Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.
This document describes the Sophos Central connector, which enables automated interactions with a Sophos Central server from FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving all incidents or alerts (or specific ones) from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.0.0-866
Authored By: Fortinet
Certified: Yes
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
```sh
yum install cyops-connector-sophos-central
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Sophos Central server to which you will connect and perform automated operations. |
Username | Username to access the Sophos Central server to which you will connect and perform automated operations. |
Password | Password to access the Sophos Central server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Events | Retrieves a list of all incidents or specific incidents from the Sophos Central system, based on the filter criteria such as the endpoint ID, event/alert type, or other input parameters that you have specified. | get_events Investigation |
Get Alerts | Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. | get_alerts Investigation |
Get Events related to Alert | Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the filter criteria such as the alert ID, event/alert type, or other input parameters that you have specified. | get_alert_related_events Investigation |
Get Reports | Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. | get_reports Investigation |
Isolate Endpoint | Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. | isolate_endpoint Investigation |
Unisolate Endpoint | Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | unisolate_endpoint Investigation |
Scan Endpoint | Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | scan_endpoint Investigation |
Get Threat Cases | Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. | get_threat_cases Investigation |
Get Details of Threat Case | Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. | get_details_of_threat_case Investigation |
Get Artifacts of Threat Case | Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. | get_artifacts_of_threat_case Investigation |
Input parameters for the Get Events operation
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | Type of event based on which you want to retrieve events from the Sophos Central system. |
Alert ID | Alert ID based on which you want to retrieve events from the Sophos Central system. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
```json
{
  "events": [
    {
      "source_info": {
        "ip": ""
      },
      "appCerts": "",
      "threat": "",
      "core_remedy_items": "",
      "user_id": "",
      "when": "",
      "created_at": "",
      "appSha256": "",
      "id": ""
    }
  ],
  "filtered": "",
  "total": "",
  "nextKey": ""
}
```
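The Limit and Offset parameters above page the result set, and the output carries `total` and `nextKey` alongside each page. The following Python is an added example, not the connector's own code: `fetch_page` is a stand-in for a playbook step that runs Get Events with a given Limit and Offset (Offset being the 0-based page index, as documented), and the events it serves are constructed sample data shaped like the output schema above. It shows how a playbook can walk every page safely, with a bounded loop and de-duplication by event `id`, and then pivot the collected events by `appSha256`.

```python
"""Collecting every page of the Get Events operation (added example)."""
from typing import Callable, Dict, List

# Constructed sample data: three events that will be served in pages.
_SAMPLE_EVENTS: List[Dict] = [
    {"id": "evt-1", "threat": "Test-Threat-A", "appSha256": "a" * 64,
     "appCerts": "", "core_remedy_items": "", "user_id": "user-1",
     "when": "2020-01-01T10:00:00Z", "created_at": "2020-01-01T10:00:05Z",
     "source_info": {"ip": "10.0.0.5"}},
    {"id": "evt-2", "threat": "Test-Threat-A", "appSha256": "a" * 64,
     "appCerts": "", "core_remedy_items": "", "user_id": "user-2",
     "when": "2020-01-01T10:01:00Z", "created_at": "2020-01-01T10:01:05Z",
     "source_info": {"ip": "10.0.0.6"}},
    {"id": "evt-3", "threat": "Test-Threat-B", "appSha256": "b" * 64,
     "appCerts": "", "core_remedy_items": "", "user_id": "user-1",
     "when": "2020-01-01T10:02:00Z", "created_at": "2020-01-01T10:02:05Z",
     "source_info": {"ip": "10.0.0.5"}},
]


def fetch_page(limit: int, offset: int) -> Dict:
    """Simulated Get Events call (assumption: stands in for the playbook step).

    Returns one page in the documented shape: events, filtered, total, nextKey.
    """
    start = offset * limit
    chunk = _SAMPLE_EVENTS[start:start + limit]
    more = start + limit < len(_SAMPLE_EVENTS)
    return {
        "events": chunk,
        "filtered": len(_SAMPLE_EVENTS),
        "total": len(_SAMPLE_EVENTS),
        "nextKey": str(offset + 1) if more else "",
    }


def collect_events(fetch: Callable[[int, int], Dict], limit: int = 2,
                   max_pages: int = 100) -> List[Dict]:
    """Walk the pages until a short page or an empty nextKey ends the result set.

    max_pages bounds the loop so a misbehaving server cannot keep the playbook
    spinning, and events are de-duplicated by id in case pages overlap.
    """
    seen, events = set(), []
    for page in range(max_pages):
        resp = fetch(limit, page)
        batch = resp.get("events") or []
        for ev in batch:
            if ev["id"] in seen:
                continue
            seen.add(ev["id"])
            events.append(ev)
        if len(batch) < limit or not resp.get("nextKey"):
            break
    return events


def group_by_hash(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each appSha256 to the ids of the events that reported it,
    the pivot an analyst wants before looking a hash up in other tooling."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        out.setdefault(ev.get("appSha256", ""), []).append(ev["id"])
    return out


if __name__ == "__main__":
    all_events = collect_events(fetch_page, limit=2)
    print(len(all_events), "events collected")
    print(group_by_hash(all_events))
```

In a real playbook the `fetch` callable would wrap the connector step; the stop conditions (short page, empty `nextKey`, page cap) are what keep the loop from running away if the server keeps handing back the same page.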
Input parameters for the Get Alerts operation
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
```json
{
  "alerts": [
    {
      "threat": "",
      "event_service_event_id": "",
      "when": "",
      "created_at": "",
      "id": "",
      "location": "",
      "customer_id": "",
      "info": "",
      "source": "",
      "type": "",
      "data": {
        "endpoint_java_id": "",
        "inserted_at": "",
        "make_actionable_at": "",
        "endpoint_type": "",
        "event_service_id": "",
        "source_info": {
          "ip": ""
        },
        "endpoint_id": "",
        "endpoint_platform": "",
        "user_match_id": "",
        "created_at": ""
      },
      "description": "",
      "threat_cleanable": "",
      "severity": ""
    }
  ],
  "filtered": "",
  "total": "",
  "nextKey": ""
}
```
Input parameters for the Get Events related to Alert operation
Parameter | Description |
---|---|
Alert ID | ID of the alert whose associated events you want to retrieve from the Sophos Central system. |
Endpoint ID | (Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | (Optional) Type of event based on which you want to retrieve events from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
```json
{
  "origin": "",
  "appCerts": "",
  "threat": "",
  "endpoint_type": "",
  "user_id": "",
  "endpoint_id": "",
  "when": "",
  "created_at": "",
  "id": "",
  "location": "",
  "source_info": {
    "ip": ""
  },
  "name": "",
  "customer_id": "",
  "core_remedy_items": "",
  "source": "",
  "type": "",
  "severity": "",
  "appSha256": "",
  "group": ""
}
```
Input parameters for the Get Reports operation
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve reports from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
Ascending | Select the Ascending checkbox to sort the results in ascending order. |
When you choose “Users” as the Report Type, then the output contains the following populated JSON schema:
```json
{
  "filename": "",
  "filtered": "",
  "reports": [
    {
      "last_activity": "",
      "mobile_devices": [],
      "deployment_instructions_sent": "",
      "health_status": "",
      "logins": "",
      "endpoints": "",
      "groups": "",
      "id": "",
      "email": "",
      "name": ""
    }
  ],
  "total": "",
  "summary": {
    "total": "",
    "active": "",
    "dormant": "",
    "no_devices": "",
    "inactive": ""
  }
}
```
When you choose “Servers” as the Report Type, then the output contains the following populated JSON schema:
```json
{
  "filename": "",
  "reports": [
    {
      "last_activity": "",
      "on_access": "",
      "last_scan_time": "",
      "last_login": "",
      "is_adsync": "",
      "last_updated": "",
      "last_scan": "",
      "health_status": "",
      "group_name": "",
      "id": "",
      "name": ""
    }
  ],
  "filtered": "",
  "summary": {
    "total": "",
    "active": "",
    "unprotected": "",
    "inactive": "",
    "domant": ""
  },
  "total": ""
}
```
When you choose “Computers” as the Report Type, then the output contains the following populated JSON schema:
```json
{
  "reports": [
    {
      "last_activity": "",
      "last_user_id": "",
      "on_access": "",
      "last_scan_time": ""
    }
  ]
}
```
Input parameters for the Isolate Endpoint operation
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to isolate on the Sophos Central system. |
Comment | Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system. |
The output contains the following populated JSON schema:
```json
{
  "failed": [],
  "succeeded": []
}
```
Input parameters for the Unisolate Endpoint operation
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to unisolate on the Sophos Central system. |
The output contains the following populated JSON schema:
```json
{
  "failed": [],
  "succeeded": []
}
```
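Both Isolate Endpoint and Unisolate Endpoint return the same `failed`/`succeeded` shape, and a containment playbook should confirm the requested endpoint actually appears in `succeeded` rather than assume the action took effect. The following Python is an added example, not connector code: the page leaves the list items empty, so the code assumes each item is either an endpoint ID string or a dict carrying the ID under `id`, `endpoint_id` or `endpointId` (an assumption), and the sample responses are constructed.

```python
"""Checking the Isolate/Unisolate Endpoint result before continuing (added example)."""
from typing import Dict, Iterable, Set

# Assumed keys under which a dict-shaped list item may carry the endpoint ID.
_ID_KEYS = ("id", "endpoint_id", "endpointId")


def _endpoint_ids(items: Iterable) -> Set[str]:
    """Normalise list items to a set of endpoint ID strings (assumed item shapes)."""
    ids: Set[str] = set()
    for item in items:
        if isinstance(item, str):
            ids.add(item)
        elif isinstance(item, dict):
            for key in _ID_KEYS:
                if key in item:
                    ids.add(str(item[key]))
                    break
    return ids


def action_outcome(response: Dict, endpoint_id: str) -> str:
    """Classify the result for one endpoint: 'succeeded', 'failed' or 'unknown'.

    'unknown' covers an endpoint the server did not list at all; a playbook
    should treat that like a failure instead of assuming containment happened.
    """
    succeeded = _endpoint_ids(response.get("succeeded") or [])
    failed = _endpoint_ids(response.get("failed") or [])
    if endpoint_id in failed:
        return "failed"
    if endpoint_id in succeeded:
        return "succeeded"
    return "unknown"


def next_playbook_step(response: Dict, endpoint_id: str, action: str = "isolate") -> str:
    """Decide the follow-up: continue the playbook, or escalate to an analyst."""
    outcome = action_outcome(response, endpoint_id)
    if outcome == "succeeded":
        return f"{action} confirmed for {endpoint_id}: continue"
    return f"{action} NOT confirmed for {endpoint_id} ({outcome}): escalate"


# Constructed sample responses in the documented shape.
SAMPLE_OK = {"failed": [], "succeeded": ["ep-0001"]}
SAMPLE_FAILED = {"failed": [{"id": "ep-0001", "reason": "offline"}], "succeeded": []}
SAMPLE_EMPTY = {"failed": [], "succeeded": []}

if __name__ == "__main__":
    for resp in (SAMPLE_OK, SAMPLE_FAILED, SAMPLE_EMPTY):
        print(next_playbook_step(resp, "ep-0001"))
    print(next_playbook_step(SAMPLE_OK, "ep-0001", action="unisolate"))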
Input parameters for the Scan Endpoint operation
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to scan on the Sophos Central system. |
The output contains the following populated JSON schema:
```json
{
  "message": ""
}
```
Input parameters for the Get Threat Cases operation
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Case Type | Type of case whose associated threats you want to retrieve from the Sophos Central system. You can choose between System Generated or Admin Generated. |
Endpoint Type | Type of endpoint whose associated threats you want to retrieve from the Sophos Central system. You can choose between Computer or Server. |
Priority | Priority of case based on which you want to retrieve threats from the Sophos Central system. You can choose between Medium, High, or Low. |
Case Status | Status of case based on which you want to retrieve threats from the Sophos Central system. You can choose between New, In Progress, or Closed. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
```json
{
  "summary": {
    "inprogress": "",
    "closed": "",
    "total": "",
    "new": ""
  },
  "nextKey": "",
  "total": "",
  "filtered": "",
  "cases": [
    {
      "malwareName": "",
      "endpointName": "",
      "endpointType": "",
      "beaconDT": "",
      "endpointSupportsL3FileAnalysis": "",
      "rootCauseName": "",
      "status": "",
      "supportsDirectPath": "",
      "numberOfBusinessFiles": "",
      "hasProcessBeacon": "",
      "allowedStates": [],
      "isEndpointDeleted": "",
      "suspectProcessCount": "",
      "complexRootCause": {
        "source": {
          "value": "",
          "type": ""
        },
        "interaction": "",
        "provenance": {
          "value": "",
          "type": ""
        },
        "target": {}
      },
      "cloudCreatedAt": "",
      "endpointId": "",
      "rootCauseDT": "",
      "priority": "",
      "id": "",
      "version": "",
      "customerId": "",
      "endpointSupportsForensicSnapshots": "",
      "supportsSortOnDecoration": ""
    }
  ]
}
```
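The Get Threat Cases output carries both a `summary` of counts and the `cases` themselves, with `priority`, `status` and `rootCauseDT` on each case. The following Python is an added example, not connector code: it ranks the open cases for triage and cross-checks the summary counters against the cases returned. The response is constructed in the documented shape, and the status and priority strings are assumed to match the parameter choices listed above (New, In Progress, Closed; High, Medium, Low), normalised so that variants such as `inprogress` also match.

```python
"""Triage ranking and summary sanity check for Get Threat Cases output (added example)."""
from typing import Dict, List, Optional

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}
STATUS_RANK = {"new": 0, "inprogress": 1, "closed": 2}


def _norm(value) -> str:
    """Lower-case and drop separators: 'In Progress' -> 'inprogress'."""
    return str(value or "").replace(" ", "").replace("_", "").lower()


def open_cases_by_urgency(response: Dict) -> List[str]:
    """IDs of non-closed cases, most urgent first.

    Order: priority (High before Low), then status (New before In Progress),
    then the root-cause timestamp so older untreated cases surface first.
    """
    cases = [c for c in response.get("cases") or [] if _norm(c.get("status")) != "closed"]
    cases.sort(key=lambda c: (
        PRIORITY_RANK.get(_norm(c.get("priority")), len(PRIORITY_RANK)),
        STATUS_RANK.get(_norm(c.get("status")), len(STATUS_RANK)),
        str(c.get("rootCauseDT") or ""),
    ))
    return [c["id"] for c in cases]


def summary_matches_cases(response: Dict) -> Optional[bool]:
    """Compare the summary counters with the cases actually returned.

    Only meaningful when the response holds the whole result set (total equals
    the number of cases); otherwise returns None, because the summary counts
    every case while `cases` holds a single page.
    """
    cases = response.get("cases") or []
    summary = response.get("summary") or {}
    if int(summary.get("total") or 0) != len(cases):
        return None
    counts = {"new": 0, "inprogress": 0, "closed": 0}
    for c in cases:
        status = _norm(c.get("status"))
        if status in counts:
            counts[status] += 1
    return all(int(summary.get(k) or 0) == v for k, v in counts.items())


# Constructed sample response in the documented shape (unused fields omitted).
SAMPLE_CASES = {
    "summary": {"inprogress": 1, "closed": 1, "total": 3, "new": 1},
    "nextKey": "", "total": 3, "filtered": 3,
    "cases": [
        {"id": "case-a", "priority": "Medium", "status": "New",
         "rootCauseDT": "2020-01-02T08:00:00Z", "endpointId": "ep-1", "malwareName": "Test-A"},
        {"id": "case-b", "priority": "High", "status": "In Progress",
         "rootCauseDT": "2020-01-01T08:00:00Z", "endpointId": "ep-2", "malwareName": "Test-B"},
        {"id": "case-c", "priority": "Low", "status": "Closed",
         "rootCauseDT": "2019-12-30T08:00:00Z", "endpointId": "ep-3", "malwareName": "Test-C"},
    ],
}

if __name__ == "__main__":
    print(open_cases_by_urgency(SAMPLE_CASES))
    print(summary_matches_cases(SAMPLE_CASES))
```

A mismatch between the summary and the cases on a complete result set is worth surfacing in the playbook, since it usually means the page was truncated or the filter did not apply as expected.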
Input parameters for the Get Details of Threat Case operation
Parameter | Description |
---|---|
Case ID | ID of the case whose details you want to retrieve from the Sophos Central system. |
The output contains the following populated JSON schema:
```json
{
  "malwareName": "",
  "endpointName": "",
  "endpointType": "",
  "beaconDT": "",
  "endpointSupportsL3FileAnalysis": "",
  "rootCauseName": "",
  "status": "",
  "supportsDirectPath": "",
  "numberOfBusinessFiles": "",
  "hasProcessBeacon": "",
  "allowedStates": [],
  "isEndpointDeleted": "",
  "suspectProcessCount": "",
  "complexRootCause": {
    "source": {
      "value": "",
      "type": ""
    },
    "interaction": "",
    "provenance": {
      "value": "",
      "type": ""
    },
    "target": {}
  },
  "cloudCreatedAt": "",
  "endpointId": "",
  "rootCauseDT": "",
  "priority": "",
  "id": "",
  "version": "",
  "customerId": "",
  "endpointSupportsForensicSnapshots": "",
  "supportsSortOnDecoration": ""
}
```
Input parameters for the Get Artifacts of Threat Case operation
Parameter | Description |
---|---|
Case ID | ID of the case whose artifacts you want to retrieve from the Sophos Central system. |
Filters | (Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system. You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
```json
{
  "summary": {
    "processes": "",
    "total": "",
    "business_files": "",
    "other_files": "",
    "network_connections": "",
    "registry_keys": ""
  },
  "nextKey": "",
  "total": "",
  "filtered": "",
  "artifacts": []
}
```
The Sample - Sophos Central - 1.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.