About the connector

Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners. 

This document provides information about the Sophos Central connector, which facilitates automated interactions with a Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts (or specific incidents or alerts) from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.

Version information

Connector Version: 2.0.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.0.0

The following enhancements have been made to the Sophos Central Connector in version 2.0.0:

  • Added the following new operations and playbooks:
    • Get Allow and Block Entries
    • Delete Allow and Block Entry
    • Add Allow and Block Entry
    • Get Mail Boxes
    • Get Mailbox Details
    • Delete Mailbox
    • Add Mailbox
    • Get Quarantine Messages
    • Get Blocked Items
    • Add Blocked Items
    • Delete Blocked Items
    • Get Global Exclusions
    • Remove Global Exclusion
    • Add Global Exclusion
    • Get Endpoint ID for Computer

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-sophos-central

Prerequisites to configuring the connector

  • You must have the URL of the Sophos Central server to which you will connect and perform automated operations, and credentials (username-password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the CyOPs™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Sophos Central server to which you will connect and perform automated operations.
Username Username to access the Sophos Central server to which you will connect and perform automated operations.
Password Password to access the Sophos Central to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:  

Function | Description | Annotation | Category
Get Events | Retrieves a list of all incidents or specific incidents from the Sophos Central system, based on the filter criteria such as the endpoint ID, event/alert type, or other input parameters that you have specified. | get_events | Investigation
Get Alerts | Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. | get_alerts | Investigation
Get Events related to Alert | Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the filter criteria such as the alert ID, event/alert type, or other input parameters that you have specified. | get_alert_related_events | Investigation
Get Reports | Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. | get_reports | Investigation
Isolate Endpoint | Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. | isolate_endpoint | Investigation
Unisolate Endpoint | Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | unisolate_endpoint | Investigation
Scan Endpoint | Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | scan_endpoint | Investigation
Get Threat Cases | Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. | get_threat_cases | Investigation
Get Details of Threat Case | Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. | get_details_of_threat_case | Investigation
Get Artifacts of Threat Case | Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. | get_artifacts_of_threat_case | Investigation
Add Allow and Block Entry | Adds an "Allow and Block Entry" to the Sophos Central system based on the entry ID and action you have specified. | add_allow_block_entry | Investigation
Get Allow and Block Entries | Retrieves all the Allow and Block entries of email addresses or domains from the Sophos Central system. | get_allow_block_entries | Investigation
Delete Allow and Block Entry | Deletes an "Allow and Block Entry" from the Sophos Central system based on the entry ID you have specified. | delete_allow_block_entry | Investigation
Add MailBox | Adds a MailBox to the Sophos Central system based on the mailbox name, type, and address you have specified. | add_mailbox | Investigation
Get Mail Boxes | Retrieves information of mailboxes from the Sophos Central system. | get_mailboxes | Investigation
Get MailBox Details | Retrieves details of a specific mailbox from the Sophos Central system based on the mailbox ID you have specified. | get_mailbox_details | Investigation
Delete MailBox | Deletes a mailbox from the Sophos Central system based on the directory object ID you have specified. | delete_mailbox | Investigation
Get Quarantine Messages | Retrieves all quarantined messages from the Sophos Central system. | get_quarantine_messages | Investigation
Add Blocked Items | Adds blocked items to the Sophos Central system based on the SHA256 value of the item and other input parameters you have specified. | add_blocked_items | Investigation
Get Blocked Items | Retrieves all blocked items from the Sophos Central system. | get_blocked_items | Investigation
Delete Blocked Items | Deletes an item from the Blocked Items in the Sophos Central system based on the blocked item ID you have specified. | delete_blocked_items | Investigation
Add Global Exclusion | Adds an exclusion with specified values to Global Exclusions in the Sophos Central system based on the exclusion name, target, and type you have specified. | add_global_exclusion | Investigation
Get Global Exclusions | Retrieves all global exclusions from the Sophos Central system. | get_global_exclusions | Investigation
Remove Global Exclusion | Removes a specified exclusion from Global Exclusions in the Sophos Central system based on the exclusion name you have specified. | remove_global_exclusion | Investigation
Get Endpoint ID for Computer | Retrieves the endpoint ID for a specific computer from the Sophos Central system based on the computer name you have specified. | get_endpoint_id | Investigation

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Endpoint ID ID of the endpoint based on which you want to retrieve events from the Sophos Central system.
Event Type Type of event based on which you want to retrieve events from the Sophos Central system.
Alert ID Alert ID based on which you want to retrieve events from the Sophos Central system.
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "events": [
         {
             "source_info": {
                 "ip": ""
             },
             "appCerts": "",
             "threat": "",
             "core_remedy_items": "",
             "user_id": "",
             "when": "",
             "created_at": "",
             "appSha256": "",
             "id": ""
         }
     ],
     "filtered": "",
     "total": "",
     "nextKey": ""
}

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned. 

Parameter Description
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "alerts": [
         {
             "threat": "",
             "event_service_event_id": "",
             "when": "",
             "created_at": "",
             "id": "",
             "location": "",
             "customer_id": "",
             "info": "",
             "source": "",
             "type": "",
             "data": {
                 "endpoint_java_id": "",
                 "inserted_at": "",
                 "make_actionable_at": "",
                 "endpoint_type": "",
                 "event_service_id": "",
                 "source_info": {
                     "ip": ""
                 },
                 "endpoint_id": "",
                 "endpoint_platform": "",
                 "user_match_id": "",
                 "created_at": ""
             },
             "description": "",
             "threat_cleanable": "",
             "severity": ""
         }
     ],
     "filtered": "",
     "total": "",
     "nextKey": ""
}
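The Limit and Offset parameters above (and on the other list operations in this document) page through results: Limit is the page size and Offset is a 0-based page index, and each page reports total, filtered and nextKey. The following Python is an added example, not the connector's own code: it collects every page of a Get Alerts-style response and guards against the pagination failure modes a playbook can hit (a list that shifts between calls, or a total that never lets the loop finish). fake_get_alerts, SAMPLE_ALERTS, fetch_all and count_by_severity are constructed names standing in for the connector call.

```python
"""Page through a list operation using the Limit/Offset semantics documented
for the Sophos Central connector: Limit = maximum results per page,
Offset = 0-based index of the page. The connector call is simulated."""
from typing import Callable, Dict, List

# Constructed sample alerts in the documented "alerts" record shape (id/severity).
SAMPLE_ALERTS: List[Dict] = [
    {"id": f"alert-{i:03d}", "severity": sev}
    for i, sev in enumerate(["high", "medium", "low", "high", "medium", "low", "high"])
]


def fake_get_alerts(limit: int, offset: int) -> Dict:
    """Constructed stand-in for the connector's Get Alerts operation.

    Returns the documented output shape: alerts, filtered, total, nextKey.
    """
    start = offset * limit
    page = SAMPLE_ALERTS[start:start + limit]
    return {
        "alerts": page,
        "filtered": len(page),
        "total": len(SAMPLE_ALERTS),
        "nextKey": "" if start + limit >= len(SAMPLE_ALERTS) else str(offset + 1),
    }


def fetch_all(fetch_page: Callable[[int, int], Dict], key: str,
              limit: int = 3, max_pages: int = 1000) -> List[Dict]:
    """Collect every record from a paginated list operation.

    Stops when a page is empty, shorter than ``limit``, or when ``total`` says
    everything has been read. ``max_pages`` bounds the loop in case the API
    keeps reporting a total the pages never reach. Records are de-duplicated
    on ``id`` because a list that changes between page calls can repeat items.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    seen = set()
    records: List[Dict] = []
    for offset in range(max_pages):
        resp = fetch_page(limit, offset)
        page = resp.get(key) or []
        for rec in page:
            rid = rec.get("id")
            if rid in seen:
                continue
            seen.add(rid)
            records.append(rec)
        if not page or len(page) < limit:
            break
        total = resp.get("total")
        if isinstance(total, int) and (offset + 1) * limit >= total:
            break
    return records


def count_by_severity(alerts: List[Dict]) -> Dict[str, int]:
    """Summarise collected alerts by the documented 'severity' field."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        sev = alert.get("severity", "unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    alerts = fetch_all(fake_get_alerts, "alerts", limit=3)
    print(len(alerts), count_by_severity(alerts))
```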

operation: Get Events related to Alert

Input parameters

Parameter Description
Alert ID ID of the alert whose associated events you want to retrieve from the Sophos Central system.
Endpoint ID (Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system.
Event Type (Optional) Type of event based on which you want to retrieve events from the Sophos Central system.
Limit (Optional) Maximum number of results per page that this operation should return.
Offset (Optional) 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "origin": "",
     "appCerts": "",
     "threat": "",
     "endpoint_type": "",
     "user_id": "",
     "endpoint_id": "",
     "when": "",
     "created_at": "",
     "id": "",
     "location": "",
     "source_info": {
         "ip": ""
     },
     "name": "",
     "customer_id": "",
     "core_remedy_items": "",
     "source": "",
     "type": "",
     "severity": "",
     "appSha256": "",
     "group": ""
}

operation: Get Reports

Input parameters

Parameter Description
Report Type Type of report based on which you want to retrieve reports from the Sophos Central system.
Limit (Optional) Maximum number of results per page that this operation should return.
Offset (Optional) 0-based index of the page that this operation should return.
Ascending Select the Ascending checkbox to sort the results in ascending order.

Output

When you choose “Users” as the Report Type, the output contains the following populated JSON schema:
{
     "filename": "",
     "filtered": "",
     "reports": [
         {
             "last_activity": "",
             "mobile_devices": [],
             "deployment_instructions_sent": "",
             "health_status": "",
             "logins": "",
             "endpoints": "",
             "groups": "",
             "id": "",
             "email": "",
             "name": ""
         }
     ],
     "total": "",
     "summary": {
         "total": "",
         "active": "",
         "dormant": "",
         "no_devices": "",
         "inactive": ""
     }
}

When you choose “Servers” as the Report Type, the output contains the following populated JSON schema:
{
     "filename": "",
     "reports": [
         {
             "last_activity": "",
             "on_access": "",
             "last_scan_time": "",
             "last_login": "",
             "is_adsync": "",
             "last_updated": "",
             "last_scan": "",
             "health_status": "",
             "group_name": "",
             "id": "",
             "name": ""
         }
     ],
     "filtered": "",
     "summary": {
         "total": "",
         "active": "",
         "unprotected": "",
         "inactive": "",
         "dormant": ""
     },
     "total": ""
}

When you choose “Computers” as the Report Type, the output contains the following populated JSON schema:
{
     "reports": [
         {
             "last_activity": "",
             "last_user_id": "",
             "on_access": "",
             "last_scan_time": ""
         }
     ]
}

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID ID of the endpoint that you want to isolate on the Sophos Central system.
Comment Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "failed": [],
     "succeeded": []
}

operation: Unisolate Endpoint

Input parameters

Parameter Description
Endpoint ID ID of the endpoint that you want to unisolate on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "failed": [],
     "succeeded": []
}

operation: Scan Endpoint

Input parameters

Parameter Description
Endpoint ID ID of the endpoint that you want to scan on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "message": ""
}

operation: Get Threat Cases

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Case Type Type of case whose associated threats you want to retrieve from the Sophos Central system. You can choose between System Generated or Admin Generated.
Endpoint Type Type of endpoint whose associated threats you want to retrieve from the Sophos Central system. You can choose between Computer or Server.
Priority Priority of case based on which you want to retrieve threats from the Sophos Central system. You can choose between Medium, High, or Low.
Case Status Status of case based on which you want to retrieve threats from the Sophos Central system. You can choose between New, In Progress, or Closed.
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "summary": {
         "inprogress": "",
         "closed": "",
         "total": "",
         "new": ""
     },
     "nextKey": "",
     "total": "",
     "filtered": "",
     "cases": [
         {
             "malwareName": "",
             "endpointName": "",
             "endpointType": "",
             "beaconDT": "",
             "endpointSupportsL3FileAnalysis": "",
             "rootCauseName": "",
             "status": "",
             "supportsDirectPath": "",
             "numberOfBusinessFiles": "",
             "hasProcessBeacon": "",
             "allowedStates": [],
             "isEndpointDeleted": "",
             "suspectProcessCount": "",
             "complexRootCause": {
                 "source": {
                     "value": "",
                     "type": ""
                 },
                 "interaction": "",
                 "provenance": {
                     "value": "",
                     "type": ""
                 },
                 "target": {}
             },
             "cloudCreatedAt": "",
             "endpointId": "",
             "rootCauseDT": "",
             "priority": "",
             "id": "",
             "version": "",
             "customerId": "",
             "endpointSupportsForensicSnapshots": "",
             "supportsSortOnDecoration": ""
         }
     ]
}

operation: Get Details of Threat Case

Input parameters

Parameter Description
Case ID ID of the case whose details you want to retrieve from the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "malwareName": "",
     "endpointName": "",
     "endpointType": "",
     "beaconDT": "",
     "endpointSupportsL3FileAnalysis": "",
     "rootCauseName": "",
     "status": "",
     "supportsDirectPath": "",
     "numberOfBusinessFiles": "",
     "hasProcessBeacon": "",
     "allowedStates": [],
     "isEndpointDeleted": "",
     "suspectProcessCount": "",
     "complexRootCause": {
         "source": {
             "value": "",
             "type": ""
         },
         "interaction": "",
         "provenance": {
             "value": "",
             "type": ""
         },
         "target": {}
     },
     "cloudCreatedAt": "",
     "endpointId": "",
     "rootCauseDT": "",
     "priority": "",
     "id": "",
     "version": "",
     "customerId": "",
     "endpointSupportsForensicSnapshots": "",
     "supportsSortOnDecoration": ""
}

operation: Get Artifacts of Threat Case

Input parameters

Parameter Description
Case ID ID of the case whose artifacts you want to retrieve from the Sophos Central system.
Filters (Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system. You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown.
Limit (Optional) Maximum number of results per page that this operation should return.
Offset (Optional) 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "summary": {
         "processes": "",
         "total": "",
         "business_files": "",
         "other_files": "",
         "network_connections": "",
         "registry_keys": ""
     },
     "nextKey": "",
     "total": "",
     "filtered": "",
     "artifacts": []
}

operation: Add Allow and Block Entry

Input parameters

Parameter Description
Entry Entry that you want to add to the "Allow and Block Entries" on the Sophos Central system.
Action Action that you want to perform on the entry that you want to add to the "Allow and Block Entries" on the Sophos Central system. You can choose between Allow or Block.
Override Duplicates Select the Override Duplicates checkbox if you want to replace an entry that already exists in the "Allow and Block Entries" in the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "list_type": "",
     "id": "",
     "entry_type": "",
     "entry": "",
     "created_at": ""
}

operation: Get Allow and Block Entries

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "nextKey": "",
     "filtered": "",
     "entries": [
         {
             "list_type": "",
             "id": "",
             "entry_type": "",
             "entry": "",
             "created_at": ""
         }
     ]
}

operation: Delete Allow and Block Entry

Input parameters

Parameter Description
Entry ID ID of the entry that you want to delete from the "Allow and Block Entries" on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Add MailBox

Input parameters

Parameter Description
MailBox Type Type of the mailbox that you want to add to Sophos Central. You can choose between User, Public Folder, or Distribution Group.
Mailbox Name Name of the mailbox that you want to add to Sophos Central. 
Mailbox Address Address of mailbox that you want to add to Sophos Central. 

Output

The output contains the following populated JSON schema:
{
     "associated_customer_info": {
         "skip_checks_max_reached": ""
     },
     "mailbox_address": "",
     "is_external": "",
     "mailbox_type": "",
     "date_created": "",
     "directory_object_id": "",
     "id": "",
     "endpoint_id": "",
     "endpoint_id_ruby": "",
     "skip_inbound_checks_enabled": "",
     "mailbox_name": "",
     "owner_directory_object_id": ""
}

operation: Get Mail Boxes

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "nextKey": "",
     "filtered": "",
     "mailboxes": [
         {
             "associated_customer_info": {
                 "skip_checks_max_reached": ""
             },
             "mailbox_address": "",
             "is_external": "",
             "mailbox_type": "",
             "date_created": "",
             "directory_object_id": "",
             "id": "",
             "endpoint_id": "",
             "endpoint_id_ruby": "",
             "skip_inbound_checks_enabled": "",
             "mailbox_name": "",
             "owner_directory_object_id": ""
         }
     ]
}

operation: Get MailBox Details

Input parameters

Parameter Description
MailBox ID ID of the mailbox for which you want to retrieve details from Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "associated_customer_info": {
         "skip_checks_max_reached": ""
     },
     "mailbox_address": "",
     "is_external": "",
     "mailbox_type": "",
     "date_created": "",
     "aliases": [],
     "directory_object_id": "",
     "id": "",
     "endpoint_id": "",
     "endpoint_id_ruby": "",
     "skip_inbound_checks_enabled": "",
     "mailbox_name": "",
     "owner_directory_object_id": ""
}

operation: Delete MailBox

Input parameters

Parameter Description
Directory Object ID ID of the directory object (mailbox) that you want to delete from the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Get Quarantine Messages

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Sort Field Field on which you want to sort quarantined messages retrieved from the Sophos Central system. You can choose from the following options: Date, Sender, Recipient, or Quarantine_Reason.
Sort Order Order to sort quarantined messages retrieved from the Sophos Central system. You can choose between Ascending or Descending.
Limit Maximum number of results per page that this operation should return.
Offset 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "nextKey": "",
     "messages": [
         {
             "sent_timestamp": "",
             "to": "",
             "direction": "",
             "quarantine_reason": "",
             "message_id": "",
             "mailbox_id": "",
             "subject": "",
             "from": {
                 "address": "",
                 "name": ""
             }
         }
     ],
     "filtered": "",
     "total": ""
}

operation: Add Blocked Items

Input parameters

Parameter Description
SHA256 SHA256 value of the item that you want to add to the blocked items on Sophos Central.
Comment (Optional) Comment that you want to attach to the item being added to the blocked items on Sophos Central.
Artifact Name (Optional) Name of the artifact being added to the blocked items on Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Get Blocked Items

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "ruleType": "",
     "rules": [
         {
             "id": "",
             "actionedById": "",
             "createdAt": "",
             "criteria": {
                 "type": "",
                 "value": ""
             },
             "context": {
                 "artifactName": "",
                 "comment": ""
             },
             "actionedByName": ""
         }
     ],
     "customerId": ""
}

operation: Delete Blocked Items

Input parameters

Parameter Description
Blocked Item Id ID of the blocked item that you want to delete from blocked items in Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Add Global Exclusion

Input parameters

Parameter Description
Exclusion Name Name of the exclusion that you want to add to Global Exclusions in Sophos Central.
Target Exclusion target that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: File or Folder (Windows), File or Folder (Mac/Linux), File or Folder (Sophos VM Security), Processes (Windows), Website (Windows/Mac), or Potentially Unwanted Applications (Windows/Mac).
Type Type of exclusion that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: Scheduled only, Real Time only, or Real time or Scheduled.
Comment (Optional) Comment that you want to attach to the exclusion being added to Global Exclusions in Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "customer_id": "",
     "exclusions": [
         {
             "name": "",
             "comment": "",
             "type": "",
             "target": "",
             "event_id": "",
             "description": ""
         }
     ]
}

operation: Get Global Exclusions

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "customer_id": "",
     "exclusions": [
         {
             "name": "",
             "comment": "",
             "type": "",
             "target": "",
             "event_id": "",
             "description": ""
         }
     ]
}

operation: Remove Global Exclusion

Input parameters

Parameter Description
Exclusion Name Name of the exclusion that you want to remove from Global Exclusions in Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "customer_id": "",
     "exclusions": [
         {
             "name": "",
             "comment": "",
             "type": "",
             "target": "",
             "event_id": "",
             "description": ""
         }
     ]
}

operation: Get Endpoint ID for Computer

Input parameters

Parameter Description
Computer Name Name of computer whose endpoint ID you want to retrieve from the Sophos Central system.
Note: This is not applicable to Servers or Mobiles.

Output

The output contains the following populated JSON schema:
{
     "endpoint_id": ""
}

Included playbooks

The Sample - Sophos Central - 2.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps for performing all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.

  • Add Allow and Block Entry
  • Add Blocked Items
  • Add Global Exclusion
  • Add Mailbox
  • Delete Allow and Block Entry
  • Delete Blocked Items
  • Delete Mailbox
  • Get Alerts
  • Get Allow and Block Entries
  • Get Artifacts of Threat Case
  • Get Blocked Items
  • Get Details of Threat Case
  • Get Endpoint ID for Computer
  • Get Events
  • Get Events related to Alert
  • Get Global Exclusions
  • Get Mailbox Details
  • Get Mail Boxes
  • Get Quarantine Messages
  • Get Reports
  • Get Threat Cases
  • Isolate Endpoint
  • Remove Global Exclusion
  • Scan Endpoint
  • Unisolate Endpoint

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

About the connector

Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners. 

This document provides information about the Sophos Central connector, which facilitates automated interactions, with Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts or specific incidents or alerts from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.

Version information

Connector Version: 2.0.0

Authored By: Fortinet

Certified: No

Release Notes for version 2.0.0

Following enhancements have been made to the Sophos Central Connector in version 2.0.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-sophos-central

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Sophos Central server to which you will connect and perform automated operations.
Username Username to access the Sophos Central server to which you will connect and perform automated operations.
Password Password to access the Sophos Central to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:  

Function | Description | Annotation and Category
Get Events | Retrieves a list of all incidents or specific incidents from the Sophos Central system, based on the filter criteria such as the endpoint ID, event/alert type, or other input parameters that you have specified. | get_events (Investigation)
Get Alerts | Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. | get_alerts (Investigation)
Get Events related to Alert | Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the filter criteria such as the alert ID, event/alert type, or other input parameters that you have specified. | get_alert_related_events (Investigation)
Get Reports | Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. | get_reports (Investigation)
Isolate Endpoint | Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. | isolate_endpoint (Investigation)
Unisolate Endpoint | Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | unisolate_endpoint (Investigation)
Scan Endpoint | Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | scan_endpoint (Investigation)
Get Threat Cases | Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. | get_threat_cases (Investigation)
Get Details of Threat Case | Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. | get_details_of_threat_case (Investigation)
Get Artifacts of Threat Case | Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. | get_artifacts_of_threat_case (Investigation)
Add Allow and Block Entry | Adds an "Allow and Block Entry" to the Sophos Central system based on the entry ID and action you have specified. | add_allow_block_entry (Investigation)
Get Allow and Block Entries | Retrieves all the Allow and Block entries of email addresses or domains from the Sophos Central system. | get_allow_block_entries (Investigation)
Delete Allow and Block Entry | Deletes an "Allow and Block Entry" from the Sophos Central system based on the entry ID you have specified. | delete_allow_block_entry (Investigation)
Add MailBox | Adds a MailBox to the Sophos Central system based on the mailbox name, type, and address you have specified. | add_mailbox (Investigation)
Get Mail Boxes | Retrieves information of mailboxes from the Sophos Central system. | get_mailboxes (Investigation)
Get MailBox Details | Retrieves details of a specific mailbox from the Sophos Central system based on the mailbox ID you have specified. | get_mailbox_details (Investigation)
Delete MailBox | Deletes a mailbox from the Sophos Central system based on the directory object ID you have specified. | delete_mailbox (Investigation)
Get Quarantine Messages | Retrieves all quarantined messages from the Sophos Central system. | get_quarantine_messages (Investigation)
Add Blocked Items | Adds blocked items to the Sophos Central system based on the SHA256 value of the item and other input parameters you have specified. | add_blocked_items (Investigation)
Get Blocked Items | Retrieves all blocked items from the Sophos Central system. | get_blocked_items (Investigation)
Delete Blocked Items | Deletes an item from the Blocked Items in the Sophos Central system based on the blocked item ID you have specified. | delete_blocked_items (Investigation)
Add Global Exclusion | Adds an exclusion with specified values to Global Exclusions in the Sophos Central system based on the exclusion name, target, and type you have specified. | add_global_exclusion (Investigation)
Get Global Exclusions | Retrieves all global exclusions from the Sophos Central system. | get_global_exclusions (Investigation)
Remove Global Exclusion | Removes a specified exclusion from Global Exclusions in the Sophos Central system based on the exclusion name you have specified. | remove_global_exclusion (Investigation)
Get Endpoint ID for Computer | Retrieves the endpoint ID for a specific computer from the Sophos Central system based on the computer name you have specified. | get_endpoint_id (Investigation)

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter | Description
Endpoint ID | ID of the endpoint based on which you want to retrieve events from the Sophos Central system.
Event Type | Type of event based on which you want to retrieve events from the Sophos Central system.
Alert ID | Alert ID based on which you want to retrieve events from the Sophos Central system.
Limit | Maximum number of results per page that this operation should return.
Offset | 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "events": [
         {
             "source_info": {
                 "ip": ""
             },
             "appCerts": "",
             "threat": "",
             "core_remedy_items": "",
             "user_id": "",
             "when": "",
             "created_at": "",
             "appSha256": "",
             "id": ""
         }
     ],
     "filtered": "",
     "total": "",
     "nextKey": ""
}

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned. 

Parameter | Description
Limit | Maximum number of results per page that this operation should return.
Offset | 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "alerts": [
         {
             "threat": "",
             "event_service_event_id": "",
             "when": "",
             "created_at": "",
             "id": "",
             "location": "",
             "customer_id": "",
             "info": "",
             "source": "",
             "type": "",
             "data": {
                 "endpoint_java_id": "",
                 "inserted_at": "",
                 "make_actionable_at": "",
                 "endpoint_type": "",
                 "event_service_id": "",
                 "source_info": {
                     "ip": ""
                 },
                 "endpoint_id": "",
                 "endpoint_platform": "",
                 "user_match_id": "",
                 "created_at": ""
             },
             "description": "",
             "threat_cleanable": "",
             "severity": ""
         }
     ],
     "filtered": "",
     "total": "",
     "nextKey": ""
}
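As an added example (not code from the connector or from this page), the following Python walks the Limit/Offset pagination of Get Alerts and collects the endpoint IDs that carry alerts at or above a chosen severity, which is the decision a playbook usually has to make before it calls Isolate Endpoint. The `fake_get_alerts` function and its sample alerts are constructed stand-ins for the connector step; the severity values `low`/`medium`/`high` and the stop rule (an empty page, a page shorter than Limit, or the running count reaching `total`) are assumptions that the page does not document, and `max_pages` exists so that a server which keeps answering with full pages cannot turn the playbook into an endless loop.

```python
from typing import Callable, Dict, Iterator, List

# Constructed sample alerts shaped like the "alerts" items in the Get Alerts schema.
# Only the fields this example reads are filled in.
SAMPLE_ALERTS: List[Dict] = [
    {"id": "a-1", "severity": "high",   "type": "sample-threat-detected",
     "description": "Malware detected", "data": {"endpoint_id": "ep-11"}},
    {"id": "a-2", "severity": "low",    "type": "sample-update-failure",
     "description": "Update failed",    "data": {"endpoint_id": "ep-12"}},
    {"id": "a-3", "severity": "high",   "type": "sample-threat-detected",
     "description": "Malware detected", "data": {"endpoint_id": "ep-11"}},
    {"id": "a-4", "severity": "low",    "type": "sample-update-failure",
     "description": "Update failed",    "data": {"endpoint_id": "ep-12"}},
    {"id": "a-5", "severity": "medium", "type": "sample-pua-detected",
     "description": "PUA detected",     "data": {"endpoint_id": "ep-13"}},
]


def fake_get_alerts(limit: int, offset: int) -> Dict:
    """Constructed stand-in for the connector's Get Alerts step.

    Returns page number `offset` (0-based) holding at most `limit` alerts,
    in the shape of the documented output schema.
    """
    start = offset * limit
    chunk = SAMPLE_ALERTS[start:start + limit]
    has_more = start + limit < len(SAMPLE_ALERTS)
    return {
        "alerts": chunk,
        "filtered": len(SAMPLE_ALERTS),
        "total": len(SAMPLE_ALERTS),
        "nextKey": str(start + limit) if has_more else "",
    }


def iter_alerts(get_alerts: Callable[[int, int], Dict],
                limit: int = 2, max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every alert across pages 0, 1, 2, ... of a Get Alerts-style call.

    Stop rule (an assumption, not documented by the page): an empty page, a page
    shorter than `limit`, or the running count reaching the reported `total`.
    `max_pages` guards against a server that keeps answering with full pages.
    """
    seen = 0
    for page_index in range(max_pages):
        page = get_alerts(limit, page_index)
        alerts = page.get("alerts") or []
        for alert in alerts:
            yield alert
        seen += len(alerts)
        total = page.get("total")
        if not alerts or len(alerts) < limit:
            return
        if isinstance(total, int) and seen >= total:
            return
    raise RuntimeError(f"Get Alerts pagination did not finish within {max_pages} pages")


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}  # assumed values of the "severity" field


def endpoints_to_review(get_alerts: Callable[[int, int], Dict],
                        min_severity: str = "high", limit: int = 2) -> Dict[str, List[str]]:
    """Map endpoint_id -> alert IDs for alerts at or above `min_severity`.

    Alerts without a data.endpoint_id are skipped rather than treated as an error,
    so one malformed alert cannot stop the whole triage step.
    """
    threshold = SEVERITY_RANK[min_severity]
    wanted: Dict[str, List[str]] = {}
    for alert in iter_alerts(get_alerts, limit=limit):
        severity = str(alert.get("severity", "")).lower()
        if SEVERITY_RANK.get(severity, -1) < threshold:
            continue
        endpoint_id = (alert.get("data") or {}).get("endpoint_id")
        if endpoint_id:
            wanted.setdefault(endpoint_id, []).append(alert["id"])
    return wanted


if __name__ == "__main__":
    print(endpoints_to_review(fake_get_alerts))            # {'ep-11': ['a-1', 'a-3']}
    print(endpoints_to_review(fake_get_alerts, "medium"))  # adds 'ep-13': ['a-5']
```

The de-duplication matters in practice: two high-severity alerts on the same endpoint should produce one Isolate Endpoint call, not two, and the returned alert IDs give the playbook the text for the isolation comment.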

operation: Get Events related to Alert

Input parameters

Parameter | Description
Alert ID | ID of the alert whose associated events you want to retrieve from the Sophos Central system.
Endpoint ID | (Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system.
Event Type | (Optional) Type of event based on which you want to retrieve events from the Sophos Central system.
Limit | (Optional) Maximum number of results per page that this operation should return.
Offset | (Optional) 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "origin": "",
     "appCerts": "",
     "threat": "",
     "endpoint_type": "",
     "user_id": "",
     "endpoint_id": "",
     "when": "",
     "created_at": "",
     "id": "",
     "location": "",
     "source_info": {
         "ip": ""
     },
     "name": "",
     "customer_id": "",
     "core_remedy_items": "",
     "source": "",
     "type": "",
     "severity": "",
     "appSha256": "",
     "group": ""
}

operation: Get Reports

Input parameters

Parameter | Description
Report Type | Type of report based on which you want to retrieve reports from the Sophos Central system.
Limit | (Optional) Maximum number of results per page that this operation should return.
Offset | (Optional) 0-based index of the page that this operation should return.
Ascending | Select the Ascending checkbox to sort the results in ascending order.

Output

When you choose “Users” as the Report Type, then the output contains the following populated JSON schema:
{
     "filename": "",
     "filtered": "",
     "reports": [
         {
             "last_activity": "",
             "mobile_devices": [],
             "deployment_instructions_sent": "",
             "health_status": "",
             "logins": "",
             "endpoints": "",
             "groups": "",
             "id": "",
             "email": "",
             "name": ""
         }
     ],
     "total": "",
     "summary": {
         "total": "",
         "active": "",
         "dormant": "",
         "no_devices": "",
         "inactive": ""
     }
}

When you choose “Servers” as the Report Type, then the output contains the following populated JSON schema:
{
     "filename": "",
     "reports": [
         {
             "last_activity": "",
             "on_access": "",
             "last_scan_time": "",
             "last_login": "",
             "is_adsync": "",
             "last_updated": "",
             "last_scan": "",
             "health_status": "",
             "group_name": "",
             "id": "",
             "name": ""
         }
     ],
     "filtered": "",
     "summary": {
         "total": "",
         "active": "",
         "unprotected": "",
         "inactive": "",
         "domant": ""
     },
     "total": ""
}

When you choose “Computers” as the Report Type, then the output contains the following populated JSON schema:
{
     "reports": [
         {
             "last_activity": "",
             "last_user_id": "",
             "on_access": "",
             "last_scan_time": ""
         }
     ]
}

operation: Isolate Endpoint

Input parameters

Parameter | Description
Endpoint ID | ID of the endpoint that you want to isolate on the Sophos Central system.
Comment | Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "failed": [],
     "succeeded": []
}

operation: Unisolate Endpoint

Input parameters

Parameter | Description
Endpoint ID | ID of the endpoint that you want to unisolate on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "failed": [],
     "succeeded": []
}

operation: Scan Endpoint

Input parameters

Parameter | Description
Endpoint ID | ID of the endpoint that you want to scan on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "message": ""
}

operation: Get Threat Cases

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter | Description
Case Type | Type of case whose associated threats you want to retrieve from the Sophos Central system. You can choose between System Generated or Admin Generated.
Endpoint Type | Type of endpoint whose associated threats you want to retrieve from the Sophos Central system. You can choose between Computer or Server.
Priority | Priority of case based on which you want to retrieve threats from the Sophos Central system. You can choose between Medium, High, or Low.
Case Status | Status of case based on which you want to retrieve threats from the Sophos Central system. You can choose between New, In Progress, or Closed.
Limit | Maximum number of results per page that this operation should return.
Offset | 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "summary": {
         "inprogress": "",
         "closed": "",
         "total": "",
         "new": ""
     },
     "nextKey": "",
     "total": "",
     "filtered": "",
     "cases": [
         {
             "malwareName": "",
             "endpointName": "",
             "endpointType": "",
             "beaconDT": "",
             "endpointSupportsL3FileAnalysis": "",
             "rootCauseName": "",
             "status": "",
             "supportsDirectPath": "",
             "numberOfBusinessFiles": "",
             "hasProcessBeacon": "",
             "allowedStates": [],
             "isEndpointDeleted": "",
             "suspectProcessCount": "",
             "complexRootCause": {
                 "source": {
                     "value": "",
                     "type": ""
                 },
                 "interaction": "",
                 "provenance": {
                     "value": "",
                     "type": ""
                 },
                 "target": {}
             },
             "cloudCreatedAt": "",
             "endpointId": "",
             "rootCauseDT": "",
             "priority": "",
             "id": "",
             "version": "",
             "customerId": "",
             "endpointSupportsForensicSnapshots": "",
             "supportsSortOnDecoration": ""
         }
     ]
}

operation: Get Details of Threat Case

Input parameters

Parameter | Description
Case ID | ID of the case whose details you want to retrieve from the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "malwareName": "",
     "endpointName": "",
     "endpointType": "",
     "beaconDT": "",
     "endpointSupportsL3FileAnalysis": "",
     "rootCauseName": "",
     "status": "",
     "supportsDirectPath": "",
     "numberOfBusinessFiles": "",
     "hasProcessBeacon": "",
     "allowedStates": [],
     "isEndpointDeleted": "",
     "suspectProcessCount": "",
     "complexRootCause": {
         "source": {
             "value": "",
             "type": ""
         },
         "interaction": "",
         "provenance": {
             "value": "",
             "type": ""
         },
         "target": {}
     },
     "cloudCreatedAt": "",
     "endpointId": "",
     "rootCauseDT": "",
     "priority": "",
     "id": "",
     "version": "",
     "customerId": "",
     "endpointSupportsForensicSnapshots": "",
     "supportsSortOnDecoration": ""
}

operation: Get Artifacts of Threat Case

Input parameters

Parameter | Description
Case ID | ID of the case whose artifacts you want to retrieve from the Sophos Central system.
Filters | (Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system. You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown.
Limit | (Optional) Maximum number of results per page that this operation should return.
Offset | (Optional) 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "summary": {
         "processes": "",
         "total": "",
         "business_files": "",
         "other_files": "",
         "network_connections": "",
         "registry_keys": ""
     },
     "nextKey": "",
     "total": "",
     "filtered": "",
     "artifacts": []
}

operation: Add Allow and Block Entry

Input parameters

Parameter | Description
Entry | Entry that you want to add to the "Allow and Block Entries" on the Sophos Central system.
Action | Action that you want to perform on the entry that you want to add to the "Allow and Block Entries" on the Sophos Central system. You can choose between Allow or Block.
Override Duplicates | Select the Override Duplicates checkbox if you want to replace the entry if the entry already exists in the "Allow and Block Entries" in the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "list_type": "",
     "id": "",
     "entry_type": "",
     "entry": "",
     "created_at": ""
}

operation: Get Allow and Block Entries

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter | Description
Limit | Maximum number of results per page that this operation should return.
Offset | 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "nextKey": "",
     "filtered": "",
     "entries": [
         {
             "list_type": "",
             "id": "",
             "entry_type": "",
             "entry": "",
             "created_at": ""
         }
     ]
}

operation: Delete Allow and Block Entry

Input parameters

Parameter | Description
Entry ID | ID of the entry that you want to delete from the "Allow and Block Entries" on the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Add MailBox

Input parameters

Parameter | Description
MailBox Type | Type of the mailbox that you want to add to Sophos Central. You can choose between User, Public Folder, or Distribution Group.
Mailbox Name | Name of the mailbox that you want to add to Sophos Central.
Mailbox Address | Address of the mailbox that you want to add to Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "associated_customer_info": {
         "skip_checks_max_reached": ""
     },
     "mailbox_address": "",
     "is_external": "",
     "mailbox_type": "",
     "date_created": "",
     "directory_object_id": "",
     "id": "",
     "endpoint_id": "",
     "endpoint_id_ruby": "",
     "skip_inbound_checks_enabled": "",
     "mailbox_name": "",
     "owner_directory_object_id": ""
}

operation: Get Mail Boxes

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter | Description
Limit | Maximum number of results per page that this operation should return.
Offset | 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "total": "",
     "nextKey": "",
     "filtered": "",
     "mailboxes": [
         {
             "associated_customer_info": {
                 "skip_checks_max_reached": ""
             },
             "mailbox_address": "",
             "is_external": "",
             "mailbox_type": "",
             "date_created": "",
             "directory_object_id": "",
             "id": "",
             "endpoint_id": "",
             "endpoint_id_ruby": "",
             "skip_inbound_checks_enabled": "",
             "mailbox_name": "",
             "owner_directory_object_id": ""
         }
     ]
}

operation: Get MailBox Details

Input parameters

Parameter | Description
MailBox ID | ID of the mailbox for which you want to retrieve details from Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "associated_customer_info": {
         "skip_checks_max_reached": ""
     },
     "mailbox_address": "",
     "is_external": "",
     "mailbox_type": "",
     "date_created": "",
     "aliases": [],
     "directory_object_id": "",
     "id": "",
     "endpoint_id": "",
     "endpoint_id_ruby": "",
     "skip_inbound_checks_enabled": "",
     "mailbox_name": "",
     "owner_directory_object_id": ""
}

operation: Delete MailBox

Input parameters

Parameter | Description
Directory Object ID | ID of the directory object (mailbox) that you want to delete from the Sophos Central system.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Get Quarantine Messages

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter | Description
Sort Field | Field on which you want to sort quarantined messages retrieved from the Sophos Central system. You can choose from the following options: Date, Sender, Recipient, or Quarantine_Reason.
Sort Order | Order in which to sort quarantined messages retrieved from the Sophos Central system. You can choose between Ascending or Descending.
Limit | Maximum number of results per page that this operation should return.
Offset | 0-based index of the page that this operation should return.

Output

The output contains the following populated JSON schema:
{
     "nextKey": "",
     "messages": [
         {
             "sent_timestamp": "",
             "to": "",
             "direction": "",
             "quarantine_reason": "",
             "message_id": "",
             "mailbox_id": "",
             "subject": "",
             "from": {
                 "address": "",
                 "name": ""
             }
         }
     ],
     "filtered": "",
     "total": ""
}

operation: Add Blocked Items

Input parameters

Parameter | Description
SHA256 | SHA256 value of the item that you want to add to the blocked items on Sophos Central.
Comment | (Optional) Comment that you want to add to the item that you want to add to the blocked items on Sophos Central.
Artifact Name | (Optional) Name of the artifact that you want to add to the blocked items on Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Get Blocked Items

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "ruleType": "",
     "rules": [
         {
             "id": "",
             "actionedById": "",
             "createdAt": "",
             "criteria": {
                 "type": "",
                 "value": ""
             },
             "context": {
                 "artifactName": "",
                 "comment": ""
             },
             "actionedByName": ""
         }
     ],
     "customerId": ""
}
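The Add Blocked Items operation above takes a raw SHA256 string, and the Get Blocked Items output lists what is already blocked, so a playbook that blocks hashes from an incident benefits from two checks before it calls Add Blocked Items: that each value really is a SHA256 (64 hex characters, not an MD5 or SHA1 pasted by mistake, and without stray whitespace) and that it is not already present under a different letter case. The following Python is an added example, not connector code; the sample Get Blocked Items output is constructed, and the assumption that `criteria.type` reads `"sha256"` for hash rules is not something the page confirms.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# A SHA256 digest is exactly 64 hexadecimal characters; anything else
# (an MD5, a SHA1, a value with a trailing newline, an empty string) is rejected.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def normalize_sha256(value: str) -> str:
    """Return the digest in canonical lowercase form, or raise ValueError."""
    candidate = (value or "").strip()
    if not SHA256_RE.fullmatch(candidate):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return candidate.lower()


# Constructed sample shaped like the Get Blocked Items output schema above.
# The criteria "type" value "sha256" is an assumption about the connector output.
SAMPLE_BLOCKED_ITEMS: Dict = {
    "ruleType": "blocklist",
    "customerId": "sample-customer",
    "rules": [
        {"id": "rule-1", "createdAt": "2024-01-01T00:00:00Z",
         "actionedById": "u-1", "actionedByName": "analyst",
         "criteria": {"type": "sha256", "value": "A" * 64},
         "context": {"artifactName": "dropper.exe", "comment": "IR case 17"}},
        {"id": "rule-2", "createdAt": "2024-01-02T00:00:00Z",
         "actionedById": "u-1", "actionedByName": "analyst",
         "criteria": {"type": "sha256", "value": "b" * 64},
         "context": {"artifactName": "", "comment": ""}},
    ],
}


def blocked_sha256s(get_blocked_items_output: Dict) -> Set[str]:
    """Collect the SHA256 values already present, normalized so letter case cannot hide a duplicate."""
    found: Set[str] = set()
    for rule in get_blocked_items_output.get("rules") or []:
        criteria = rule.get("criteria") or {}
        if str(criteria.get("type", "")).lower() != "sha256":
            continue
        try:
            found.add(normalize_sha256(criteria.get("value", "")))
        except ValueError:
            continue  # an odd value in the existing list must not abort the check
    return found


def plan_block(get_blocked_items_output: Dict,
               candidates: Iterable[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split candidate hashes into (to_add, already_blocked, rejected).

    to_add is de-duplicated and kept in first-seen order, so a playbook can loop
    over it and call Add Blocked Items once per hash; rejected keeps the raw input
    so the analyst can see what was wrong with it.
    """
    existing = blocked_sha256s(get_blocked_items_output)
    to_add: List[str] = []
    already: List[str] = []
    rejected: List[str] = []
    for raw in candidates:
        try:
            digest = normalize_sha256(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if digest in existing:
            already.append(digest)
        elif digest not in to_add:
            to_add.append(digest)
    return to_add, already, rejected


if __name__ == "__main__":
    incoming = ["a" * 64, "B" * 64, "c" * 64 + "\n", "C" * 64,
                "d41d8cd98f00b204e9800998ecf8427e", ""]
    print(plan_block(SAMPLE_BLOCKED_ITEMS, incoming))
```

Rejecting the 32-character value is the useful part: Add Blocked Items has no way of knowing that an MD5 was pasted into the SHA256 field, and a rule created from it would never match anything.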

operation: Delete Blocked Items

Input parameters

Parameter | Description
Blocked Item Id | ID of the blocked item that you want to delete from blocked items in Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "Success": ""
}

operation: Add Global Exclusion

Input parameters

Parameter | Description
Exclusion Name | Name of the exclusion that you want to add to Global Exclusions in Sophos Central.
Target | Exclusion target that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: File or Folder(Windows), File or Folder(Mac/Linux), File or Folder(Sophos VM Security), Processes(Windows), Website(Windows/Mac), or Potentially Unwanted Applications(Windows/Mac).
Type | Type of exclusion that you want to add to Global Exclusions in Sophos Central. You can choose from the following options: Scheduled only, Real Time only, or Real time or Scheduled.
Comment | (Optional) Comment that you want to add to the exclusion that you want to add as an entry to Global Exclusions in Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "customer_id": "",
     "exclusions": [
         {
             "name": "",
             "comment": "",
             "type": "",
             "target": "",
             "event_id": "",
             "description": ""
         }
     ]
}

operation: Get Global Exclusions

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "customer_id": "",
     "exclusions": [
         {
             "name": "",
             "comment": "",
             "type": "",
             "target": "",
             "event_id": "",
             "description": ""
         }
     ]
}
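Every global exclusion is a gap in scanning, so the Get Global Exclusions output is worth reviewing on a schedule rather than only at the moment an exclusion is added. The following Python is an added example (not connector code) that runs two review rules over that output: an exclusion whose name covers a whole drive or filesystem root, and a real-time exclusion (type Real Time only or Real time or Scheduled, the values listed under Add Global Exclusion) with no comment recording why it exists. The sample output is constructed; treating `name` as the excluded path or process, and the root-path patterns, are assumptions of this example rather than anything the page states.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the Get Global Exclusions output schema above.
# "name" is treated as the excluded path/process (the value Add Global Exclusion
# calls Exclusion Name); that reading is an assumption about the connector.
SAMPLE_EXCLUSIONS: Dict = {
    "customer_id": "sample-customer",
    "exclusions": [
        {"name": "C:\\Program Files\\VendorBackup\\agent.exe", "comment": "CHG-1042 backup agent",
         "type": "Real time or Scheduled", "target": "Processes(Windows)",
         "event_id": "", "description": ""},
        {"name": "C:\\", "comment": "",
         "type": "Real time or Scheduled", "target": "File or Folder(Windows)",
         "event_id": "", "description": ""},
        {"name": "/", "comment": "speed up builds",
         "type": "Scheduled only", "target": "File or Folder(Mac/Linux)",
         "event_id": "", "description": ""},
        {"name": "D:\\Scratch\\*", "comment": "",
         "type": "Real Time only", "target": "File or Folder(Windows)",
         "event_id": "", "description": ""},
    ],
}

# Patterns for an exclusion that covers an entire volume or filesystem root
# (a heuristic of this example, not a Sophos definition).
ROOT_PATTERNS = [
    re.compile(r"^[A-Za-z]:[\\/]?\**$"),  # C:  C:\  C:\*  C:\**
    re.compile(r"^[\\/]\**$"),            # /   /*   \    \**
    re.compile(r"^\*+$"),                 # bare wildcard
]

# Type values from the Add Global Exclusion parameter table, compared case-insensitively.
REAL_TIME_TYPES = {"real time only", "real time or scheduled"}


def is_root_exclusion(name: str) -> bool:
    """True when the exclusion name matches one of the whole-root patterns."""
    stripped = name.strip()
    return any(pattern.match(stripped) for pattern in ROOT_PATTERNS)


def audit_global_exclusions(output: Dict) -> List[Dict[str, str]]:
    """Return one finding per problem spotted in Get Global Exclusions output.

    Rules (heuristics of this example):
      root      - the exclusion covers a whole drive or filesystem root
      no_reason - a real-time exclusion has no comment recording why it exists
    An exclusion can produce both findings.
    """
    findings: List[Dict[str, str]] = []
    for exclusion in output.get("exclusions") or []:
        name = str(exclusion.get("name", ""))
        exclusion_type = str(exclusion.get("type", "")).lower()
        if is_root_exclusion(name):
            findings.append({"name": name, "reason": "root"})
        if exclusion_type in REAL_TIME_TYPES and not str(exclusion.get("comment", "")).strip():
            findings.append({"name": name, "reason": "no_reason"})
    return findings


if __name__ == "__main__":
    for finding in audit_global_exclusions(SAMPLE_EXCLUSIONS):
        print(f"{finding['reason']:<10} {finding['name']}")
```

The findings list is the natural input to Remove Global Exclusion, keyed by the same Exclusion Name, but a review step that opens a ticket is the safer default: the scheduled-only root exclusion in the sample may be a deliberate build-server trade-off that only its owner can judge.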

operation: Remove Global Exclusion

Input parameters

Parameter | Description
Exclusion Name | Name of the exclusion that you want to remove from Global Exclusions in Sophos Central.

Output

The output contains the following populated JSON schema:
{
     "customer_id": "",
     "exclusions": [
         {
             "name": "",
             "comment": "",
             "type": "",
             "target": "",
             "event_id": "",
             "description": ""
         }
     ]
}

operation: Get Endpoint ID for Computer

Input parameters

Parameter | Description
Computer Name | Name of the computer whose endpoint ID you want to retrieve from the Sophos Central system. Note: This is not applicable to Servers or Mobiles.

Output

The output contains the following populated JSON schema:
{
     "endpoint_id": ""
}

Included playbooks

The Sample - Sophos Central - 2.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.