Skip to content

Splunk integration

You can send Sophos Cloud Optix data to your Splunk Enterprise or Cloud instance using Splunk's HTTP event collector (HEC) interface.

Sophos Cloud Optix can send the following data:

  • Security monitoring and compliance alerts.
  • Anomaly alerts.
  • GuardDuty alerts from AWS.
  • Audit events generated in Sophos Cloud Optix such as a user signing in, policy changes, and configuration changes.
  • DevSecOps alerts as a result of scanning IaC (infrastructure as code) templates.

To integrate with Splunk, do as follows:

  1. In your Splunk instance, generate an HEC token.
  2. In Sophos Cloud Optix, click Integrations.
  3. Click Splunk.
  4. Click Enable.
  5. Enter your Splunk URL and HEC Token.
  6. In Alert Levels, select which Sophos Cloud Optix alerts you want to send to Splunk.
  7. In Alert Post By, choose how alerts are updated:

    • Consolidated: A single alert is updated each time another resource is affected by the same alert type (as in the Sophos Cloud Optix alerts page).
    • Affected Resources: A separate alert is pushed for each affected resource.
  8. Select Enable Sophos Cloud Optix Logs if you want to send Sophos Cloud Optix dashboard logs, including user sign-in events, policy related events, and configuration changes, to Splunk.

  9. Click Save.