
Sophos Central v4.2.0


About the connector

Sophos Central is a unified console for managing your Sophos products. It lets you administer protection for endpoints, mobile devices, encryption, web, email, servers, etc. This connector facilitates automated operations related to endpoints, email, etc.

This document provides information about the Sophos Central Connector, which facilitates automated interactions with a Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central Connector as a step in FortiSOAR™ playbooks and perform automated operations with Sophos Central.

Version information

Connector Version: 4.2.0

FortiSOAR™ Version Tested on: 7.4.1-3167

Sophos Central API Version Tested on: v1.0.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.2.0

The following enhancements have been made to the Sophos Central Connector in version 4.2.0:

  • You can now configure data ingestion using the Data Ingestion Wizard.
  • Added pagination support for connector action Get Alert List.
  • Removed unwanted parameter Page From from connector action Get Alert List.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-sophos-central

Prerequisites to configuring the connector

  • You must have the URL of the Sophos Central server to connect to and perform automated operations on, and credentials to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Sophos Central server.

Minimum Permissions Required

  • The API credentials that you create must have the Service Principal Super Admin role.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Sophos Central server to connect and perform automated operations.
Client ID Specify the Client ID used to access the Sophos Central server to connect and perform automated operations.
Client Secret Specify the Secret code used to access the Sophos Central server to connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Get Alert List Retrieves a list of all the alerts or specific alerts from Sophos Central based on the filter criteria that you have specified. list_alerts / Investigation
Get Alert by ID Retrieves details of a specific alert from Sophos Central based on the alert ID you have specified. get_alerts / Investigation
Perform Alert Action Performs an action such as Clean Virus, Clear Threat, etc. on a specific alert in Sophos Central based on the alert ID and action you have specified. alerts_action / Investigation
Search Alerts Searches for alerts from Sophos Central based on the filter criteria that you have specified. search_alerts / Investigation
Get Endpoints Retrieves a list of all the endpoints or specific endpoints for a specific tenant from Sophos Central based on the filter criteria that you have specified. list_endpoints / Investigation
Get Endpoint by ID Retrieves details of a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints / Investigation
Delete Endpoint Deletes a specified endpoint from Sophos Central based on the endpoint ID you have specified. delete_endpoints / Investigation
Scan Endpoint Sends a request to the specified endpoint in Sophos Central to perform or configure a scan based on the endpoint ID you have specified. scan_endpoints / Investigation
Get Endpoint Isolations Retrieves isolation settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints_isolation / Investigation
Isolate Endpoint Updates the isolation settings for a specific endpoint to 'Isolate' in Sophos Central based on the endpoint ID you have specified. isolate_endpoints / Investigation
Unisolate Endpoint Updates the isolation settings for a specific endpoint to 'Unisolate' in Sophos Central based on the endpoint ID you have specified. unisolate_endpoints / Investigation
Get Endpoint Tamper Protection Retrieves the tamper protection settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoint_tamper_protection / Investigation
Update Endpoint Tamper Protection Turns Tamper Protection on or off on an endpoint, or generates a new tamper protection password based on the endpoint ID you have specified. Note: Tamper Protection can be turned on for an endpoint only if it has also been turned on globally. update_endpoint_tamper_protection / Investigation
Create Allowed Item Creates an allowed item in Sophos Central based on the file name, type, and other input parameters you have specified. create_allowed_items / Investigation
Get Allowed Items Retrieves a list of allowed items from Sophos Central. list_allowed_items / Investigation
Get Allowed Item by ID Retrieves details of a specific allowed item from Sophos Central based on the allowed item ID you have specified. get_allowed_items / Investigation
Update Allowed Item Updates an allowed item in Sophos Central based on the allowed item ID you have specified. update_allowed_items / Investigation
Delete Allowed Item Deletes an allowed item in Sophos Central based on the allowed item ID you have specified. delete_allowed_items / Investigation
Create Blocked Item Creates a blocked item in Sophos Central based on the file name, type, and other input parameters you have specified. create_blocked_items / Investigation
Get Blocked Items Retrieves a list of blocked items from Sophos Central. list_blocked_items / Investigation
Get Blocked Item by ID Retrieves details of a specific blocked item from Sophos Central based on the blocked item ID you have specified. get_blocked_items / Investigation
Delete Blocked Item Deletes a blocked item in Sophos Central based on the blocked item ID you have specified. delete_blocked_items / Investigation
Create Exclusion Scanning Adds a new scanning exclusion in Sophos Central based on the scanning exclusion value, scanning exclusion type, and other input parameters you have specified. create_exclusion_scanning / Investigation
Get Exclusion Scanning Retrieves all scanning exclusions from Sophos Central based on the scanning exclusion type and other input parameters you have specified. list_exclusion_scanning / Investigation
Get Exclusion Scanning by ID Retrieves details for a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. get_exclusion_scanning / Investigation
Update Exclusion Scanning Updates an existing scanning exclusion in Sophos Central based on the scanning exclusion ID, scanning exclusion type, and other input parameters you have specified. update_exclusion_scanning / Investigation
Delete Exclusion Scanning Deletes a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. delete_exclusion_scanning / Investigation
Create Exploit Mitigation Application Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. create_exploit_mitigation_application / Investigation
Get Exploit Mitigation Application Retrieves Exploit Mitigation settings for all protected applications from Sophos Central. list_exploit_mitigation_application / Investigation
Get Exploit Mitigation by ID Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. get_exploit_mitigation_application / Investigation
Update Exploit Mitigation Application Updates the Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. update_exploit_mitigation_application / Investigation
Delete Exploit Mitigation Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified. Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message. delete_exploit_mitigation_application / Investigation
Get Detected Exploits Retrieves detected exploits and the number of each detected exploit from Sophos Central. list_detected_exploits / Investigation
Get Specific Detected Exploit Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. get_detected_exploits / Investigation

operation: Get Alert List

Input parameters

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc".
Product Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central.
Category Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size Specify the maximum number of results, per page, that this operation should return.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "allowedActions": [],
            "category": "",
            "description": "",
            "groupKey": "",
            "managedAgent": {
                "id": "",
                "type": ""
            },
            "person": {
                "id": ""
            },
            "product": "",
            "raisedAt": "",
            "severity": "",
            "tenant": {
                "id": "",
                "name": ""
            },
            "type": ""
        }
    ],
    "pages": {
        "nextKey": "",
        "total": "",
        "items": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Alert by ID

Input parameters

Parameter Description
Alert ID Specify the ID of the alert whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "allowedActions": [],
    "category": "",
    "description": "",
    "groupKey": "",
    "managedAgent": {
        "id": "",
        "type": ""
    },
    "person": {
        "id": ""
    },
    "product": "",
    "raisedAt": "",
    "severity": "",
    "tenant": {
        "id": "",
        "name": ""
    },
    "type": ""
}

operation: Perform Alert Action

Input parameters

Parameter Description
Alert ID Specify the ID of the alert on which you want to perform the specific action in Sophos Central.
Alert Action Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc.
NOTE: You can perform only the actions which are allowed on the alert.
Message (Optional) Specify the message to be added while performing the specific action on the specified alert.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "alertId": "",
    "action": "",
    "status": "",
    "requestedAt": "",
    "startedAt": "",
    "completedAt": "",
    "result": ""
}
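As an added example, not part of the connector documentation or the connector's own code, the following Python shows how a playbook post-processing step could walk the Get Alert List output page by page using pages.nextKey as the next Page From key, and then select, for each alert, an action that its allowedActions field actually permits before calling Perform Alert Action. The fetch_page callable, the sample pages and the action labels are constructed here; action names are compared case-insensitively with spaces removed, so "Clear Threat" and "clearThreat" are treated as the same action.

```python
"""Paginate Get Alert List output and gate Perform Alert Action on allowedActions.
Assumption: fetch_page(page_from) runs the Get Alert List step with the given
Page From key and returns a response in the output schema shown above."""
from typing import Callable, Iterator, List, Optional, Tuple

Response = dict


def _norm(action: str) -> str:
    """Normalise an action label: case-insensitive, spaces/underscores ignored."""
    return action.replace(" ", "").replace("_", "").lower()


def iter_alerts(fetch_page: Callable[[Optional[str]], Response]) -> Iterator[dict]:
    """Yield every alert across pages, following pages.nextKey until it is empty.
    A repeated nextKey is treated as a paging fault instead of looping forever."""
    page_from: Optional[str] = None
    seen = set()
    while True:
        page = fetch_page(page_from)
        yield from page.get("result", [])
        next_key = (page.get("pages") or {}).get("nextKey")
        if not next_key:
            return
        if next_key in seen:
            raise RuntimeError(f"pagination loop: nextKey {next_key!r} repeated")
        seen.add(next_key)
        page_from = next_key


def choose_action(alert: dict, preferred: List[str]) -> Optional[str]:
    """Return the first entry of `preferred` that the alert's allowedActions
    permits, spelled as the alert reports it, or None if nothing matches."""
    allowed = {_norm(a): a for a in alert.get("allowedActions", [])}
    for want in preferred:
        hit = allowed.get(_norm(want))
        if hit is not None:
            return hit
    return None


def plan_actions(fetch_page: Callable[[Optional[str]], Response],
                 preferred: List[str],
                 min_severity: str = "high") -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (plan, skipped): plan holds (alert id, action) pairs for alerts at
    or above min_severity; skipped lists alert ids at that severity for which
    none of the preferred actions is allowed (these need an analyst's decision)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    floor = rank[min_severity]
    plan: List[Tuple[str, str]] = []
    skipped: List[str] = []
    for alert in iter_alerts(fetch_page):
        if rank.get(str(alert.get("severity", "")).lower(), -1) < floor:
            continue
        action = choose_action(alert, preferred)
        if action is None:
            skipped.append(alert["id"])
        else:
            plan.append((alert["id"], action))
    return plan, skipped


# Constructed sample data: two pages in the Get Alert List output shape.
_SAMPLE_PAGES = {
    None: {
        "result": [
            {"id": "alert-1", "severity": "high", "category": "malware",
             "allowedActions": ["acknowledge", "cleanVirus", "clearThreat"]},
            {"id": "alert-2", "severity": "low", "category": "general",
             "allowedActions": ["acknowledge"]},
        ],
        "pages": {"nextKey": "page-key-2", "size": 2, "maxSize": 100},
    },
    "page-key-2": {
        "result": [
            {"id": "alert-3", "severity": "medium", "category": "pua",
             "allowedActions": ["acknowledge", "sendMsgPua"]},
            {"id": "alert-4", "severity": "high", "category": "policy",
             "allowedActions": []},
        ],
        "pages": {"nextKey": "", "size": 2, "maxSize": 100},
    },
}


def sample_fetch(page_from: Optional[str]) -> Response:
    """Stand-in for the connector's Get Alert List step (constructed data)."""
    return _SAMPLE_PAGES[page_from]


if __name__ == "__main__":
    plan, skipped = plan_actions(
        sample_fetch, ["Clean Virus", "Clear Threat", "Acknowledge"], min_severity="medium")
    print("plan:", plan)        # [('alert-1', 'cleanVirus'), ('alert-3', 'acknowledge')]
    print("skipped:", skipped)  # ['alert-4']
```

Alerts that end up in skipped are the ones the NOTE above refers to: Perform Alert Action would be rejected for them, so the playbook should route them to a manual step rather than retrying.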

operation: Search Alerts

Input parameters

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc".
Product Select the product types of the alerts using which you can filter the alerts searched in Sophos Central.
Category Select the category of the alerts using which you can filter the alerts searched in Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts searched in Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to search for in Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size Specify the maximum number of results, per page, that this operation should return.
Page From Specify the key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "allowedActions": [],
            "category": "",
            "description": "",
            "groupKey": "",
            "managedAgent": {
                "id": "",
                "type": ""
            },
            "person": {
                "id": ""
            },
            "product": "",
            "raisedAt": "",
            "severity": "",
            "tenant": {
                "id": "",
                "name": ""
            },
            "type": ""
        }
    ],
    "pages": {
        "nextKey": "",
        "total": "",
        "items": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Endpoints

Input parameters

Parameter Description
Last Seen After Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Last Seen Before Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Sort Parameter Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc".
Health Status Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Type Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Tamper Protection Enabled Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints whose Tamper Protection is turned on and vice-versa.
Lockdown Status Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
ID List Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central.
Isolation Status Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints that are isolated and vice-versa.
Hostname Contains Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central.
Associated Person Contains Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central.
Group Name Contains Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central.
Search Field Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields.
Search Keyword Specify keywords (term) to search for and retrieve endpoints from Sophos Central based on the search fields specified in the Search Field parameter.
IP Address List Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central.
Cloud Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size Specify the maximum number of results, per page, that this operation should return.
Page From Specify the key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.
Response View Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains the following populated JSON schema:

{
    "pages": {
        "size": "",
        "maxSize": ""
    },
    "result": [
        {
            "id": "",
            "type": "",
            "tenant": {
                "id": ""
            },
            "hostname": "",
            "health": {
                "overall": "",
                "threats": {
                    "status": ""
                },
                "services": {
                    "status": "",
                    "serviceDetails": [
                        {
                            "name": "",
                            "status": ""
                        }
                    ]
                }
            },
            "os": {
                "isServer": "",
                "platform": "",
                "name": "",
                "majorVersion": "",
                "minorVersion": "",
                "build": ""
            },
            "ipv4Addresses": [],
            "macAddresses": [],
            "associatedPerson": {
                "name": "",
                "viaLogin": "",
                "id": ""
            },
            "tamperProtectionEnabled": "",
            "assignedProducts": [
                {
                    "code": "",
                    "version": "",
                    "status": ""
                }
            ],
            "lastSeenAt": "",
            "encryption": {
                "volumes": [
                    {
                        "volumeId": "",
                        "status": ""
                    }
                ]
            },
            "isolation": {
                "status": "",
                "adminIsolated": "",
                "selfIsolated": ""
            }
        }
    ]
}

operation: Get Endpoint by ID

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint whose details you want to retrieve from Sophos Central.
Fields in Response (Optional) Specify a comma-separated list of fields that you want to include in this action's response.
Response View (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "type": "",
    "tenant": {
        "id": ""
    },
    "hostname": "",
    "health": {
        "overall": "",
        "threats": {
            "status": ""
        },
        "services": {
            "status": "",
            "serviceDetails": [
                {
                    "name": "",
                    "status": ""
                }
            ]
        }
    },
    "os": {
        "isServer": "",
        "platform": "",
        "name": "",
        "majorVersion": "",
        "minorVersion": "",
        "build": ""
    },
    "ipv4Addresses": [],
    "macAddresses": [],
    "associatedPerson": {
        "name": "",
        "viaLogin": ""
    },
    "tamperProtectionEnabled": "",
    "assignedProducts": [
        {
            "code": "",
            "version": "",
            "status": ""
        }
    ],
    "lastSeenAt": "",
    "encryption": {
        "volumes": [
            {
                "volumeId": "",
                "status": ""
            }
        ]
    }
}

operation: Delete Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Scan Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "status": "",
    "requestedAt": ""
}

operation: Get Endpoint Isolations

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "enabled": ""
}

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central.
Comments (Optional) Specify the reason for isolating the specified endpoint.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "lastEnabledBy": {
        "id": ""
    },
    "comment": ""
}

operation: Unisolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central.
Comments (Optional) Specify the reason for unisolating the specified endpoint.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "lastDisabledBy": {
        "id": ""
    },
    "comment": ""
}

operation: Get Endpoint Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "password": "",
    "previousPasswords": [
        {
            "password": "",
            "invalidatedAt": ""
        }
    ]
}

operation: Update Endpoint Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central.
Enabled Select true if you want to turn on tamper protection for the specified endpoint in Sophos Central and vice-versa.
Regenerate Password Select true if you want to generate a new tamper protection password for the specified endpoint in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "password": "",
    "previousPasswords": [
        {
            "password": "",
            "invalidatedAt": ""
        }
    ]
}

operation: Create Allowed Item

Input parameters

Parameter Description
File Name Specify the filename of the allowed item that you want to create in Sophos Central.
Type Specify the type of property using which this item is allowed in Sophos Central. You can choose from the following options:
  • Path: Specify the path of the allowed application in the Path field.
  • SHA256 Hash: Specify the Sha256 value of the allowed application in the Sha256 field.
  • Certificate Signer: Specify the value saved for the certificate signer in the Certificate Signer field.
Comment Specify a reason for allowing the item.
Origin Person ID (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen.
Origin Endpoint ID (Optional) Specify the ID of the endpoint where the item to be allowed was last seen.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "updatedAt": "",
    "properties": {
        "path": ""
    },
    "comment": "",
    "type": ""
}

operation: Get Allowed Items

Input parameters

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the allowed items.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "createdAt": "",
            "updatedAt": "",
            "properties": {
                "path": ""
            },
            "comment": "",
            "type": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Allowed Item by ID

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "updatedAt": "",
    "properties": {
        "path": ""
    },
    "comment": "",
    "type": ""
}

operation: Update Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to update in Sophos Central.
Comment Specify the reason for allowing the item.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "updatedAt": "",
    "properties": {
        "path": ""
    },
    "comment": "",
    "type": ""
}

operation: Delete Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Create Blocked Item

Input parameters

Parameter Description
File Name Specify the filename of the blocked item that you want to create in Sophos Central.
Type Specify the type of property using which this item is blocked in Sophos Central. If you choose Sha256, then in the Sha256 field specify the Sha256 value of the blocked application.
Comment Specify a comment indicating why the item should be blocked.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "properties": {
        "sha256": ""
    },
    "comment": "",
    "type": ""
}

operation: Get Blocked Items

Input parameters

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the blocked items.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "createdAt": "",
            "properties": {
                "sha256": ""
            },
            "comment": "",
            "type": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Blocked Item by ID

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "properties": {
        "sha256": ""
    },
    "comment": "",
    "type": ""
}

operation: Delete Blocked Item

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Create Exclusion Scanning

Input parameters

Parameter Description
Exclusion Value Specify the value of the exclusion scan that you want to create in Sophos Central.
Type Select the exclusion scanning type that you want to create in Sophos Central.
Scan Mode Select the mode of the exclusion scan. The default scan mode depends on the exclusion type: onDemandAndOnAccess for exclusions of type path, posixPath, and virtualPath; onAccess for exclusions of type process, web, pua, and amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for creating the exclusion scan.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "value": "",
    "type": "",
    "scanMode": ""
}

operation: Get Exclusion Scanning

Input parameters

Parameter Description
Type Select the exclusion scanning type that you want to retrieve from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the exclusion scans.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "value": "",
            "type": "",
            "scanMode": "",
            "comment": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Exclusion Scanning by ID

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "value": "",
    "type": "",
    "scanMode": "",
    "comment": ""
}

operation: Update Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to update in Sophos Central.
Exclusion Value Specify the value of the exclusion scan that you want to update in Sophos Central.
Scan Mode Select the mode of the exclusion scan. The default scan mode depends on the exclusion type: "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath; "onAccess" for exclusions of type process, web, pua, and amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for updating the exclusion scan.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "value": "",
    "type": "",
    "scanMode": "",
    "comment": ""
}

operation: Delete Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Create Exploit Mitigation Application

Input parameters

Parameter Description
Path List Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "name": "",
    "paths": [],
    "category": "",
    "type": ""
}

operation: Get Exploit Mitigation Application

Input parameters

Parameter Description
Type Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected.
Modified Select true to retrieve only customized exploit mitigation applications from Sophos Central; select false to retrieve only those that have not been customized.
Page Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "name": "",
            "paths": [],
            "category": "",
            "type": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Exploit Mitigation by ID

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "name": "",
    "paths": [],
    "category": "",
    "type": ""
}

operation: Update Exploit Mitigation Application

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to update in Sophos Central.
Path List Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "name": "",
    "paths": [],
    "category": "",
    "type": ""
}

operation: Delete Exploit Mitigation

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Get Detected Exploits

Input parameters

Parameter Description
Thumb Print Not IN Specify a comma-separated list of thumbprints based on which you want to retrieve detected exploits from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the detected exploits.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Specific Detected Exploit

Input parameters

Parameter Description
Detected Exploit ID Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "count": "",
    "description": "",
    "firstSeenAt": "",
    "lastSeenAt": "",
    "thumbprint": "",
    "lastEndpoint": {
        "hostname": "",
        "id": ""
    },
    "lastUser": {
        "name": "",
        "id": ""
    }
}

Included playbooks

The Sample - Sophos Central - 4.2.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.

  • Create Allowed Item
  • Create Blocked Item
  • Create Exclusion Scanning
  • Create Exploit Mitigation Application
  • Delete Blocked Item
  • Delete Allowed Item
  • Delete Endpoint
  • Delete Exclusion Scanning
  • Delete Exploit Mitigation
  • Get Alert List
  • Get Alert by ID
  • Get Allowed Item by ID
  • Get Allowed Items
  • Get Blocked Item by ID
  • Get Blocked Items
  • Get Detected Exploits
  • Get Endpoint Isolations
  • Get Endpoint Tamper Protection
  • Get Endpoint by ID
  • Get Endpoints
  • Get Exclusion Scanning
  • Get Exclusion Scanning by ID
  • Get Exploit Mitigation Application
  • Get Exploit Mitigation by ID
  • Get Specific Detected Exploit
  • Isolate Endpoint
  • Perform Alert Action
  • Scan Endpoint
  • Search Alerts
  • Unisolate Endpoint
  • Update Allowed Item
  • Update Endpoint Tamper Protection
  • Update Exclusion Scanning
  • Update Exploit Mitigation Application
  • Sophos > Ingest
  • > Sophos > Fetch and Create

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from Sophos Central. Currently, alerts ingested from Sophos Central are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Sophos Central alerts to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Sophos Central into FortiSOAR™. It also lets you pull some sample data from Sophos Central using which you can define the mapping of data between Sophos Central and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Sophos Central alerts.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Sophos Central connector's Configurations page.

    Click Let's Start by fetching some data to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between Sophos Central data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch alerts from Sophos Central. You can specify Pull alerts created in past X minutes. The fetched data is used to create a mapping between the Sophos Central data and FortiSOAR™ Alerts.

    Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the alerts ingested from Sophos Central to the fields of an Alert present in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the Severity parameter of an ingested alert from Sophos Central to the Alert Severity parameter of FortiSOAR™ Alerts, click the Severity field and then click the Alert Severity field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency for Sophos Central, so that content gets pulled from the Sophos Central integration into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Sophos Central every 5 minutes, click Every X Minute, and in the minute box enter */5. This means that the alerts will be pulled from Sophos Central every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Previous
Next

About the connector

Sophos Central is a unified console for managing your Sophos products Sophos Central lets you administer protection for endpoints, mobile devices, encryption, web, email, servers, etc. This connector facilitates automated operations related to endpoints, email, etc.

This document provides information about the Sophos Central Connector, which facilitates automated interactions, with a Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central Connector as a step in FortiSOAR™ playbooks and perform automated operations with Sophos Central.

Version information

Connector Version: 4.2.0

FortiSOAR™ Version Tested on: 7.4.1-3167

Sophos Central API Version Tested on: v1.0.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.2.0

Following enhancements have been made to the Sophos Central Connector in version 4.2.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-sophos-central

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Sophos Central server to connect and perform automated operations.
Client ID Specify the Client ID used to access the Sophos Central server to connect and perform automated operations.
Client Secret Specify the Secret code used to access the Sophos Central server to connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified.
By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Get Alert List Retrieves a list of all the alerts or specific alerts from Sophos Central based on the filter criteria that you have specified. list_alerts
Investigation
Get Alert by ID Retrieves details of a specific alert from Sophos Central based on the alert ID you have specified. get_alerts
Investigation
Perform Alert Action Performs an action such as Clean Virus, Clear Threat, etc on a specific alert in Sophos Central based on the alert ID and action you have specified. alerts_action
Investigation
Search Alerts Searches for alerts from Sophos Central based on the filter criteria that you have specified. search_alerts
Investigation
Get Endpoints Retrieves a list of all the endpoints or specific endpoints for a specific tenant from Sophos Central based on the filter criteria that you have specified. list_endpoints
Investigation
Get Endpoint by ID Retrieves details of a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints
Investigation
Delete Endpoint Deletes a specified endpoint from Sophos Central based on the endpoint ID you have specified. delete_endpoints
Investigation
Scan Endpoint Sends a request to the specified endpoint in Sophos Central to perform or configure a scan based on the endpoint ID you have specified. scan_endpoints
Investigation
Get Endpoint Isolations Retrieves isolation settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoints_isolation
Investigation
Isolate Endpoint Updates the isolation settings for a specific endpoint to 'Isolate' in Sophos Central based on the endpoint ID you have specified. isolate_endpoints
Investigation
Unisolate Endpoint Updates the isolation settings for a specific endpoint to 'Unisolate' in Sophos Central based on the endpoint ID you have specified. unisolate_endpoints
Investigation
Get Endpoint Tamper Protection Retrieves the tamper protection settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. get_endpoint_tamper_protection
Investigation
Update Endpoint Tamper Protection Turns Tamper Protection on or off on an endpoint, or generates a new tamper protection password based on the endpoint ID you have specified. Note: Tamper Protection can be turned on for an endpoint only if it has also been turned on globally. update_endpoint_tamper_protection
Investigation
Create Allowed Item Creates an allowed item in Sophos Central based on the file name, type, and other input parameters you have specified. create_allowed_items
Investigation
Get Allowed Items Retrieves a list of allowed items from Sophos Central. list_allowed_items
Investigation
Get Allowed Item by ID Retrieves details of a specific allowed item from Sophos Central based on the allowed item ID you have specified. get_allowed_items
Investigation
Update Allowed Item Updates an allowed item in Sophos Central based on the allowed item ID you have specified. update_allowed_items
Investigation
Delete Allowed Item Deletes an allowed item in Sophos Central based on the allowed item ID you have specified. delete_allowed_items
Investigation
Create Blocked Item Creates a blocked item in Sophos Central based on the file name, type, and other input parameters you have specified. create_blocked_items
Investigation
Get Blocked Items Retrieves a list of blocked items from Sophos Central. list_blocked_items
Investigation
Get Blocked Item by ID Retrieves details of a specific blocked item from Sophos Central based on the blocked item ID you have specified. get_blocked_items
Investigation
Delete Blocked Item Deletes a blocked item in Sophos Central based on the blocked item ID you have specified. delete_blocked_items
Investigation
Create Exclusion Scanning Adds a new scanning exclusion in Sophos Central based on the scanning exclusion value, scanning exclusion type, and other input parameters you have specified. create_exclusion_scanning
Investigation
Get Exclusion Scanning Retrieves all scanning exclusions from Sophos Central based on the scanning exclusion type and other input parameters you have specified. list_exclusion_scanning
Investigation
Get Exclusion Scanning by ID Retrieves details for a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. get_exclusion_scanning
Investigation
Update Exclusion Scanning Updates an existing scanning exclusion in Sophos Central based on the scanning exclusion ID, scanning exclusion type, and other input parameters you have specified. update_exclusion_scanning
Investigation
Delete Exclusion Scanning Deletes a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. delete_exclusion_scanning
Investigation
Create Exploit Mitigation Application Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. create_exploit_mitigation_application
Investigation
Get Exploit Mitigation Application Retrieves Exploit Mitigation settings for all protected applications from Sophos Central. list_exploit_mitigation_application
Investigation
Get Exploit Mitigation by ID Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. get_exploit_mitigation_application
Investigation
Update Exploit Mitigation Application Updates an Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. update_exploit_mitigation_application
Investigation
Delete Exploit Mitigation Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified. Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message. delete_exploit_mitigation_application
Investigation
Get Detected Exploits Retrieves detected exploits and the number of each detected exploit from Sophos Central. list_detected_exploits
Investigation
Get Specific Detected Exploit Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. get_detected_exploits
Investigation

operation: Get Alert List

Input parameters

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc"
Product Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central.
Category Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size Specify the maximum number of results, per page, that this operation should return.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "allowedActions": [],
            "category": "",
            "description": "",
            "groupKey": "",
            "managedAgent": {
                "id": "",
                "type": ""
            },
            "person": {
                "id": ""
            },
            "product": "",
            "raisedAt": "",
            "severity": "",
            "tenant": {
                "id": "",
                "name": ""
            },
            "type": ""
        }
    ],
    "pages": {
        "nextKey": "",
        "total": "",
        "items": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Alert by ID

Input parameters

Parameter Description
Alert ID Specify the ID of the alert whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "allowedActions": [],
    "category": "",
    "description": "",
    "groupKey": "",
    "managedAgent": {
        "id": "",
        "type": ""
    },
    "person": {
        "id": ""
    },
    "product": "",
    "raisedAt": "",
    "severity": "",
    "tenant": {
        "id": "",
        "name": ""
    },
    "type": ""
}

operation: Perform Alert Action

Input parameters

Parameter Description
Alert ID Specify the ID of the alert on which you want to perform the specific action in Sophos Central.
Alert Action Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc.
NOTE: You can perform only the actions which are allowed on the alert.
Message (Optional) Specify the message to be added while performing the specific action on the specified alert.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "alertId": "",
    "action": "",
    "status": "",
    "requestedAt": "",
    "startedAt": "",
    "completedAt": "",
    "result": ""
}

operation: Search Alerts

Input parameters

Parameter Description
Group Key Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central.
From Alert Time Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time.
To Alert Time Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time.
Sort Parameter Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc"
Product Select the product types of the alerts using which you can filter the alerts searched in Sophos Central.
Category Select the category of the alerts using which you can filter the alerts searched in Sophos Central.
Severity Select the severity of the alerts using which you can filter the alerts searched in Sophos Central.
ID List Specify a comma-separated list of alert IDs that you want to search for in Sophos Central.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size Specify the maximum number of results, per page, that this operation should return.
Page From Specify the key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "allowedActions": [],
            "category": "",
            "description": "",
            "groupKey": "",
            "managedAgent": {
                "id": "",
                "type": ""
            },
            "person": {
                "id": ""
            },
            "product": "",
            "raisedAt": "",
            "severity": "",
            "tenant": {
                "id": "",
                "name": ""
            },
            "type": ""
        }
    ],
    "pages": {
        "nextKey": "",
        "total": "",
        "items": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Endpoints

Input parameters

Parameter Description
Last Seen After Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Last Seen Before Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive).
Sort Parameter Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc"
Health Status Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Type Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
Tamper Protection Enabled Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints whose Tamper Protection is turned on and vice-versa.
Lockdown Status Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central.
ID List Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central.
Isolation Status Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints that are isolated and vice-versa.
Hostname Contains Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central.
Associated Person Contains Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central.
Group Name Contains Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central.
Search Field Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields.
Search Keyword Specify keywords (term) to search for and retrieve endpoints from Sophos Central based on the search fields specified in the Search Field parameter.
IP Address List Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central.
Cloud Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding.
Fields in Response Specify a comma-separated list of fields that you want to include in this action's response.
Page Size Specify the maximum number of results, per page, that this operation should return.
Page From Specify the key of the item from where to fetch a page.
Total Page Select this option to calculate and return the number of pages in this action's response.
Response View Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains the following populated JSON schema:

{
    "pages": {
        "size": "",
        "maxSize": ""
    },
    "result": [
        {
            "id": "",
            "type": "",
            "tenant": {
                "id": ""
            },
            "hostname": "",
            "health": {
                "overall": "",
                "threats": {
                    "status": ""
                },
                "services": {
                    "status": "",
                    "serviceDetails": [
                        {
                            "name": "",
                            "status": ""
                        }
                    ]
                }
            },
            "os": {
                "isServer": "",
                "platform": "",
                "name": "",
                "majorVersion": "",
                "minorVersion": "",
                "build": ""
            },
            "ipv4Addresses": [],
            "macAddresses": [],
            "associatedPerson": {
                "name": "",
                "viaLogin": "",
                "id": ""
            },
            "tamperProtectionEnabled": "",
            "assignedProducts": [
                {
                    "code": "",
                    "version": "",
                    "status": ""
                }
            ],
            "lastSeenAt": "",
            "encryption": {
                "volumes": [
                    {
                        "volumeId": "",
                        "status": ""
                    }
                ]
            },
            "isolation": {
                "status": "",
                "adminIsolated": "",
                "selfIsolated": ""
            }
        }
    ]
}

operation: Get Endpoint by ID

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint whose details you want to retrieve from Sophos Central.
Fields in Response (Optional) Specify a comma-separated list of fields that you want to include in this action's response.
Response View (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "type": "",
    "tenant": {
        "id": ""
    },
    "hostname": "",
    "health": {
        "overall": "",
        "threats": {
            "status": ""
        },
        "services": {
            "status": "",
            "serviceDetails": [
                {
                    "name": "",
                    "status": ""
                }
            ]
        }
    },
    "os": {
        "isServer": "",
        "platform": "",
        "name": "",
        "majorVersion": "",
        "minorVersion": "",
        "build": ""
    },
    "ipv4Addresses": [],
    "macAddresses": [],
    "associatedPerson": {
        "name": "",
        "viaLogin": ""
    },
    "tamperProtectionEnabled": "",
    "assignedProducts": [
        {
            "code": "",
            "version": "",
            "status": ""
        }
    ],
    "lastSeenAt": "",
    "encryption": {
        "volumes": [
            {
                "volumeId": "",
                "status": ""
            }
        ]
    }
}

operation: Delete Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Scan Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "status": "",
    "requestedAt": ""
}

operation: Get Endpoint Isolations

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "enabled": ""
}

operation: Isolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central.
Comments (Optional) Specify the reason for isolating the specified endpoint.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "lastEnabledBy": {
        "id": ""
    },
    "comment": ""
}

operation: Unisolate Endpoint

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central.
Comments (Optional) Specify the reason for unisolating the specified endpoint.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "lastDisabledBy": {
        "id": ""
    },
    "comment": ""
}

operation: Get Endpoint Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "password": "",
    "previousPasswords": [
        {
            "password": "",
            "invalidatedAt": ""
        }
    ]
}

operation: Update Endpoint Tamper Protection

Input parameters

Parameter Description
Endpoint ID Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central.
Enabled Select true if you want to turn on tamper protection for the specified endpoints in Sophos Central and vice-versa.
Regenerate Password Select true if you want to generate a new password for tamper protection for the specified endpoints in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "enabled": "",
    "password": "",
    "previousPasswords": [
        {
            "password": "",
            "invalidatedAt": ""
        }
    ]
}

operation: Create Allowed Item

Input parameters

Parameter Description
File Name Specify the filename of the allowed item that you want to create in Sophos Central.
Type Select the type of property by which this item is allowed in Sophos Central. You can choose from the following options:
  • Path: Specify the path of the allowed application in the Path field.
  • SHA256 Hash: Specify the SHA256 value of the allowed application in the Sha256 field.
  • Certificate Signer: Specify the value recorded for the certificate signer in the Certificate Signer field.
Comment Specify a reason for allowing the item.
Origin Person ID (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen.
Origin Endpoint ID (Optional) Specify the ID of the endpoint where the item to be allowed was last seen.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "updatedAt": "",
    "properties": {
        "path": ""
    },
    "comment": "",
    "type": ""
}

operation: Get Allowed Items

Input parameters

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the allowed items.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "createdAt": "",
            "updatedAt": "",
            "properties": {
                "path": ""
            },
            "comment": "",
            "type": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Allowed Item by ID

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "updatedAt": "",
    "properties": {
        "path": ""
    },
    "comment": "",
    "type": ""
}

operation: Update Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to update in Sophos Central.
Comment Specify the reason for allowing the item.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "updatedAt": "",
    "properties": {
        "path": ""
    },
    "comment": "",
    "type": ""
}

operation: Delete Allowed Item

Input parameters

Parameter Description
Allowed Item ID Specify the ID of the allowed item that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Create Blocked Item

Input parameters

Parameter Description
File Name Specify the filename of the blocked item that you want to create in Sophos Central.
Type Select the type of property by which this item is blocked in Sophos Central. If you choose Sha256, specify the SHA256 value of the blocked application in the Sha256 field.
Comment Specify a comment indicating why the item should be blocked.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "properties": {
        "sha256": ""
    },
    "comment": "",
    "type": ""
}
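The Create Allowed Item and Create Blocked Item actions above identify an item by a single property whose key depends on the selected type. The following added example (not part of the connector) builds that request body and validates the identifying value before it is sent; the property keys `path` and `sha256` are taken from the output schemas, while `fileName`, `certificateSigner`, `originPersonId` and `originEndpointId` are assumed key names.

```python
"""Build and validate the body for an allowed/blocked item request.

Added example, not connector code. Key names marked 'assumed' are not
shown in the action output schemas on this page.
"""
import re

# A SHA-256 digest is exactly 64 hexadecimal characters.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Allowed items may be identified by path, SHA-256 or certificate signer;
# blocked items only by SHA-256 (as the action descriptions state).
ALLOWED_KEYS = {
    "path": "path",
    "sha256": "sha256",
    "certificateSigner": "certificateSigner",  # assumed key name
}
BLOCKED_KEYS = {"sha256": "sha256"}


def normalize_sha256(digest):
    """Lower-case and validate a SHA-256 hex digest; reject anything else."""
    value = digest.strip().lower()
    if not SHA256_RE.fullmatch(value):
        raise ValueError("sha256 must be 64 hexadecimal characters")
    return value


def build_item_body(kind, file_name, item_type, value, comment,
                    origin_person_id=None, origin_endpoint_id=None):
    """Return the JSON body for a 'allowed' or 'blocked' item creation."""
    keys = {"allowed": ALLOWED_KEYS, "blocked": BLOCKED_KEYS}.get(kind)
    if keys is None:
        raise ValueError(f"kind must be 'allowed' or 'blocked', got {kind!r}")
    if item_type not in keys:
        raise ValueError(f"{kind} items cannot be identified by {item_type!r}")
    # Every allow/block decision must carry a reason for later review.
    if not comment or not comment.strip():
        raise ValueError("a comment explaining the decision is required")
    if item_type == "sha256":
        value = normalize_sha256(value)
    elif not value or not value.strip():
        raise ValueError("the identifying value must not be empty")
    body = {
        "type": item_type,
        "properties": {"fileName": file_name, keys[item_type]: value},  # fileName: assumed
        "comment": comment.strip(),
    }
    if origin_person_id:
        body["originPersonId"] = origin_person_id      # assumed key name
    if origin_endpoint_id:
        body["originEndpointId"] = origin_endpoint_id  # assumed key name
    return body
```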

operation: Get Blocked Items

Input parameters

Parameter Description
Page Specify the page number, starting with 1, from which you want to fetch the blocked items.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "createdAt": "",
            "properties": {
                "sha256": ""
            },
            "comment": "",
            "type": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Blocked Item by ID

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "createdAt": "",
    "properties": {
        "sha256": ""
    },
    "comment": "",
    "type": ""
}

operation: Delete Blocked Item

Input parameters

Parameter Description
Blocked Item ID Specify the ID of the blocked item that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Create Exclusion Scanning

Input parameters

Parameter Description
Exclusion Value Specify the value of the exclusion scan that you want to create in Sophos Central.
Type Select the exclusion scanning type that you want to create in Sophos Central.
Scan Mode Select the mode of the exclusion scan. If no mode is selected, the default depends on the exclusion type: onDemandAndOnAccess for exclusions of type path, posixPath, and virtualPath; onAccess for exclusions of type process, web, pua, and amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for creating the exclusion scan.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "value": "",
    "type": "",
    "scanMode": ""
}

operation: Get Exclusion Scanning

Input parameters

Parameter Description
Type Select the exclusion scanning type that you want to retrieve from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the exclusion scans.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "value": "",
            "type": "",
            "scanMode": "",
            "comment": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Exclusion Scanning by ID

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "value": "",
    "type": "",
    "scanMode": "",
    "comment": ""
}

operation: Update Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to update in Sophos Central.
Exclusion Value Specify the new value of the exclusion scan that you want to update in Sophos Central.
Scan Mode Select the mode of the exclusion scan. If no mode is selected, the default depends on the exclusion type: "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath; "onAccess" for exclusions of type process, web, pua, and amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
Comment (Optional) Specify the reason for updating the exclusion scan.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "value": "",
    "type": "",
    "scanMode": "",
    "comment": ""
}
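The Create Exclusion Scanning and Update Exclusion Scanning actions share the same scan-mode rules: a type-dependent default, and no scan mode at all for behavioral and exploitMitigation exclusions. The added example below (not part of the connector) encodes those rules when building the request body; the field names `value`, `type`, `scanMode` and `comment` come from the action output schemas, and the extra `onDemand` mode and the guard against root-wide path exclusions are assumptions of this example.

```python
"""Build a request body for an exclusion scan, applying the scan-mode rules.

Added example, not connector code. Exclusion types and defaults follow the
action descriptions on this page.
"""

# Types whose default scan mode is onDemandAndOnAccess.
ON_DEMAND_AND_ON_ACCESS = {"path", "posixPath", "virtualPath"}
# Types whose default scan mode is onAccess.
ON_ACCESS_ONLY = {"process", "web", "pua", "amsi"}
# Types for which Sophos Central accepts no scan mode.
NO_SCAN_MODE = {"behavioral", "exploitMitigation"}

# onDemandAndOnAccess and onAccess appear in the action description;
# onDemand is assumed to be accepted as well.
VALID_SCAN_MODES = {"onDemand", "onAccess", "onDemandAndOnAccess"}

# Path exclusions that disable scanning for an entire drive or filesystem
# are rejected here as a local policy choice (an assumption of this example).
ROOT_WIDE_PATHS = {"*", "/", "/*", "\\*"}


def default_scan_mode(exclusion_type):
    """Return the default scanMode for a type, or None where none applies."""
    if exclusion_type in ON_DEMAND_AND_ON_ACCESS:
        return "onDemandAndOnAccess"
    if exclusion_type in ON_ACCESS_ONLY:
        return "onAccess"
    if exclusion_type in NO_SCAN_MODE:
        return None
    raise ValueError(f"unknown exclusion type: {exclusion_type!r}")


def is_root_wide_path(value):
    """True for a bare wildcard/root or a drive root such as 'C:\\*'."""
    v = value.strip()
    return v in ROOT_WIDE_PATHS or (len(v) == 4 and v[1:] == ":\\*" and v[0].isalpha())


def build_exclusion_body(value, exclusion_type, scan_mode=None, comment=None):
    """Return the JSON body for creating or updating an exclusion scan."""
    if not value or not value.strip():
        raise ValueError("exclusion value must not be empty")
    default = default_scan_mode(exclusion_type)  # also validates the type
    if exclusion_type in ON_DEMAND_AND_ON_ACCESS and is_root_wide_path(value):
        raise ValueError("refusing a path exclusion that covers a whole drive or root")
    body = {"value": value.strip(), "type": exclusion_type}
    if exclusion_type in NO_SCAN_MODE:
        if scan_mode is not None:
            raise ValueError(f"{exclusion_type} exclusions do not support a scan mode")
    else:
        chosen = scan_mode or default
        if chosen not in VALID_SCAN_MODES:
            raise ValueError(f"invalid scanMode: {chosen!r}")
        body["scanMode"] = chosen
    if comment and comment.strip():
        body["comment"] = comment.strip()
    return body
```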

operation: Delete Exclusion Scanning

Input parameters

Parameter Description
Exclusion ID Specify the ID of the exclusion scan that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Create Exploit Mitigation Application

Input parameters

Parameter Description
Path List Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "name": "",
    "paths": [],
    "category": "",
    "type": ""
}

operation: Get Exploit Mitigation Application

Input parameters

Parameter Description
Type Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected.
Modified Select true to retrieve only customized exploit mitigation applications from Sophos Central, or false to retrieve only those that have not been customized.
Page Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [
        {
            "id": "",
            "name": "",
            "paths": [],
            "category": "",
            "type": ""
        }
    ],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Exploit Mitigation by ID

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "name": "",
    "paths": [],
    "category": "",
    "type": ""
}

operation: Update Exploit Mitigation Application

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to update in Sophos Central.
Path List Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "name": "",
    "paths": [],
    "category": "",
    "type": ""
}

operation: Delete Exploit Mitigation

Input parameters

Parameter Description
Exploit Mitigation application ID Specify the ID of the exploit mitigation application that you want to delete from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "deleted": ""
}

operation: Get Detected Exploits

Input parameters

Parameter Description
Thumb Print Not IN Specify a comma-separated list of thumbprints based on which you want to retrieve detected exploits from Sophos Central.
Page Specify the page number, starting with 1, from which you want to fetch the detected exploits.
Page Size Specify the maximum number of results, per page, that this action should return.
Page Total Select this option to calculate and return the number of pages in this action's response.

Output

The output contains the following populated JSON schema:

{
    "result": [],
    "pages": {
        "current": "",
        "size": "",
        "maxSize": ""
    }
}

operation: Get Specific Detected Exploit

Input parameters

Parameter Description
Detected Exploit ID Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "count": "",
    "description": "",
    "firstSeenAt": "",
    "lastSeenAt": "",
    "thumbprint": "",
    "lastEndpoint": {
        "hostname": "",
        "id": ""
    },
    "lastUser": {
        "name": "",
        "id": ""
    }
}

Included playbooks

The Sample - Sophos Central - 4.2.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from Sophos Central. Currently, alerts ingested from Sophos Central are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Sophos Central alerts to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you configure the scheduled pulling of data from Sophos Central into FortiSOAR™. It also lets you pull some sample data from Sophos Central, which you use to define the mapping of data between Sophos Central and FortiSOAR™. The Data Ingestion Wizard generally maps common fields for you; in most cases you only need to map any custom fields that have been added to the Sophos Central alerts.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Sophos Central connector's Configurations page.

    Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between Sophos Central data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch alerts from Sophos Central. You can specify the Pull alerts created in past X minutes. The fetched data is used to create a mapping between the alerts from Sophos Central and FortiSOAR™ Alerts.

    Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the alerts ingested from Sophos Central to the fields of an Alert present in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the Severity parameter of an ingested alert from Sophos Central to the Alert Severity parameter of FortiSOAR™ Alerts, click the Severity field and then click the Alert Severity field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify how often FortiSOAR™ polls Sophos Central so that content is pulled from the Sophos Central integration into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Sophos Central every 5 minutes, click Every X Minute, and in the minute box enter */5. This means that the alerts will be pulled from Sophos Central every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
