You can send Sophos Cloud Optix data to your Splunk Enterprise or Cloud instance using Splunk's HTTP event collector (HEC) interface.
Sophos Cloud Optix can send the following data:
- Security monitoring and compliance alerts.
- Anomaly alerts.
- GuardDuty alerts from AWS.
- Audit events generated in Sophos Cloud Optix such as a user signing in, policy changes, and configuration changes.
- DevSecOps alerts as a result of scanning IaC (infrastructure as code) templates.
To integrate with Splunk, do as follows:
- In your Splunk instance, generate an HEC token.
- In Sophos Cloud Optix, click Integrations.
- Click Splunk.
- Click Enable.
- Enter your Splunk URL and HEC Token.
- In Alert Levels, select which Sophos Cloud Optix alerts you want to send to Splunk.
- In Alert Post By, choose how alerts are updated:
  - Consolidated: A single alert is updated each time another resource is affected by the same alert type (as in the Sophos Cloud Optix alerts page).
  - Affected Resources: A separate alert is pushed for each affected resource.
- Select Enable Sophos Cloud Optix Logs if you want to send Sophos Cloud Optix dashboard logs, including user sign-in events, policy-related events, and configuration changes, to Splunk.
- Click Save.
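A way to check the Splunk URL and HEC token from the first step before saving the integration, as an added example that is not part of the Sophos documentation: it posts one constructed event to Splunk's HEC event endpoint and reads the JSON reply that HEC returns for both accepted and rejected requests. The sample alert fields, the `sophos:cloud-optix` source value and the `SPLUNK_URL`/`SPLUNK_HEC_TOKEN` environment variables are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"  # Splunk HEC endpoint for JSON events


def build_hec_request(splunk_url: str, hec_token: str, event: dict) -> tuple[str, dict, bytes]:
    """Return (url, headers, body) for one HEC event POST; does no network I/O."""
    if not splunk_url.startswith("https://"):
        # HEC authenticates with the bare token in a header, so only send it over TLS
        raise ValueError("Splunk URL must start with https://")
    url = splunk_url.rstrip("/") + HEC_PATH
    headers = {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}
    body = json.dumps({"source": "sophos:cloud-optix", "sourcetype": "_json", "event": event})
    return url, headers, body.encode()


def interpret_hec_response(status: int, body: bytes) -> tuple[bool, str]:
    """HEC replies with JSON {"text": ..., "code": N}; only HTTP 200 with code 0 is success."""
    try:
        reply = json.loads(body.decode() or "{}")
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False, f"HTTP {status}: non-JSON reply, check that the URL is the HEC endpoint"
    ok = status == 200 and reply.get("code") == 0
    return ok, f"HTTP {status}: {reply.get('text', '<no text>')} (code {reply.get('code')})"


def send_test_event(splunk_url: str, hec_token: str, event: dict) -> tuple[bool, str]:
    """POST one event and classify the outcome; a rejected token still returns a JSON body."""
    url, headers, body = build_hec_request(splunk_url, hec_token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_hec_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 400/401/403 replies carry the HEC error JSON
        return interpret_hec_response(err.code, err.read())


# Constructed sample shaped like a Cloud Optix alert; the field names are assumptions
SAMPLE_ALERT = {"alert_type": "security_monitoring", "severity": "high",
                "title": "Test event from HEC integration check"}

if __name__ == "__main__":
    ok, message = send_test_event(os.environ["SPLUNK_URL"], os.environ["SPLUNK_HEC_TOKEN"],
                                  SAMPLE_ALERT)
    print(message)
    raise SystemExit(0 if ok else 1)
```

A successful run prints a reply containing `Success` with code 0; an `Invalid token` reply means the token pasted into Sophos Cloud Optix would be rejected too, so fix it in Splunk before clicking Save.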