Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.
This document provides information about the Sophos Central connector, which facilitates automated interactions with the Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts or specific incidents or alerts from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.
Connector Version: 4.0.0
Authored By: Community
Certified: No
Version 4.0.0 of the Sophos Central connector is completely different from the previous versions. Changes include:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sophos-central
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Sophos Central connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
Parameter | Description |
---|---|
Server URL | Specify the URL of the Sophos Central server to which you will connect and perform automated operations. |
Client ID | Specify the Client ID used to access the Sophos Central server to which you will connect and perform automated operations. |
Client Secret | Specify the Secret code used to access the Sophos Central server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
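The four configuration fields above are all the connector needs to reach the tenant, and the way they are combined decides how safely the client secret travels. The following is an added example, not the connector's own code, of a minimal session built from those fields. It assumes (the page does not say) that Sophos Central issues OAuth2 client-credentials tokens at `https://id.sophos.com/api/v2/oauth2/token`, that `https://api.central.sophos.com/whoami/v1` reports the tenant id and its data-region host, and that tenant calls carry an `X-Tenant-ID` header; the `_fake_http` responses, tenant and region values are constructed so the exchange runs offline.

```python
import json
import ssl
import urllib.parse
import urllib.request


class SophosCentralSession:
    """Session built from the connector's Server URL, Client ID, Client Secret and Verify SSL.

    Assumed (not stated on the page): tokens come from TOKEN_URL via the OAuth2
    client-credentials grant, WHOAMI_URL reports the tenant id and regional API host,
    and tenant-scoped calls carry the bearer token plus an X-Tenant-ID header.
    """

    TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
    WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

    def __init__(self, server_url, client_id, client_secret, verify_ssl=True, http=None):
        self.server_url = server_url.rstrip("/")
        self.client_id = client_id
        self._client_secret = client_secret
        self.verify_ssl = verify_ssl
        # http(method, url, headers, body) -> (status, json); injectable so the
        # exchange can be exercised offline with constructed responses.
        self._http = http or self._urllib_http
        self.token = None
        self.tenant_id = None
        self.data_region = None

    def _urllib_http(self, method, url, headers, body):
        ctx = ssl.create_default_context()
        if not self.verify_ssl:
            # Verify SSL = False trusts any certificate, so anyone on the path can
            # read the client secret in the token exchange. Leave it True.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read().decode())

    def token_request(self):
        """Form-encoded client-credentials exchange; the secret is sent only here."""
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self._client_secret,
            "scope": "token",
        }).encode()
        return "POST", self.TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body

    def auth_headers(self):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        if self.tenant_id:
            headers["X-Tenant-ID"] = self.tenant_id
        return headers

    def authenticate(self):
        """Exchange the credentials, then resolve the tenant and its data region."""
        status, data = self._http(*self.token_request())
        if status != 200 or "access_token" not in data:
            raise RuntimeError(f"token exchange failed with HTTP {status}")
        self.token = data["access_token"]
        status, who = self._http("GET", self.WHOAMI_URL, self.auth_headers(), None)
        if status != 200 or who.get("idType") != "tenant":
            raise RuntimeError(f"whoami failed or credentials are not tenant-scoped (HTTP {status})")
        self.tenant_id = who["id"]
        self.data_region = who["apiHosts"]["dataRegion"].rstrip("/")
        return self.tenant_id, self.data_region

    def region_matches(self):
        """True when the configured Server URL is the tenant's own data-region host."""
        return self.data_region is not None and self.server_url == self.data_region

    def __repr__(self):
        # The secret must never reach playbook logs or step outputs.
        return f"SophosCentralSession(client_id={self.client_id!r}, client_secret='***')"


def _fake_http(method, url, headers, body):
    """Constructed stand-in for the service so the exchange runs offline."""
    if method == "POST" and url == SophosCentralSession.TOKEN_URL:
        form = urllib.parse.parse_qs(body.decode())
        if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != ["s3cret"]:
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": "tok-abc", "token_type": "bearer", "expires_in": 3600}
    if method == "GET" and url == SophosCentralSession.WHOAMI_URL:
        if headers.get("Authorization") != "Bearer tok-abc":
            return 401, {}
        return 200, {"id": "tenant-0001", "idType": "tenant",
                     "apiHosts": {"global": "https://api.central.sophos.com",
                                  "dataRegion": "https://api-eu01.central.sophos.com"}}
    return 404, {}


def demo(server_url="https://api-eu01.central.sophos.com", secret="s3cret"):
    session = SophosCentralSession(server_url, "client-1", secret, http=_fake_http)
    tenant, region = session.authenticate()
    return tenant, region, session.region_matches()
```

The `region_matches()` check is worth running once after configuration: a Server URL that points at a different region than the one `whoami` reports is a misconfiguration that surfaces later as failing operations rather than as a clear error at setup.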
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Alert List | Retrieves a list of all the alerts or specific alerts from Sophos Central based on the filter criteria that you have specified. | list_alerts Investigation |
Get Alert by ID | Retrieves details of a specific alert from Sophos Central based on the alert ID you have specified. | get_alerts Investigation |
Perform Alert Action | Performs an action such as Clean Virus, Clear Threat, etc. on a specific alert in Sophos Central based on the alert ID and action you have specified. | alerts_action Investigation |
Search Alerts | Searches for alerts from Sophos Central based on the filter criteria that you have specified. | search_alerts Investigation |
Get Endpoints | Retrieves a list of all the endpoints or specific endpoints for a specific tenant from Sophos Central based on the filter criteria that you have specified. | list_endpoints Investigation |
Get Endpoint by ID | Retrieves details of a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoints Investigation |
Delete Endpoint | Deletes a specified endpoint from Sophos Central based on the endpoint ID you have specified. | delete_endpoints Investigation |
Scan Endpoint | Sends a request to the specified endpoint in Sophos Central to perform or configure a scan based on the endpoint ID you have specified. | scan_endpoints Investigation |
Get Endpoint Isolations | Retrieves isolation settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoints_isolation Investigation |
Isolate Endpoint | Updates the isolation settings for a specific endpoint to 'Isolate' in Sophos Central based on the endpoint ID you have specified. | isolate_endpoints Investigation |
Unisolate Endpoint | Updates the isolation settings for a specific endpoint to 'Unisolate' in Sophos Central based on the endpoint ID you have specified. | unisolate_endpoints Investigation |
Get Endpoint Tamper Protection | Retrieves the tamper protection settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoint_tamper_protection Investigation |
Update Endpoint Tamper Protection | Turns Tamper Protection on or off on an endpoint, or generates a new tamper protection password based on the endpoint ID you have specified. Note: Tamper Protection can be turned on for an endpoint only if it has also been turned on globally. | update_endpoint_tamper_protection Investigation |
Get Allowed Items | Retrieves a list of allowed items from Sophos Central. | list_allowed_items Investigation |
Get Allowed Item by ID | Retrieves details of a specific allowed item from Sophos Central based on the allowed item ID you have specified. | get_allowed_items Investigation |
Create Allowed Item | Creates an allowed item in Sophos Central based on the file name, type, and other input parameters you have specified. | create_allowed_items Investigation |
Update Allowed Item | Updates an allowed item in Sophos Central based on the allowed item ID you have specified. | update_allowed_items Investigation |
Delete Allowed Item | Deletes an allowed item in Sophos Central based on the allowed item ID you have specified. | delete_allowed_items Investigation |
Get Blocked Items | Retrieves a list of blocked items from Sophos Central. | list_blocked_items Investigation |
Get Blocked Item by ID | Retrieves details of a specific blocked item from Sophos Central based on the blocked item ID you have specified. | get_blocked_items Investigation |
Create Blocked Item | Creates a blocked item in Sophos Central based on the file name, type, and other input parameters you have specified. | create_blocked_items Investigation |
Delete Blocked Item | Deletes a blocked item in Sophos Central based on the blocked item ID you have specified. | delete_blocked_items Investigation |
Get Exclusion Scanning | Retrieves all scanning exclusions from Sophos Central based on the scanning exclusion type and other input parameters you have specified. | list_exclusion_scanning Investigation |
Get Exclusion Scanning by ID | Retrieves details for a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. | get_exclusion_scanning Investigation |
Create Exclusion Scanning | Adds a new scanning exclusion in Sophos Central based on the scanning exclusion value, scanning exclusion type, and other input parameters you have specified. | create_exclusion_scanning Investigation |
Update Exclusion Scanning | Updates an existing scanning exclusion in Sophos Central based on the scanning exclusion ID, scanning exclusion type, and other input parameters you have specified. | update_exclusion_scanning Investigation |
Delete Exclusion Scanning | Deletes a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. | delete_exclusion_scanning Investigation |
Get Exploit Mitigation Application | Retrieves Exploit Mitigation settings for all protected applications from Sophos Central. | list_exploit_mitigation_application Investigation |
Get Exploit Mitigation by ID | Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. | get_exploit_mitigation_application Investigation |
Create Exploit Mitigation Application | Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. | create_exploit_mitigation_application Investigation |
Update Exploit Mitigation Application | Updates an Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. | update_exploit_mitigation_application Investigation |
Delete Exploit Mitigation by ID | Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified. Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message. | delete_exploit_mitigation_application Investigation |
Get Detected Exploits | Retrieves detected exploits and the number of each detected exploit from Sophos Central. | list_detected_exploits Investigation |
Get Specific Detected Exploits | Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. | get_detected_exploits Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | The maximum number of results, per page, that this operation should return. |
Page From | The key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
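The Get Alert List inputs above are comma-separated strings, a `Page From` cursor and a `Page Size`, and the note says that omitting every filter returns everything. The following added example (not connector code) shows how those inputs become query parameters, validates the `attribute:asc/desc` sort syntax before the request is sent, and follows the page cursor with a hard page budget so a playbook cannot loop forever. The API parameter names (`groupKey`, `from`, `to`, `sort`, `product`, `category`, `severity`, `ids`, `fields`, `pageSize`, `pageFromKey`, `pageTotal`) and the `pages.nextKey` cursor field are assumptions, and `_PAGES` is a constructed two-page response.

```python
import re

SORT_ITEM = re.compile(r"^[A-Za-z][A-Za-z0-9]*(:(asc|desc))?$")


def _csv(value):
    """Normalise a comma-separated connector input (string or list) to 'a,b' or None."""
    if value is None:
        return None
    items = value if isinstance(value, (list, tuple)) else str(value).split(",")
    items = [item.strip() for item in items if item and item.strip()]
    return ",".join(items) or None


def alert_query_params(group_key=None, from_time=None, to_time=None, sort=None,
                       product=None, category=None, severity=None, id_list=None,
                       fields=None, page_size=None, page_from=None, total_page=False):
    """Map the Get Alert List inputs to query parameters (assumed API names).

    Empty inputs are dropped, which reproduces the page's rule that specifying
    no parameter applies no filter and returns the full alert list.
    """
    sort = _csv(sort)
    if sort:
        bad = [item for item in sort.split(",") if not SORT_ITEM.match(item)]
        if bad:
            raise ValueError(f"sort items must look like attribute:asc or attribute:desc, got {bad}")
    if page_size is not None and int(page_size) < 1:
        raise ValueError("pageSize must be a positive integer")
    params = {
        "groupKey": group_key, "from": from_time, "to": to_time, "sort": sort,
        "product": _csv(product), "category": _csv(category), "severity": _csv(severity),
        "ids": _csv(id_list), "fields": _csv(fields),
        "pageSize": page_size, "pageFromKey": page_from,
        "pageTotal": "true" if total_page else None,
    }
    return {key: val for key, val in params.items() if val not in (None, "")}


def iter_pages(fetch, params, max_pages=50):
    """Cursor pagination: follow pages.nextKey until the service stops returning one.

    fetch(params) -> dict performs one GET. The page budget turns a cursor that
    never ends into an error instead of an unbounded playbook run.
    """
    params = dict(params)
    for _ in range(max_pages):
        page = fetch(params)
        yield from page.get("items", [])
        next_key = page.get("pages", {}).get("nextKey")
        if not next_key:
            return
        params["pageFromKey"] = next_key
    raise RuntimeError(f"gave up after {max_pages} pages; raise max_pages deliberately")


# Constructed two-page response sequence standing in for the alerts endpoint.
_PAGES = {
    None: {"items": [{"id": "al-1", "severity": "high"}, {"id": "al-2", "severity": "medium"}],
           "pages": {"size": 2, "maxSize": 2, "nextKey": "cursor-2"}},
    "cursor-2": {"items": [{"id": "al-3", "severity": "high"}],
                 "pages": {"fromKey": "cursor-2", "size": 1, "maxSize": 2}},
}


def _fake_fetch(params):
    return _PAGES[params.get("pageFromKey")]


def high_severity_alert_ids():
    params = alert_query_params(severity=["high", "medium"], sort="raisedAt:desc", page_size=2)
    return [alert["id"] for alert in iter_pages(_fake_fetch, params) if alert["severity"] == "high"]
```

In a playbook the `fetch` callable would be the connector step itself; the point of the wrapper is that a missing `nextKey` ends the loop and a runaway cursor ends it with an error rather than silently consuming the API quota.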
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert on which you want to perform the specific action in Sophos Central. |
Alert Action | Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc. |
Message | (Optional) Specify the message to be added while performing the specific action on the specified alert. |
The output contains a non-dictionary value.
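Perform Alert Action takes a free-form action label and an alert ID, and the service decides whether that alert can currently take that action. The following added example (not connector code) maps the drop-down labels to action identifiers and refuses to build the request unless the alert's own `allowedActions` list permits it, so a playbook fails before the call rather than after an error response. The identifiers in `ALERT_ACTIONS`, the `allowedActions` field and the `/common/v1/alerts/{id}/actions` path are assumptions; `SAMPLE_ALERT` is constructed.

```python
# Connector drop-down labels (as the page lists them) mapped to assumed API action ids.
ALERT_ACTIONS = {
    "Acknowledge": "acknowledge",
    "Clean PUA": "cleanPua",
    "Clean Virus": "cleanVirus",
    "Auth PUA": "authPua",
    "Clear Threat": "clearThreat",
    "Clear HMPA": "clearHmpa",
    "Send Msg PUA": "sendMsgPua",
    "Send Msg Threat": "sendMsgThreat",
}


def _normalise(label):
    """'Send Msg Pua', 'send_msg_pua' and 'sendMsgPua' all name the same action."""
    return "".join(ch for ch in str(label).lower() if ch.isalnum())


_BY_KEY = {_normalise(label): api for label, api in ALERT_ACTIONS.items()}
_BY_KEY.update({_normalise(api): api for api in ALERT_ACTIONS.values()})


def alert_action_request(alert, action, message=None):
    """Return (path, body) for the alert-action POST, or raise before anything is sent.

    `alert` is the Get Alert by ID output. Its allowedActions list (assumed field) is
    the service's own statement of what the alert permits right now; checking it
    keeps a playbook from firing an action the alert can no longer take.
    """
    api_action = _BY_KEY.get(_normalise(action))
    if api_action is None:
        raise ValueError(f"unknown alert action {action!r}")
    allowed = alert.get("allowedActions") or []
    if api_action not in allowed:
        raise ValueError(f"alert {alert['id']} does not allow {api_action}; allowed: {allowed}")
    body = {"action": api_action}
    if message:
        body["message"] = message
    return f"/common/v1/alerts/{alert['id']}/actions", body


# Constructed alert record in the shape the connector returns.
SAMPLE_ALERT = {
    "id": "al-1",
    "severity": "high",
    "category": "malware",
    "allowedActions": ["acknowledge", "clearThreat"],
}


def demo():
    return alert_action_request(SAMPLE_ALERT, "Clear Threat", "cleaned after analyst review")
```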
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts searched in Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts searched in Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts searched in Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to search for in Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | The maximum number of results, per page, that this operation should return. |
Page From | The key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all endpoints, is returned.
Parameter | Description |
---|---|
Last Seen After | Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Last Seen Before | Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Health Status | Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Type | Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Tamper Protection Enabled | Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints whose Tamper Protection is turned on and vice-versa. |
Lockdown Status | Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
ID List | Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central. |
Isolation Status | Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints that are isolated and vice-versa. |
Hostname Contains | Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central. |
Associated Person Contains | Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central. |
Group Name Contains | Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central. |
Search Keyword | Specify keywords (term) using which you want to search for and retrieve endpoints from Sophos Central. |
Search Field | Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields. |
IP Address List | Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central. |
Cloud | Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | The maximum number of results, per page, that this operation should return. |
Page From | The key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
Response View | Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint whose details you want to retrieve from Sophos Central. |
Fields in Response | (Optional) Specify a comma-separated list of fields that you want to include in this action's response. |
Response View | (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{
"deleted": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central. |
The output contains the following populated JSON schema:
{
"id": "",
"status": "",
"requestedAt": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central. |
Comments | (Optional) Specify the reason for isolating the specified endpoint. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central. |
Comments | (Optional) Specify the reason for unisolating the specified endpoint. |
The output contains a non-dictionary value.
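Get Endpoint Isolations, Isolate Endpoint and Unisolate Endpoint together form the containment step of a response playbook, and the `Comments` field is what makes that step auditable afterwards. The following added example (not connector code) reads the current isolation state first, does nothing when the endpoint is already in the requested state, refuses to act when the state is unknown, and requires a case reference in the comment. The `{"enabled": bool, ...}` state shape, the `/endpoint/v1/endpoints/{id}/isolation` PATCH path and its `{"enabled", "comment"}` body are assumptions; `_STATE` and the `INC-4711` reference are constructed.

```python
def isolation_request(endpoint_id, current, isolate, comment):
    """Return the PATCH (path, body) that moves the endpoint to the desired state,
    or None if it is already there.

    `current` is the Get Endpoint Isolations output; the shape assumed here (not on
    the page) is {"enabled": bool, "lastEnabledAt": ..., "lastDisabledAt": ...}.
    """
    state = current.get("enabled")
    if not isinstance(state, bool):
        raise ValueError(f"isolation state of {endpoint_id} is unknown; refusing to act blind")
    if state == isolate:
        return None
    if not comment or not comment.strip():
        raise ValueError("a comment naming the case is required so the change is auditable")
    path = f"/endpoint/v1/endpoints/{endpoint_id}/isolation"
    return path, {"enabled": isolate, "comment": comment.strip()}


def contain(endpoint_ids, comment, get_state, patch):
    """Isolate a batch of endpoints idempotently; returns a per-endpoint outcome."""
    outcome = {}
    for endpoint_id in endpoint_ids:
        try:
            req = isolation_request(endpoint_id, get_state(endpoint_id), True, comment)
        except ValueError as err:
            outcome[endpoint_id] = f"skipped: {err}"
            continue
        if req is None:
            outcome[endpoint_id] = "already isolated"
            continue
        status = patch(*req)
        outcome[endpoint_id] = "isolated" if status in (200, 202) else f"failed: HTTP {status}"
    return outcome


# Constructed in-memory tenant so the workflow runs offline.
_STATE = {
    "ep-1": {"enabled": False},
    "ep-2": {"enabled": True, "lastEnabledAt": "2024-01-01T00:00:00Z"},
    "ep-3": {},  # isolation state unknown
}


def _get_state(endpoint_id):
    return _STATE[endpoint_id]


def _patch(path, body):
    endpoint_id = path.split("/")[-2]
    _STATE[endpoint_id]["enabled"] = body["enabled"]
    return 202


def demo():
    return contain(["ep-1", "ep-2", "ep-3"], "INC-4711: credential theft suspected", _get_state, _patch)
```

Releasing the endpoint is the same call with `isolate=False`; the idempotence check matters there too, because a second Unisolate on an already released host should be a no-op, not an error that stops the playbook.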
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central. |
Enabled | Select true if you want to turn on tamper protection for the specified endpoints in Sophos Central and vice-versa. |
Regenerate Password | Select true if you want to generate a new password for tamper protection for the specified endpoints in Sophos Central. |
The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all allowed items, is returned.
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the allowed items. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File Name | Specify the filename of the allowed item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is allowed in Sophos Central. You can choose between Path, Sha256, or Certificate Signer. |
Comment | Specify the reason for allowing the item. |
Origin Person ID | (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen. |
Origin Endpoint ID | (Optional) Specify the ID of the endpoint where the item to be allowed was last seen. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to update in Sophos Central. |
Comment | Specify the reason for allowing the item. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to delete from Sophos Central. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all blocked items, is returned.
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the blocked items. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File Name | Specify the filename of the blocked item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is blocked in Sophos Central. You can select Sha256. If you choose 'Sha256', then in the Sha256 field specify the Sha256 value of the blocked application. |
Comment | Specify the reason for blocking the item. |
The output contains a non-dictionary value.
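Create Allowed Item and Create Blocked Item both write to the tenant's policy, and a malformed hash or a missing justification is something to catch before the request leaves the playbook. The following added example (not connector code) serves both operations: it normalises a pasted SHA-256 (whitespace, case, a `sha256:` prefix) and rejects anything that is not a 64-hex digest, maps the Type drop-down to API type values, and insists on a non-empty comment. The API type values (`path`, `sha256`, `certificateSigner`) and the `{"type", "properties", "comment", "originPersonId", "originEndpointId"}` body shape are assumptions; the sample file names, hash and case reference are constructed.

```python
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Connector drop-down labels mapped to assumed API type values (not on the page).
ALLOWED_TYPES = {"Path": "path", "Sha256": "sha256", "Certificate Signer": "certificateSigner"}


def normalise_sha256(value):
    """Accept a hash as analysts paste it; reject anything that is not a SHA-256 digest."""
    digest = str(value).strip().lower()
    if digest.startswith("sha256:"):
        digest = digest[len("sha256:"):]
    if not SHA256_RE.match(digest):
        raise ValueError("expected a 64-hex-character SHA-256 digest")
    return digest


def allowed_item_body(file_name, item_type, value, comment,
                      origin_person_id=None, origin_endpoint_id=None):
    """Request body for Create Allowed Item (assumed shape, see lead-in)."""
    api_type = ALLOWED_TYPES.get(item_type)
    if api_type is None:
        raise ValueError(f"type must be one of {sorted(ALLOWED_TYPES)}, got {item_type!r}")
    if api_type == "sha256":
        value = normalise_sha256(value)
    elif not str(value).strip():
        raise ValueError("value must not be empty")
    if not comment or not comment.strip():
        raise ValueError("comment is required: record why this item is being allowed")
    body = {
        "type": api_type,
        "properties": {"fileName": file_name, api_type: value},
        "comment": comment.strip(),
    }
    if origin_person_id:
        body["originPersonId"] = origin_person_id
    if origin_endpoint_id:
        body["originEndpointId"] = origin_endpoint_id
    return body


def blocked_item_body(file_name, sha256, comment):
    """Request body for Create Blocked Item; the page allows only the Sha256 type."""
    if not comment or not comment.strip():
        raise ValueError("comment is required: record why this item is being blocked")
    return {
        "type": "sha256",
        "properties": {"fileName": file_name, "sha256": normalise_sha256(sha256)},
        "comment": comment.strip(),
    }


def demo():
    """Constructed inputs: a pasted hash with prefix and whitespace, and an allow by path."""
    blocked = blocked_item_body("dropper.exe", " sha256:" + "A" * 64 + " ", "INC-4711 confirmed malicious")
    allowed = allowed_item_body("tool.exe", "Path", "C:\\Tools\\tool.exe",
                                "approved admin tool", origin_endpoint_id="ep-1")
    return blocked, allowed
```

Allowing by path is the weakest of the three types, since anything dropped at that path inherits the exception; the comment requirement is there so that choice is recorded with its reason.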
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item that you want to delete from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Type | Select the exclusion scanning type that you want to retrieve from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the exclusion scans. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion Value | Specify the value of the exclusion scan that you want to create in Sophos Central. |
Type | Select the exclusion scanning type that you want to create in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: |
Comment | (Optional) Specify the reason for creating the exclusion scan. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to update in Sophos Central. |
Exclusion Value | (Optional) Specify the value of the exclusion scan that you want to update in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: |
Comment | (Optional) Specify the reason for updating the exclusion scan. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{
"deleted": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all exploit mitigation applications, is returned.
Parameter | Description |
---|---|
Type | Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected. |
Modified | Select true if you want to retrieve only customized exploit mitigation applications from Sophos Central and vice-versa. |
Page | Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Path List | Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application that you want to update in Sophos Central. |
Path List | Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{
"deleted": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all detected exploits, is returned.
Parameter | Description |
---|---|
Thumb Print Not IN | Specify a comma-separated list of thumbprints based on which you want to retrieve detected exploits from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the detected exploits. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Detected Exploit ID | Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
The Sample - sophos-central - 4.0.0
playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
Get Exploit Mitigation by ID | Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. | get_exploit_mitigation_application Investigation |
Create Exploit Mitigation Application | Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. | create_exploit_mitigation_application Investigation |
Update Exploit Mitigation Application | Updates an Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. | update_exploit_mitigation_application Investigation |
Delete Exploit Mitigation by ID | Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified. Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message. | delete_exploit_mitigation_application Investigation |
Get Detected Exploits | Retrieves detected exploits and the number of each detected exploit from Sophos Central. | list_detected_exploits Investigation |
Get Specific Detected Exploits | Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. | get_detected_exploits Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | The maximum number of results, per page, that this operation should return. |
Page From | The key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert on which you want to perform the specific action in Sophos Central. |
Alert Action | Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc. |
Message | (Optional) Specify the message to be added while performing the specific action on the specified alert. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts searched in Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts searched in Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts searched in Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to search for in Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | The maximum number of results, per page, that this operation should return. |
Page From | The key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all endpoints, is returned.
Parameter | Description |
---|---|
Last Seen After | Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Last Seen Before | Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Health Status | Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Type | Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Tamper Protection Enabled | Select true to retrieve only those endpoints whose Tamper Protection is turned on, or false to retrieve only those whose Tamper Protection is turned off. |
Lockdown Status | Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
ID List | Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central. |
Isolation Status | Select true to retrieve only those endpoints that are isolated, or false to retrieve only those that are not isolated. |
Hostname Contains | Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central. |
Associated Person Contains | Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central. |
Group Name Contains | Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central. |
Search Keyword | Specify keywords (term) using which you want to search for and retrieve endpoints from Sophos Central. |
Search Field | Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields. |
IP Address List | Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central. |
Cloud | Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | The maximum number of results, per page, that this operation should return. |
Page From | The key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
Response View | Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint whose details you want to retrieve from Sophos Central. |
Fields in Response | (Optional) Specify a comma-separated list of fields that you want to include in this action's response. |
Response View | (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{
"deleted": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central. |
The output contains the following populated JSON schema:
{
"id": "",
"status": "",
"requestedAt": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central. |
Comments | (Optional) Specify the reason for isolating the specified endpoint. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central. |
Comments | (Optional) Specify the reason for unisolating the specified endpoint. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central. |
Enabled | Select true to turn on tamper protection for the specified endpoint in Sophos Central, or false to turn it off. |
Regenerate Password | Select true if you want to generate a new tamper protection password for the specified endpoint in Sophos Central. |
The output contains the following populated JSON schema:
{
"enabled": "",
"password": "",
"previousPasswords": {
"password": "",
"invalidatedAt": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all allowed items, is returned.
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the allowed items. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
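The list operations on this page use two pagination styles: Get Alerts, Search Alerts and Get Endpoints take a "Page From" key and a "Page Size", while Get Allowed Items and the other item lists take a "Page" number starting at 1. They also share the comma-separated inputs (ID List, Fields in Response) and the "attribute:asc/desc" Sort Parameter format. The following Python is an added example, not code from the connector or from Sophos, showing how a playbook-side helper can validate those inputs and walk both pagination styles to completion. The query keys "pageFromKey", "pageSize" and "page", the response shape `{"items": [...], "pages": {"nextKey": ...}}` and the page-size bound are assumptions modelled on the Sophos Central public API and must be adapted to the connector's actual wire format; the transport is a constructed in-memory fake so the example runs offline.

```python
"""Added example (not from the connector or from Sophos): prepare the documented
filter inputs and walk both pagination styles used by the list operations.
Assumed (not on the page): query keys "pageFromKey"/"pageSize"/"page" and the
response shape {"items": [...], "pages": {"nextKey": ...}}."""
import re
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

Query = Dict[str, str]
Send = Callable[[Query], dict]

# One Sort Parameter entry, in the documented "attribute:asc/desc" form.
SORT_SPEC = re.compile(r"^[A-Za-z][A-Za-z0-9_.]*:(asc|desc)$")


def split_list(value: Optional[str]) -> List[str]:
    """Comma-separated inputs (ID List, Fields in Response, ...) -> clean list."""
    if not value:
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def invalid_sort_entries(sort_param: Optional[str]) -> List[str]:
    """Entries that are not attribute:asc or attribute:desc."""
    return [s for s in split_list(sort_param) if not SORT_SPEC.match(s)]


def parse_sort(sort_param: str) -> List[str]:
    """Validated list of sort specs; raises so the playbook step fails early."""
    bad = invalid_sort_entries(sort_param)
    if bad:
        raise ValueError("sort entries must be attribute:asc|desc, got %r" % bad)
    return split_list(sort_param)


def iso_utc(ts: Optional[str]) -> Optional[str]:
    """Normalise a From/To DateTime to UTC ISO-8601; naive input is taken as UTC."""
    if not ts:
        return None
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def build_alert_query(from_time=None, to_time=None, sort=None, ids=None,
                      fields=None, severity=None, page_size=50) -> Query:
    """Translate the Get Alerts inputs into query parameters, omitting unset ones."""
    if not 1 <= page_size <= 100:  # assumed bound; use the server's documented limit
        raise ValueError("page_size out of range")
    raw = {
        "from": iso_utc(from_time),
        "to": iso_utc(to_time),
        "sort": ",".join(parse_sort(sort)) if sort else None,
        "ids": ",".join(split_list(ids)) or None,
        "fields": ",".join(split_list(fields)) or None,
        "severity": severity,
        "pageSize": str(page_size),
    }
    return {k: v for k, v in raw.items() if v is not None}


def iter_key_pages(send: Send, query: Query, max_pages: int = 10_000) -> Iterator[dict]:
    """Key-based pagination (Page From / Page Size): follow pages.nextKey to the end."""
    q = dict(query)
    for _ in range(max_pages):
        resp = send(q)
        yield from resp.get("items", [])
        next_key = resp.get("pages", {}).get("nextKey")
        if not next_key:
            return
        q = dict(query, pageFromKey=next_key)
    raise RuntimeError("pagination did not terminate within max_pages")


def iter_numbered_pages(send: Send, query: Query, max_pages: int = 10_000) -> Iterator[dict]:
    """Page-number pagination (Page starting at 1 / Page Size): stop on a short page."""
    size = int(query["pageSize"])
    for page in range(1, max_pages + 1):
        items = send(dict(query, page=str(page))).get("items", [])
        yield from items
        if len(items) < size:
            return
    raise RuntimeError("pagination did not terminate within max_pages")


def fake_transport(items: List[dict]) -> Send:
    """Constructed stand-in for the server: serves `items` under either scheme."""
    def send(q: Query) -> dict:
        size = int(q["pageSize"])
        start = (int(q["page"]) - 1) * size if "page" in q else int(q.get("pageFromKey", 0))
        chunk = items[start:start + size]
        pages = {"nextKey": str(start + size)} if start + size < len(items) else {}
        return {"items": chunk, "pages": pages}
    return send


def collect_alerts(send: Send, query: Query) -> List[dict]:
    """Materialise every alert matching the query (key-based, as Get Alerts uses)."""
    return list(iter_key_pages(send, query))


if __name__ == "__main__":
    sample = [{"id": "alert-%d" % i, "severity": "high"} for i in range(7)]  # constructed
    q = build_alert_query(sort="raisedAt:desc", severity="high", page_size=3)
    print(len(collect_alerts(fake_transport(sample), q)), "alerts")
```

Both iterators cap the number of requests so a server that keeps returning the same key cannot turn a playbook into an endless loop, and the numbered walker stops on the first short page rather than trusting a total that may change while the pages are being read.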
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File Name | Specify the filename of the allowed item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is allowed in Sophos Central. You can choose between Path, Sha256, or Certificate Signer. |
Comment | Specify the reason for allowing the item. |
Origin Person ID | (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen. |
Origin Endpoint ID | (Optional) Specify the ID of the endpoint where the item to be allowed was last seen. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to update in Sophos Central. |
Comment | Specify the reason for allowing the item. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to delete from Sophos Central. |
The output contains a non-dictionary value.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all blocked items, is returned.
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the blocked items. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
File Name | Specify the filename of the blocked item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is blocked in Sophos Central. You can select Sha256; if you choose it, specify the Sha256 value of the blocked application in the Sha256 field. |
Comment | Specify the reason for blocking the item. |
The output contains a non-dictionary value.
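A playbook that creates allowed or blocked items usually takes its input from an alert or an analyst form, so the Type choices documented for Create Allowed Item (Path, Sha256, Certificate Signer) and Create Blocked Item (Sha256) and the required Comment are worth checking before the request is sent; a malformed hash silently becomes a useless entry. The following Python is an added example, not code from the connector or from Sophos, that validates those inputs and builds a request body. The wire field names ("type", "properties", "fileName", "comment", "originPersonId", "originEndpointId") are assumptions modelled on the Sophos Central public API and should be aligned with what the connector actually sends.

```python
"""Added example (not from the connector or from Sophos): validate Create
Allowed Item / Create Blocked Item inputs before a playbook sends them.
Assumed (not on the page): the wire field names used in the returned body."""
import re
from typing import Dict, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Documented Type choices per operation, mapped to assumed wire values.
ALLOWED_TYPES = {"path": "path", "sha256": "sha256", "certificate signer": "certificateSigner"}
BLOCKED_TYPES = {"sha256": "sha256"}


def normalise_value(wire_type: str, value: str) -> str:
    """Check the property value against its type; hashes are lower-cased hex."""
    v = value.strip()
    if not v or CONTROL_RE.search(v):
        raise ValueError("value must be non-empty and free of control characters")
    if wire_type == "sha256":
        v = v.lower()
        if not SHA256_RE.match(v):
            raise ValueError("sha256 must be 64 hexadecimal characters")
    return v


def _build(kind: str, choices: Dict[str, str], file_name: str, item_type: str,
           value: str, comment: str) -> Dict:
    key = item_type.strip().lower()
    if key not in choices:
        raise ValueError("%s item type must be one of %s" % (kind, sorted(choices)))
    wire_type = choices[key]
    if not comment or not comment.strip():
        raise ValueError("comment (reason) is required")
    if not file_name or not file_name.strip():
        raise ValueError("file name is required")
    return {
        "type": wire_type,
        "properties": {"fileName": file_name.strip(),
                       wire_type: normalise_value(wire_type, value)},
        "comment": comment.strip(),
    }


def build_allowed_item(file_name: str, item_type: str, value: str, comment: str,
                       origin_person_id: Optional[str] = None,
                       origin_endpoint_id: Optional[str] = None) -> Dict:
    """Body for Create Allowed Item; the origin fields are optional on the page."""
    body = _build("allowed", ALLOWED_TYPES, file_name, item_type, value, comment)
    if origin_person_id:
        body["originPersonId"] = origin_person_id.strip()
    if origin_endpoint_id:
        body["originEndpointId"] = origin_endpoint_id.strip()
    return body


def build_blocked_item(file_name: str, item_type: str, value: str, comment: str) -> Dict:
    """Body for Create Blocked Item; only Sha256 is offered on the page."""
    return _build("blocked", BLOCKED_TYPES, file_name, item_type, value, comment)


def item_error(kind: str, file_name: str, item_type: str, value: str, comment: str) -> Optional[str]:
    """Validation message a playbook would surface to the analyst, or None if clean."""
    builder = build_blocked_item if kind == "blocked" else build_allowed_item
    try:
        builder(file_name, item_type, value, comment)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a hash copied with upper-case hex and surrounding spaces.
    print(build_blocked_item("dropper.exe", "Sha256", " " + "AB" * 32 + " ", "IR-0001 confirmed"))
```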
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item that you want to delete from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Type | Select the exclusion scanning type that you want to retrieve from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the exclusion scans. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion Value | Specify the value of the exclusion scan that you want to create in Sophos Central. |
Type | Select the exclusion scanning type that you want to create in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: |
Comment | (Optional) Specify the reason for creating the exclusion scan. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to update in Sophos Central. |
Exclusion Value | (Optional) Specify the value of the exclusion scan that you want to update in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: |
Comment | (Optional) Specify the reason for updating the exclusion scan. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{
"deleted": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all exploit mitigation applications, is returned.
Parameter | Description |
---|---|
Type | Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected. |
Modified | Select true to retrieve only those exploit mitigation applications whose settings have been customized, or false to retrieve only those that have not. |
Page | Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exploit Mitigation Application ID | Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Path List | Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exploit Mitigation Application ID | Specify the ID of the exploit mitigation application that you want to update in Sophos Central. |
Path List | Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Exploit Mitigation Application ID | Specify the ID of the exploit mitigation application that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{
"deleted": ""
}
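The operations table notes that Delete Exploit Mitigation by ID only works for custom applications and that a system-detected one answers with 409 Conflict. In a playbook that is an expected outcome, not an error, so the step should branch on it rather than fail the run. The following Python is an added example, not code from the connector or from Sophos, that skips applications the listing already marks as detected and maps the HTTP outcome of the delete call to a small set of branch values. The request path, the (status, body) transport shape, the "type" values "custom"/"detected" on listed applications and the `{"deleted": true}` success body are assumptions; the transport is a constructed fake so the example runs offline.

```python
"""Added example (not from the connector or from Sophos): branch a playbook on the
outcome of Delete Exploit Mitigation by ID instead of failing on 409 Conflict.
Assumed (not on the page): the path, the (status, body) transport and the
"type" field ("custom"/"detected") on listed applications."""
from typing import Callable, Dict, List, Tuple

Transport = Callable[[str, str], Tuple[int, dict]]  # (method, path) -> (status, body)

DELETED = "deleted"
NOT_DELETABLE = "not_deletable_system_detected"
NOT_FOUND = "not_found"
# Assumed path; the connector's own request path is not shown on the page.
APP_PATH = "/exploit-mitigation/applications/"


def classify_delete(status: int, body: dict) -> str:
    """Map the HTTP outcome to the cases a playbook should branch on."""
    if status == 200 and body.get("deleted") is True:
        return DELETED
    if status == 409:  # documented: system-detected applications cannot be deleted
        return NOT_DELETABLE
    if status == 404:
        return NOT_FOUND
    raise RuntimeError("unexpected response %d: %r" % (status, body))


def delete_custom_app(transport: Transport, app: dict) -> str:
    """Avoid the call when the listing already shows the app is system-detected."""
    if app.get("type") == "detected":
        return NOT_DELETABLE
    status, body = transport("DELETE", APP_PATH + app["id"])
    return classify_delete(status, body)


def delete_many(transport: Transport, apps: List[dict]) -> Dict[str, List[str]]:
    """Delete each listed app and group the IDs by outcome for the next step."""
    out: Dict[str, List[str]] = {DELETED: [], NOT_DELETABLE: [], NOT_FOUND: []}
    for app in apps:
        out[delete_custom_app(transport, app)].append(app["id"])
    return out


def fake_transport(apps: Dict[str, dict]) -> Transport:
    """Constructed stand-in for the server, keyed by application ID."""
    def send(method: str, path: str) -> Tuple[int, dict]:
        app_id = path.rsplit("/", 1)[-1]
        app = apps.get(app_id)
        if method != "DELETE" or app is None:
            return 404, {"error": "resourceNotFound"}
        if app.get("type") == "detected":
            return 409, {"error": "conflict", "message": "system-detected application"}
        del apps[app_id]
        return 200, {"deleted": True}
    return send


if __name__ == "__main__":
    store = {"c1": {"id": "c1", "type": "custom"}, "d1": {"id": "d1", "type": "detected"}}
    print(delete_many(fake_transport(store), list(store.values()) + [{"id": "gone"}]))
```

Grouping the IDs by outcome lets the next playbook step notify on the not-deletable set (someone may have assumed it was custom) without re-running the whole collection.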
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all detected exploits, is returned.
Parameter | Description |
---|---|
Thumbprint Not In | Specify a comma-separated list of thumbprints; detected exploits whose thumbprint is in this list are excluded from the results retrieved from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the detected exploits. |
Page Size | The maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Detected Exploit ID | Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central. |
The output contains a non-dictionary value.
The Sample - sophos-central - 4.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.