Splunk integration

You can send Sophos Cloud Optix data to your Splunk Enterprise or Cloud instance using Splunk's HTTP event collector (HEC) interface.

Sophos Cloud Optix can send the following data:

  • Security monitoring and compliance alerts.
  • Anomaly alerts.
  • GuardDuty alerts from AWS.
  • Audit events generated in Sophos Cloud Optix such as a user signing in, policy changes, and configuration changes.
  • DevSecOps alerts as a result of scanning IaC (infrastructure as code) templates.

To integrate with Splunk Enterprise, do as follows:

  1. In your Splunk instance, generate an HEC token.
  2. In Sophos Cloud Optix, click Integrations.
  3. Click Splunk.
  4. Click Enable.
  5. Enter your Splunk URL and HEC Token.
  6. In Alert Levels, select which Sophos Cloud Optix alerts you want to send to Splunk.
  7. In Alert Post By, choose how alerts are updated:

    • Consolidated: A single alert is updated each time another resource is affected by the same alert type.

      This is the same update method used in the Sophos Cloud Optix Alerts page.

    • Affected Resources: A separate alert is pushed for each affected resource.

  8. Select Enable Sophos Cloud Optix Logs if you want to send Sophos Cloud Optix dashboard logs to Splunk, including user sign-in events, policy-related events, and configuration changes.

  9. Click Save.

To integrate with Splunk Cloud, you must send data using a specific URL for HEC. See Send data to HTTP Event Collector on Splunk Cloud Platform.
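Before saving the integration, it is worth confirming that the URL and HEC token from steps 1 and 5 actually reach a working collector. The following Python script is an added example (not Sophos or Splunk code): it relies on Splunk's documented HEC interface (the `/services/collector/event` endpoint, the `Authorization: Splunk <token>` header and the JSON `{"text": ..., "code": N}` reply), and the test event it posts is constructed.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HEC_EVENT_PATH = "/services/collector/event"  # Splunk's documented HEC event endpoint


def hec_event_url(splunk_url: str) -> str:
    """Turn the Splunk URL from the form into the full HEC event endpoint."""
    parts = urlsplit(splunk_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {splunk_url!r}")
    path = parts.path.rstrip("/")
    if path.endswith("/services/collector"):
        path += "/event"
    elif not path.endswith(HEC_EVENT_PATH):
        path += HEC_EVENT_PATH
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def build_test_request(splunk_url: str, hec_token: str) -> urllib.request.Request:
    """Same shape of POST Cloud Optix sends: token in the Authorization header,
    one JSON event in the body (the event content here is constructed)."""
    body = json.dumps({"sourcetype": "_json",
                       "event": {"message": "Cloud Optix HEC connectivity check"}})
    return urllib.request.Request(
        hec_event_url(splunk_url), data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {hec_token}",
                 "Content-Type": "application/json"})


def check_hec_response(status: int, body: str) -> tuple:
    """HEC replies with JSON {"text": ..., "code": N}; HTTP 200 + code 0 means
    the event was accepted. Otherwise return HEC's text (e.g. "Invalid token")."""
    try:
        payload = json.loads(body)
    except ValueError:  # HTML error page: the URL is probably not the HEC endpoint
        return False, f"HTTP {status}: non-JSON reply from {HEC_EVENT_PATH}"
    return status == 200 and payload.get("code") == 0, str(payload.get("text", status))


def send_test_event(splunk_url: str, hec_token: str) -> tuple:
    """Post one test event and interpret the reply; the only network I/O is here."""
    req = build_test_request(splunk_url, hec_token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 401/403 replies still carry the JSON body
        return check_hec_response(err.code, err.read().decode())
```

Call `send_test_event("https://splunk.example.com:8088", "<your HEC token>")` against your own instance; `(False, "Invalid token")` points at the token field, while a non-JSON reply usually means the URL is not the HEC endpoint (on Splunk Cloud, the http-inputs URL from the linked Splunk page).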