Add-on for Sophos Central CEF is a technical add-on that parses Sophos Central security events delivered via CEF-formatted syslog to a Splunk Heavy Forwarder. The add-on provides comprehensive field extractions, automatic sub-sourcetype routing, and CIM v5 data model tagging for integration with Splunk Enterprise Security. It processes threat detections from Sophos Intercept X, investigation and case management events, firewall gateway logs, web control violations, device telemetry, update activity, and behavioral analysis events. The add-on performs index-time sub-sourcetype routing based on the CEF deviceEventClassId field, splitting incoming sophos:cef:central events into nine distinct sourcetypes: threat, investigation, firewall, webcontrol, device, update, corebehavioral, and coreclean. Field extractions include MITRE ATT&CK technique mappings extracted from Sophos threat intelligence, enabling correlation of detections with adversary tactics. CIM v5 compliance covers the Malware, Intrusion Detection, Incident Management, Network Traffic, and Web data models, providing normalized field mappings for use in Enterprise Security correlation searches, notable events, and threat intelligence workflows.
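The listing describes two mechanisms worth seeing concretely: parsing the CEF header and key=value extension (with CEF's backslash escaping of `|`, `=` and `\`), and routing each event to a sub-sourcetype keyed on `deviceEventClassId`. The following Python is an added illustration written for this page, not code from the add-on; in Splunk the routing is done at index time in props/transforms configuration, which is not shown here. The syslog prefix, the `hypothetical.*` class-ID values, the `sophos:cef:<category>` naming scheme, the keyword-based category matching, and the practice of pulling ATT&CK technique IDs out of any extension value are all assumptions for the example.

```python
"""Constructed example: CEF parsing, sub-sourcetype routing and ATT&CK ID extraction."""
import re

# Base sourcetype is named on the listing; the per-category names are an assumed
# "sophos:cef:<category>" scheme, not the add-on's documented sourcetype strings.
BASE_SOURCETYPE = "sophos:cef:central"
# Longer names first so e.g. "corebehavioral" is not shadowed by a shorter keyword.
CATEGORIES = ("corebehavioral", "coreclean", "investigation", "webcontrol",
              "firewall", "threat", "device", "update")

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# CEF escapes: "\|" and "\\" in the header, "\=" "\\" "\n" "\r" in extension values.
_ESCAPES = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}
_EXT_RE = re.compile(
    r"(?:^|\s)([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)", re.S)
_TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def _unescape(text):
    """Resolve CEF backslash escapes; unknown escapes are kept verbatim."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), "\\" + m.group(1)),
                  text, flags=re.S)


def _split_unescaped(text, sep, maxsplit):
    """Split on `sep` at most `maxsplit` times, skipping backslash-escaped separators."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact for later unescaping
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cef(line):
    """Parse one syslog line carrying a CEF message into a flat dict of fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _split_unescaped(line[start + 4:], "|", 7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    extension = parts[7] if len(parts) > 7 else ""
    for m in _EXT_RE.finditer(extension):
        event[m.group(1)] = _unescape(m.group(2))
    return event


def route_sourcetype(event):
    """Pick a sub-sourcetype from the event class ID; unmatched events keep the base sourcetype."""
    class_id = event.get("device_event_class_id", "").lower()
    for category in CATEGORIES:
        if category in class_id:
            return f"sophos:cef:{category}"
    return BASE_SOURCETYPE


def mitre_techniques(event):
    """Collect ATT&CK technique IDs (T1234 or T1234.001) found in any field value."""
    found = set()
    for value in event.values():
        found.update(_TECHNIQUE_RE.findall(value))
    return sorted(found)


# Constructed sample events (vendor/product taken from the listing; everything else invented).
SAMPLE_EVENTS = [
    r"<13>Jan 01 00:00:00 hf CEF:0|Sophos|Central|1.0|hypothetical.threat.detected|Malware detected|8|"
    r"rt=1700000000000 suser=alice shost=WS\=01 fname=C:\\Temp\\bad.exe "
    r"msg=Blocked Process Injection (T1055.012) cs1Label=techniques cs1=T1059.001 T1055",
    r"CEF:0|Sophos|Central|1.0|hypothetical.firewall.allowed|Connection allowed|3|"
    r"src=10.0.0.5 dst=192.0.2.10 dpt=443 proto=TCP",
    r"CEF:0|Sophos|Central|1.0|hypothetical.other|Unmapped class|1|msg=no route",
]


def process(line):
    """Return (sourcetype, parsed fields, technique IDs) for one raw line."""
    event = parse_cef(line)
    return route_sourcetype(event), event, mitre_techniques(event)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        sourcetype, fields, techniques = process(raw)
        print(sourcetype, fields["device_event_class_id"], techniques)
```

The splitter keeps escape pairs intact until each header field or extension value is unescaped on its own, which is what stops an escaped `\|` inside the event name from shifting every later header column; the fallback to the base sourcetype mirrors the listing's description of `sophos:cef:central` as the incoming sourcetype that the routing splits from.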
Categories
Security, Fraud & Compliance, Endpoint