Fortinet Document Library


About the connector

Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners. 

This document provides information about the Sophos Central connector, which facilitates automated interactions with a Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all events or alerts (or specific events or alerts) from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 5.0.0-866

Authored By: Fortinet

Certified: Yes  

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-sophos-central

Prerequisites to configuring the connector

  • You must have the URL of the Sophos Central server to which you will connect and perform automated operations, and credentials (a username-password pair) for an account that can access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Sophos Central server to which you will connect and perform automated operations.
Username Username to access the Sophos Central server to which you will connect and perform automated operations.
Password Password to access the Sophos Central to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate of the Sophos Central server is to be verified or not.
By default, this option is set as True. Leave it set to True in production: with verification disabled, any host that can intercept the connection can impersonate the Sophos Central server and capture the configured username and password.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:  

Function Description Annotation and Category
Get Events Retrieves a list of all events or specific events from the Sophos Central system, based on the filter criteria such as the endpoint ID, event type, alert ID, or other input parameters that you have specified. get_events
Investigation
Get Alerts Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. get_alerts
Investigation
Get Events related to Alert Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the alert ID and optional filter criteria such as the endpoint ID or event type that you have specified. get_alert_related_events
Investigation
Get Reports Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. get_reports
Investigation
Isolate Endpoint Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. isolate_endpoint
Investigation
Unisolate Endpoint Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. unisolate_endpoint
Investigation
Scan Endpoint Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. scan_endpoint
Investigation
Get Threat Cases Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. get_threat_cases
Investigation
Get Details of Threat Case Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. get_details_of_threat_case
Investigation
Get Artifacts of Threat Case Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. get_artifacts_of_threat_case
Investigation

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Endpoint ID ID of the endpoint based on which you want to retrieve events from the Sophos Central system.
Event Type Type of event based on which you want to retrieve events from the Sophos Central system.
Alert ID Alert ID based on which you want to retrieve events from the Sophos Central system.
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return (a page number, not a record offset).

Output

The output contains the following populated JSON schema:

     {
     "events": [ 
         { 
             "source_info": { 
                 "ip": "" 
             }, 
             "appCerts": "", 
             "threat": "", 
             "core_remedy_items": "", 
             "user_id": "", 
             "when": "", 
             "created_at": "", 
             "appSha256": "", 
             "id": "" 
         } 
     ], 
     "filtered": "", 
     "total": "", 
     "nextKey": "" 
}

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned. 

Parameter Description
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return (a page number, not a record offset).

Output

The output contains the following populated JSON schema:

     {
     "alerts": [ 
         { 
             "threat": "", 
             "event_service_event_id": "", 
             "when": "", 
             "created_at": "", 
             "id": "", 
             "location": "", 
             "customer_id": "", 
             "info": "", 
             "source": "", 
             "type": "", 
             "data": { 
                 "endpoint_java_id": "", 
                 "inserted_at": "", 
                 "make_actionable_at": "", 
                 "endpoint_type": "", 
                 "event_service_id": "", 
                 "source_info": { 
                     "ip": "" 
                 }, 
                 "endpoint_id": "", 
                 "endpoint_platform": "", 
                 "user_match_id": "", 
                 "created_at": "" 
             }, 
             "description": "", 
             "threat_cleanable": "", 
             "severity": "" 
         } 
     ], 
     "filtered": "", 
     "total": "", 
     "nextKey": "" 
}
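The Get Events and Get Alerts operations page their results with Limit and Offset, and Offset is documented as a 0-based page index rather than a record offset. The following Python is an added example, not code from the Fortinet connector or its bundled playbooks: it shows a client-side pager that walks every page of an alert listing, stops using the documented "filtered" count, and, for contrast, shows how many records are silently skipped when Offset is advanced by Limit as if it were a record offset. The fetch function and the alert records are constructed stand-ins that only follow the documented page shape ("alerts", "filtered", "total", "nextKey"); the severity values are assumed.

```python
"""Client-side paging over the connector's list responses (added example)."""
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data standing in for a Sophos Central tenant with five alerts.
# Only "id", "severity" and "data.endpoint_id" are used below; the severity strings are assumed.
SAMPLE_ALERTS: List[Dict] = [
    {"id": "a1", "severity": "high", "data": {"endpoint_id": "ep-100"}},
    {"id": "a2", "severity": "low", "data": {"endpoint_id": "ep-101"}},
    {"id": "a3", "severity": "medium", "data": {"endpoint_id": "ep-100"}},
    {"id": "a4", "severity": "high", "data": {"endpoint_id": "ep-102"}},
    {"id": "a5", "severity": "high", "data": {"endpoint_id": "ep-100"}},
]


def fake_get_alerts(limit: int, offset: int) -> Dict:
    """Stand-in for the Get Alerts step: Offset is the 0-based page index,
    so the slice starts at offset * limit (constructed behaviour, per the parameter table)."""
    start = offset * limit
    page = SAMPLE_ALERTS[start:start + limit]
    return {"alerts": page, "filtered": len(SAMPLE_ALERTS),
            "total": len(SAMPLE_ALERTS), "nextKey": ""}


def _as_int(value) -> Optional[int]:
    """'filtered'/'total' are shown as strings in the schema; accept int or numeric string."""
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value)
    return None


def collect_all(fetch: Callable[[int, int], Dict], key: str,
                limit: int = 2, max_pages: int = 100) -> List[Dict]:
    """Walk pages 0, 1, 2, ... until 'filtered' records are collected or a page is short/empty.
    max_pages bounds the loop so a misbehaving server cannot keep a playbook step spinning."""
    items: List[Dict] = []
    seen: Set[str] = set()
    for page_index in range(max_pages):
        page = fetch(limit, page_index)
        batch = page.get(key) or []
        if not batch:
            break
        for item in batch:
            if item["id"] in seen:        # tolerate an overlapping page if the server shifts
                continue
            seen.add(item["id"])
            items.append(item)
        expected = _as_int(page.get("filtered"))
        if expected is not None and len(items) >= expected:
            break
        if len(batch) < limit:            # short page: nothing more to fetch
            break
    return items


def collect_with_record_offset(fetch: Callable[[int, int], Dict], key: str,
                               limit: int = 2, max_pages: int = 100) -> List[Dict]:
    """The common mistake: advancing Offset by Limit as if it were a record offset.
    Against a page-indexed API this jumps several pages at a time and drops records."""
    items: List[Dict] = []
    offset = 0
    for _ in range(max_pages):
        batch = fetch(limit, offset).get(key) or []
        if not batch:
            break
        items.extend(batch)
        offset += limit                   # wrong for a page index; kept to show the effect
    return items


def high_severity_endpoints(alerts: List[Dict]) -> List[str]:
    """Distinct endpoint IDs that carry at least one high-severity alert."""
    return sorted({a["data"]["endpoint_id"] for a in alerts if a.get("severity") == "high"})


if __name__ == "__main__":
    complete = collect_all(fake_get_alerts, "alerts", limit=2)
    skipped = collect_with_record_offset(fake_get_alerts, "alerts", limit=2)
    print("page-indexed walk:", [a["id"] for a in complete])
    print("record-offset walk:", [a["id"] for a in skipped])
    print("endpoints with high-severity alerts:", high_severity_endpoints(complete))
```

With a Limit of 2 the page-indexed walk returns all five alerts, while the record-offset walk asks for pages 0, 2 and 4 and never sees the records on page 1. When wiring this into a playbook, keep the stop condition on "filtered" and the page cap, and do not assume a missing "nextKey" means the listing is complete.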

operation: Get Events related to Alert

Input parameters

Parameter Description
Alert ID ID of the alert whose associated events you want to retrieve from the Sophos Central system.
Endpoint ID (Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system.
Event Type (Optional) Type of event based on which you want to retrieve events from the Sophos Central system.
Limit (Optional) Maximum number of results per page that this operation should return.
Offset (Optional) 0-based index of the page that this operation should return (a page number, not a record offset).

Output

The output contains the following populated JSON schema:

     {
     "origin": "", 
     "appCerts": "", 
     "threat": "", 
     "endpoint_type": "", 
     "user_id": "", 
     "endpoint_id": "", 
     "when": "", 
     "created_at": "", 
     "id": "", 
     "location": "", 
     "source_info": { 
         "ip": "" 
     }, 
     "name": "", 
     "customer_id": "", 
     "core_remedy_items": "", 
     "source": "", 
     "type": "", 
     "severity": "", 
     "appSha256": "", 
     "group": "" 
}

operation: Get Reports

Input parameters

Parameter Description
Report Type Type of report based on which you want to retrieve reports from the Sophos Central system.
Limit (Optional) Maximum number of results per page that this operation should return.
Offset (Optional) 0-based index of the page that this operation should return (a page number, not a record offset).
Ascending Select the Ascending checkbox to sort the results in the ascending order.

Output

When you choose “Users” as the Report Type, then the output contains the following populated JSON schema:

     {
     "filename": "",
     "filtered": "",
     "reports": [ 
         { 
             "last_activity": "", 
             "mobile_devices": [], 
             "deployment_instructions_sent": "", 
             "health_status": "", 
             "logins": "", 
             "endpoints": "", 
             "groups": "", 
             "id": "", 
             "email": "", 
             "name": ""
         } 
     ], 
     "total": "", 
     "summary": { 
             "total": "", 
             "active": "", 
             "dormant": "", 
             "no_devices": "", 
             "inactive": "" 
         } 
}

When you choose “Servers” as the Report Type, then the output contains the following populated JSON schema:

     {
     "filename": "",
     "reports": [ 
         { 
             "last_activity": "", 
             "on_access": "", 
             "last_scan_time": "", 
             "last_login": "", 
             "is_adsync": "", 
             "last_updated": "", 
             "last_scan": "", 
             "health_status": "", 
             "group_name": "", 
             "id": "", 
             "name": ""
         } 
     ], 
     "filtered": "", 
     "summary": { 
         "total": "", 
         "active": "", 
         "unprotected": "", 
         "inactive": "", 
         "domant": ""
     }, 
     "total": "" 
}

When you choose “Computers” as the Report Type, then the output contains the following populated JSON schema:

     {
     "reports": [ 
         { 
             "last_activity": "", 
             "last_user_id": "", 
             "on_access": "", 
             "last_scan_time": ""
         } 
     ]
}

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID ID of the endpoint that you want to isolate on the Sophos Central system.
Comment Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system.

Output

The output contains the following populated JSON schema:

     {
     "failed": [], 
     "succeeded": [] 
}

operation: Unisolate Endpoint

Input parameters

Parameter Description
Endpoint ID ID of the endpoint that you want to unisolate on the Sophos Central system.

Output

The output contains the following populated JSON schema:

     {
     "failed": [], 
     "succeeded": [] 
}

operation: Scan Endpoint

Input parameters

Parameter Description
Endpoint ID ID of the endpoint that you want to scan on the Sophos Central system.

Output

The output contains the following populated JSON schema:

     {
     "message": "" 
}

operation: Get Threat Cases

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Case Type Type of threat case that you want to retrieve from the Sophos Central system.
You can choose between System Generated or Admin Generated.
Endpoint Type Type of endpoint whose threat cases you want to retrieve from the Sophos Central system.
You can choose between Computer or Server.
Priority Priority of the threat cases that you want to retrieve from the Sophos Central system.
You can choose from Medium, High, or Low.
Case Status Status of the threat cases that you want to retrieve from the Sophos Central system.
You can choose from New, In Progress, or Closed.
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return (a page number, not a record offset).

Output

The output contains the following populated JSON schema:

     {
     "summary": { 
         "inprogress": "", 
         "closed": "", 
         "total": "", 
         "new": "" 
     }, 
     "nextKey": "", 
     "total": "", 
     "filtered": "", 
     "cases": [ 
         { 
             "malwareName": "", 
             "endpointName": "", 
             "endpointType": "", 
             "beaconDT": "", 
             "endpointSupportsL3FileAnalysis": "", 
             "rootCauseName": "", 
             "status": "", 
             "supportsDirectPath": "", 
             "numberOfBusinessFiles": "", 
             "hasProcessBeacon": "", 
             "allowedStates": [], 
             "isEndpointDeleted": "", 
             "suspectProcessCount": "", 
             "complexRootCause": { 
                 "source": { 
                     "value": "", 
                     "type": "" 
                 }, 
                 "interaction": "", 
                 "provenance": { 
                     "value": "", 
                     "type": "" 
                 }, 
                 "target": {} 
             }, 
             "cloudCreatedAt": "", 
             "endpointId": "", 
             "rootCauseDT": "", 
             "priority": "", 
             "id": "", 
             "version": "", 
             "customerId": "", 
             "endpointSupportsForensicSnapshots": "", 
             "supportsSortOnDecoration": "" 
         } 
     ] 
}
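A common playbook built from these operations is: list threat cases, pick the open, high-priority ones, isolate their endpoints, and then confirm the isolation before closing the step. The Python below is an added example, not code from the Fortinet connector or its sample playbooks. It consumes the documented Get Threat Cases output ("cases" with "status", "priority", "endpointId" and "isEndpointDeleted") and the documented Isolate Endpoint output ("succeeded" and "failed"). Two assumptions are made: the status and priority strings match the option names in the parameter table (New, In Progress, Closed; High, Medium, Low), and the "succeeded"/"failed" lists carry endpoint IDs. The case records and the isolation response are constructed so the example runs offline.

```python
"""Threat-case triage and isolation-result verification (added example)."""
from typing import Dict, Iterable, List

OPEN_STATUSES = ("New", "In Progress")      # assumed to match the Case Status options
ACT_ON_PRIORITIES = ("High",)               # assumed to match the Priority options

# Constructed sample page in the documented Get Threat Cases shape (fields not needed here omitted).
SAMPLE_CASES: Dict = {
    "summary": {"inprogress": "1", "closed": "1", "total": "7", "new": "5"},
    "nextKey": "", "total": "7", "filtered": "7",
    "cases": [
        {"id": "c1", "status": "New", "priority": "High", "endpointId": "ep-100",
         "isEndpointDeleted": "false", "malwareName": "sample-threat-A"},
        {"id": "c2", "status": "In Progress", "priority": "High", "endpointId": "ep-200",
         "isEndpointDeleted": "false", "malwareName": "sample-threat-B"},
        {"id": "c3", "status": "Closed", "priority": "High", "endpointId": "ep-250",
         "isEndpointDeleted": "false", "malwareName": "sample-threat-A"},   # closed: skip
        {"id": "c4", "status": "New", "priority": "Low", "endpointId": "ep-260",
         "isEndpointDeleted": "false", "malwareName": "sample-pua"},        # low: skip
        {"id": "c5", "status": "New", "priority": "High", "endpointId": "ep-300",
         "isEndpointDeleted": "true", "malwareName": "sample-threat-C"},    # endpoint gone: skip
        {"id": "c6", "status": "New", "priority": "High", "endpointId": "ep-100",
         "isEndpointDeleted": "false", "malwareName": "sample-threat-B"},   # same endpoint as c1
        {"id": "c7", "status": "New", "priority": "High", "endpointId": "ep-400",
         "isEndpointDeleted": "false", "malwareName": "sample-threat-A"},
    ],
}

# Constructed Isolate Endpoint response: ep-400 appears in neither list.
SAMPLE_ISOLATE_RESPONSE: Dict = {"succeeded": ["ep-100"], "failed": ["ep-200"]}


def _is_true(value) -> bool:
    """The schema renders booleans as strings; accept both bool and "true"/"false"."""
    return value is True or str(value).strip().lower() == "true"


def plan_isolation(cases_output: Dict,
                   priorities: Iterable[str] = ACT_ON_PRIORITIES,
                   statuses: Iterable[str] = OPEN_STATUSES) -> Dict[str, List[str]]:
    """Map each endpoint that needs containment to the case IDs that justify it.
    Deduplicates endpoints so one Isolate Endpoint call is issued per machine."""
    plan: Dict[str, List[str]] = {}
    for case in cases_output.get("cases") or []:
        if case.get("status") not in statuses or case.get("priority") not in priorities:
            continue
        if _is_true(case.get("isEndpointDeleted")):
            continue                        # nothing left to isolate
        endpoint_id = case.get("endpointId")
        if not endpoint_id:
            continue
        plan.setdefault(endpoint_id, []).append(case["id"])
    return {ep: sorted(ids) for ep, ids in plan.items()}


def isolation_comment(case_ids: List[str]) -> str:
    """Comment for the Isolate Endpoint step, so the Sophos side records why it happened."""
    return "FortiSOAR automated isolation for threat case(s): " + ", ".join(case_ids)


def check_isolation(requested: Iterable[str], response: Dict) -> Dict[str, List[str]]:
    """Classify each requested endpoint by the Isolate Endpoint response.
    An endpoint in neither list is 'unaccounted': treat it as not isolated, never as success."""
    succeeded = set(response.get("succeeded") or [])
    failed = set(response.get("failed") or [])
    requested = list(requested)
    return {
        "isolated": sorted(e for e in requested if e in succeeded),
        "not_isolated": sorted(e for e in requested if e in failed),
        "unaccounted": sorted(e for e in requested if e not in succeeded and e not in failed),
    }


if __name__ == "__main__":
    plan = plan_isolation(SAMPLE_CASES)
    for endpoint_id, case_ids in sorted(plan.items()):
        print(endpoint_id, "->", isolation_comment(case_ids))
    print(check_isolation(sorted(plan), SAMPLE_ISOLATE_RESPONSE))
```

The check at the end is the part worth keeping: an empty "failed" list is not proof that every endpoint was isolated, so a playbook should only mark an endpoint contained when its ID is present in "succeeded", and should raise the others for manual follow-up (for example by calling Get Details of Threat Case on the driving case IDs).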

operation: Get Details of Threat Case

Input parameters

Parameter Description
Case ID ID of the case whose details you want to retrieve from the Sophos Central system.

Output

The output contains the following populated JSON schema:

     {
     "malwareName": "", 
     "endpointName": "", 
     "endpointType": "", 
     "beaconDT": "", 
     "endpointSupportsL3FileAnalysis": "", 
     "rootCauseName": "", 
     "status": "", 
     "supportsDirectPath": "", 
     "numberOfBusinessFiles": "", 
     "hasProcessBeacon": "", 
     "allowedStates": [], 
     "isEndpointDeleted": "", 
     "suspectProcessCount": "", 
     "complexRootCause": { 
         "source": { 
             "value": "", 
             "type": "" 
         }, 
         "interaction": "", 
         "provenance": { 
             "value": "", 
             "type": "" 
         }, 
         "target": {} 
     }, 
     "cloudCreatedAt": "", 
     "endpointId": "", 
     "rootCauseDT": "", 
     "priority": "", 
     "id": "", 
     "version": "", 
     "customerId": "", 
     "endpointSupportsForensicSnapshots": "", 
     "supportsSortOnDecoration": "" 
}

operation: Get Artifacts of Threat Case

Input parameters

Parameter Description
Case ID ID of the case whose artifacts you want to retrieve from the Sophos Central system.
Filters (Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system.
You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown.
Limit (Optional) Maximum number of results per page that this operation should return.
Offset (Optional) 0-based index of the page that this operation should return (a page number, not a record offset).

Output

The output contains the following populated JSON schema:

     {
     "summary": { 
         "processes": "", 
         "total": "", 
         "business_files": "", 
         "other_files": "", 
         "network_connections": "", 
         "registry_keys": "" 
     }, 
     "nextKey": "", 
     "total": "", 
     "filtered": "", 
     "artifacts": [] 
}

Included playbooks

The Sample - Sophos Central - 1.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps that demonstrate every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.

  • Get Alerts
  • Get Artifacts of Threat Case
  • Get Details of Threat Case
  • Get Events
  • Get Events related to Alert
  • Get Reports
  • Get Threat Cases
  • Isolate Endpoint
  • Scan Endpoint
  • Unisolate Endpoint

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
