Sophos Central is a unified console for managing your Sophos products Sophos Central lets you administer protection for endpoints, mobile devices, encryption, web, email, servers, etc. This connector facilitates automated operations related to endpoints, email, etc.
This document provides information about the Sophos Central Connector, which facilitates automated interactions, with a Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central Connector as a step in FortiSOAR™ playbooks and perform automated operations with Sophos Central.
Connector Version: 4.2.0
FortiSOAR™ Version Tested on: 7.4.1-3167
Sophos Central API Version Tested on: v1.0.0
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Sophos Central Connector in version 4.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-sophos-central
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the Sophos Central server to connect and perform automated operations. |
Client ID | Specify the Client ID used to access the Sophos Central server to connect and perform automated operations. |
Client Secret | Specify the Secret code used to access the Sophos Central server to connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get Alert List | Retrieves a list of all the alerts or specific alerts from Sophos Central based on the filter criteria that you have specified. | list_alerts Investigation |
Get Alert by ID | Retrieves details of a specific alert from Sophos Central based on the alert ID you have specified. | get_alerts Investigation |
Perform Alert Action | Performs an action such as Clean Virus, Clear Threat, etc on a specific alert in Sophos Central based on the alert ID and action you have specified. | alerts_action Investigation |
Search Alerts | Searches for alerts from Sophos Central based on the filter criteria that you have specified. | search_alerts Investigation |
Get Endpoints | Retrieves a list of all the endpoints or specific endpoints for a specific tenant from Sophos Central based on the filter criteria that you have specified. | list_endpoints Investigation |
Get Endpoint by ID | Retrieves details of a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoints Investigation |
Delete Endpoint | Deletes a specified endpoint from Sophos Central based on the endpoint ID you have specified. | delete_endpoints Investigation |
Scan Endpoint | Sends a request to the specified endpoint in Sophos Central to perform or configure a scan based on the endpoint ID you have specified. | scan_endpoints Investigation |
Get Endpoint Isolations | Retrieves isolation settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoints_isolation Investigation |
Isolate Endpoint | Updates the isolation settings for a specific endpoint to 'Isolate' in Sophos Central based on the endpoint ID you have specified. | isolate_endpoints Investigation |
Unisolate Endpoint | Updates the isolation settings for a specific endpoint to 'Unisolate' in Sophos Central based on the endpoint ID you have specified. | unisolate_endpoints Investigation |
Get Endpoint Tamper Protection | Retrieves the tamper protection settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoint_tamper_protection Investigation |
Update Endpoint Tamper Protection | Turns Tamper Protection on or off on an endpoint, or generates a new tamper protection password based on the endpoint ID you have specified. Note: Tamper Protection can be turned on for an endpoint only if it has also been turned on globally. | update_endpoint_tamper_protection Investigation |
Create Allowed Item | Creates an allowed item in Sophos Central based on the file name, type, and other input parameters you have specified. | create_allowed_items Investigation |
Get Allowed Items | Retrieves a list of allowed items from Sophos Central. | list_allowed_items Investigation |
Get Allowed Item by ID | Retrieves details of a specific allowed item from Sophos Central based on the allowed item ID you have specified. | get_allowed_items Investigation |
Update Allowed Item | Updates an allowed item in Sophos Central based on the allowed item ID you have specified. | update_allowed_items Investigation |
Delete Allowed Item | Deletes an allowed item in Sophos Central based on the allowed item ID you have specified. | delete_allowed_items Investigation |
Create Blocked Item | Creates a blocked item in Sophos Central based on the file name, type, and other input parameters you have specified. | create_blocked_items Investigation |
Get Blocked Items | Retrieves a list of blocked items from Sophos Central. | list_blocked_items Investigation |
Get Blocked Item by ID | Retrieves details of a specific blocked item from Sophos Central based on the blocked item ID you have specified. | get_blocked_items Investigation |
Delete Blocked Item | Deletes a blocked item in Sophos Central based on the blocked item ID you have specified. | delete_blocked_items Investigation |
Create Exclusion Scanning | Adds a new scanning exclusion in Sophos Central based on the scanning exclusion value, scanning exclusion type, and other input parameters you have specified. | create_exclusion_scanning Investigation |
Get Exclusion Scanning | Retrieves all scanning exclusions from Sophos Central based on the scanning exclusion type and other input parameters you have specified. | list_exclusion_scanning Investigation |
Get Exclusion Scanning by ID | Retrieves details for a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. | get_exclusion_scanning Investigation |
Update Exclusion Scanning | Updates an existing scanning exclusion in Sophos Central based on the scanning exclusion ID, scanning exclusion type, and other input parameters you have specified. | update_exclusion_scanning Investigation |
Delete Exclusion Scanning | Deletes a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. | delete_exclusion_scanning Investigation |
Create Exploit Mitigation Application | Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. | create_exploit_mitigation_application Investigation |
Get Exploit Mitigation Application | Retrieves Exploit Mitigation settings for all protected applications from Sophos Central. | list_exploit_mitigation_application Investigation |
Get Exploit Mitigation by ID | Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. | get_exploit_mitigation_application Investigation |
Update Exploit Mitigation Application | Updates an Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. | update_exploit_mitigation_application Investigation |
Delete Exploit Mitigation | Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified. Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message. | delete_exploit_mitigation_application Investigation |
Get Detected Exploits | Retrieves detected exploits and the number of each detected exploit from Sophos Central. | list_detected_exploits Investigation |
Get Specific Detected Exploit | Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. | get_detected_exploits Investigation |
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | Specify the maximum number of results, per page, that this operation should return. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "allowedActions": [], "category": "", "description": "", "groupKey": "", "managedAgent": { "id": "", "type": "" }, "person": { "id": "" }, "product": "", "raisedAt": "", "severity": "", "tenant": { "id": "", "name": "" }, "type": "" } ], "pages": { "nextKey": "", "total": "", "items": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "allowedActions": [], "category": "", "description": "", "groupKey": "", "managedAgent": { "id": "", "type": "" }, "person": { "id": "" }, "product": "", "raisedAt": "", "severity": "", "tenant": { "id": "", "name": "" }, "type": "" }
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert on which you want to perform the specific action in Sophos Central. |
Alert Action | Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc. NOTE: You can perform only the actions which are allowed on the alert. |
Message | (Optional) Specify the message to be added while performing the specific action on the specified alert. |
The output contains the following populated JSON schema:
{ "id": "", "alertId": "", "action": "", "status": "", "requestedAt": "", "startedAt": "", "completedAt": "", "result": "" }
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts searched in Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts searched in Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts searched in Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to search for in Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | Specify the maximum number of results, per page, that this operation should return. |
Page From | Specify the key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "allowedActions": [], "category": "", "description": "", "groupKey": "", "managedAgent": { "id": "", "type": "" }, "person": { "id": "" }, "product": "", "raisedAt": "", "severity": "", "tenant": { "id": "", "name": "" }, "type": "" } ], "pages": { "nextKey": "", "total": "", "items": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Last Seen After | Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Last Seen Before | Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Health Status | Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Type | Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Tamper Protection Enabled | Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints whose Tamper Protection is turned on and vice-versa. |
Lockdown Status | Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
ID List | Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central. |
Isolation Status | Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints that are isolated and vice-versa. |
Hostname Contains | Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central. |
Associated Person Contains | Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central. |
Group Name Contains | Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central. |
Search Field | Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields. |
Search Keyword | Specify keywords (term) to search for and retrieve endpoints from Sophos Central based on the search fields specified in the Search Field parameter. |
IP Address List | Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central. |
Cloud | Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | Specify the maximum number of results, per page, that this operation should return. |
Page From | Specify the key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
Response View | Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains the following populated JSON schema:
{ "pages": { "size": "", "maxSize": "" }, "result": [ { "id": "", "type": "", "tenant": { "id": "" }, "hostname": "", "health": { "overall": "", "threats": { "status": "" }, "services": { "status": "", "serviceDetails": [ { "name": "", "status": "" } ] } }, "os": { "isServer": "", "platform": "", "name": "", "majorVersion": "", "minorVersion": "", "build": "" }, "ipv4Addresses": [], "macAddresses": [], "associatedPerson": { "name": "", "viaLogin": "", "id": "" }, "tamperProtectionEnabled": "", "assignedProducts": [ { "code": "", "version": "", "status": "" } ], "lastSeenAt": "", "encryption": { "volumes": [ { "volumeId": "", "status": "" } ] }, "isolation": { "status": "", "adminIsolated": "", "selfIsolated": "" } } ] }
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint whose details you want to retrieve from Sophos Central. |
Fields in Response | (Optional) Specify a comma-separated list of fields that you want to include in this action's response. |
Response View | (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains the following populated JSON schema:
{ "id": "", "type": "", "tenant": { "id": "" }, "hostname": "", "health": { "overall": "", "threats": { "status": "" }, "services": { "status": "", "serviceDetails": [ { "name": "", "status": "" } ] } }, "os": { "isServer": "", "platform": "", "name": "", "majorVersion": "", "minorVersion": "", "build": "" }, "ipv4Addresses": [], "macAddresses": [], "associatedPerson": { "name": "", "viaLogin": "" }, "tamperProtectionEnabled": "", "assignedProducts": [ { "code": "", "version": "", "status": "" } ], "lastSeenAt": "", "encryption": { "volumes": [ { "volumeId": "", "status": "" } ] } }
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "status": "", "requestedAt": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "enabled": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central. |
Comments | (Optional) Specify the reason for isolating the specified endpoint. |
The output contains the following populated JSON schema:
{ "enabled": "", "lastEnabledBy": { "id": "" }, "comment": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central. |
Comments | (Optional) Specify the reason for unisolating the specified endpoint. |
The output contains the following populated JSON schema:
{ "enabled": "", "lastDisabledBy": { "id": "" }, "comment": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "enabled": "", "password": "", "previousPasswords": [ { "password": "", "invalidatedAt": "" } ] }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central. |
Enabled | Select true if you want to turn on tamper protection for the specified endpoints in Sophos Central and vice-versa. |
Regenerate Password | Select true if you want to generate a new password for tamper protection for the specified endpoints in Sophos Central. |
The output contains the following populated JSON schema:
{ "enabled": "", "password": "", "previousPasswords": [ { "password": "", "invalidatedAt": "" } ] }
Parameter | Description |
---|---|
File Name | Specify the filename of the allowed item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is allowed in Sophos Central. You can choose from following options:
|
Comment | Specify a reason for allowing the item. |
Origin Person ID | (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen. |
Origin Endpoint ID | (Optional) Specify the ID of the endpoint where the item to be allowed was last seen. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the allowed items. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to update in Sophos Central. |
Comment | Specify the reason for allowing the item. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
File Name | Specify the filename of the blocked item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is blocked in Sophos Central. If you choose Sha256, then in the Sha256 field specify the Sha256 value of the blocked application. |
Comment | Specify a comment indicating why the item should be blocked. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "properties": { "sha256": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the blocked items. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "createdAt": "", "properties": { "sha256": "" }, "comment": "", "type": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "properties": { "sha256": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Exclusion Value | Specify the value of the exclusion scan that you want to create in Sophos Central. |
Type | Select the exclusion scanning type that you want to create in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: onDemandAndOnAccess for exclusions of type path, posixPath, and virtualPath onAccess for process, web , pua , and amsi . Behavioral and Detected Exploits (exploitMitigation ) type exclusions do not support a scan mode. |
Comment | (Optional) Specify the reason for creating the exclusion scan. |
The output contains the following populated JSON schema:
{ "id": "", "value": "", "type": "", "scanMode": "" }
Parameter | Description |
---|---|
Type | Select the exclusion scanning type that you want to retrieve from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the exclusion scans. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "value": "", "type": "", "scanMode": "", "comment": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "value": "", "type": "", "scanMode": "", "comment": "" }
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to create in Sophos Central. |
Exclusion Value | Specify the ID of the exclusion scan that you want to create in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath "onAccess" for process, web, pua, and amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
Comment | (Optional) Specify the reason for updating the exclusion scan. |
The output contains the following populated JSON schema:
{ "id": "", "value": "", "type": "", "scanMode": "", "comment": "" }
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Path List | Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "name": "", "paths": [], "category": "", "type": "" }
Parameter | Description |
---|---|
Type | Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected. |
Modified | Select true if you want to retrieve only customized exploit mitigation applications from Sophos Central and vice-versa. |
Page | Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "name": "", "paths": [], "category": "", "type": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "name": "", "paths": [], "category": "", "type": "" }
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application that you want to update in Sophos Central. |
Path List | Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "name": "", "paths": [], "category": "", "type": "" }
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Thumb Print Not IN | Specify a comma-separated list of thumbprints based on which you want to retrieve detected exploits from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the detected exploits. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Detected Exploit ID | Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "count": "", "description": "", "firstSeenAt": "", "lastSeenAt": "", "thumbprint": "", "lastEndpoint": { "hostname": "", "id": "" }, "lastUser": { "name": "", "id": "" } }
The Sample - Sophos Central - 4.2.0
playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOARTM after importing the Sophos Central connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from Sophos Central. Currently, alerts ingested from Sophos Central is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Sophos Central alerts to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Sophos Central into FortiSOAR™. It also lets you pull some sample data from Sophos Central using which you can define the mapping of data between Sophos Central and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Sophos Central alerts.
To begin configuring data ingestion, click Configure Data Ingestion on the Sophos Central connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
Sample data is required to create a field mapping between Sophos Central data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch alerts from Sophos Central. You can specify the Pull alerts created in past X minutes. The fetched data is used to create a mapping between the Sophos Central data and FortiSOAR™ Alerts.
The fetched data is used to create a mapping between the alerts from Sophos Central and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested alerts Sophos Central to the fields of an Alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the Severity
parameter of an ingested alert from Sophos Central to the Alert Severity parameter of FortiSOAR™ Alerts, click the Severity field and then click the Alert Severity
field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Sophos Central, so that the content gets pulled from the Sophos Central integration into FortiSOAR™
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron
expression for the schedule. For example, if you want to pull data from Sophos Central every 5 minutes, click Every X Minute, and in the minute box enter */5
. This means that the alerts will be pulled from Sophos Central every 5 minutes:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
Sophos Central is a unified console for managing your Sophos products Sophos Central lets you administer protection for endpoints, mobile devices, encryption, web, email, servers, etc. This connector facilitates automated operations related to endpoints, email, etc.
This document provides information about the Sophos Central Connector, which facilitates automated interactions, with a Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central Connector as a step in FortiSOAR™ playbooks and perform automated operations with Sophos Central.
Connector Version: 4.2.0
FortiSOAR™ Version Tested on: 7.4.1-3167
Sophos Central API Version Tested on: v1.0.0
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Sophos Central Connector in version 4.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-sophos-central
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the Sophos Central server to connect and perform automated operations. |
Client ID | Specify the Client ID used to access the Sophos Central server to connect and perform automated operations. |
Client Secret | Specify the Secret code used to access the Sophos Central server to connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get Alert List | Retrieves a list of all the alerts or specific alerts from Sophos Central based on the filter criteria that you have specified. | list_alerts Investigation |
Get Alert by ID | Retrieves details of a specific alert from Sophos Central based on the alert ID you have specified. | get_alerts Investigation |
Perform Alert Action | Performs an action such as Clean Virus, Clear Threat, etc on a specific alert in Sophos Central based on the alert ID and action you have specified. | alerts_action Investigation |
Search Alerts | Searches for alerts from Sophos Central based on the filter criteria that you have specified. | search_alerts Investigation |
Get Endpoints | Retrieves a list of all the endpoints or specific endpoints for a specific tenant from Sophos Central based on the filter criteria that you have specified. | list_endpoints Investigation |
Get Endpoint by ID | Retrieves details of a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoints Investigation |
Delete Endpoint | Deletes a specified endpoint from Sophos Central based on the endpoint ID you have specified. | delete_endpoints Investigation |
Scan Endpoint | Sends a request to the specified endpoint in Sophos Central to perform or configure a scan based on the endpoint ID you have specified. | scan_endpoints Investigation |
Get Endpoint Isolations | Retrieves isolation settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoints_isolation Investigation |
Isolate Endpoint | Updates the isolation settings for a specific endpoint to 'Isolate' in Sophos Central based on the endpoint ID you have specified. | isolate_endpoints Investigation |
Unisolate Endpoint | Updates the isolation settings for a specific endpoint to 'Unisolate' in Sophos Central based on the endpoint ID you have specified. | unisolate_endpoints Investigation |
Get Endpoint Tamper Protection | Retrieves the tamper protection settings for a specific endpoint from Sophos Central based on the endpoint ID you have specified. | get_endpoint_tamper_protection Investigation |
Update Endpoint Tamper Protection | Turns Tamper Protection on or off on an endpoint, or generates a new tamper protection password based on the endpoint ID you have specified. Note: Tamper Protection can be turned on for an endpoint only if it has also been turned on globally. | update_endpoint_tamper_protection Investigation |
Create Allowed Item | Creates an allowed item in Sophos Central based on the file name, type, and other input parameters you have specified. | create_allowed_items Investigation |
Get Allowed Items | Retrieves a list of allowed items from Sophos Central. | list_allowed_items Investigation |
Get Allowed Item by ID | Retrieves details of a specific allowed item from Sophos Central based on the allowed item ID you have specified. | get_allowed_items Investigation |
Update Allowed Item | Updates an allowed item in Sophos Central based on the allowed item ID you have specified. | update_allowed_items Investigation |
Delete Allowed Item | Deletes an allowed item in Sophos Central based on the allowed item ID you have specified. | delete_allowed_items Investigation |
Create Blocked Item | Creates a blocked item in Sophos Central based on the file name, type, and other input parameters you have specified. | create_blocked_items Investigation |
Get Blocked Items | Retrieves a list of blocked items from Sophos Central. | list_blocked_items Investigation |
Get Blocked Item by ID | Retrieves details of a specific blocked item from Sophos Central based on the blocked item ID you have specified. | get_blocked_items Investigation |
Delete Blocked Item | Deletes a blocked item in Sophos Central based on the blocked item ID you have specified. | delete_blocked_items Investigation |
Create Exclusion Scanning | Adds a new scanning exclusion in Sophos Central based on the scanning exclusion value, scanning exclusion type, and other input parameters you have specified. | create_exclusion_scanning Investigation |
Get Exclusion Scanning | Retrieves all scanning exclusions from Sophos Central based on the scanning exclusion type and other input parameters you have specified. | list_exclusion_scanning Investigation |
Get Exclusion Scanning by ID | Retrieves details for a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. | get_exclusion_scanning Investigation |
Update Exclusion Scanning | Updates an existing scanning exclusion in Sophos Central based on the scanning exclusion ID, scanning exclusion type, and other input parameters you have specified. | update_exclusion_scanning Investigation |
Delete Exclusion Scanning | Deletes a scanning exclusion from Sophos Central based on the scanning exclusion ID you have specified. | delete_exclusion_scanning Investigation |
Create Exploit Mitigation Application | Adds a new exploit mitigation application in Sophos Central based on the path list you have specified. | create_exploit_mitigation_application Investigation |
Get Exploit Mitigation Application | Retrieves Exploit Mitigation settings for all protected applications from Sophos Central. | list_exploit_mitigation_application Investigation |
Get Exploit Mitigation by ID | Retrieves Exploit Mitigation settings for an application based on the exploit mitigation application ID you have specified. | get_exploit_mitigation_application Investigation |
Update Exploit Mitigation Application | Updates an Exploit Mitigation settings for an application in Sophos Central based on the path list you have specified. | update_exploit_mitigation_application Investigation |
Delete Exploit Mitigation | Deletes a custom (user-defined) Exploit Mitigation application from Sophos Central based on the exploit mitigation application ID you have specified. Note: You can only delete custom applications. A request to delete a system-detected application fails with a 409 Conflict message. | delete_exploit_mitigation_application Investigation |
Get Detected Exploits | Retrieves detected exploits and the number of each detected exploit from Sophos Central. | list_detected_exploits Investigation |
Get Specific Detected Exploit | Retrieves details of a specific detected exploit from Sophos Central based on the detected exploit ID you have specified. | get_detected_exploits Investigation |
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts retrieved from Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are retrieved from Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts retrieved from Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts retrieved from Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to retrieve from Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | Specify the maximum number of results, per page, that this operation should return. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "allowedActions": [], "category": "", "description": "", "groupKey": "", "managedAgent": { "id": "", "type": "" }, "person": { "id": "" }, "product": "", "raisedAt": "", "severity": "", "tenant": { "id": "", "name": "" }, "type": "" } ], "pages": { "nextKey": "", "total": "", "items": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "allowedActions": [], "category": "", "description": "", "groupKey": "", "managedAgent": { "id": "", "type": "" }, "person": { "id": "" }, "product": "", "raisedAt": "", "severity": "", "tenant": { "id": "", "name": "" }, "type": "" }
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert on which you want to perform the specific action in Sophos Central. |
Alert Action | Select the action that you want to perform on the specific alert. You can choose between actions such as Acknowledge, Clear Threat, Send Msg Pua, etc. NOTE: You can perform only the actions which are allowed on the alert. |
Message | (Optional) Specify the message to be added while performing the specific action on the specified alert. |
The output contains the following populated JSON schema:
{ "id": "", "alertId": "", "action": "", "status": "", "requestedAt": "", "startedAt": "", "completedAt": "", "result": "" }
Parameter | Description |
---|---|
Group Key | Specify the group key of the alerts using which you can filter the alerts searched in Sophos Central. |
From Alert Time | Specify the starting DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised on or after the specified time. |
To Alert Time | Specify the ending DateTime using which you can filter alerts that are searched in Sophos Central to only those alerts that are raised before the specified time. |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort alerts that are searched in Sophos Central. For example, "attribute:asc/desc" |
Product | Select the product types of the alerts using which you can filter the alerts searched in Sophos Central. |
Category | Select the category of the alerts using which you can filter the alerts searched in Sophos Central. |
Severity | Select the severity of the alerts using which you can filter the alerts searched in Sophos Central. |
ID List | Specify a comma-separated list of alert IDs that you want to search for in Sophos Central. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | Specify the maximum number of results, per page, that this operation should return. |
Page From | Specify the key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "allowedActions": [], "category": "", "description": "", "groupKey": "", "managedAgent": { "id": "", "type": "" }, "person": { "id": "" }, "product": "", "raisedAt": "", "severity": "", "tenant": { "id": "", "name": "" }, "type": "" } ], "pages": { "nextKey": "", "total": "", "items": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Last Seen After | Specify the starting DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen after the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Last Seen Before | Specify the ending DateTime using which you can filter endpoints retrieved from Sophos Central to include only those endpoints that were last seen before the specified date and time (UTC) or a duration relative to the current date and time (inclusive). |
Sort Parameter | Specify a comma-separated list of parameters using which you want to sort endpoints that are retrieved from Sophos Central. For example, "attribute:asc/desc" |
Health Status | Select the health status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Type | Select the types of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
Tamper Protection Enabled | Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints whose Tamper Protection is turned on and vice-versa. |
Lockdown Status | Select the lockdown status of the endpoints using which you can filter the endpoints retrieved from Sophos Central. |
ID List | Specify a comma-separated list of endpoints IDs that you want to retrieve from Sophos Central. |
Isolation Status | Select true if you want to filter endpoints retrieved from Sophos Central to only those endpoints that are isolated and vice-versa. |
Hostname Contains | Specify a string that is contained in the hostname that is associated with endpoints you want to retrieve from Sophos Central. |
Associated Person Contains | Specify a string that is contained in the name of the person who is associated with endpoints you want to retrieve from Sophos Central. |
Group Name Contains | Specify a string that is contained in the name of the group that is associated with endpoints you want to retrieve from Sophos Central. |
Search Field | Select the search fields using which you want to search for the specified search term (keyword) that is associated with endpoints you want to retrieve from Sophos Central. By default, this is set to all applicable fields. |
Search Keyword | Specify keywords (term) to search for and retrieve endpoints from Sophos Central based on the search fields specified in the Search Field parameter. |
IP Address List | Specify a comma-separated list of IP addresses that are associated with endpoints you want to retrieve from Sophos Central. |
Cloud | Specify a comma-separated list of cloud instances that are associated with endpoints you want to retrieve from Sophos Central. To specify cloud instances, you must use URL encoding. |
Fields in Response | Specify a comma-separated list of fields that you want to include in this action's response. |
Page Size | Specify the maximum number of results, per page, that this operation should return. |
Page From | Specify the key of the item from where to fetch a page. |
Total Page | Select this option to calculate and return the number of pages in this action's response. |
Response View | Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains the following populated JSON schema:
{ "pages": { "size": "", "maxSize": "" }, "result": [ { "id": "", "type": "", "tenant": { "id": "" }, "hostname": "", "health": { "overall": "", "threats": { "status": "" }, "services": { "status": "", "serviceDetails": [ { "name": "", "status": "" } ] } }, "os": { "isServer": "", "platform": "", "name": "", "majorVersion": "", "minorVersion": "", "build": "" }, "ipv4Addresses": [], "macAddresses": [], "associatedPerson": { "name": "", "viaLogin": "", "id": "" }, "tamperProtectionEnabled": "", "assignedProducts": [ { "code": "", "version": "", "status": "" } ], "lastSeenAt": "", "encryption": { "volumes": [ { "volumeId": "", "status": "" } ] }, "isolation": { "status": "", "adminIsolated": "", "selfIsolated": "" } } ] }
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint whose details you want to retrieve from Sophos Central. |
Fields in Response | (Optional) Specify a comma-separated list of fields that you want to include in this action's response. |
Response View | (Optional) Select the type of view to be returned in this action's response. You can choose between Basic, Summary, or Full. |
The output contains the following populated JSON schema:
{ "id": "", "type": "", "tenant": { "id": "" }, "hostname": "", "health": { "overall": "", "threats": { "status": "" }, "services": { "status": "", "serviceDetails": [ { "name": "", "status": "" } ] } }, "os": { "isServer": "", "platform": "", "name": "", "majorVersion": "", "minorVersion": "", "build": "" }, "ipv4Addresses": [], "macAddresses": [], "associatedPerson": { "name": "", "viaLogin": "" }, "tamperProtectionEnabled": "", "assignedProducts": [ { "code": "", "version": "", "status": "" } ], "lastSeenAt": "", "encryption": { "volumes": [ { "volumeId": "", "status": "" } ] } }
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the ID of the endpoint on which you want to perform or configure a scan in Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "status": "", "requestedAt": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "enabled": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Isolate' in Sophos Central. |
Comments | (Optional) Specify the reason for isolating the specified endpoint. |
The output contains the following populated JSON schema:
{ "enabled": "", "lastEnabledBy": { "id": "" }, "comment": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose isolation settings you want to update to 'Unisolate' in Sophos Central. |
Comments | (Optional) Specify the reason for unisolating the specified endpoint. |
The output contains the following populated JSON schema:
{ "enabled": "", "lastDisabledBy": { "id": "" }, "comment": "" }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "enabled": "", "password": "", "previousPasswords": [ { "password": "", "invalidatedAt": "" } ] }
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose tamper protection settings you want to update in Sophos Central. |
Enabled | Select true if you want to turn on tamper protection for the specified endpoints in Sophos Central and vice-versa. |
Regenerate Password | Select true if you want to generate a new password for tamper protection for the specified endpoints in Sophos Central. |
The output contains the following populated JSON schema:
{ "enabled": "", "password": "", "previousPasswords": [ { "password": "", "invalidatedAt": "" } ] }
Parameter | Description |
---|---|
File Name | Specify the filename of the allowed item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is allowed in Sophos Central. You can choose from following options:
|
Comment | Specify a reason for allowing the item. |
Origin Person ID | (Optional) Specify the ID of the person associated with the endpoint where the item to be allowed was last seen. |
Origin Endpoint ID | (Optional) Specify the ID of the endpoint where the item to be allowed was last seen. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the allowed items. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to update in Sophos Central. |
Comment | Specify the reason for allowing the item. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "updatedAt": "", "properties": { "path": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Allowed Item ID | Specify the ID of the allowed item that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
File Name | Specify the filename of the blocked item that you want to create in Sophos Central. |
Type | Specify the type of property using which this item is blocked in Sophos Central. If you choose Sha256, then in the Sha256 field specify the Sha256 value of the blocked application. |
Comment | Specify a comment indicating why the item should be blocked. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "properties": { "sha256": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Page | Specify the page number, starting with 1, from which you want to fetch the blocked items. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "createdAt": "", "properties": { "sha256": "" }, "comment": "", "type": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "createdAt": "", "properties": { "sha256": "" }, "comment": "", "type": "" }
Parameter | Description |
---|---|
Blocked Item ID | Specify the ID of the blocked item that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Exclusion Value | Specify the value of the exclusion scan that you want to create in Sophos Central. |
Type | Select the exclusion scanning type that you want to create in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: onDemandAndOnAccess for exclusions of type path, posixPath, and virtualPath onAccess for process, web , pua , and amsi . Behavioral and Detected Exploits (exploitMitigation ) type exclusions do not support a scan mode. |
Comment | (Optional) Specify the reason for creating the exclusion scan. |
The output contains the following populated JSON schema:
{ "id": "", "value": "", "type": "", "scanMode": "" }
Parameter | Description |
---|---|
Type | Select the exclusion scanning type that you want to retrieve from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the exclusion scans. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "value": "", "type": "", "scanMode": "", "comment": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "value": "", "type": "", "scanMode": "", "comment": "" }
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to create in Sophos Central. |
Exclusion Value | Specify the ID of the exclusion scan that you want to create in Sophos Central. |
Scan Mode | Select the mode of the exclusion scan. The default value of scan mode is as follows: "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath "onAccess" for process, web, pua, and amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
Comment | (Optional) Specify the reason for updating the exclusion scan. |
The output contains the following populated JSON schema:
{ "id": "", "value": "", "type": "", "scanMode": "", "comment": "" }
Parameter | Description |
---|---|
Exclusion ID | Specify the ID of the exclusion scan that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Path List | Specify a comma-separated list of paths for which you want to add the exploit mitigation application in Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "name": "", "paths": [], "category": "", "type": "" }
Parameter | Description |
---|---|
Type | Select the exploit mitigation application type that you want to retrieve from Sophos Central. You can choose between Custom or Detected. |
Modified | Select true if you want to retrieve only customized exploit mitigation applications from Sophos Central and vice-versa. |
Page | Specify the page number, starting with 1, from which you want to fetch the exploit mitigation applications. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [ { "id": "", "name": "", "paths": [], "category": "", "type": "" } ], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "name": "", "paths": [], "category": "", "type": "" }
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application that you want to update in Sophos Central. |
Path List | Specify a comma-separated list of paths for which you want to update the exploit mitigation applications in Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "name": "", "paths": [], "category": "", "type": "" }
Parameter | Description |
---|---|
Exploit Mitigation application ID | Specify the ID of the exploit mitigation application that you want to delete from Sophos Central. |
The output contains the following populated JSON schema:
{ "deleted": "" }
Parameter | Description |
---|---|
Thumb Print Not IN | Specify a comma-separated list of thumbprints based on which you want to retrieve detected exploits from Sophos Central. |
Page | Specify the page number, starting with 1, from which you want to fetch the detected exploits. |
Page Size | Specify the maximum number of results, per page, that this action should return. |
Page Total | Select this option to calculate and return the number of pages in this action's response. |
The output contains the following populated JSON schema:
{ "result": [], "pages": { "current": "", "size": "", "maxSize": "" } }
Parameter | Description |
---|---|
Detected Exploit ID | Specify the ID of the detected exploit whose details you want to retrieve from Sophos Central. |
The output contains the following populated JSON schema:
{ "id": "", "count": "", "description": "", "firstSeenAt": "", "lastSeenAt": "", "thumbprint": "", "lastEndpoint": { "hostname": "", "id": "" }, "lastUser": { "name": "", "id": "" } }
The Sample - Sophos Central - 4.2.0
playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOARTM after importing the Sophos Central connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from Sophos Central. Currently, alerts ingested from Sophos Central is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Sophos Central alerts to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Sophos Central into FortiSOAR™. It also lets you pull some sample data from Sophos Central using which you can define the mapping of data between Sophos Central and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Sophos Central alerts.
To begin configuring data ingestion, click Configure Data Ingestion on the Sophos Central connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
Sample data is required to create a field mapping between Sophos Central data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch alerts from Sophos Central. You can specify the Pull alerts created in past X minutes. The fetched data is used to create a mapping between the Sophos Central data and FortiSOAR™ Alerts.
The fetched data is used to create a mapping between the alerts from Sophos Central and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested alerts Sophos Central to the fields of an Alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the Severity
parameter of an ingested alert from Sophos Central to the Alert Severity parameter of FortiSOAR™ Alerts, click the Severity field and then click the Alert Severity
field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Sophos Central, so that the content gets pulled from the Sophos Central integration into FortiSOAR™
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron
expression for the schedule. For example, if you want to pull data from Sophos Central every 5 minutes, click Every X Minute, and in the minute box enter */5
. This means that the alerts will be pulled from Sophos Central every 5 minutes:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.