Hi,
We are using the Splunk Add-on for Sophos to ingest Sophos Console data into the Enterprise Security app. The Sophos add-on is installed on the console (with the Splunk forwarder & Windows add-on) and on the Indexer / Search Head as well.
Logs are produced by Sophos Log Writer and written into a log file, which is then picked up by the Splunk forwarder. There are two problems we have faced so far with this setup.
- Noticed that the Malware Center dashboard is not able to read any of the data coming from Sophos. This was because the Sophos add-on assigns the "malware" & "attack" tags only to data with eventtype "sophos_sec_av", whereas all data coming from Sophos had eventtype "sophos_sec". This was only getting tagged as "application" and "endpoint". To fix this, I had to edit the tags.conf file of the Sophos add-on on the SH and add "malware" & "attack" under "sophos_sec". This allowed the Malware data model to at least see the data coming from the console.
Was this the correct way to fix it or would it cause more problems down the line?
- After doing the above step, there is one calculated field still getting only the value "Unknown". This is Malware.signature. The eval expression for this field under Settings->Data Models->Malware is `if(isnull(signature) OR signature="","unknown",signature)`
What exactly is this expression trying to do?
On some Windows machines where the Splunk forwarder is installed, local event logs also record any virus detections, which are later sent to the same indexer. This data is perfectly parsed each time by the Sophos add-on and all fields are populated. We tested this with EICAR. Signature is correctly set as EICAR-AV-Test, which means the add-on is working as expected. But whenever data comes from the Console, signature is set to Unknown.
How can I find where the problem lies? Is it the way Sophos is logging into the log files, or something with the Sophos add-on configured on the Sophos console?
Many Thanks,
~ Abhi
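An added example (not part of the original post or of the Sophos add-on) showing the tagging change from the first point expressed as a `local/tags.conf` override rather than an edit to the add-on's `default/tags.conf`; the add-on directory name `TA-sophos` is an assumption, and only the eventtype `sophos_sec` and the tag names come from the post.

```ini
# $SPLUNK_HOME/etc/apps/TA-sophos/local/tags.conf   (app name is assumed)
#
# Splunk merges local/ over default/, so this stanza adds the two tags the
# CIM Malware data model searches for (tag=malware tag=attack) to events of
# eventtype=sophos_sec without touching the file the add-on ships, which an
# add-on upgrade would otherwise overwrite. The existing "application" and
# "endpoint" tags from default/tags.conf remain in effect.
[eventtype=sophos_sec]
malware = enabled
attack = enabled

# Keep the add-on's original mapping for the AV-specific eventtype as-is;
# it is listed here only as a reminder that both eventtypes now feed the
# Malware data model, so the "Unknown" signature issue must be diagnosed
# per data source (console log file vs. local Windows event log), e.g. by
# grouping Malware data model results by source and signature.
[eventtype=sophos_sec_av]
malware = enabled
attack = enabled
```

Restart the search head (or use `| extract reload=t` and a debug/refresh) after the change, then confirm with a search on the data model that console events now appear under both tags.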