Splunk integration for Sophos Firewall

Credit to Author: Chris McCormack | Date: Mon, 17 May 2021 13:02:48 +0000

The product team is pleased to announce the early access program (EAP) for our new Splunk integration and apps for Sophos Firewall.

As you probably know, Splunk is a world leader in data management and security information and event management (SIEM) and provides a perfect complement to Sophos Firewall and Sophos Central for on-premise firewall log storage and analysis.

The Splunk integration with Sophos Firewall includes two Splunk applications:

  • Sophos Firewall Technology Add-on (TA) for Splunk, which parses the data collected from Sophos Firewall
  • Sophos App for Splunk, which provides a series of pre-packaged dashboards for visualizing data from your Sophos Firewall in Splunk

Here are a couple of examples of what you can see in Splunk with the app:

  • Firewall top 10 applications
  • Threats blocked over time by source (ATP, AV, Sandboxing, WAF)

There are dashboard widgets for:

  • Threats
  • Firewall usage and activity
  • Web traffic, bandwidth, and activity
  • Top applications and clients
  • Traffic types and TLS encryption
  • Users and connections
  • VPN

This new Splunk integration for Sophos Firewall is a great complement to Sophos Central cloud-based firewall reporting: it is useful both for on-premise reporting and for integrating Sophos Firewall into your Splunk SIEM solution.

How to get started

You will need SFOS v18 MR1 build 396 or later running on your Sophos Firewall to participate in this early access program.

Full details on the prerequisites, download links, and setup instructions can be found on the Sophos Community.

Get more information and share your feedback on the community forums.
