Splunk® Supported Add-ons

Splunk Add-on for Sophos

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Lookups for the Splunk Add-on for Sophos

The Splunk Add-on for Sophos uses lookups that map fields from Sophos systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_sophos/lookups/.

Lookup Filename Description
sophos_actions.csv Maps the action description from Sophos to a CIM-compliant string.
sophos_firewall_actions.csv Maps the firewall action description from Sophos to a CIM-compliant string
sophos_ip_protocols.csv This lookup defines the friendly protocol name field for this add-on.
sophos_ips_severities.csv Maps the severity ID to a human readable string and a CIM-compliant severity value.
sophos_risk_levels.csv Maps the risk level ID to a human readable string and a CIM-compliant severity value
sophos_swa_actions.csv Maps the action id from Sophos to a CIM-compliant action value.
sophos_swa_blocks.csv Maps the rsn id from Sophos to a CIM-compliant block reason value.
sophos_swa_categories.csv Maps the category id from Sophos to a CIM-compliant category value.
sophos_threat_actions.csv Maps the category ID to a human-readable string.
sophos_vendor_informations.csv Defines the vendor and product fields for this add-on.
sophos_change_result.csv Fetches values for action, result, status, object, object_category, and change_type values for the EventCode and SourceName for WinEventLog:Application:sophos sourcetype.
sophos_service.csv Fetches values for status, service, and service_name based on the EventCode and SourceName values for the WinEventLog:Application:sophos sourcetype.

You can change the lookup mappings if different versions or configurations require different mappings.

Last modified on 22 June, 2021
PREVIOUS
Troubleshoot the Splunk Add-on for Sophos
  NEXT
Source types for the Splunk Add-on for Sophos

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters