOS_SIEM_HOME=/opt/sophos-central/Sophos-Central-SIEM-Integration' >> /etc/profile.d/20-sophos_home.sh
3. Configure the config.ini file in the install folder. The comments in it explain the settings you can use. If you choose to write to "file", your logs will be stored in the 'log' folder of your install folder.
nano /opt/sophos-central/Sophos-Central-SIEM-Integration/config.ini
4. Test the script (you may need to exit and re-enter your root shell for the environment variable exported in step 2 to take effect).
/usr/bin/python /opt/sophos-central/Sophos-Central-SIEM-Integration/siem.py -d
5. Run the command 'env' and copy the values of PATH and SOPHOS_SIEM_HOME for the next step.
6. Configure a cron job to run the script every 5 minutes. Paste in the environment variables from the previous step.
nano /etc/cron.d/sophos-central
SOPHOS_SIEM_HOME=/opt/sophos-central/Sophos-Central-SIEM-Integration
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/splunk/bin:/snap/bin
*/5 * * * * root /usr/bin/python /opt/sophos-central/Sophos-Central-SIEM-Integration/siem.py
NOTE: I highly recommend running the script and the add-on on a Splunk HF using the file method and JSON output. This makes the install easy and straightforward.
To confirm that events are arriving and which sourcetypes are in use, run this search:
index=* sourcetype=sophos:central:* | dedup sourcetype
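The steps above leave a few things that are easy to get wrong on a Heavy Forwarder: the environment variable from step 2 not being visible to cron, siem.py or config.ini not where the cron line expects them, and config.ini (which holds the Sophos Central API credentials) left readable by every local user. The following check script is an added example written for this page; it is not part of the add-on or of the Sophos script. The layout it assumes (siem.py and config.ini directly under SOPHOS_SIEM_HOME, the cron file from step 6) matches the procedure above, and the sample install it builds for the demo is constructed in a temporary directory.

```python
import os
import stat
import tempfile

SCRIPT_NAME = "siem.py"
CRON_PATH = "/etc/cron.d/sophos-central"   # file created in step 6


def preflight(home, cron_path=CRON_PATH, env=None):
    """Return a list of problems with the step 1-6 layout; an empty list means it looks right."""
    env = os.environ if env is None else env
    problems = []

    # Step 2: the script locates its config through SOPHOS_SIEM_HOME.
    if env.get("SOPHOS_SIEM_HOME") != home:
        problems.append("SOPHOS_SIEM_HOME is not set to %s" % home)

    # Step 1: the unpacked script must be where the cron line expects it.
    script = os.path.join(home, SCRIPT_NAME)
    if not os.path.isfile(script):
        problems.append("missing %s" % script)

    # Step 3: config.ini holds the API credentials, so it should not be
    # readable by group or other (0600 is the sensible mode for a root cron job).
    cfg = os.path.join(home, "config.ini")
    if not os.path.isfile(cfg):
        problems.append("missing %s" % cfg)
    else:
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("config.ini mode is %04o; expected 0600" % mode)

    # Step 6: the cron file must carry the env line and a job line calling siem.py.
    if not os.path.isfile(cron_path):
        problems.append("missing cron file %s" % cron_path)
    else:
        with open(cron_path) as fh:
            cron = fh.read()
        if "SOPHOS_SIEM_HOME=%s" % home not in cron:
            problems.append("cron file does not set SOPHOS_SIEM_HOME=%s" % home)
        job_lines = [l for l in cron.splitlines() if SCRIPT_NAME in l and not l.startswith("#")]
        if not job_lines:
            problems.append("cron file has no job line running %s" % SCRIPT_NAME)
    return problems


def build_sample_layout(base):
    """Create a constructed install under base that mirrors steps 1-6 (sample, not a real install)."""
    home = os.path.join(base, "Sophos-Central-SIEM-Integration")
    os.makedirs(home)
    open(os.path.join(home, SCRIPT_NAME), "w").close()
    cfg = os.path.join(home, "config.ini")
    with open(cfg, "w") as fh:
        fh.write("# constructed placeholder config.ini, no real credentials\n")
    os.chmod(cfg, 0o600)
    cron_path = os.path.join(base, "sophos-central.cron")
    with open(cron_path, "w") as fh:
        fh.write("SOPHOS_SIEM_HOME=%s\n" % home)
        fh.write("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n")
        fh.write("*/5 * * * * root /usr/bin/python %s/siem.py\n" % home)
    return home, cron_path


def demo():
    """Run preflight against a clean sample layout, then against two broken variants."""
    base = tempfile.mkdtemp()
    home, cron_path = build_sample_layout(base)
    env = {"SOPHOS_SIEM_HOME": home}
    results = {"clean": preflight(home, cron_path, env)}
    os.chmod(os.path.join(home, "config.ini"), 0o644)       # step 3 gone wrong
    results["loose_perms"] = preflight(home, cron_path, env)
    os.chmod(os.path.join(home, "config.ini"), 0o600)
    results["no_env"] = preflight(home, cron_path, {})        # step 2 forgotten
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

On a real host, call preflight() with the actual install path (for the layout above, /opt/sophos-central/Sophos-Central-SIEM-Integration) from a root shell that has sourced /etc/profile.d; an empty list means the pieces cron needs are in place, and each string returned names the step to revisit.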
How you choose to bring the data into Splunk is completely up to you. Here are a couple of examples of how you might set up inputs.conf. The three batch stanzas below are alternatives: use the one whose sourcetype matches the output format you configured in config.ini.
[batch:///opt/sophos-central/Sophos-Central-SIEM-Integration/log/]
disabled = 0
sourcetype = sophos:central:cef
index = sophos
move_policy = sinkhole
crcSalt = <SOURCE>
[batch:///opt/sophos-central/Sophos-Central-SIEM-Integration/log/]
disabled = 0
sourcetype = sophos:central:keyvalue
index = sophos
move_policy = sinkhole
crcSalt = <SOURCE>
[batch:///opt/sophos-central/Sophos-Central-SIEM-Integration/log/]
disabled = 0
sourcetype = sophos:central:json
index = sophos
move_policy = sinkhole
crcSalt = <SOURCE>
[monitor:///var/log/network/sophos_central/*/*.syslog]
disabled = 0
sourcetype = sophos:central:cef
index = sophos
The JSON sourcetype breaks events on the "source_info" key that starts each record, using this props.conf setting:
[sophos:central:json]
LINE_BREAKER = ([\r\n]+){\n*\s*"source_info"
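Splunk discards whatever the first capturing group of LINE_BREAKER matches and starts the next event immediately after it, so this setting works only while every record the script writes begins with "source_info". The following is an added example for this page, not code from the add-on or from Sophos: it applies the same regex the way Splunk does to a constructed chunk of JSON output (one compact record, one pretty-printed record, one more compact record, with made-up field values), then shows the failure mode where a record whose keys are reordered gets glued onto the previous event and no longer parses.

```python
import json
import re

# LINE_BREAKER from the add-on's props.conf for sophos:central:json.
# Splunk treats the text matched by the first capturing group as the boundary:
# it is discarded, the previous event ends before it, the next starts after it.
LINE_BREAKER = re.compile(r'([\r\n]+){\n*\s*"source_info"')


def split_events(raw):
    """Break a chunk of the script's JSON output into events the way Splunk would."""
    events = []
    start = 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])   # event ends before the newline(s)
        start = m.end(1)                       # next event starts at the "{"
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def check_events(raw):
    """Parse each event; return (parsed, bad) so merged or truncated events show up."""
    parsed, bad = [], []
    for e in split_events(raw):
        try:
            parsed.append(json.loads(e))
        except ValueError:
            bad.append(e)
    return parsed, bad


# Constructed sample: records begin with "source_info" like the script's output.
# The "ip", "severity" and "type" values are illustrative, not captured data.
GOOD = (
    '{"source_info": {"ip": "10.0.0.5"}, "severity": "high", "type": "Threat::Detected"}\n'
    '{\n  "source_info": {"ip": "10.0.0.6"},\n  "severity": "low",\n  "type": "Threat::CleanedUp"\n}\n'
    '{"source_info": {"ip": "10.0.0.7"}, "severity": "medium", "type": "WebControlViolation"}\n'
)

# Same three records, but the second one has "type" before "source_info": the
# breaker finds no boundary there, so records 1 and 2 merge into one bad event.
BAD = (
    '{"source_info": {"ip": "10.0.0.5"}, "severity": "high", "type": "Threat::Detected"}\n'
    '{"type": "Threat::CleanedUp", "severity": "low", "source_info": {"ip": "10.0.0.6"}}\n'
    '{"source_info": {"ip": "10.0.0.7"}, "severity": "medium", "type": "WebControlViolation"}\n'
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("reordered", BAD)):
        parsed, bad = check_events(raw)
        print("%s: %d parsed, %d unparseable" % (label, len(parsed), len(bad)))
```

If the search in the section above shows fewer sophos:central:json events than the script wrote, or events whose raw text contains two "source_info" keys, running a sample of the log file through check_events() is a quick way to tell whether the line breaker, rather than the input, is the cause.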
1.0.3:
1.0.2:
1.0.1: Fixed improper event type tagging for Enterprise Security. Only cleaned events were being tagged as malware.
Reminder: We provide absolutely no support for the setup of the script or for the script itself. Please reach out to Sophos Support or submit an issue on their GitHub page for any issues with the script. Our support is limited to issues and requests concerning the knowledge objects of the add-on ONLY.
Contact: splunk-app@hurricanelabs.com