
Exporting Alerts to Splunk

Set Up the Splunk Cloud Instance to receive the alerts

To receive events from the sensor, set up an HTTP Event Collector (HEC) in the Splunk instance by following the steps below.

  1. Log in to the Splunk instance and click Add Data.

  2. Click Monitor.

  3. Click HTTP Event Collector.

  4. Enter a name for the event collector and click Next.

  5. Set the Source Type to _json and click Review.

  6. Review the details and click Submit.

  7. The token value for the event collector is shown in this step. Copy it; it is pasted into /etc/sophos/runtimedetections-rules.yaml on the sensor host in the next section.

  8. The details of the event collector can be viewed later from Settings > Data Inputs.

  9. Click HTTP Event Collector.

  10. You can add a new token or view the details of the tokens that already exist.

Some versions of Splunk don't enable HTTP Event Collector tokens by default. If the Status column shows Disabled, click Global Settings and set All Tokens to Enabled.

Enable Indexer Acknowledgement must be unchecked on the token (Actions > Edit in the token details). If it is checked, every post from the sensor fails with the error Data channel is missing, because acknowledgement mode requires an X-Splunk-Request-Channel header that the webhook output does not send.

Configuring Sophos Linux Sensor to send Alerts to a Splunk cloud instance

  1. Update /etc/sophos/runtimedetections-rules.yaml and add an output of type webhook, as shown below.

    Here's an example:

    alert_output:
      outputs:
        - type: webhook
          enabled: true
          url: https://<splunk-cloud-instance>:8088/services/collector/event
          template: '{"event": {{AlertJSON .}}}'
          headers:
            "Authorization": "Splunk <token>"
            "Content-Type": "application/json"

    url: the Splunk instance URL followed by :8088/services/collector/event.

    template: wraps each alert in an event field, which is the envelope the HEC endpoint requires; the alert JSON is rendered by AlertJSON.

    token: the HEC token value copied in step 7 of the Splunk setup above. It follows the word Splunk in the Authorization header. The token is a credential for writing into your Splunk index, so keep the file readable only by root.

  2. Restart the sensor after updating the /etc/sophos/runtimedetections-rules.yaml.

    sudo systemctl restart sophoslinuxsensor

  3. The sensor is now set up to send alerts to the Splunk Cloud instance. To confirm, search the index the token writes to for events with sourcetype _json after triggering or waiting for an alert.
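Before restarting the sensor, it is worth checking the token and collector settings from the sensor host with the exact request shape the webhook output produces. The script below is an added example, not part of the Sophos or Splunk documentation: it renders the page's template, `{"event": {{AlertJSON .}}}`, around a constructed sample alert, posts it with the `Splunk <token>` header, and maps Splunk's documented HEC response codes to the fixes described above (token disabled, indexer acknowledgement enabled, wrong token). The hostname, token and alert fields are placeholders.

```python
"""Smoke-test a Splunk HTTP Event Collector endpoint the way the Sophos
Linux Sensor webhook output will use it.

Added example, not part of the Sophos or Splunk documentation. The alert
below is constructed for illustration; its field names are not the
sensor's real schema. Usage: python3 hec_check.py <splunk-host> <token>
"""
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample alert (illustrative field names only).
SAMPLE_ALERT = {
    "alert_id": "example-0001",
    "hostname": "web-01.example.internal",
    "process": "/usr/bin/nc",
    "rule": "Example: outbound shell",
}

# Splunk HEC JSON response codes (documented by Splunk). The two the page
# warns about are 1 (token disabled) and 10 (indexer acknowledgement on).
HEC_CODES = {
    0: "Success",
    1: "Token disabled: Settings > Data Inputs > HTTP Event Collector > Global Settings > All Tokens: Enabled",
    2: "Token is required: Authorization header missing",
    3: "Invalid authorization",
    4: "Invalid token: check the value pasted into runtimedetections-rules.yaml",
    5: "No data",
    6: "Invalid data format: the template must produce valid JSON",
    7: "Incorrect index",
    10: "Data channel is missing: uncheck Enable Indexer Acknowledgement on the token",
    12: 'Event field is required: the template must wrap the alert in {"event": ...}',
}


def hec_url(splunk_host: str, port: int = 8088) -> str:
    """The endpoint the sensor posts to: https://<host>:8088/services/collector/event."""
    return f"https://{splunk_host}:{port}/services/collector/event"


def render_template(alert: dict) -> bytes:
    """Render the webhook template '{"event": {{AlertJSON .}}}' for one alert."""
    return json.dumps({"event": alert}, separators=(",", ":")).encode()


def hec_headers(token: str) -> dict:
    """Headers from the webhook config; HEC expects 'Splunk <token>'."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def interpret(status: int, body: bytes) -> tuple:
    """Map an HEC response to (ok, explanation) using Splunk's 'code' field."""
    try:
        code = json.loads(body).get("code")
    except ValueError:
        return False, f"HTTP {status}: non-JSON response"
    if status == 200 and code == 0:
        return True, "HEC accepted the event"
    return False, f"HTTP {status}, code {code}: {HEC_CODES.get(code, 'see Splunk HEC docs')}"


def send_test_event(url: str, token: str, alert: dict, verify_tls: bool = True) -> tuple:
    """POST one alert the way the sensor would and interpret the reply."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=render_template(alert),
                                 headers=hec_headers(token), method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as e:  # 4xx/5xx replies still carry the HEC JSON body
        return interpret(e.code, e.read())


if __name__ == "__main__":
    import sys
    host, token = sys.argv[1], sys.argv[2]
    ok, why = send_test_event(hec_url(host), token, SAMPLE_ALERT)
    print(("OK: " if ok else "FAIL: ") + why)
    sys.exit(0 if ok else 1)
```

A 200 with code 0 means the token is enabled, acknowledgement is off and the event envelope is accepted, so the sensor config can be restarted with confidence; any other code points at the Splunk-side setting to revisit. Run it from the sensor host so that it also exercises the same network path and TLS trust the sensor will use.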

More information