splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

All Sophos Logs go to netdlp Index #2395

Closed jungleboogie75 closed 2 months ago

jungleboogie75 commented 2 months ago

What is the sc4s version? 3.22.2

Describe the bug: All of the data for Sophos is sent to the netdlp index rather than being routed to more logical destinations. My customer only had a few sourcetypes from Sophos, but these are the overrides I used:

```
sophos_xg_content_filtering,index,netproxy
sophos_xg_event,index,netauth
sophos_xg_firewall,index,netfw
sophos_xg_waf,index,netwaf
```

mstopa-splunk commented 2 months ago

Hi @jungleboogie75, I added `sophos_xg_firewall,index,netfw` to splunk_metadata.csv and it worked.

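The thread turns on the `key,metadata,value` rows of splunk_metadata.csv overriding the index a sourcetype key would otherwise be routed to. The following is an added example, not code from the sc4s project or either commenter: it parses the four override rows quoted in the issue, rejects malformed rows before they reach a running instance, merges them over a constructed default table (every Sophos XG key defaulting to `netdlp`, as the reporter observed), and lists any key still landing in the catch-all index. The default table, the `ALLOWED_META` set and the function names are assumptions for the demonstration; only the override rows themselves come from the issue.

```python
import csv
import io

# Metadata fields assumed to be settable per key in splunk_metadata.csv
# (assumption: derived from the key,metadata,value layout shown in the issue).
ALLOWED_META = {"index", "source", "sourcetype", "host"}

# Constructed defaults standing in for the vendor-supplied mapping: the issue
# reports every Sophos XG key landing in netdlp before overrides are applied.
DEFAULTS = {
    "sophos_xg_content_filtering": {"index": "netdlp"},
    "sophos_xg_event": {"index": "netdlp"},
    "sophos_xg_firewall": {"index": "netdlp"},
    "sophos_xg_waf": {"index": "netdlp"},
}

# The four override rows quoted in the issue, as local splunk_metadata.csv text.
OVERRIDES_CSV = """\
sophos_xg_content_filtering,index,netproxy
sophos_xg_event,index,netauth
sophos_xg_firewall,index,netfw
sophos_xg_waf,index,netwaf
"""


def parse_overrides(text):
    """Parse key,metadata,value rows into {key: {metadata: value}}.

    Malformed rows raise ValueError so a bad edit is caught by a pre-deploy
    check instead of silently leaving events in the catch-all index.
    """
    rows = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line or comment
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(row)}")
        key, meta, value = (field.strip() for field in row)
        if meta not in ALLOWED_META:
            raise ValueError(f"line {lineno}: unknown metadata field {meta!r}")
        if not key or not value:
            raise ValueError(f"line {lineno}: empty key or value")
        rows.setdefault(key, {})[meta] = value
    return rows


def resolve(key, meta, defaults=DEFAULTS, overrides=None):
    """Effective value for one key: override wins, then default, else None."""
    overrides = overrides or {}
    if meta in overrides.get(key, {}):
        return overrides[key][meta]
    return defaults.get(key, {}).get(meta)


def routing_table(defaults, overrides):
    """Map every known key to the index it will be routed to."""
    keys = sorted(set(defaults) | set(overrides))
    return {k: resolve(k, "index", defaults, overrides) for k in keys}


def unrouted(defaults, overrides, catch_all="netdlp"):
    """Keys still landing in the catch-all index after overrides are applied,
    i.e. the ones the reporter would still find in netdlp."""
    table = routing_table(defaults, overrides)
    return [k for k, idx in table.items() if idx == catch_all]


if __name__ == "__main__":
    ov = parse_overrides(OVERRIDES_CSV)
    for k, idx in routing_table(DEFAULTS, ov).items():
        print(f"{k:30s} -> {idx}")
    print("still in netdlp:", unrouted(DEFAULTS, ov))
```

Run as a script it prints the effective index per key and reports that nothing remains in `netdlp` once all four rows are present; with only the single `sophos_xg_firewall` row from the maintainer's test, the other three keys are listed as still unrouted, which matches what the reporter would see in Splunk.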

For enhancement/bug fix issues please open a new github issue and refer to this one, for support please open a Splunk support ticket