Fortinet black logo

Sophos Central

Home FortiSOAR Connectors Sophos Central
4.0.0
4.2.0
4.1.0
4.0.1
4.0.0
3.0.0
2.0.0
1.0.0

Sophos Central v4.0.0

About the connector

Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.

This document provides information about the Sophos Central connector, which facilitates automated interactions, with the Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts or specific incidents or alerts from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.

Version information

Connector Version: 4.0.0

Authored By: Community

Certified: No

Release Notes for version 4.0.0

Version 4.0.0 of the Sophos Central connector is completely different from the previous versions. Changes include:

  • Updated the authentication from "Basic Auth" to "OAuth".
  • All the operations and playbooks have been updated or newly added. The output schemas for all the operations have also been updated.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sophos-central

Prerequisites to configuring the connector

  • You must have the URL of the Sophos Central server to which you will connect and perform automated operations and credentials (client ID and client secret) to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Sophos Central server.

Minimum Permissions Required

  • Not Applicable.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Sophos Central connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

Parameter Description
Server URL Specify the URL of the Sophos Central server to which you will connect and perform automated operations.
Client ID Specify the Client ID used to access the Sophos Central server to which you will connect and perform automated operations.
Client Secret Specify the Secret code used to access the Sophos Central server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Get Alert List Retrieves a list of all the alerts or specific alerts from Sophos Central based on the filter criteria that you have specified. list_alerts
Investigation
Get Alert by ID Retrieves details of a specific alert from Sophos Central based on the alert ID you have specified. get_alerts
Investigation
Perform Alert Action Performs an action such as Clean Virus, Clear Threat, etc on a specific alert in Sophos Central based on the alert ID and action you have specified. alerts_action
Investigation
Search Alerts Searches for alerts from Sophos Central based on the filter criteria that you have specified. search_alerts
Investigation
Get Endpoints Retrieves a list of all the endpoints or specific endpoints for a specific tenant from Sophos Central based on the filter criteria that you have specified. list_endpoints
Investigation
Get Endpoint by ID Retrieves details of a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints
Investigation
Delete Endpoint Deletes a specified endpoint from Sophos Central based on the endpoint ID you have specified. delete_endpoints
Investigation
Scan Endpoint Sends a request to the specified endpoint in Sophos Central to perform or configure a scan based on the endpoint ID you have specified. scan_endpoints
Investigation
Get Endpoint Isolations Retrieves isolation settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints_isolation
Investigation
Isolate Endpoint Updates the isolation settings for a specific endpoint to 'Isolate' in Sophos Central based on the endpoint ID you have specified. isolate_endpoints
Investigation
Unisolate Endpoint Updates the isolation settings for a specific endpoint to 'Unisolate' in Sophos Central based on the endpoint ID you have specified. unisolate_endpoints
Investigation
Get Endpoint Tamper Protection Retrieves the tamper protection settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoint_tamper_protection
Investigation
Update Endpoint Tamper Protection Turns Tamper Protection on or off on an endpoint, or generates a new tamper protection password based on the endpoint ID you have specified.
Note: Tamper Protection can be turned on for an endpoint only if it has also been turned on globally.		 update_endpoint_tamper_protection
Investigation
Get Allowed Items Retrieves a list of allowed items from Sophos Central. list_allowed_items
Investigation
Get Allowed Item by ID Retrieves details of a specific allowed item from Sophos Central based on the allowed item ID you have specified. get_allowed_items
Investigation
Create Allowed Item Creates an allowed item in Sophos Central based on the file name, type, and other input parameters you have specified. create_allowed_items
Investigation
Update Allowed Item Updates an allowed item in Sophos Central based on the allowed item ID you have specified. update_allowed_items
Investigation
Delete Allowed Item Deletes an allowed item in Sophos Central based on the allowed item ID you have specified. delete_allowed_items
Investigation
Get Blocked Items Retrieves a list of blocked items from Sophos Central. list_blocked_items
Investigation
Get Blocked Item by ID Retrieves details of a specific blocked item from Sophos Central based on the blocked item ID you have specified. get_blocked_items
Investigation
Create Blocked Item Creates a blocked item in Sophos Central based on the file name, type, and other input parameters you have specified. create_blocked_items
Investigation
Delete Blocked Item Deletes a blocked item in Sophos Central based on the blocked item ID you have specified. delete_blocked_items
Investigation
Get Exclusion Scanning Retrieves all scanning exclusions from Sophos Central based on the scanning exclusion type and other input parameters you have specified. list_exclusion_scanning
Investigation
Get Exclusion Scanning by ID Retrieves details for a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. get_exclusion_scanning
Investigation
Create Exclusion Scanning Adds a new scanning exclusion in Sophos Central based on the scanning exclusion value, scanning exclusion type, and other input parameters you have specified. create_exclusion_scanning
Investigation
Update Exclusion Scanning Updates an existing scanning exclusion in Sophos Central based on the scanning exclusion ID, scanning exclusion type, and other input parameters you have specified. update_exclusion_scanning
Investigation
Delete Exclusion Scanning Deletes a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. delete_exclusion_scanning
Investigation
Get Exploit Mitigation Application Retrieves Exploit Mitigation settings for all protected applications from Sophos Central. list_exploit_mitigation_application
Investigation
Get Exploit Mitigation by ID Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. get_exploit_mitigation_application
Investigation
Create Exploit Mitigation Application Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. create_exploit_mitigation_application
Investigation
Update Exploit Mitigation Application Updates an Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. update_exploit_mitigation_application
Investigation
Delete Exploit Mitigation by ID Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified.
Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message.		 delete_exploit_mitigation_application
Investigation
Get Detected Exploits Retrieves detected exploits and the number of each detected exploit from Sophos Central. list_detected_exploits
Investigation
Get Specific Detected Exploits Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. get_detected_exploits
Investigation

operation: Get Alert List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc"
Product Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central.
Category Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size The maximum number of results, per page, that this operation should return.
Page From The key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Alert by ID

Input parameters

Parameter Description
Alert ID Specify the ID of the alert whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Perform Alert Action

Input parameters

Parameter Description
Alert ID Specify the ID of the alert on which you want to perform the specific action in Sophos Central.
Alert Action Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc.
Message (Optional) Specify the message to be added while performing the specific action on the specified alert.

Output

The output contains a non-dictionary value.

operation: Search Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc"
Product Select the product types of the alerts using which you can filter the alerts searched in Sophos Central.
Category Select the category of the alerts using which you can filter the alerts searched in Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts searched in Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to search for in Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size The maximum number of results, per page, that this operation should return.
Page From The key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all endpoints, is returned.

Parameter Description
Last Seen After Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Last Seen Before Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Sort Parameter Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc"
Health Status Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Type Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Tamper Protection Enabled Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints whose Tamper Protection is turned on and vice-versa.
Lockdown Status Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
ID List Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central.
Isolation Status Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints that are isolated and vice-versa.
Hostname Contains Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central.
Associated Person Contains Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central.
Group Name Contains Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central.
Search Keyword Specify keywords (term) using which you want to search for and retrieve endpoints from Sophos Central.
Search Field Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields.
IP Address List Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central.
Cloud Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size The maximum number of results, per page, that this operation should return.
Page From The key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.
Response View Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains a non-dictionary value.

operation: Get Endpoint by ID

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint whose details you want to retrieve from Sophos Central.
Fields in Response (Optional) Specify a comma-separated list of fields that you want to include in this action's response.
Response View (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains a non-dictionary value.

operation: Delete Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"deleted": ""
}

operation: Scan Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central.

Output

The output contains the following populated JSON schema:
{
"id": "",
"status": "",
"requestedAt": ""
}

operation: Get Endpoint Isolations

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central.
Comments (Optional) Specify the reason for isolating the specified endpoint.

Output

The output contains a non-dictionary value.

operation: Unisolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central.
Comments (Optional) Specify the reason for unisolating the specified endpoint.

Output

The output contains a non-dictionary value.

operation: Get Endpoints Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}

operation: Update Endpoints Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central.
Enabled Select true if you want to turn on tamper protection for the specified endpoints in Sophos Central and vice-versa.
Regenerate Password Select true if you want to generate a new password for tamper protection for the specified endpoints in Sophos Central.

Output

The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}

operation: Get Allowed Items

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all allowed items, is returned.

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the allowed items.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Allowed Item by ID

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Allowed Item

Input parameters

Parameter Description
File Name Specify the filename of the allowed item that you want to create in Sophos Central.
Type

Specify the type of property using which this item is allowed in Sophos Central. You can choose between Path, Sha256, or Certificate Signer.

  • If you choose 'Path', then in the Path field specify the path of the allowed application.
  • If you choose 'Sha256', then in the Sha256 field specify the Sha256 value of the allowed application.
  • If you choose 'Certificate Signer', then in the Certificate Signer field specify the value saved for the certificate signer.
Comment Specify the reason for allowing the item.
Origin Person ID (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen.
Origin Endpoint ID (Optional) Specify the ID of the endpoint where the item to be allowed was last seen.

Output

The output contains a non-dictionary value.

operation: Update Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to update in Sophos Central.
Comment Specify the reason for allowing the item.

Output

The output contains a non-dictionary value.

operation: Delete Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to delete from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Get Blocked Items

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all blocked items, is returned.

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the blocked items.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Blocked Item by ID

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Blocked Item

Input parameters

Parameter Description
File Name Specify the filename of the blocked item that you want to create in Sophos Central.
Type Specify the type of property using which this item is blocked in Sophos Central. You can select Sha256.
If you choose 'Sha256', then in the Sha256 field specify the Sha256 value of the blocked application.
Comment Specify the reason for blocking the item.

Output

The output contains a non-dictionary value.

operation: Delete Blocked Item

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item that you want to delete from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Get Exclusion Scanning

Input parameters

Parameter Description
Type Select the exclusion scanning type that you want to retrieve from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the exclusion scans.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Exclusion Scanning by ID

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Exclusion Scanning

Input parameters

Parameter Description
Exclusion Value Specify the value of the exclusion scan that you want to create in Sophos Central.
Type Select the exclusion scanning type that you want to create in Sophos Central.
Scan Mode Select the mode of the exclusion scan.
The default value of scan mode is as follows:
  • "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath
  • "onAccess" for process, web, pua, and amsi.
  • Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for creating the exclusion scan.

Output

The output contains a non-dictionary value.

operation: Update Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to create in Sophos Central.
Exclusion Value (Optional) Specify the value of the exclusion scan that you want to update in Sophos Central.
Scan Mode Select the mode of the exclusion scan.
The default value of scan mode is as follows:
  • "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath
  • "onAccess" for process, web, pua, and amsi.
  • Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for updating the exclusion scan.

Output

The output contains a non-dictionary value.

operation: Delete Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"deleted": ""
}

operation: Get Exploit Mitigation Application

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all exploit mitigation applications, is returned.

Parameter Description
Type Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected.
Modified Select true if you want to retrieve only customized exploit mitigation applications from Sophos Central and vice-versa.
Page Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Exploit Mitigation by ID

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Exploit Mitigation Application

Input parameters

Parameter Description
Path List Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central.

Output

The output contains a non-dictionary value.

operation: Update Exploit Mitigation Application

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to update in Sophos Central.
Path List Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central.

Output

The output contains a non-dictionary value.

operation: Delete Exploit Mitigation by ID

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"deleted": ""
}

operation: Get Detected Exploits

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all detected exploits, is returned.

Parameter Description
Thumb Print Not IN Specify a comma-separated list of thumbprints based on which you want to retrieve detected exploits from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the detected exploits.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Specific Detected Exploits

Input parameters

Parameter Description
Detected Exploit ID Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - sophos-central - 4.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.

  • Create Allowed Item
  • Create Blocked Item
  • Create Exclusion Scanning
  • Create Exploit Mitigation Application
  • Delete Blocked Item
  • Delete Allowed Item
  • Delete Endpoint
  • Delete Exclusion Scanning
  • Delete Exploit Mitigation
  • Get Alert List
  • Get Alert by ID
  • Get Allowed Item by ID
  • Get Allowed Items
  • Get Blocked Item by ID
  • Get Blocked Items
  • Get Detected Exploits
  • Get Endpoint Isolations
  • Get Endpoint Tamper Protection
  • Get Endpoint by ID
  • Get Endpoints
  • Get Exclusion Scanning
  • Get Exclusion Scanning by ID
  • Get Exploit Mitigation Application
  • Get Exploit Mitigation by ID
  • Get Specific Detected Exploit
  • Isolate Endpoint
  • Perform Alert Action
  • Scan Endpoint
  • Search Alerts
  • Unisolate Endpoint
  • Update Allowed Item
  • Update Endpoint Tamper Protection
  • Update Exclusion Scanning
  • Update Exploit Mitigation Application

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next

About the connector

Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.

This document provides information about the Sophos Central connector, which facilitates automated interactions, with the Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts or specific incidents or alerts from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.

Version information

Connector Version: 4.0.0

Authored By: Community

Certified: No

Release Notes for version 4.0.0

Version 4.0.0 of the Sophos Central connector is completely different from the previous versions. Changes include:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sophos-central

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Sophos Central connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

Parameter Description
Server URL Specify the URL of the Sophos Central server to which you will connect and perform automated operations.
Client ID Specify the Client ID used to access the Sophos Central server to which you will connect and perform automated operations.
Client Secret Specify the Secret code used to access the Sophos Central server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Get Alert List Retrieves a list of all the alerts or specific alerts from Sophos Central based on the filter criteria that you have specified. list_alerts
Investigation
Get Alert by ID Retrieves details of a specific alert from Sophos Central based on the alert ID you have specified. get_alerts
Investigation
Perform Alert Action Performs an action such as Clean Virus, Clear Threat, etc on a specific alert in Sophos Central based on the alert ID and action you have specified. alerts_action
Investigation
Search Alerts Searches for alerts from Sophos Central based on the filter criteria that you have specified. search_alerts
Investigation
Get Endpoints Retrieves a list of all the endpoints or specific endpoints for a specific tenant from Sophos Central based on the filter criteria that you have specified. list_endpoints
Investigation
Get Endpoint by ID Retrieves details of a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints
Investigation
Delete Endpoint Deletes a specified endpoint from Sophos Central based on the endpoint ID you have specified. delete_endpoints
Investigation
Scan Endpoint Sends a request to the specified endpoint in Sophos Central to perform or configure a scan based on the endpoint ID you have specified. scan_endpoints
Investigation
Get Endpoint Isolations Retrieves isolation settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints_isolation
Investigation
Isolate Endpoint Updates the isolation settings for a specific endpoint to 'Isolate' in Sophos Central based on the endpoint ID you have specified. isolate_endpoints
Investigation
Unisolate Endpoint Updates the isolation settings for a specific endpoint to 'Unisolate' in Sophos Central based on the endpoint ID you have specified. unisolate_endpoints
Investigation
Get Endpoint Tamper Protection Retrieves the tamper protection settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoint_tamper_protection
Investigation
Update Endpoint Tamper Protection Turns Tamper Protection on or off on an endpoint, or generates a new tamper protection password based on the endpoint ID you have specified.
Note: Tamper Protection can be turned on for an endpoint only if it has also been turned on globally.		 update_endpoint_tamper_protection
Investigation
Get Allowed Items Retrieves a list of allowed items from Sophos Central. list_allowed_items
Investigation
Get Allowed Item by ID Retrieves details of a specific allowed item from Sophos Central based on the allowed item ID you have specified. get_allowed_items
Investigation
Create Allowed Item Creates an allowed item in Sophos Central based on the file name, type, and other input parameters you have specified. create_allowed_items
Investigation
Update Allowed Item Updates an allowed item in Sophos Central based on the allowed item ID you have specified. update_allowed_items
Investigation
Delete Allowed Item Deletes an allowed item in Sophos Central based on the allowed item ID you have specified. delete_allowed_items
Investigation
Get Blocked Items Retrieves a list of blocked items from Sophos Central. list_blocked_items
Investigation
Get Blocked Item by ID Retrieves details of a specific blocked item from Sophos Central based on the blocked item ID you have specified. get_blocked_items
Investigation
Create Blocked Item Creates a blocked item in Sophos Central based on the file name, type, and other input parameters you have specified. create_blocked_items
Investigation
Delete Blocked Item Deletes a blocked item in Sophos Central based on the blocked item ID you have specified. delete_blocked_items
Investigation
Get Exclusion Scanning Retrieves all scanning exclusions from Sophos Central based on the scanning exclusion type and other input parameters you have specified. list_exclusion_scanning
Investigation
Get Exclusion Scanning by ID Retrieves details for a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. get_exclusion_scanning
Investigation
Create Exclusion Scanning Adds a new scanning exclusion in Sophos Central based on the scanning exclusion value, scanning exclusion type, and other input parameters you have specified. create_exclusion_scanning
Investigation
Update Exclusion Scanning Updates an existing scanning exclusion in Sophos Central based on the scanning exclusion ID, scanning exclusion type, and other input parameters you have specified. update_exclusion_scanning
Investigation
Delete Exclusion Scanning Deletes a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. delete_exclusion_scanning
Investigation
Get Exploit Mitigation Application Retrieves Exploit Mitigation settings for all protected applications from Sophos Central. list_exploit_mitigation_application
Investigation
Get Exploit Mitigation by ID Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. get_exploit_mitigation_application
Investigation
Create Exploit Mitigation Application Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. create_exploit_mitigation_application
Investigation
Update Exploit Mitigation Application Updates an Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. update_exploit_mitigation_application
Investigation
Delete Exploit Mitigation by ID Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified.
Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message.		 delete_exploit_mitigation_application
Investigation
Get Detected Exploits Retrieves detected exploits and the number of each detected exploit from Sophos Central. list_detected_exploits
Investigation
Get Specific Detected Exploits Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. get_detected_exploits
Investigation

operation: Get Alert List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc"
Product Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central.
Category Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size The maximum number of results, per page, that this operation should return.
Page From The key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Alert by ID

Input parameters

Parameter Description
Alert ID Specify the ID of the alert whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Perform Alert Action

Input parameters

Parameter Description
Alert ID Specify the ID of the alert on which you want to perform the specific action in Sophos Central.
Alert Action Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc.
Message (Optional) Specify the message to be added while performing the specific action on the specified alert.

Output

The output contains a non-dictionary value.

operation: Search Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc"
Product Select the product types of the alerts using which you can filter the alerts searched in Sophos Central.
Category Select the category of the alerts using which you can filter the alerts searched in Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts searched in Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to search for in Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size The maximum number of results, per page, that this operation should return.
Page From The key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all endpoints, is returned.

Parameter Description
Last Seen After Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Last Seen Before Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Sort Parameter Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc"
Health Status Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Type Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Tamper Protection Enabled Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints whose Tamper Protection is turned on and vice-versa.
Lockdown Status Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
ID List Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central.
Isolation Status Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints that are isolated and vice-versa.
Hostname Contains Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central.
Associated Person Contains Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central.
Group Name Contains Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central.
Search Keyword Specify keywords (term) using which you want to search for and retrieve endpoints from Sophos Central.
Search Field Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields.
IP Address List Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central.
Cloud Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size The maximum number of results, per page, that this operation should return.
Page From The key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.
Response View Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains a non-dictionary value.

operation: Get Endpoint by ID

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint whose details you want to retrieve from Sophos Central.
Fields in Response (Optional) Specify a comma-separated list of fields that you want to include in this action's response.
Response View (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains a non-dictionary value.

operation: Delete Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"deleted": ""
}

operation: Scan Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central.

Output

The output contains the following populated JSON schema:
{
"id": "",
"status": "",
"requestedAt": ""
}

operation: Get Endpoint Isolations

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central.
Comments (Optional) Specify the reason for isolating the specified endpoint.

Output

The output contains a non-dictionary value.

operation: Unisolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central.
Comments (Optional) Specify the reason for unisolating the specified endpoint.

Output

The output contains a non-dictionary value.

operation: Get Endpoints Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}

operation: Update Endpoints Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central.
Enabled Select true if you want to turn on tamper protection for the specified endpoints in Sophos Central and vice-versa.
Regenerate Password Select true if you want to generate a new password for tamper protection for the specified endpoints in Sophos Central.

Output

The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}

operation: Get Allowed Items

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all allowed items, is returned.

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the allowed items.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Allowed Item by ID

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Allowed Item

Input parameters

Parameter Description
File Name Specify the filename of the allowed item that you want to create in Sophos Central.
Type

Specify the type of property using which this item is allowed in Sophos Central. You can choose between Path, Sha256, or Certificate Signer.

  • If you choose 'Path', then in the Path field specify the path of the allowed application.
  • If you choose 'Sha256', then in the Sha256 field specify the Sha256 value of the allowed application.
  • If you choose 'Certificate Signer', then in the Certificate Signer field specify the value saved for the certificate signer.
Comment Specify the reason for allowing the item.
Origin Person ID (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen.
Origin Endpoint ID (Optional) Specify the ID of the endpoint where the item to be allowed was last seen.

Output

The output contains a non-dictionary value.

operation: Update Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to update in Sophos Central.
Comment Specify the reason for allowing the item.

Output

The output contains a non-dictionary value.

operation: Delete Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to delete from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Get Blocked Items

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all blocked items, is returned.

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the blocked items.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Blocked Item by ID

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Blocked Item

Input parameters

Parameter Description
File Name Specify the filename of the blocked item that you want to create in Sophos Central.
Type Specify the type of property using which this item is blocked in Sophos Central. You can select Sha256.
If you choose 'Sha256', then in the Sha256 field specify the Sha256 value of the blocked application.
Comment Specify the reason for blocking the item.

Output

The output contains a non-dictionary value.

operation: Delete Blocked Item

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item that you want to delete from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Get Exclusion Scanning

Input parameters

Parameter Description
Type Select the exclusion scanning type that you want to retrieve from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the exclusion scans.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Exclusion Scanning by ID

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Exclusion Scanning

Input parameters

Parameter Description
Exclusion Value Specify the value of the exclusion scan that you want to create in Sophos Central.
Type Select the exclusion scanning type that you want to create in Sophos Central.
Scan Mode Select the mode of the exclusion scan.
The default value of scan mode is as follows:
  • "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath
  • "onAccess" for process, web, pua, and amsi.
  • Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for creating the exclusion scan.

Output

The output contains a non-dictionary value.

operation: Update Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to create in Sophos Central.
Exclusion Value (Optional) Specify the value of the exclusion scan that you want to update in Sophos Central.
Scan Mode Select the mode of the exclusion scan.
The default value of scan mode is as follows:
  • "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath
  • "onAccess" for process, web, pua, and amsi.
  • Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for updating the exclusion scan.

Output

The output contains a non-dictionary value.

operation: Delete Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"deleted": ""
}

operation: Get Exploit Mitigation Application

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all exploit mitigation applications, is returned.

Parameter Description
Type Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected.
Modified Select true if you want to retrieve only customized exploit mitigation applications from Sophos Central and vice-versa.
Page Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Exploit Mitigation by ID

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

operation: Create Exploit Mitigation Application

Input parameters

Parameter Description
Path List Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central.

Output

The output contains a non-dictionary value.

operation: Update Exploit Mitigation Application

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to update in Sophos Central.
Path List Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central.

Output

The output contains a non-dictionary value.

operation: Delete Exploit Mitigation by ID

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:
{
"deleted": ""
}

operation: Get Detected Exploits

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all detected exploits, is returned.

Parameter Description
Thumb Print Not IN Specify a comma-separated list of thumbprints based on which you want to retrieve detected exploits from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the detected exploits.
Page Size The maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains a non-dictionary value.

operation: Get Specific Detected Exploits

Input parameters

Parameter Description
Detected Exploit ID Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - sophos-central - 4.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next