Hi,
We have the Splunk add-on for Sophos installed, but it doesn't appear to be mapping two fields correctly as per CIM. The fields we have noticed so far are signature and category.
Data is being sent by Splunk forwarder which is using TA's input.conf to read/monitor the log files created by Sophos console.
After checking props.conf for sourcetype `sophos:threats`, it appears to be configured for EventType & EventName, which are different from the fields we get. In the log files created by Sophos, we have ThreatType/ThreatName instead of EventType/EventName.
So, the field aliases defined under props.conf

```
FIELDALIAS-category_for_threat = EventType as category
FIELDALIAS-signature_for_threat = EventName as signature
```

should ideally be the following in our situation:

```
FIELDALIAS-category_for_threat = ThreatType as category
FIELDALIAS-signature_for_threat = ThreatName as signature
```
But despite making this change on the search heads, we continue to see both "signature" and "category" fields getting the value "unknown".
![alt text][1]
Should we be making this change directly in the forwarder's props.conf instead of on the search head?
Thanks,
~ Abhi
[1]: /storage/temp/187278-malware-signature-unknown.png