Sophos Central

Integration with Sophos Central endpoint protection product

Triggers

Sophos SIEM Alerts

Collect SIEM alerts from Sophos Central.

Input

Name Description Type Required Syntax
Client ID Client ID that was provided by Sophos Central when creating the API user. input True True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input True True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to use by default when Sophos Central is in multi-tenant mode. input False True

Sophos SIEM Events

Collect SIEM events from Sophos Central.

Input

Name Description Type Required Syntax
Client ID Client ID that was provided by Sophos Central when creating the API user. input True True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input True True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to use by default when Sophos Central is in multi-tenant mode. input False True

Actions

Sophos Central Connect

Create a connection handler for Sophos Central that can be used with other Sophos Central actions in a flow.

Input

Name Description Type Required Syntax
Client ID Client ID that was provided by Sophos Central when creating the API user. input True True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input True True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to use by default when Sophos Central is in multi-tenant mode. input False True

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Connection successful and handler created."}}
rc Returns the exit code for the action. number True {"200": {"description": "Connection successful and handler created."}}
sophos_connection_id Returns the index of the connection handler that can be referred to when using multi-connections. number True {}

Sophos Central Set Tenant

Change the tenant used by the current Sophos Central connection in a multi-tenant Sophos deployment.

Input

Name Description Type Required Syntax
Local Object Authentication When checked, the API details are defined directly on the action without needing a Sophos Central Connect object. group-checkbox False False
Connection ID Existing connection ID returned by the Sophos Central Connect object. input False True
Client ID Client ID that was provided by Sophos Central when creating the API user. input False True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input False True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to change to when Sophos Central is in multi-tenant mode. input True True

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Successfully changed tenant."}, "False": {"description": "Unable to change tenant; check that the tenant ID provided is correct."}}
rc Returns the exit code for the action. number True {"0": {"description": "Successfully changed tenant."}, "403": {"description": "Unable to change tenant; check that the tenant ID provided is correct."}}

Sophos Central List Tenants

Returns a list of tenants for a given organization when Sophos Central is deployed in multi-tenant mode.

Input

Name Description Type Required Syntax
Local Object Authentication When checked, the API details are defined directly on the action without needing a Sophos Central Connect object. group-checkbox False False
Connection ID Existing connection ID returned by the Sophos Central Connect object. input False True
Client ID Client ID that was provided by Sophos Central when creating the API user. input False True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input False True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to change to when Sophos Central is in multi-tenant mode. input False True

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Successful."}}
rc Returns the exit code for the action. number True {"0": {"description": "Successful."}}
tenants List of tenants. list True {}

Sophos Central Get Endpoints

Returns a list of Sophos Central endpoints; optionally, a filter can be provided to restrict the list of returned endpoints.

Input

Name Description Type Required Syntax
Local Object Authentication When checked, the API details are defined directly on the action without needing a Sophos Central Connect object. group-checkbox False False
Connection ID Existing connection ID returned by the Sophos Central Connect object. input False True
Client ID Client ID that was provided by Sophos Central when creating the API user. input False True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input False True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to change to when Sophos Central is in multi-tenant mode. input False True
Filters Key/Value filters to apply to the GET endpoints API. json-input False True

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Successful."}}
rc Returns the exit code for the action. number True {"0": {"description": "Successful."}}
endpoints List of endpoints. list True {}

Sophos Central Get Endpoint

Gets data about a single endpoint as defined by the endpoint ID.

Input

Name Description Type Required Syntax
Local Object Authentication When checked, the API details are defined directly on the action without needing a Sophos Central Connect object. group-checkbox False False
Connection ID Existing connection ID returned by the Sophos Central Connect object. input False True
Client ID Client ID that was provided by Sophos Central when creating the API user. input False True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input False True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to change to when Sophos Central is in multi-tenant mode. input False True
Endpoint ID The ID of the endpoint you wish to get details of. input True True
Data View The type / amount of endpoint data to return. dropdown True True

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Successful."}}
rc Returns the exit code for the action. number True {"0": {"description": "Successful."}}
endpoint Endpoint data for the defined endpoint. json True {}

Sophos Central Get Alerts

Returns alerts after the defined start time.

Input

Name Description Type Required Syntax
Local Object Authentication When checked, the API details are defined directly on the action without needing a Sophos Central Connect object. group-checkbox False False
Connection ID Existing connection ID returned by the Sophos Central Connect object. input False True
Client ID Client ID that was provided by Sophos Central when creating the API user. input False True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input False True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to change to when Sophos Central is in multi-tenant mode. input False True
Products Comma-separated list of products used to filter the returned alerts. input False True
Category Comma-separated list of categories used to filter the returned alerts. input False True
Severity Comma-separated list of severities used to filter the returned alerts. input False True
Start Time An epoch start time; only alerts newer than this time are returned. input True False

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Successful."}, "False": {"description": "Start time is not defined or is not a number."}}
rc Returns the exit code for the action. number True {"0": {"description": "Successful."}, "1": {"description": "Start time is not defined or is not a number."}}
alerts List of alerts. list True {}

Sophos Central Custom Request

Send an API request to a Sophos Central API endpoint that is not covered by the other action objects. The HTTP method and URI are sent as given, so treat these two inputs as trusted flow configuration rather than values taken from the data being processed.

Input

Name Description Type Required Syntax
Local Object Authentication When checked, the API details are defined directly on the action without needing a Sophos Central Connect object. group-checkbox False False
Connection ID Existing connection ID returned by the Sophos Central Connect object. input False True
Client ID Client ID that was provided by Sophos Central when creating the API user. input False True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input False True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to change to when Sophos Central is in multi-tenant mode. input False True
API Endpoint API endpoint URI relative to the Sophos Central API, e.g. endpoint/v1/endpoints? input True True
HTTP Method The HTTP method to use e.g. HEAD, GET, PUT, POST, DELETE. dropdown True True
Data Body data to include with the request. json-input False True

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Successful."}}
rc Returns the exit code for the action. number True {"0": {"description": "Successful."}}
status_code HTTP status code returned by the API. number True {}
response HTTP response body returned by the API. text True {}
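The following is an added example, not the integration's own code, showing how the inputs of the Sophos Central Connect, Set Tenant, Get Alerts and Custom Request actions above map onto calls against the Sophos Central API: a client-credentials token, the Organization ID / Tenant ID headers, the comma-separated alert filters with the rc 1 check on Start Time, and a validation of the relative API Endpoint URI so a flow variable cannot redirect a Custom Request to another host or path. The token URL, global host, header names and API paths are taken from the public Sophos Central API and are assumptions as far as this page is concerned; the HTTP transport is injected, and `fake_send` returns constructed responses so the logic runs offline.

```python
"""Added example: page actions mapped onto Sophos Central API requests.
Hosts, header names and paths are assumptions (public Sophos Central API);
`send(method, url, headers, body)` is the transport, injected so this runs offline."""
import re
from datetime import datetime
from urllib.parse import urlencode

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"     # assumed
GLOBAL_API = "https://api.central.sophos.com"               # assumed
ALLOWED_METHODS = {"HEAD", "GET", "PUT", "POST", "DELETE"}  # the page's dropdown values
# Custom Request takes a relative URI such as "endpoint/v1/endpoints?...". A scheme,
# a leading slash, "//" or ".." could point the request at another host or path.
RELATIVE_URI = re.compile(r"(?!/)(?!.*//)(?!.*\.\.)[A-Za-z0-9._~/-]+(\?[A-Za-z0-9._~%&=,+:-]*)?")


def is_safe_endpoint(uri):
    return RELATIVE_URI.fullmatch(uri) is not None


def iso_to_epoch(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


class SophosCentral:
    """Connection handler: bearer token plus the Organization/Tenant context."""

    def __init__(self, client_id, client_secret, send, organization_id=None, tenant_id=None):
        self.send = send
        tok = send("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"},
                   urlencode({"grant_type": "client_credentials", "client_id": client_id,
                              "client_secret": client_secret, "scope": "token"}))
        self.token = tok["body"]["access_token"]
        who = send("GET", f"{GLOBAL_API}/whoami/v1",
                   {"Authorization": f"Bearer {self.token}"}, None)["body"]
        self.organization_id, self.tenant_id, self.api_host = organization_id, None, None
        if who["idType"] == "tenant":                 # single-tenant credential
            self.tenant_id, self.api_host = who["id"], who["apiHosts"]["dataRegion"]
        elif organization_id is None:                 # page: Organization ID required
            raise ValueError("Organization ID is required in multi-tenant mode")
        elif tenant_id and self.set_tenant(tenant_id)["rc"] != 0:
            raise ValueError(f"default tenant {tenant_id} not found in organization")

    def _headers(self, org_scope=False):
        h = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        if org_scope:
            h["X-Organization-ID"] = self.organization_id
        elif self.tenant_id:
            h["X-Tenant-ID"] = self.tenant_id
        else:
            raise ValueError("no tenant selected; call set_tenant() first")
        return h

    def list_tenants(self):
        r = self.send("GET", f"{GLOBAL_API}/organization/v1/tenants?pageTotal=true",
                      self._headers(org_scope=True), None)
        return r["body"]["items"]

    def set_tenant(self, tenant_id):
        """Page semantics: result False / rc 403 when the tenant is not in the organization."""
        for t in self.list_tenants():
            if t["id"] == tenant_id:
                self.tenant_id, self.api_host = tenant_id, t["apiHost"]  # tenant's data region
                return {"result": True, "rc": 0}
        return {"result": False, "rc": 403}

    def get_alerts(self, start_time, products=None, category=None, severity=None):
        """Page semantics: rc 1 when Start Time is missing or not a number."""
        try:
            start = float(start_time)
        except (TypeError, ValueError):
            return {"result": False, "rc": 1, "alerts": []}
        params = {k: v for k, v in (("product", products), ("category", category),
                                    ("severity", severity)) if v}
        url = f"{self.api_host}/common/v1/alerts" + (f"?{urlencode(params, safe=',')}" if params else "")
        items = self.send("GET", url, self._headers(), None)["body"]["items"]
        return {"result": True, "rc": 0,
                "alerts": [a for a in items if iso_to_epoch(a["raisedAt"]) > start]}

    def custom_request(self, api_endpoint, http_method, data=None):
        method = http_method.upper()
        if method not in ALLOWED_METHODS:
            raise ValueError(f"HTTP method not permitted: {http_method}")
        if not is_safe_endpoint(api_endpoint):
            raise ValueError(f"API Endpoint must be a relative path: {api_endpoint!r}")
        r = self.send(method, f"{self.api_host}/{api_endpoint}", self._headers(), data)
        return {"result": True, "rc": 0, "status_code": r["status"], "response": r["body"]}


def fake_send(method, url, headers, body):
    """Constructed stand-in for the Sophos Central API; these are not real responses."""
    if url == TOKEN_URL:
        return {"status": 200, "body": {"access_token": "tok-123", "token_type": "bearer"}}
    if url.endswith("/whoami/v1"):
        return {"status": 200, "body": {"id": "org-1", "idType": "organization",
                                        "apiHosts": {"global": GLOBAL_API}}}
    if "/organization/v1/tenants" in url and headers.get("X-Organization-ID") == "org-1":
        return {"status": 200, "body": {"items": [
            {"id": "ten-A", "apiHost": "https://api-eu01.central.sophos.com"}]}}
    if "/common/v1/alerts" in url:
        return {"status": 200, "body": {"items": [
            {"id": "a1", "raisedAt": "2024-05-01T10:00:00Z", "severity": "high"},
            {"id": "a2", "raisedAt": "2024-04-01T10:00:00Z", "severity": "low"}]}}
    return {"status": 200, "body": {"method": method, "url": url, "tenant": headers.get("X-Tenant-ID")}}


if __name__ == "__main__":
    conn = SophosCentral("client-id", "client-secret", fake_send, organization_id="org-1", tenant_id="ten-A")
    print(conn.get_alerts(1714521600, severity="high,medium"))      # 2024-05-01T00:00:00Z
    print(conn.custom_request("endpoint/v1/endpoints?pageSize=50", "GET"))
```

Swapping `fake_send` for a real transport (for example a wrapper around `requests.request`) is the only change needed to run this against a tenant; keep the client secret in the platform's password-input store rather than in flow variables, and keep the endpoint validation even when the URI comes from a trusted input, since the action otherwise forwards whatever method and path it is given.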

Get all the endpoint installer links for a tenant.

Input

Name Description Type Required Syntax
Local Object Authentication When checked, the API details are defined directly on the action without needing a Sophos Central Connect object. group-checkbox False False
Connection ID Existing connection ID returned by the Sophos Central Connect object. input False True
Client ID Client ID that was provided by Sophos Central when creating the API user. input False True
Client Secret Client secret that was provided by Sophos Central when creating the API user. password-input False True
Organization ID Organization ID required when Sophos Central is in multi-tenant mode. input False True
Tenant ID Tenant to change to when Sophos Central is in multi-tenant mode. input False True
Products Comma-separated list of products used to filter the returned installer links. input False True
Platforms Comma-separated list of platforms used to filter the returned installer links. input False True

Output

Name Description Type always_present values
result Returns True when successful. boolean True {"True": {"description": "Successful."}}
rc Returns the exit code for the action. number True {"0": {"description": "Successful."}}
response API response data. json True {}