Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.
This document provides information about the Sophos Central connector, which facilitates automated interactions with a Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts, or specific incidents or alerts, from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.
Connector Version: 2.0.0
Authored By: Fortinet
Certified: No
The following enhancements have been made to the Sophos Central Connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-sophos-central
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Sophos Central server to which you will connect and perform automated operations. |
Username | Username to access the Sophos Central server to which you will connect and perform automated operations. |
Password | Password to access the Sophos Central server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Events | Retrieves a list of all incidents or specific incidents from the Sophos Central system, based on the filter criteria such as the endpoint ID, event/alert type, or other input parameters that you have specified. | get_events Investigation |
Get Alerts | Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. | get_alerts Investigation |
Get Events related to Alert | Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the filter criteria such as the alert ID, event/alert type, or other input parameters that you have specified. | get_alert_related_events Investigation |
Get Reports | Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. | get_reports Investigation |
Isolate Endpoint | Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. | isolate_endpoint Investigation |
Unisolate Endpoint | Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | unisolate_endpoint Investigation |
Scan Endpoint | Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | scan_endpoint Investigation |
Get Threat Cases | Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. | get_threat_cases Investigation |
Get Details of Threat Case | Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. | get_details_of_threat_case Investigation |
Get Artifacts of Threat Case | Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. | get_artifacts_of_threat_case Investigation |
Add Allow and Block Entry | Adds an "Allow and Block Entry" to the Sophos Central system based on the entry ID and action you have specified. | add_allow_block_entry Investigation |
Get Allow and Block Entries | Retrieves all the Allow and Block entries of email addresses or domains from the Sophos Central system. | get_allow_block_entries Investigation |
Delete Allow and Block Entry | Deletes an "Allow and Block Entry" from the Sophos Central system based on the entry ID you have specified. | delete_allow_block_entry Investigation |
Add MailBox | Adds a MailBox to the Sophos Central system based on the mailbox name, type, and address you have specified. | add_mailbox Investigation |
Get Mail Boxes | Retrieves information of mailboxes from the Sophos Central system. | get_mailboxes Investigation |
Get MailBox Details | Retrieves details of a specific mailbox from the Sophos Central system based on the mailbox ID you have specified. | get_mailbox_details Investigation |
Delete MailBox | Deletes a mailbox from the Sophos Central system based on the directory object ID you have specified. | delete_mailbox Investigation |
Get Quarantine Messages | Retrieves all quarantined messages from the Sophos Central system. | get_quarantine_messages Investigation |
Add Blocked Items | Adds blocked items to the Sophos Central system based on the SHA256 value of the item and other input parameters you have specified. | add_blocked_items Investigation |
Get Blocked Items | Retrieves all blocked items from the Sophos Central system. | get_blocked_items Investigation |
Delete Blocked Items | Deletes an item from the Blocked Items in the Sophos Central system based on the blocked item ID you have specified. | delete_blocked_items Investigation |
Add Global Exclusion | Adds an exclusion with specified values to Global Exclusions in the Sophos Central system based on the exclusion name, target, and type you have specified. | add_global_exclusion Investigation |
Get Global Exclusions | Retrieves all global exclusions from the Sophos Central system. | get_global_exclusions Investigation |
Remove Global Exclusion | Removes a specified exclusion from Global Exclusions from the Sophos Central system based on the exclusion name you have specified. | remove_global_exclusion Investigation |
Get Endpoint ID for Computer | Retrieves the endpoint ID for a specific computer from the Sophos Central system based on the computer name you have specified. | get_endpoint_id Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | Type of event based on which you want to retrieve events from the Sophos Central system. |
Alert ID | Alert ID based on which you want to retrieve events from the Sophos Central system. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"events": [
{
"source_info": {
"ip": ""
},
"appCerts": "",
"threat": "",
"core_remedy_items": "",
"user_id": "",
"when": "",
"created_at": "",
"appSha256": "",
"id": ""
}
],
"filtered": "",
"total": "",
"nextKey": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"alerts": [
{
"threat": "",
"event_service_event_id": "",
"when": "",
"created_at": "",
"id": "",
"location": "",
"customer_id": "",
"info": "",
"source": "",
"type": "",
"data": {
"endpoint_java_id": "",
"inserted_at": "",
"make_actionable_at": "",
"endpoint_type": "",
"event_service_id": "",
"source_info": {
"ip": ""
},
"endpoint_id": "",
"endpoint_platform": "",
"user_match_id": "",
"created_at": ""
},
"description": "",
"threat_cleanable": "",
"severity": ""
}
],
"filtered": "",
"total": "",
"nextKey": ""
}
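The Limit and Offset inputs of Get Alerts page through the alert list, and the alerts output above is what a playbook then has to triage. The following is an added example, not connector code: `fetch_alerts_page` is a stand-in for the Get Alerts operation that returns the documented shape from a constructed sample, `iter_all_alerts` walks every page using Offset as a 0-based page index, and `endpoints_to_review` groups qualifying alerts by endpoint so an analyst can review the list before an Isolate Endpoint step runs. All alert values, severities and event type strings are constructed.

```python
"""Page through Get Alerts output and select endpoints for isolation review.

Added example; not part of the Sophos Central connector. fetch_alerts_page
stands in for the connector's Get Alerts operation (Limit / Offset inputs,
alerts / filtered / total / nextKey output as documented). Sample data is
constructed.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, Iterator, List

# Constructed alerts shaped like the documented Get Alerts output.
SAMPLE_ALERTS: List[dict] = [
    {"id": "a1", "severity": "high", "type": "Event::Endpoint::Threat::Detected",
     "threat": "Troj/Sample-A", "data": {"endpoint_id": "ep-001", "endpoint_type": "computer"}},
    {"id": "a2", "severity": "medium", "type": "Event::Endpoint::Threat::Detected",
     "threat": "PUA/Sample-B", "data": {"endpoint_id": "ep-002", "endpoint_type": "computer"}},
    {"id": "a3", "severity": "high", "type": "Event::Endpoint::Threat::CleanedUp",
     "threat": "Troj/Sample-A", "data": {"endpoint_id": "ep-001", "endpoint_type": "computer"}},
    {"id": "a4", "severity": "high", "type": "Event::Endpoint::Threat::Detected",
     "threat": "Mal/Sample-C", "data": {"endpoint_id": "ep-003", "endpoint_type": "server"}},
    {"id": "a5", "severity": "low", "type": "Event::Endpoint::UpdateSuccess",
     "threat": None, "data": {"endpoint_id": "ep-002", "endpoint_type": "computer"}},
]


def fetch_alerts_page(limit: int, offset: int) -> dict:
    """Stand-in for the connector's Get Alerts operation.

    Offset is the 0-based index of the page (as documented), not an item
    offset, so page N starts at item N * limit.
    """
    start = offset * limit
    page = SAMPLE_ALERTS[start:start + limit]
    return {"alerts": page, "filtered": len(SAMPLE_ALERTS),
            "total": len(SAMPLE_ALERTS), "nextKey": ""}


def iter_all_alerts(fetch: Callable[[int, int], dict], limit: int = 2) -> Iterator[dict]:
    """Yield alerts from every page until `total` have been seen.

    Also stops on an empty page, which guards against `total` changing
    between calls (alerts arriving while the playbook is running).
    """
    seen = 0
    page_index = 0
    while True:
        resp = fetch(limit, page_index)
        alerts = resp.get("alerts") or []
        if not alerts:
            return
        for alert in alerts:
            seen += 1
            yield alert
        total = int(resp.get("total") or 0)
        if total and seen >= total:
            return
        page_index += 1


def endpoints_to_review(alerts: Iterable[dict], min_severity: str = "high",
                        ignore_types: Iterable[str] = ("Event::Endpoint::Threat::CleanedUp",)
                        ) -> Dict[str, List[str]]:
    """Group qualifying alerts by data.endpoint_id.

    Returns {endpoint_id: [alert ids]} so the analyst sees why each endpoint
    was selected before any Isolate Endpoint step is approved. Alerts whose
    type is in ignore_types (e.g. already cleaned up) are skipped.
    """
    rank = {"low": 0, "medium": 1, "high": 2}
    threshold = rank[min_severity]
    ignored = set(ignore_types)
    by_endpoint: Dict[str, List[str]] = defaultdict(list)
    for alert in alerts:
        if alert.get("type") in ignored:
            continue
        if rank.get(str(alert.get("severity", "")).lower(), -1) < threshold:
            continue
        endpoint_id = (alert.get("data") or {}).get("endpoint_id")
        if endpoint_id:
            by_endpoint[endpoint_id].append(alert["id"])
    return dict(by_endpoint)


if __name__ == "__main__":
    collected = list(iter_all_alerts(fetch_alerts_page, limit=2))
    print(f"collected {len(collected)} alerts across pages")
    print(endpoints_to_review(collected))
```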
Parameter | Description |
---|---|
Alert ID | ID of the alert whose associated events you want to retrieve from the Sophos Central system. |
Endpoint ID | (Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | (Optional) Type of event based on which you want to retrieve events from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"origin": "",
"appCerts": "",
"threat": "",
"endpoint_type": "",
"user_id": "",
"endpoint_id": "",
"when": "",
"created_at": "",
"id": "",
"location": "",
"source_info": {
"ip": ""
},
"name": "",
"customer_id": "",
"core_remedy_items": "",
"source": "",
"type": "",
"severity": "",
"appSha256": "",
"group": ""
}
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve reports from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
Ascending | Select the Ascending checkbox to sort the results in the ascending order. |
When you choose “Users” as the Report Type, then the output contains the following populated JSON schema:
{
"filename": "",
"filtered": "",
"reports": [
{
"last_activity": "",
"mobile_devices": [],
"deployment_instructions_sent": "",
"health_status": "",
"logins": "",
"endpoints": "",
"groups": "",
"id": "",
"email": "",
"name": ""
}
],
"total": "",
"summary": {
"total": "",
"active": "",
"dormant": "",
"no_devices": "",
"inactive": ""
}
}
When you choose “Servers” as the Report Type, then the output contains the following populated JSON schema:
{
"filename": "",
"reports": [
{
"last_activity": "",
"on_access": "",
"last_scan_time": "",
"last_login": "",
"is_adsync": "",
"last_updated": "",
"last_scan": "",
"health_status": "",
"group_name": "",
"id": "",
"name": ""
}
],
"filtered": "",
"summary": {
"total": "",
"active": "",
"unprotected": "",
"inactive": "",
"dormant": ""
},
"total": ""
}
When you choose “Computers” as the Report Type, then the output contains the following populated JSON schema:
{
"reports": [
{
"last_activity": "",
"last_user_id": "",
"on_access": "",
"last_scan_time": ""
}
]
}
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to isolate on the Sophos Central system. |
Comment | Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"failed": [],
"succeeded": []
}
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to unisolate on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"failed": [],
"succeeded": []
}
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to scan on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"message": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Case Type | Type of case whose associated threats you want to retrieve from the Sophos Central system. You can choose between System Generated or Admin Generated. |
Endpoint Type | Type of endpoint whose associated threats you want to retrieve from the Sophos Central system. You can choose between Computer or Server. |
Priority | Priority of case based on which you want to retrieve threats from the Sophos Central system. You can choose between Medium, High, or Low. |
Case Status | Status of case based on which you want to retrieve threats from the Sophos Central system. You can choose between New, In Progress, or Closed. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"summary": {
"inprogress": "",
"closed": "",
"total": "",
"new": ""
},
"nextKey": "",
"total": "",
"filtered": "",
"cases": [
{
"malwareName": "",
"endpointName": "",
"endpointType": "",
"beaconDT": "",
"endpointSupportsL3FileAnalysis": "",
"rootCauseName": "",
"status": "",
"supportsDirectPath": "",
"numberOfBusinessFiles": "",
"hasProcessBeacon": "",
"allowedStates": [],
"isEndpointDeleted": "",
"suspectProcessCount": "",
"complexRootCause": {
"source": {
"value": "",
"type": ""
},
"interaction": "",
"provenance": {
"value": "",
"type": ""
},
"target": {}
},
"cloudCreatedAt": "",
"endpointId": "",
"rootCauseDT": "",
"priority": "",
"id": "",
"version": "",
"customerId": "",
"endpointSupportsForensicSnapshots": "",
"supportsSortOnDecoration": ""
}
]
}
Parameter | Description |
---|---|
Case ID | ID of the case whose details you want to retrieve from the Sophos Central system. |
The output contains the following populated JSON schema:
{
"malwareName": "",
"endpointName": "",
"endpointType": "",
"beaconDT": "",
"endpointSupportsL3FileAnalysis": "",
"rootCauseName": "",
"status": "",
"supportsDirectPath": "",
"numberOfBusinessFiles": "",
"hasProcessBeacon": "",
"allowedStates": [],
"isEndpointDeleted": "",
"suspectProcessCount": "",
"complexRootCause": {
"source": {
"value": "",
"type": ""
},
"interaction": "",
"provenance": {
"value": "",
"type": ""
},
"target": {}
},
"cloudCreatedAt": "",
"endpointId": "",
"rootCauseDT": "",
"priority": "",
"id": "",
"version": "",
"customerId": "",
"endpointSupportsForensicSnapshots": "",
"supportsSortOnDecoration": ""
}
Parameter | Description |
---|---|
Case ID | ID of the case whose artifacts you want to retrieve from the Sophos Central system. |
Filters | (Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system. You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"summary": {
"processes": "",
"total": "",
"business_files": "",
"other_files": "",
"network_connections": "",
"registry_keys": ""
},
"nextKey": "",
"total": "",
"filtered": "",
"artifacts": []
}
Parameter | Description |
---|---|
Entry | Entry that you want to add to the "Allow and Block Entries" on the Sophos Central system. |
Action | Action that you want to perform on the entry that you want to add to the "Allow and Block Entries" on the Sophos Central system. You can choose between Allow or Block. |
Override Duplicates | Select the Override Duplicates checkbox if you want to replace the entry if the entry already exists in the "Allow and Block Entries" in the Sophos Central system. |
The output contains the following populated JSON schema:
{
"list_type": "",
"id": "",
"entry_type": "",
"entry": "",
"created_at": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"total": "",
"nextKey": "",
"filtered": "",
"entries": [
{
"list_type": "",
"id": "",
"entry_type": "",
"entry": "",
"created_at": ""
}
]
}
Parameter | Description |
---|---|
Entry ID | ID of the entry that you want to delete from the "Allow and Block Entries" on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"Success": ""
}
Parameter | Description |
---|---|
MailBox Type | Type of the mailbox that you want to add to Sophos Central. You can choose between User, Public Folder, or Distribution Group. |
Mailbox Name | Name of the mailbox that you want to add to Sophos Central. |
Mailbox Address | Address of mailbox that you want to add to Sophos Central. |
The output contains the following populated JSON schema:
{
"associated_customer_info": {
"skip_checks_max_reached": ""
},
"mailbox_address": "",
"is_external": "",
"mailbox_type": "",
"date_created": "",
"directory_object_id": "",
"id": "",
"endpoint_id": "",
"endpoint_id_ruby": "",
"skip_inbound_checks_enabled": "",
"mailbox_name": "",
"owner_directory_object_id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"total": "",
"nextKey": "",
"filtered": "",
"mailboxes": [
{
"associated_customer_info": {
"skip_checks_max_reached": ""
},
"mailbox_address": "",
"is_external": "",
"mailbox_type": "",
"date_created": "",
"directory_object_id": "",
"id": "",
"endpoint_id": "",
"endpoint_id_ruby": "",
"skip_inbound_checks_enabled": "",
"mailbox_name": "",
"owner_directory_object_id": ""
}
]
}
Parameter | Description |
---|---|
MailBox ID | ID of the mailbox for which you want to retrieve details from Sophos Central. |
The output contains the following populated JSON schema:
{
"associated_customer_info": {
"skip_checks_max_reached": ""
},
"mailbox_address": "",
"is_external": "",
"mailbox_type": "",
"date_created": "",
"aliases": [],
"directory_object_id": "",
"id": "",
"endpoint_id": "",
"endpoint_id_ruby": "",
"skip_inbound_checks_enabled": "",
"mailbox_name": "",
"owner_directory_object_id": ""
}
Parameter | Description |
---|---|
Directory Object ID | ID of the directory object that you want to delete from the Sophos Central system. |
The output contains the following populated JSON schema:
{
"Success": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Sort Field | Field on which you want to sort quarantined messages retrieved from the Sophos Central system. You can choose from the following options: Date, Sender, Recipient, or Quarantine_Reason. |
Sort Order | Order to sort quarantined messages retrieved from the Sophos Central system. You can choose between Ascending or Descending. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"nextKey": "",
"messages": [
{
"sent_timestamp": "",
"to": "",
"direction": "",
"quarantine_reason": "",
"message_id": "",
"mailbox_id": "",
"subject": "",
"from": {
"address": "",
"name": ""
}
}
],
"filtered": "",
"total": ""
}
Parameter | Description |
---|---|
SHA256 | SHA256 value of the item that you want to add to the blocked items on Sophos Central. |
Comment | (Optional) Comment that you want to add to the item that you want to add to the blocked items on Sophos Central. |
Artifact Name | (Optional) Name of the artifact that you want to add to the blocked items on Sophos Central. |
The output contains the following populated JSON schema:
{
"Success": ""
}
This operation does not take any input parameters.
The output contains the following populated JSON schema:
{
"ruleType": "",
"rules": [
{
"id": "",
"actionedById": "",
"createdAt": "",
"criteria": {
"type": "",
"value": ""
},
"context": {
"artifactName": "",
"comment": ""
},
"actionedByName": ""
}
],
"customerId": ""
}
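Add Blocked Items takes a SHA256 value, and Get Blocked Items returns the rules already in place with the hash under `criteria.value`. The following added example (not connector code) validates candidate hashes before they reach Add Blocked Items and checks them against a Get Blocked Items payload so duplicates and malformed values are reported instead of sent; the payload, rule IDs and hash values are constructed, and the `plan_block_requests` helper is hypothetical.

```python
"""Validate SHA256 values and de-duplicate against Get Blocked Items output.

Added example; not part of the Sophos Central connector. The blocked-items
payload below is constructed in the documented Get Blocked Items shape
(ruleType, rules[].criteria.value, context, customerId); hashes are
placeholders.
"""
import re
from typing import Dict, Iterable, List, Optional

# A SHA256 digest is exactly 64 hex characters; compared lower-cased.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed Get Blocked Items response.
SAMPLE_BLOCKED_ITEMS: dict = {
    "ruleType": "blocklist",
    "customerId": "cust-0001",
    "rules": [
        {"id": "rule-1", "actionedById": "u-1", "actionedByName": "analyst",
         "createdAt": "2021-01-01T00:00:00Z",
         "criteria": {"type": "sha256", "value": "a" * 64},
         "context": {"artifactName": "dropper.exe", "comment": "IR-100"}},
        {"id": "rule-2", "actionedById": "u-1", "actionedByName": "analyst",
         "createdAt": "2021-01-02T00:00:00Z",
         "criteria": {"type": "sha256", "value": "B" * 64},  # upper-case on purpose
         "context": {"artifactName": "", "comment": ""}},
    ],
}


def normalize_sha256(value: str) -> str:
    """Strip and lower-case a hash; raise ValueError if it is not 64 hex chars.

    Rejecting malformed input here keeps truncated hashes, MD5s or pasted
    text out of the block list, where they would never match anything.
    """
    cleaned = value.strip().lower()
    if not SHA256_RE.match(cleaned):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return cleaned


def existing_sha256s(blocked_items: dict) -> Dict[str, str]:
    """Map each SHA256 already blocked -> rule id, from a Get Blocked Items payload."""
    known: Dict[str, str] = {}
    for rule in blocked_items.get("rules") or []:
        criteria = rule.get("criteria") or {}
        if str(criteria.get("type", "")).lower() != "sha256":
            continue
        try:
            known[normalize_sha256(criteria["value"])] = rule["id"]
        except (KeyError, ValueError):
            continue  # skip an unusable rule rather than fail the whole playbook
    return known


def plan_block_requests(candidates: Iterable[str], blocked_items: dict,
                        comment: str, artifact_name: Optional[str] = None) -> dict:
    """Split candidate hashes into Add Blocked Items inputs, duplicates and rejects.

    Returns {"to_add": [{"SHA256", "Comment", "Artifact Name"}],
             "already_blocked": {sha256: rule_id}, "invalid": [raw values]}.
    Hashes repeated within the candidate list are only queued once.
    """
    known = existing_sha256s(blocked_items)
    plan: dict = {"to_add": [], "already_blocked": {}, "invalid": []}
    queued = set()
    for raw in candidates:
        try:
            digest = normalize_sha256(raw)
        except ValueError:
            plan["invalid"].append(raw)
            continue
        if digest in known:
            plan["already_blocked"][digest] = known[digest]
        elif digest not in queued:
            queued.add(digest)
            plan["to_add"].append({"SHA256": digest, "Comment": comment,
                                   "Artifact Name": artifact_name or ""})
    return plan


if __name__ == "__main__":
    incoming: List[str] = ["A" * 64, " " + "c" * 64 + "\n", "c" * 64, "deadbeef", "b" * 64]
    print(plan_block_requests(incoming, SAMPLE_BLOCKED_ITEMS, comment="IR-200"))
```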
Parameter | Description |
---|---|
Blocked Item Id | ID of the blocked item that you want to delete from blocked items in Sophos Central. |
The output contains the following populated JSON schema:
{
"Success": ""
}
Parameter | Description |
---|---|
Exclusion Name | Name of the exclusion that you want to add to Global Exclusions in Sophos Central. |
Target | Exclusion target that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: File or Folder(Windows), File or Folder(Mac/Linux), File or Folder(Sophos VM Security), Processes(Windows), Website(Windows/Mac), or Potentially Unwanted Applications(Windows/Mac). |
Type | Type of exclusion that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: Scheduled only, Real Time only, or Real time or Scheduled. |
Comment | (Optional) Comment that you want to add to the exclusion that you want to add as an entry to Global Exclusions in Sophos Central. |
The output contains the following populated JSON schema:
{
"customer_id": "",
"exclusions": [
{
"name": "",
"comment": "",
"type": "",
"target": "",
"event_id": "",
"description": ""
}
]
}
This operation does not take any input parameters.
The output contains the following populated JSON schema:
{
"customer_id": "",
"exclusions": [
{
"name": "",
"comment": "",
"type": "",
"target": "",
"event_id": "",
"description": ""
}
]
}
Parameter | Description |
---|---|
Exclusion Name | Name of the exclusion that you want to remove from Global Exclusions in Sophos Central. |
The output contains the following populated JSON schema:
{
"customer_id": "",
"exclusions": [
{
"name": "",
"comment": "",
"type": "",
"target": "",
"event_id": "",
"description": ""
}
]
}
Parameter | Description |
---|---|
Computer Name | Name of computer whose endpoint ID you want to retrieve from the Sophos Central system. Note: This is not applicable to Servers or Mobiles. |
The output contains the following populated JSON schema:
{
"endpoint_id": ""
}
The Sample - Sophos Central - 2.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.
This document provides information about the Sophos Central connector, which facilitates automated interactions, with Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts or specific incidents or alerts from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.
Connector Version: 2.0.0
Authored By: Fortinet
Certified: No
Following enhancements have been made to the Sophos Central Connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-sophos-central
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Sophos Central server to which you will connect and perform automated operations. |
Username | Username to access the Sophos Central server to which you will connect and perform automated operations. |
Password | Password to access the Sophos Central to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Events | Retrieves a list of all incidents or specific incidents from the Sophos Central system, based on the filter criteria such as the endpoint ID, event/alert type, or other input parameters that you have specified. | get_events Investigation |
Get Alerts | Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. | get_alerts Investigation |
Get Events related to Alert | Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the filter criteria such as the alert ID, event/alert type, or other input parameters that you have specified. | get_alert_related_events Investigation |
Get Reports | Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. | get_reports Investigation |
Isolate Endpoint | Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. | isolate_endpoint Investigation |
Unisolate Endpoint | Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | unisolate_endpoint Investigation |
Scan Endpoint | Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | scan_endpoint Investigation |
Get Threat Cases | Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. | get_threat_cases Investigation |
Get Details of Threat Case | Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. | get_details_of_threat_case Investigation |
Get Artifacts of Threat Case | Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. | get_artifacts_of_threat_case Investigation |
Add Allow and Block Entry | Adds an "Allow and Block Entry" to the Sophos Central system based on the entry ID and action you have specified. | add_allow_block_entry Investigation |
Get Allow and Block Entries | Retrieves all the Allow and Block entries of email addresses or domains from the Sophos Central system. | get_allow_block_entries Investigation |
Delete Allow and Block Entry | Deletes an "Allow and Block Entry" from the Sophos Central system based on the entry ID you have specified. | delete_allow_block_entry Investigation |
Add MailBox | Adds a MailBox to the Sophos Central system based on the mailbox name, type, and address you have specified. | add_mailbox Investigation |
Get Mail Boxes | Retrieves information of mailboxes from the Sophos Central system. | get_mailboxes Investigation |
Get MailBox Details | Retrieves details of a specific mailbox from the Sophos Central system based on the mailbox ID you have specified. | get_mailbox_details Investigation |
Delete MailBox | Deletes a mailbox from the Sophos Central system based on the directory object ID you have specified. | delete_mailbox Investigation |
Get Quarantine Messages | Retrieves all quarantined messages from the Sophos Central system. | get_quarantine_messages Investigation |
Add Blocked Items | Adds blocked Items to the Sophos Central system based on the SHA 256 value of item and other input parameters you have specified. | add_blocked_items Investigation |
Get Blocked Items | Retrieves all blocked items from the Sophos Central system. | get_blocked_items Investigation |
Delete Blocked Items | Deletes an item from the Blocked Items in the Sophos Central system based on the blocked item ID you have specified. | delete_blocked_items Investigation |
Add Global Exclusion | Adds an exclusion with specified values to Global Exclusions in the Sophos Central system based on the exclusion name, target, and type you have specified. | add_global_exclusion Investigation |
Get Global Exclusions | Retrieves all global exclusions from the Sophos Central system. | get_global_exclusions Investigation |
Remove Global Exclusion | Removes a specified exclusion from Global Exclusions from the Sophos Central system based on the exclusion name you have specified. | remove_global_exclusion Investigation |
Get Endpoint ID for Computer | Retrieves the endpoint id for a specific computer from the Sophos Central system based on the computer name you have specified. | get_endpoint_id Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | Type of event based on which you want to retrieve events from the Sophos Central system. |
Alert ID | Alert ID based on which you want to retrieve events from the Sophos Central system. |
Limit | Maximum number of results per page, that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"events": [
{
"source_info": {
"ip": ""
},
"appCerts": "",
"threat": "",
"core_remedy_items": "",
"user_id": "",
"when": "",
"created_at": "",
"appSha256": "",
"id": ""
}
],
"filtered": "",
"total": "",
"nextKey": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page, that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"alerts": [
{
"threat": "",
"event_service_event_id": "",
"when": "",
"created_at": "",
"id": "",
"location": "",
"customer_id": "",
"info": "",
"source": "",
"type": "",
"data": {
"endpoint_java_id": "",
"inserted_at": "",
"make_actionable_at": "",
"endpoint_type": "",
"event_service_id": "",
"source_info": {
"ip": ""
},
"endpoint_id": "",
"endpoint_platform": "",
"user_match_id": "",
"created_at": ""
},
"description": "",
"threat_cleanable": "",
"severity": ""
}
],
"filtered": "",
"total": "",
"nextKey": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose associated events you want to retrieve from the Sophos Central system. |
Endpoint ID | (Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | (Optional) Type of event based on which you want to retrieve events from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"origin": "",
"appCerts": "",
"threat": "",
"endpoint_type": "",
"user_id": "",
"endpoint_id": "",
"when": "",
"created_at": "",
"id": "",
"location": "",
"source_info": {
"ip": ""
},
"name": "",
"customer_id": "",
"core_remedy_items": "",
"source": "",
"type": "",
"severity": "",
"appSha256": "",
"group": ""
}
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve reports from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
Ascending | Select the Ascending checkbox to sort the results in the ascending order. |
When you choose “Users” as the Report Type, then the output contains the following populated JSON schema:
{
"filename": "",
"filtered": "",
"reports": [
{
"last_activity": "",
"mobile_devices": [],
"deployment_instructions_sent": "",
"health_status": "",
"logins": "",
"endpoints": "",
"groups": "",
"id": "",
"email": "",
"name": ""
}
],
"total": "",
"summary": {
"total": "",
"active": "",
"dormant": "",
"no_devices": "",
"inactive": ""
}
}
When you choose “Servers” as the Report Type, then the output contains the following populated JSON schema:
{
"filename": "",
"reports": [
{
"last_activity": "",
"on_access": "",
"last_scan_time": "",
"last_login": "",
"is_adsync": "",
"last_updated": "",
"last_scan": "",
"health_status": "",
"group_name": "",
"id": "",
"name": ""
}
],
"filtered": "",
"summary": {
"total": "",
"active": "",
"unprotected": "",
"inactive": "",
"dormant": ""
},
"total": ""
}
When you choose “Computers” as the Report Type, then the output contains the following populated JSON schema:
{
"reports": [
{
"last_activity": "",
"last_user_id": "",
"on_access": "",
"last_scan_time": ""
}
]
}
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to isolate on the Sophos Central system. |
Comment | Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"failed": [],
"succeeded": []
}
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to unisolate on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"failed": [],
"succeeded": []
}
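Isolate Endpoint and Unisolate Endpoint both return a `failed` list and a `succeeded` list, so a playbook should confirm that the endpoint it asked about is actually in `succeeded` before recording it as contained. The following Python is an added example, not code from the connector or from Fortinet; it assumes the two lists carry the endpoint IDs that were acted on, either as plain strings or as objects with an `id` field, which the schema above does not specify. The responses at the bottom are constructed samples.

```python
"""Gate a playbook on the result of Isolate / Unisolate Endpoint.

Added example, not connector code. Both actions return
{"failed": [...], "succeeded": [...]}; this assumes the lists carry
the endpoint IDs that were acted on, either as plain strings or as
objects with an "id" field (assumption, not stated in the schema).
"""
from typing import Dict, Iterable, Set


def _endpoint_ids(entries: Iterable) -> Set[str]:
    """Normalise list entries to a set of endpoint ID strings."""
    ids: Set[str] = set()
    for entry in entries or []:
        if isinstance(entry, dict):
            entry = entry.get("id") or entry.get("endpoint_id")
        if entry:
            ids.add(str(entry))
    return ids


def isolation_outcome(endpoint_id: str, result: Dict) -> str:
    """Return "succeeded", "failed" or "unknown" for one endpoint.

    "unknown" (the endpoint in neither list) must be treated like a
    failure: an endpoint whose isolation cannot be confirmed must not
    be reported as contained.
    """
    if endpoint_id in _endpoint_ids(result.get("succeeded")):
        return "succeeded"
    if endpoint_id in _endpoint_ids(result.get("failed")):
        return "failed"
    return "unknown"


def require_isolated(endpoint_id: str, result: Dict) -> None:
    """Raise unless Sophos Central confirmed the endpoint as isolated."""
    outcome = isolation_outcome(endpoint_id, result)
    if outcome != "succeeded":
        raise RuntimeError(f"isolation of {endpoint_id} {outcome}; do not mark as contained")


# Constructed responses in the shape of the schema above.
CONFIRMED = {"failed": [], "succeeded": ["ep-0001"]}
REJECTED = {"failed": [{"id": "ep-0002"}], "succeeded": []}
SILENT = {"failed": [], "succeeded": []}

if __name__ == "__main__":
    for eid, resp in [("ep-0001", CONFIRMED), ("ep-0002", REJECTED), ("ep-0003", SILENT)]:
        print(eid, isolation_outcome(eid, resp))
```

The same check applies unchanged to the Unisolate Endpoint result, where an unconfirmed release should keep the endpoint listed as isolated in the incident record.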
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to scan on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"message": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Case Type | Type of case whose associated threats you want to retrieve from the Sophos Central system. You can choose between System Generated or Admin Generated. |
Endpoint Type | Type of endpoint whose associated threats you want to retrieve from the Sophos Central system. You can choose between Computer or Server. |
Priority | Priority of case based on which you want to retrieve threats from the Sophos Central system. You can choose between Medium, High, or Low. |
Case Status | Status of case based on which you want to retrieve threats from the Sophos Central system. You can choose between New, In Progress, or Closed. |
Limit | Maximum number of results, per page, that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"summary": {
"inprogress": "",
"closed": "",
"total": "",
"new": ""
},
"nextKey": "",
"total": "",
"filtered": "",
"cases": [
{
"malwareName": "",
"endpointName": "",
"endpointType": "",
"beaconDT": "",
"endpointSupportsL3FileAnalysis": "",
"rootCauseName": "",
"status": "",
"supportsDirectPath": "",
"numberOfBusinessFiles": "",
"hasProcessBeacon": "",
"allowedStates": [],
"isEndpointDeleted": "",
"suspectProcessCount": "",
"complexRootCause": {
"source": {
"value": "",
"type": ""
},
"interaction": "",
"provenance": {
"value": "",
"type": ""
},
"target": {}
},
"cloudCreatedAt": "",
"endpointId": "",
"rootCauseDT": "",
"priority": "",
"id": "",
"version": "",
"customerId": "",
"endpointSupportsForensicSnapshots": "",
"supportsSortOnDecoration": ""
}
]
}
Parameter | Description |
---|---|
Case ID | ID of the case whose details you want to retrieve from the Sophos Central system. |
The output contains the following populated JSON schema:
{
"malwareName": "",
"endpointName": "",
"endpointType": "",
"beaconDT": "",
"endpointSupportsL3FileAnalysis": "",
"rootCauseName": "",
"status": "",
"supportsDirectPath": "",
"numberOfBusinessFiles": "",
"hasProcessBeacon": "",
"allowedStates": [],
"isEndpointDeleted": "",
"suspectProcessCount": "",
"complexRootCause": {
"source": {
"value": "",
"type": ""
},
"interaction": "",
"provenance": {
"value": "",
"type": ""
},
"target": {}
},
"cloudCreatedAt": "",
"endpointId": "",
"rootCauseDT": "",
"priority": "",
"id": "",
"version": "",
"customerId": "",
"endpointSupportsForensicSnapshots": "",
"supportsSortOnDecoration": ""
}
Parameter | Description |
---|---|
Case ID | ID of the case whose artifacts you want to retrieve from the Sophos Central system. |
Filters | (Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system. You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown. |
Limit | (Optional) Maximum number of results, per page, that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"summary": {
"processes": "",
"total": "",
"business_files": "",
"other_files": "",
"network_connections": "",
"registry_keys": ""
},
"nextKey": "",
"total": "",
"filtered": "",
"artifacts": []
}
Parameter | Description |
---|---|
Entry | Entry that you want to add to the "Allow and Block Entries" on the Sophos Central system. |
Action | Action to apply to the entry that you are adding to the "Allow and Block Entries" on the Sophos Central system. You can choose between Allow or Block. |
Override Duplicates | Select the Override Duplicates checkbox if you want to replace an entry that already exists in the "Allow and Block Entries" on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"list_type": "",
"id": "",
"entry_type": "",
"entry": "",
"created_at": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"total": "",
"nextKey": "",
"filtered": "",
"entries": [
{
"list_type": "",
"id": "",
"entry_type": "",
"entry": "",
"created_at": ""
}
]
}
Parameter | Description |
---|---|
Entry ID | ID of the entry that you want to delete from the "Allow and Block Entries" on the Sophos Central system. |
The output contains the following populated JSON schema:
{
"Success": ""
}
Parameter | Description |
---|---|
MailBox Type | Type of the mailbox that you want to add to Sophos Central. You can choose between User, Public Folder, or Distribution Group. |
Mailbox Name | Name of the mailbox that you want to add to Sophos Central. |
Mailbox Address | Address of mailbox that you want to add to Sophos Central. |
The output contains the following populated JSON schema:
{
"associated_customer_info": {
"skip_checks_max_reached": ""
},
"mailbox_address": "",
"is_external": "",
"mailbox_type": "",
"date_created": "",
"directory_object_id": "",
"id": "",
"endpoint_id": "",
"endpoint_id_ruby": "",
"skip_inbound_checks_enabled": "",
"mailbox_name": "",
"owner_directory_object_id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"total": "",
"nextKey": "",
"filtered": "",
"mailboxes": [
{
"associated_customer_info": {
"skip_checks_max_reached": ""
},
"mailbox_address": "",
"is_external": "",
"mailbox_type": "",
"date_created": "",
"directory_object_id": "",
"id": "",
"endpoint_id": "",
"endpoint_id_ruby": "",
"skip_inbound_checks_enabled": "",
"mailbox_name": "",
"owner_directory_object_id": ""
}
]
}
Parameter | Description |
---|---|
MailBox ID | ID of the mailbox for which you want to retrieve details from Sophos Central. |
The output contains the following populated JSON schema:
{
"associated_customer_info": {
"skip_checks_max_reached": ""
},
"mailbox_address": "",
"is_external": "",
"mailbox_type": "",
"date_created": "",
"aliases": [],
"directory_object_id": "",
"id": "",
"endpoint_id": "",
"endpoint_id_ruby": "",
"skip_inbound_checks_enabled": "",
"mailbox_name": "",
"owner_directory_object_id": ""
}
Parameter | Description |
---|---|
Directory Object ID | ID of the directory object that you want to delete from the Sophos Central system. |
The output contains the following populated JSON schema:
{
"Success": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Sort Field | Field on which you want to sort quarantined messages retrieved from the Sophos Central system. You can choose from the following options: Date, Sender, Recipient, or Quarantine_Reason. |
Sort Order | Order to sort quarantined messages retrieved from the Sophos Central system. You can choose between Ascending or Descending. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
The output contains the following populated JSON schema:
{
"nextKey": "",
"messages": [
{
"sent_timestamp": "",
"to": "",
"direction": "",
"quarantine_reason": "",
"message_id": "",
"mailbox_id": "",
"subject": "",
"from": {
"address": "",
"name": ""
}
}
],
"filtered": "",
"total": ""
}
Parameter | Description |
---|---|
SHA256 | SHA256 value of the item that you want to add to the blocked items on Sophos Central. |
Comment | (Optional) Comment to associate with the item that you are adding to the blocked items on Sophos Central. |
Artifact Name | (Optional) Name of the artifact that you want to add to the blocked items on Sophos Central. |
The output contains the following populated JSON schema:
{
"Success": ""
}
None.
The output contains the following populated JSON schema:
{
"ruleType": "",
"rules": [
{
"id": "",
"actionedById": "",
"createdAt": "",
"criteria": {
"type": "",
"value": ""
},
"context": {
"artifactName": "",
"comment": ""
},
"actionedByName": ""
}
],
"customerId": ""
}
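Add Blocked Item (above) takes a SHA256, and Get Blocked Items returns the existing rules with their `criteria` type and value. The following Python is an added example, not code from the connector or from Fortinet, of the two checks a playbook should run before calling Add Blocked Item: that the value really is a 64-hex-digit SHA256 (a truncated or malformed hash blocks nothing), and that the hash is not already covered by an existing rule. The `BLOCKED_ITEMS` response is a constructed sample in the shape of the schema above, and the `"sha256"` criteria type it uses is an assumption; the page shows the field names only.

```python
"""Check Get Blocked Items before calling Add Blocked Item.

Added example, not connector code. Validates the SHA256 and looks for
an existing rule with the same criteria value so a playbook does not
re-add a hash that is already blocked. The criteria "type" string for
hash rules ("sha256") is an assumption, not taken from the page.
"""
import re
from typing import Dict, Optional

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_valid_sha256(value: str) -> bool:
    """A SHA256 is exactly 64 hex digits; reject anything else before it
    reaches the connector."""
    return bool(SHA256_RE.fullmatch(value.strip()))


def find_blocked_rule(blocked_items: Dict, sha256: str) -> Optional[Dict]:
    """Return the existing rule whose criteria value equals the hash
    (compared case-insensitively), or None if no rule matches."""
    wanted = sha256.strip().lower()
    for rule in blocked_items.get("rules") or []:
        criteria = rule.get("criteria") or {}
        if str(criteria.get("value", "")).lower() == wanted:
            return rule
    return None


def plan_block(sha256: str, blocked_items: Dict,
               artifact_name: str = "", comment: str = "") -> Dict:
    """Decide the playbook's next step for one hash.

    Returns {"action": "reject" | "skip" | "add", ...}; "add" carries
    the parameter values for the Add Blocked Item step.
    """
    if not is_valid_sha256(sha256):
        return {"action": "reject", "reason": "not a 64-hex-digit SHA256"}
    existing = find_blocked_rule(blocked_items, sha256)
    if existing:
        return {"action": "skip", "existing_id": existing.get("id")}
    return {
        "action": "add",
        "params": {
            "SHA256": sha256.strip().lower(),
            "Artifact Name": artifact_name,
            "Comment": comment,
        },
    }


# Constructed Get Blocked Items response in the shape of the schema above.
BLOCKED_ITEMS = {
    "ruleType": "blocklist",          # constructed value
    "customerId": "cust-example",     # constructed value
    "rules": [
        {
            "id": "rule-1",
            "actionedById": "",
            "actionedByName": "soc-analyst",
            "createdAt": "2020-01-01T00:00:00Z",
            "criteria": {"type": "sha256", "value": "a" * 64},  # placeholder hash
            "context": {"artifactName": "sample.exe", "comment": "constructed sample"},
        }
    ],
}

if __name__ == "__main__":
    print(plan_block("A" * 64, BLOCKED_ITEMS))
    print(plan_block("b" * 64, BLOCKED_ITEMS, artifact_name="sample2.dll"))
    print(plan_block("deadbeef", BLOCKED_ITEMS))
```

Comparing hashes case-insensitively matters because different tools emit upper- and lower-case hex; a case-sensitive match would add a duplicate rule for a hash that is already blocked.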
Parameter | Description |
---|---|
Blocked Item Id | ID of the blocked item that you want to delete from blocked items in Sophos Central. |
The output contains the following populated JSON schema:
{
"Success": ""
}
Parameter | Description |
---|---|
Exclusion Name | Name of the exclusion that you want to add to Global Exclusions in Sophos Central. |
Target | Exclusion target that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: File or Folder(Windows), File or Folder(Mac/Linux), File or Folder(Sophos VM Security), Processes(Windows), Website(Windows/Mac), or Potentially Unwanted Applications(Windows/Mac). |
Type | Type of exclusion that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: Scheduled only, Real Time only, or Real time or Scheduled. |
Comment | (Optional) Comment to associate with the exclusion that you are adding to Global Exclusions in Sophos Central. |
The output contains the following populated JSON schema:
{
"customer_id": "",
"exclusions": [
{
"name": "",
"comment": "",
"type": "",
"target": "",
"event_id": "",
"description": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"customer_id": "",
"exclusions": [
{
"name": "",
"comment": "",
"type": "",
"target": "",
"event_id": "",
"description": ""
}
]
}
Parameter | Description |
---|---|
Exclusion Name | Name of the exclusion that you want to remove from Global Exclusions in Sophos Central. |
The output contains the following populated JSON schema:
{
"customer_id": "",
"exclusions": [
{
"name": "",
"comment": "",
"type": "",
"target": "",
"event_id": "",
"description": ""
}
]
}
Parameter | Description |
---|---|
Computer Name | Name of computer whose endpoint ID you want to retrieve from the Sophos Central system. Note: This is not applicable to Servers or Mobiles. |
The output contains the following populated JSON schema:
{
"endpoint_id": ""
}
The Sample - Sophos Central - 2.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps for performing all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.