Integrate with Splunk

Sophos Cloud Optix can send data to your Splunk Enterprise or Cloud instance using Splunk's HTTP event collector (HEC) interface.

Sophos Cloud Optix can send the following data:

  • Security monitoring and compliance alerts.
  • Anomaly alerts.
  • GuardDuty alerts from AWS.
  • Audit events generated in Sophos Cloud Optix (like user login, policy changes, configuration changes).
  • DevSecOps alerts as a result of scanning IaC (infrastructure as code) templates.

To integrate with Splunk, do as follows:

  1. In your Splunk instance, generate an HEC token.
  2. In Sophos Cloud Optix, go to Settings > Integration.
  3. Click Splunk.
  4. Enter your Splunk URL and HEC Token.
  5. In Alert Levels, select which Sophos Cloud Optix alerts (for example, Critical) you want to send to Splunk.
  6. In Alert Post By, choose how alerts are updated:
    • Consolidated: A single alert is updated each time another resource is affected by the same alert type (as in the Sophos Cloud Optix alerts page).
    • Affected Resources: A separate alert is pushed for each affected resource.
  7. Select Enable Sophos Cloud Optix Logs if you want to send audit events for Sophos Cloud Optix (including user login events, policy-related events, and configuration changes) to Splunk, so that all events are consolidated there.
  8. To turn on the integration, click Enable and then Save.
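As an added pre-flight check (not part of the Sophos or Splunk documentation), the script below confirms that the URL and HEC token from steps 1 and 4 are accepted by Splunk before you save them in Cloud Optix: it posts one test event the way any HEC client does and reads back HEC's JSON status. The host, port, token and sourcetype are placeholders, and the status-code handling assumes Splunk's documented HEC reply shape (`{"text": ..., "code": 0}` on success).

```python
"""Pre-flight check for a Splunk HTTP Event Collector (HEC) endpoint."""
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"  # Splunk's HEC JSON event endpoint


def hec_url(splunk_url: str) -> str:
    """Normalise the URL typed into the integration form to the HEC event endpoint.
    Accepts a bare host URL (https://host:8088) or one already pointing at the collector."""
    p = urlparse(splunk_url.strip())
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError(f"Splunk URL must start with http:// or https://: {splunk_url!r}")
    path = p.path.rstrip("/")
    if not path.endswith(HEC_PATH):
        path += "/event" if path.endswith("/services/collector") else HEC_PATH
    return f"{p.scheme}://{p.netloc}{path}"


def hec_request(splunk_url: str, token: str, event: dict,
                sourcetype: str = "cloudoptix:preflight") -> urllib.request.Request:
    """Build the request exactly as an HEC client sends it: an 'Authorization: Splunk <token>'
    header and a JSON body wrapping the event in the HEC envelope.
    The default sourcetype is a constructed placeholder, not what Cloud Optix itself sends."""
    body = {"time": int(time.time()), "sourcetype": sourcetype, "event": event}
    return urllib.request.Request(
        hec_url(splunk_url), data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})


def interpret_hec_response(status: int, body: bytes) -> tuple[bool, str]:
    """HEC replies with JSON {"text": ..., "code": N}; only HTTP 200 with code 0 means the event
    was accepted. Auth failures (401/403) still carry that JSON body, so surface its text."""
    try:
        payload = json.loads(body.decode() or "{}")
    except (json.JSONDecodeError, UnicodeDecodeError):
        return False, f"HTTP {status}: non-JSON response (is this really the HEC endpoint?)"
    ok = status == 200 and payload.get("code") == 0
    return ok, f"HTTP {status}: {payload.get('text', 'no message')} (code {payload.get('code')})"


def check_hec(splunk_url: str, token: str, timeout: float = 10) -> tuple[bool, str]:
    """Send one test event and report whether Splunk accepted the token. Requires network access."""
    req = hec_request(splunk_url, token, {"message": "Cloud Optix HEC pre-flight", "test": True})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_hec_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:  # 401/403/400 etc. still have a HEC JSON body
        return interpret_hec_response(e.code, e.read())


if __name__ == "__main__":
    print(check_hec("https://splunk.example.com:8088", "PLACEHOLDER-HEC-TOKEN"))
```

A result other than `code 0` means Cloud Optix will fail to deliver alerts with the same URL and token, so fix the HEC token (step 1) or the URL (step 4) before clicking Enable.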