Sophos Central V3

Version: 3.3
Updated: Mar 4, 2024

Utilize Sophos Central enrichment data during incident investigations.

Actions

Get Alerts (Enrichment) - Gather Sophos Central alerts.
Get Alerts Sophos Daemon (Daemon) - Get Sophos Central alerts on a time interval.
Get Endpoints (Enrichment) - Gather all endpoints.
Isolate an Endpoint (Containment) - Isolate a single endpoint.
Isolate Endpoints (Containment) - Isolate multiple endpoints.

The following steps show how to create new API credentials to work with Cloud SOAR.

Log in to the Sophos Central Partner platform.
On the left click on Settings & Policies and then click the API credentials.
Click on Add Credential.
Enter Credential name (required) and the description if you want.
Click the Copy button on the Client ID and paste it temporally in a text editor.
Click Show Client Secret.
Now you can copy the key as shown.

Access integrations in the Automation Service or Cloud SOAR.
After the list of the integrations appears, search/look for the integration and click on the row.
The integration details will appear. Click on the "+" button to add new Resource.
Populate all the required fields (*) and then click SAVE.
- Label. The name of the resource.
- URL. https://api.central.sophos.com.
- Client ID and Client Secret taken earlier from Sophos.
To make sure the resource is working, hover over the resource and then click the pencil icon that appears on the right.
Click TEST SAVED SETTINGS.
You should receive a successful notification in the bottom right corner.

December 28, 2021 - First upload
January 24, 2022 - New actions added
July 11, 2023 (v3.2)
- Updated the integration with Environmental Variables
- Integration renamed from Sophos Central 3.0 to Sophos Central V3
March 4, 2024 (v3.3) - Updated code for compatibility with Python 3.12