About the connector
Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.
This document provides information about the Sophos Central connector, which facilitates automated interactions, with Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts or specific incidents or alerts from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.0.0-866
Authored By: Fortinet
Certified: Yes
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-sophos-central
Prerequisites to configuring the connector
- You must have the URL of Sophos Central server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the CyOPsTM instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
URL of the Sophos Central server to which you will connect and perform automated operations. |
| Username |
Username to access the Sophos Central server to which you will connect and perform automated operations. |
| Password |
Password to access the Sophos Central to which you will connect and perform automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Get Events |
Retrieves a list of all incidents or specific incidents from the Sophos Central system, based on the filter criteria such as the endpoint ID, event/alert type, or other input parameters that you have specified. |
get_events
Investigation |
| Get Alerts |
Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. |
get_alerts
Investigation |
| Get Events related to Alert |
Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the filter criteria such as the alert ID, event/alert type, or other input parameters that you have specified. |
get_alert_related_events
Investigation |
| Get Reports |
Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. |
get_reports
Investigation |
| Isolate Endpoint |
Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. |
isolate_endpoint
Investigation |
| Unisolate Endpoint |
Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. |
unisolate_endpoint
Investigation |
| Scan Endpoint |
Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. |
scan_endpoint
Investigation |
| Get Threat Cases |
Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. |
get_threat_cases
Investigation |
| Get Details of Threat Case |
Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. |
get_details_of_threat_case
Investigation |
| Get Artifacts of Threat Case |
Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. |
get_artifacts_of_threat_case
Investigation |
operation: Get Events
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Endpoint ID |
ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
| Event Type |
Type of event based on which you want to retrieve events from the Sophos Central system. |
| Alert ID |
Alert ID based on which you want to retrieve events from the Sophos Central system. |
| Limit |
Maximum number of results per page, that this operation should return. |
| Offset |
0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"events": [
{
"source_info": {
"ip": ""
},
"appCerts": "",
"threat": "",
"core_remedy_items": "",
"user_id": "",
"when": "",
"created_at": "",
"appSha256": "",
"id": ""
}
],
"filtered": "",
"total": "",
"nextKey": ""
}
operation: Get Alerts
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Limit |
Maximum number of results per page, that this operation should return. |
| Offset |
0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"alerts": [
{
"threat": "",
"event_service_event_id": "",
"when": "",
"created_at": "",
"id": "",
"location": "",
"customer_id": "",
"info": "",
"source": "",
"type": "",
"data": {
"endpoint_java_id": "",
"inserted_at": "",
"make_actionable_at": "",
"endpoint_type": "",
"event_service_id": "",
"source_info": {
"ip": ""
},
"endpoint_id": "",
"endpoint_platform": "",
"user_match_id": "",
"created_at": ""
},
"description": "",
"threat_cleanable": "",
"severity": ""
}
],
"filtered": "",
"total": "",
"nextKey": ""
}
operation: Get Events related to Alert
Input parameters
| Parameter |
Description |
| Alert ID |
ID of the alert whose associated events you want to retrieve from the Sophos Central system. |
| Endpoint ID |
(Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
| Event Type |
(Optional) Type of event based on which you want to retrieve events from the Sophos Central system. |
| Limit |
(Optional) Maximum number of results per page, that this operation should return. |
| Offset |
(Optional) 0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"origin": "",
"appCerts": "",
"threat": "",
"endpoint_type": "",
"user_id": "",
"endpoint_id": "",
"when": "",
"created_at": "",
"id": "",
"location": "",
"source_info": {
"ip": ""
},
"name": "",
"customer_id": "",
"core_remedy_items": "",
"source": "",
"type": "",
"severity": "",
"appSha256": "",
"group": ""
}
operation: Get Reports
Input parameters
| Parameter |
Description |
| Report Type |
Type of report based on which you want to retrieve reports from the Sophos Central system. |
| Limit |
(Optional) Maximum number of results per page, that this operation should return. |
| Offset |
(Optional) 0-based index of the page that this operation should return. |
| Ascending |
Select the Ascending checkbox to sort the results in the ascending order. |
Output
When you choose “Users” as the Report Type, then the output contains the following populated JSON schema:
{
"filename": "",
"filtered": "",
"reports": [
{
"last_activity": "",
"mobile_devices": [],
"deployment_instructions_sent": "",
"health_status": "",
"logins": "",
"endpoints": "",
"groups": "",
"id": "",
"email": "",
"name": ""
}
],
"total": "",
"summary": ""
{
"total": "",
"active": "",
"dormant": "",
"no_devices": "",
"inactive": ""
}
}
When you choose “Servers” as the Report Type, then the output contains the following populated JSON schema:
{
"filename": "",
"reports": [
{
"last_activity": "",
"on_access": "",
"last_scan_time": "",
"last_login": "",
"is_adsync": "",
"last_updated": "",
"last_scan": "",
"health_status": "",
"group_name": "",
"id": "",
"name": ""
}
],
"filtered": "",
"summary": ""
{
"total": "",
"active": "",
"unprotected": "",
"inactive": ""
"domant": ""
}
"total": ""
}
When you choose “Computers” as the Report Type, then the output contains the following populated JSON schema
{
"reports": [
{
"last_activity": "",
"last_user_id": "",
"on_access": "",
"last_scan_time": ""
}
]
}
operation: Isolate Endpoint
Input parameters
| Parameter |
Description |
| Endpoint ID |
ID of the endpoint that you want to isolate on the Sophos Central system. |
| Comment |
Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system. |
Output
The output contains the following populated JSON schema:
{
"failed": [],
"succeeded": []
}
operation: Unisolate Endpoint
Input parameters
| Parameter |
Description |
| Endpoint ID |
ID of the endpoint that you want to unisolate on the Sophos Central system. |
Output
The output contains the following populated JSON schema:
{
"failed": [],
"succeeded": []
}
operation: Scan Endpoint
Input parameters
| Parameter |
Description |
| Endpoint ID |
ID of the endpoint that you want to scan on the Sophos Central system. |
Output
The output contains the following populated JSON schema:
{
"message": ""
}
operation: Get Threat Cases
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Case Type |
Type of case whose associated threats you want to retrieve from the Sophos Central system.
You can choose between System Generated or Admin Generated. |
| Endpoint Type |
Type of endpoint whose associated threats you want to retrieve from the Sophos Central system.
You can choose between Computer or Server. |
| Priority |
Priority of case based on which you want to retrieve threats from the Sophos Central system.
You can choose between Medium, High, or Low. |
| Case Status |
Status of case based on which you want to retrieve threats from the Sophos Central system.
You can choose between New In Progress, or Closed. |
| Limit |
Maximum number of results, per page, that this operation should return. |
| Offset |
0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"summary": {
"inprogress": "",
"closed": "",
"total": "",
"new": ""
},
"nextKey": "",
"total": "",
"filtered": "",
"cases": [
{
"malwareName": "",
"endpointName": "",
"endpointType": "",
"beaconDT": "",
"endpointSupportsL3FileAnalysis": "",
"rootCauseName": "",
"status": "",
"supportsDirectPath": "",
"numberOfBusinessFiles": "",
"hasProcessBeacon": "",
"allowedStates": [],
"isEndpointDeleted": "",
"suspectProcessCount": "",
"complexRootCause": {
"source": {
"value": "",
"type": ""
},
"interaction": "",
"provenance": {
"value": "",
"type": ""
},
"target": {}
},
"cloudCreatedAt": "",
"endpointId": "",
"rootCauseDT": "",
"priority": "",
"id": "",
"version": "",
"customerId": "",
"endpointSupportsForensicSnapshots": "",
"supportsSortOnDecoration": ""
}
]
}
operation: Get Details of Threat Case
Input parameters
| Parameter |
Description |
| Case ID |
ID of the case whose details you want to retrieve from the Sophos Central system. |
Output
The output contains the following populated JSON schema:
{
"malwareName": "",
"endpointName": "",
"endpointType": "",
"beaconDT": "",
"endpointSupportsL3FileAnalysis": "",
"rootCauseName": "",
"status": "",
"supportsDirectPath": "",
"numberOfBusinessFiles": "",
"hasProcessBeacon": "",
"allowedStates": [],
"isEndpointDeleted": "",
"suspectProcessCount": "",
"complexRootCause": {
"source": {
"value": "",
"type": ""
},
"interaction": "",
"provenance": {
"value": "",
"type": ""
},
"target": {}
},
"cloudCreatedAt": "",
"endpointId": "",
"rootCauseDT": "",
"priority": "",
"id": "",
"version": "",
"customerId": "",
"endpointSupportsForensicSnapshots": "",
"supportsSortOnDecoration": ""
}
operation: Get Artifacts of Threat Case
Input parameters
| Parameter |
Description |
| Case ID |
ID of the case whose artifacts you want to retrieve from the Sophos Central system. |
| Filters |
(Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system.
You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown. |
| Limit |
(Optional) Maximum number of results, per page, that this operation should return. |
| Offset |
(Optional) 0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"summary": {
"processes": "",
"total": "",
"business_files": "",
"other_files": "",
"network_connections": "",
"registry_keys": ""
},
"nextKey": "",
"total": "",
"filtered": "",
"artifacts": []
}
Included playbooks
The Sample - Sophos Central - 1.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.
- Get Alerts
- Get Artifacts of Threat Case
- Get Details of Threat Case
- Get Events
- Get Events related to Alert
- Get Reports
- Get Threat Cases
- Isolate Endpoint
- Scan Endpoint
- Unisolate Endpoint
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
