Sophos Endpoint Protection Data
The Sophos Central Splunk Add-on is required to collect Sophos Endpoint Protection data.
Splunkbase Download: https://splunkbase.splunk.com/app/6186/
Installation and Configuration Guide: https://community.sophos.com/sophos-integrations/w/integrations/109/splunk-add-on-for-sophos-central
How to Install and Configure the Sophos Central Add-on:
- Install the add-on on the heavy forwarder.
- Configure the add-on on the heavy forwarder.
- Configure the application.
- Create an index named sophos, or update the macro definition in the Cyences app (Settings > Configuration) to point at the index you use instead.
- Install the add-on on the search head.
Estimated Data Size
The Sophos Central add-on ingests roughly 60-80 MB of licensed data per day.
The actual volume scales with the size of your organization; the figure above was measured for an organization of around thirty users and a handful of workstations, so larger estates should expect proportionally more.
Sophos Central Metadata through API
Cyences version 1.6 uses the Sophos Central API to collect information about Sophos endpoints. This API data is used in several places throughout the Cyences app, including the Device Inventory dashboard.
Sophos Central API Configuration
- Log in to the Sophos Central Partner portal.
- Click Settings & Policies.
- Click the API Credentials link.
- Add a new set of credentials.
- Provide a name and description for the credential set, pick the least-privileged role the add-on guide calls for, then click Add.
- Click the Copy button at the end of the Client ID.
- Click Show Client Secret. The secret is displayed only once, so store it in a password manager or secrets store at this point; if it is lost, you must create a new credential set.
- Refer to the Sophos Central documentation link below for further assistance.
https://developer.sophos.com/getting-started
Sophos Central API Configuration for Cyences
- From the Cyences navigation bar, go to Cyences Settings > Cyences App Configuration > Sophos Central API Configuration.
- Enter the Client ID and Client Secret for the Sophos Central API configuration.
- Click Save.
How to verify the Sophos Central API configuration:
- From the Cyences navigation bar, click Search.
- Run the following search query:
| sophosinstancedetails all_endpoints=True
- If the search returns any errors, something is wrong with the configuration (most often a mistyped Client ID/Secret, a revoked credential set, or no network path from the search head to the Sophos Central API).
- A successful configuration returns the endpoint records as events, with no errors.
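When the search above fails, it is useful to know whether the credential set itself is at fault or the Cyences configuration is. The following script is an added example, not code from the Cyences app or the Sophos add-on. It exercises the credential set directly against the Sophos Central API in the same order Cyences would: a client_credentials token request, a whoami call to learn the tenant ID and data-region host, then a paged endpoint listing. The HTTP transport is injected so the flow also runs offline against constructed responses; the tenant ID, hostnames and cursor values in constructed_transport are made up for the example, and tenant-scoped credentials are assumed.

```python
"""Exercise a Sophos Central API credential set outside Splunk.

Added example; not code from the Cyences app or the Sophos Central add-on.
Flow: Client ID/Secret -> OAuth2 bearer token -> whoami (tenant ID, data
region) -> /endpoint/v1/endpoints, paged with the nextKey cursor.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"


def urllib_transport(method, url, headers=None, body=None):
    """Real HTTPS transport. Returns (status, decoded JSON body)."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "{}")


def get_token(client_id, client_secret, transport=urllib_transport):
    """client_credentials grant; the secret travels only in this POST body."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode()
    status, data = transport("POST", TOKEN_URL,
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200 or "access_token" not in data:
        # A 401 here means the Client ID/Secret pair is wrong or revoked.
        raise RuntimeError(f"token request failed: HTTP {status} {data}")
    return data["access_token"]


def whoami(token, transport=urllib_transport):
    """Returns the principal record: id, idType and apiHosts."""
    status, data = transport("GET", WHOAMI_URL, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"whoami failed: HTTP {status} {data}")
    return data


def list_endpoints(token, tenant_id, data_region, transport=urllib_transport, page_size=50):
    """Pages through /endpoint/v1/endpoints, following pages.nextKey."""
    base = f"{data_region}/endpoint/v1/endpoints?pageSize={page_size}"
    headers = {"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant_id}
    url, items = base, []
    while url:
        status, data = transport("GET", url, headers)
        if status != 200:
            raise RuntimeError(f"endpoint listing failed: HTTP {status} {data}")
        items.extend(data.get("items", []))
        next_key = data.get("pages", {}).get("nextKey")
        url = f"{base}&pageFromKey={urllib.parse.quote(next_key)}" if next_key else None
    return items


def check_credentials(client_id, client_secret, transport=urllib_transport):
    """End-to-end check; returns a summary dict or raises naming the failing step."""
    token = get_token(client_id, client_secret, transport)
    me = whoami(token, transport)
    if me.get("idType") != "tenant":
        # Partner/organization credentials must enumerate tenants first; this
        # example assumes tenant-scoped credentials, which is what the add-on collects with.
        raise RuntimeError(f"expected tenant credentials, got idType={me.get('idType')}")
    region = me["apiHosts"]["dataRegion"]
    endpoints = list_endpoints(token, me["id"], region, transport)
    return {"tenant_id": me["id"], "data_region": region, "endpoint_count": len(endpoints)}


def constructed_transport(method, url, headers=None, body=None):
    """Constructed offline stand-in for Sophos Central (made-up IDs and hosts):
    one valid secret, one EU-region tenant, three endpoints across two pages."""
    if url == TOKEN_URL:
        fields = urllib.parse.parse_qs(body.decode())
        if fields.get("client_secret") != ["good-secret"]:
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": "tok-123", "token_type": "bearer", "expires_in": 3600}
    if url == WHOAMI_URL and headers.get("Authorization") == "Bearer tok-123":
        return 200, {"id": "a1b2c3", "idType": "tenant",
                     "apiHosts": {"global": "https://api.central.sophos.com",
                                  "dataRegion": "https://api-eu01.central.sophos.com"}}
    if url.startswith("https://api-eu01.central.sophos.com/endpoint/v1/endpoints"):
        if headers.get("X-Tenant-ID") != "a1b2c3":
            return 403, {"error": "Forbidden"}
        if "pageFromKey=" in url:
            return 200, {"items": [{"id": "ep-3", "hostname": "ws-03"}], "pages": {}}
        return 200, {"items": [{"id": "ep-1", "hostname": "ws-01"},
                               {"id": "ep-2", "hostname": "ws-02"}],
                     "pages": {"nextKey": "cursor-2"}}
    return 404, {}


if __name__ == "__main__":
    # Offline run. For a live check, pass urllib_transport and real credentials
    # read from environment variables rather than hard-coding the secret.
    print(check_credentials("client-id", "good-secret", transport=constructed_transport))
```

If get_token fails, the problem is the credential set (or the Partner portal credentials are not tenant-scoped); if the token succeeds but the search in Cyences still errors, look at the Cyences configuration or the search head's outbound connectivity instead.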
Estimated Data Size
Data collected through the Sophos Central API is stored in a KV Store lookup rather than indexed, so it does not count against your Splunk license.