Sophos Central
Integration with Sophos Central endpoint protection product
Triggers
Sophos SIEM Alerts
Collect SIEM alerts from Sophos Central.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | True | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | True | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to use by default when Sophos Central is in multi-tenant mode. | input | False | True |
Sophos SIEM Events
Collect SIEM events from Sophos Central.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | True | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | True | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to use by default when Sophos Central is in multi-tenant mode. | input | False | True |
Actions
Sophos Central Connect
Create a connection handler for Sophos Central that can be used with other Sophos Central actions in a flow.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | True | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | True | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to use by default when Sophos Central is in multi-tenant mode. | input | False | True |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Connection successful and handler created."}} |
rc | Returns the exit code for the action. | number | True | {"200": {"description": "Connection successful and handler created."}} |
sophos_connection_id | Returns the index of the connection handler, which can be referenced when using multiple connections. | number | True | {} |
Sophos Central Set Tenant
Change the tenant used by the current Sophos Central connection in a multi-tenant Sophos deployment.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Local Object Authentication | When checked, the API details can be defined directly on the action without needing a Sophos Central Connect object. | group-checkbox | False | False |
Connection ID | Existing connection ID returned by the Sophos Central Connect object. | input | False | True |
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | False | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | False | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to change to when Sophos Central is in multi-tenant mode. | input | True | True |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successfully changed tenant."}, "False": {"description": "Unable to change tenant; check that the tenant ID provided is correct."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successfully changed tenant."}, "403": {"description": "Unable to change tenant; check that the tenant ID provided is correct."}} |
Sophos Central List Tenants
Returns a list of tenants for a given organization when Sophos Central is deployed in multi-tenant mode.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Local Object Authentication | When checked, the API details can be defined directly on the action without needing a Sophos Central Connect object. | group-checkbox | False | False |
Connection ID | Existing connection ID returned by the Sophos Central Connect object. | input | False | True |
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | False | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | False | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to change to when Sophos Central is in multi-tenant mode. | input | False | True |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
tenants | List of tenants. | list | True | {} |
Sophos Central Get Endpoints
Return a list of Sophos Central endpoints; optionally, a filter can be provided to restrict the list of returned endpoints.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Local Object Authentication | When checked, the API details can be defined directly on the action without needing a Sophos Central Connect object. | group-checkbox | False | False |
Connection ID | Existing connection ID returned by the Sophos Central Connect object. | input | False | True |
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | False | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | False | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to change to when Sophos Central is in multi-tenant mode. | input | False | True |
Filters | Key/Value filters to apply to the GET endpoints API. | json-input | False | True |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
endpoints | List of endpoints. | list | True | {} |
Sophos Central Get Endpoint
Gets data about a single endpoint as defined by the endpoint ID.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Local Object Authentication | When checked, the API details can be defined directly on the action without needing a Sophos Central Connect object. | group-checkbox | False | False |
Connection ID | Existing connection ID returned by the Sophos Central Connect object. | input | False | True |
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | False | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | False | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to change to when Sophos Central is in multi-tenant mode. | input | False | True |
Endpoint ID | The ID of the endpoint you wish to get details of. | input | True | True |
Data View | The type / amount of endpoint data to return. | dropdown | True | True |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
endpoint | Endpoint data for the defined endpoint. | json | True | {} |
Sophos Central Get Alerts
Returns alerts after the defined start time.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Local Object Authentication | When checked, the API details can be defined directly on the action without needing a Sophos Central Connect object. | group-checkbox | False | False |
Connection ID | Existing connection ID returned by the Sophos Central Connect object. | input | False | True |
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | False | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | False | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to change to when Sophos Central is in multi-tenant mode. | input | False | True |
Products | Comma-separated list of products used to filter the alerts. | input | False | True |
Category | Comma-separated list of categories used to filter the alerts. | input | False | True |
Severity | Comma-separated list of severities used to filter the alerts. | input | False | True |
Start Time | An epoch start time; only alerts newer than this time are returned. | input | True | False |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}, "False": {"description": "Start time is not defined or is not a number."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}, "1": {"description": "Start time is not defined or is not a number."}} |
alerts | List of alerts. | list | True | {} |
Sophos Central Custom Request
Send an API request to a Sophos Central API endpoint that is not covered by the other action objects.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Local Object Authentication | When checked, the API details can be defined directly on the action without needing a Sophos Central Connect object. | group-checkbox | False | False |
Connection ID | Existing connection ID returned by the Sophos Central Connect object. | input | False | True |
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | False | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | False | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to change to when Sophos Central is in multi-tenant mode. | input | False | True |
API Endpoint | API endpoint URI, e.g. endpoint/v1/endpoints? | input | True | True |
HTTP Method | The HTTP method to use e.g. HEAD, GET, PUT, POST, DELETE. | dropdown | True | True |
Data | Body data to include with the request. | json-input | False | True |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
status_code | HTTP status code returned by the API. | number | True | {} |
response | HTTP response body returned by the API. | text | True | {} |
Sophos Central Get Endpoint Software Links
Get all the endpoint installer links for a tenant.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
Local Object Authentication | When checked, the API details can be defined directly on the action without needing a Sophos Central Connect object. | group-checkbox | False | False |
Connection ID | Existing connection ID returned by the Sophos Central Connect object. | input | False | True |
Client ID | Client ID that was provided by Sophos Central when creating the API user. | input | False | True |
Client Secret | Client secret that was provided by Sophos Central when creating the API user. | password-input | False | True |
Organization ID | Organization ID required when Sophos Central is in multi-tenant mode. | input | False | True |
Tenant ID | Tenant to change to when Sophos Central is in multi-tenant mode. | input | False | True |
Products | Comma-separated list of products to filter by. | input | False | True |
Platforms | Comma-separated list of platforms to filter by. | input | False | True |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
response | API response data. | json | True | {} |