Lookups for the Splunk Add-on for Sophos
The Splunk Add-on for Sophos uses lookups that map fields from Sophos systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_sophos/lookups/.
Lookup filename | Description |
---|---|
sophos_actions.csv | Maps the action description from Sophos to a CIM-compliant string. |
sophos_firewall_actions.csv | Maps the firewall action description from Sophos to a CIM-compliant string. |
sophos_ip_protocols.csv | Defines the friendly protocol name field for this add-on. |
sophos_ips_severities.csv | Maps the severity ID to a human-readable string and a CIM-compliant severity value. |
sophos_risk_levels.csv | Maps the risk level ID to a human-readable string and a CIM-compliant severity value. |
sophos_swa_actions.csv | Maps the action ID from Sophos to a CIM-compliant action value. |
sophos_swa_blocks.csv | Maps the rsn ID from Sophos to a CIM-compliant block reason value. |
sophos_swa_categories.csv | Maps the category ID from Sophos to a CIM-compliant category value. |
sophos_threat_actions.csv | Maps the category ID to a human-readable string. |
sophos_vendor_informations.csv | Defines the vendor and product fields for this add-on. |
sophos_change_result.csv | Provides the action, result, status, object, object_category, and change_type values based on the EventCode and SourceName values for the WinEventLog:Application:sophos source type. |
sophos_service.csv | Provides the status, service, and service_name values based on the EventCode and SourceName values for the WinEventLog:Application:sophos source type. |
You can change the lookup mappings if different Sophos versions or configurations require different mappings. Keep the mapped values CIM-compliant, because CIM-based searches, Enterprise Security correlation searches, and data model accelerations only match the values the data models define.
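If you edit one of these lookup files, check it before deploying it. The following is an added example (not part of the Splunk Add-on for Sophos or of Splunk's own tooling) that validates a two-column CSV lookup in the shape these files take: it checks that the expected columns are present, flags duplicate input keys (Splunk returns the first match, so a duplicate silently shadows later rows), and flags any output value outside an allowed set. The sample lookup content, the column names vendor_action and action, and the allowed set are all constructed for this example; take the column names from the file you are editing and the allowed values from the CIM data model reference for the field you map to.

```python
"""Validate a modified Splunk CSV lookup before deploying it.

Added example, not part of the Splunk Add-on for Sophos. The sample lookup
content, column names and allowed set are constructed for illustration; the
real files under $SPLUNK_HOME/etc/apps/Splunk_TA_sophos/lookups/ may use
different column names, so pass the right ones to validate_lookup().
"""
import csv
import io

# Constructed sample content in the shape of a two-column lookup
# (vendor value -> CIM value). Column names are an assumption.
# Line 5 carries a typo and line 6 repeats the key from line 2 on purpose.
SAMPLE_LOOKUP = """\
vendor_action,action
Allowed,allowed
Blocked,blocked
Quarantined,blocked
Cleaned,deferrd
Allowed,allowed
"""

# Constructed allowed set for the example; in practice take the set from the
# CIM data model reference for the field you are mapping to.
CIM_MALWARE_ACTIONS = {"allowed", "blocked", "deferred"}


def validate_lookup(text, key_field, value_field, allowed_values):
    """Return a list of problem strings; an empty list means the lookup passed."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    for required in (key_field, value_field):
        if required not in fields:
            problems.append(f"missing column: {required}")
    if problems:
        return problems

    seen = {}  # key -> line number where it was first defined
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        key = (row.get(key_field) or "").strip()
        value = (row.get(value_field) or "").strip()
        if not key:
            problems.append(f"line {lineno}: empty {key_field}")
            continue
        if key in seen:
            problems.append(
                f"line {lineno}: duplicate key {key!r} (first seen on line {seen[key]})"
            )
        else:
            seen[key] = lineno
        if value not in allowed_values:
            problems.append(
                f"line {lineno}: {value_field}={value!r} is not in {sorted(allowed_values)}"
            )
    return problems


def apply_lookup(text, key_field, value_field, vendor_value, default=None):
    """Map one vendor value to its CIM value, first match wins.

    This does an exact, case-sensitive comparison. Splunk's own matching
    behaviour for a file lookup is governed by the case_sensitive_match
    setting of the lookup stanza in transforms.conf, so check that setting
    when a mapping unexpectedly fails to apply.
    """
    for row in csv.DictReader(io.StringIO(text)):
        if (row.get(key_field) or "").strip() == vendor_value:
            return (row.get(value_field) or "").strip()
    return default


if __name__ == "__main__":
    for problem in validate_lookup(
        SAMPLE_LOOKUP, "vendor_action", "action", CIM_MALWARE_ACTIONS
    ):
        print(problem)
    print("Quarantined ->", apply_lookup(SAMPLE_LOOKUP, "vendor_action", "action", "Quarantined"))
```

Run it against the real file by reading its contents into the text argument; a non-empty result means the file should not be deployed until the reported rows are fixed. After deploying, confirm the change took effect with a search that uses the mapped field, for example by counting events whose action is not one of the expected values.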
This documentation applies to the following versions of Splunk® Supported Add-ons: released