Sophos Integration Setup
Integrating Rewst with Sophos brings robust cybersecurity capabilities to your Rewst workflows, enhancing data protection and threat management. With the integration, Rewst users can leverage Sophos' advanced security solutions to strengthen their defense against cyber threats. This includes features such as malware detection, ransomware protection, network security, and endpoint protection. By integrating Sophos into Rewst, users can enhance their security posture, mitigate risks, and safeguard sensitive data. The integration empowers users to proactively manage their cybersecurity within the Rewst platform, ensuring a secure environment for their operations and protecting against evolving threats.
Setup
To set up the Sophos Integration, you'll need to do the following:
1. Navigate to the Global Settings of Sophos and locate the API Credentials Management section.
2. Click on the "Add Credential" button to initiate the process of adding a new credential.
3. Provide a name and description for the credential to identify and distinguish it from others.
4. Choose the role that will be assigned to this credential. The available roles to choose from can be viewed here.
5. Navigate to the integrations page in Rewst.
6. Click on the Sophos integration.
7. Fill out the integration form.
8. Submit the form.
We'll run a quick test to ensure that the credentials are valid and that we can successfully connect to the Sophos API.
Actions
Alerts
List Alerts
List alerts matching specified criteria
GET /common/v1/alerts
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Group Key | String (?) | Alert group key. You can filter by group key |
From | String (?) | You can find alerts that were raised on or after this time |
To | String (?) | You can find alerts that were raised before this time |
Sort | Array | Defines how to sort the data |
Product | Array | Alerts for a product. You can query by product types |
Category | Array | Alert category. You can query by different categories |
Severity | Array | Alerts for a specific severity level. You can query by severity levels |
Alerts | String (?) | List of IDs |
Fields | String (?) | The fields to return in a partial response |
Get Alert
Get details of a specific alert
GET /common/v1/alerts/{alertId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Alert* | Sophos Alert | None Provided |
Take Action On Alert
Take an action on a specific alert
POST /common/v1/alerts/{alertId}/actions
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Alert* | Sophos Alert | None Provided |
Action* | String (?) | Actions that you can perform on these alerts |
Message | String (?) | Message to send for the action |
Allowed Items
List Exemptions
Get all allowed items from settings
GET /endpoint/v1/settings/allowed-items
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Create Exemption
Exempt an item from conviction
POST /endpoint/v1/settings/allowed-items
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Type* | String (?) | Property by which an item is allowed |
Comment* | String (?) | Comment indicating why the item should be allowed |
Origin Person* | String (?) | Person associated with the endpoint where the item to be allowed was last seen |
Origin Endpoint | String (?) | Endpoint where the item to be allowed was last seen |
Get Exemption
Get an exemption by ID
GET /endpoint/v1/settings/allowed-items/{allowedItemId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Blocked Item* | Sophos Blocked Item | None Provided |
Update Exemption
Update an exemption
PATCH /endpoint/v1/settings/allowed-items/{allowedItemId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Blocked Item* | Sophos Blocked Item | None Provided |
Comment* | String (?) | Comment indicating why the item should be allowed |
Delete Exemption
Deletes the specified exemption
DELETE /endpoint/v1/settings/allowed-items/{allowedItemId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Blocked Item* | Sophos Blocked Item | None Provided |
Property
Key | Type | Description |
---|---|---|
File Name* | String (?) | File name |
Path* | String (?) | Path for the application |
Sha256* | String (?) | Sha256 value for the application |
Certificate Signer* | String (?) | Value saved for the certificateSigner |
Blocked Items
List Quarantined Items
Get all blocked items
GET /endpoint/v1/settings/blocked-items
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Add Item To Quarantine
Block an item from exoneration
POST /endpoint/v1/settings/blocked-items
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Type* | String (?) | Property by which an item is blocked |
Comment* | String (?) | Comment indicating why the item should be blocked |
Get Quarantined Item
Get a blocked item by ID
GET /endpoint/v1/settings/blocked-items/{blockedItemId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Blocked Item* | Sophos Blocked Item | None Provided |
Delete From Quarantine
Deletes the specified blocked item
DELETE /endpoint/v1/settings/blocked-items/{blockedItemId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Blocked Item* | Sophos Blocked Item | None Provided |
Property - Blocked Items
Key | Type | Description |
---|---|---|
File Name* | String (?) | File name |
Path* | String (?) | Path for the application |
Sha256* | String (?) | Sha256 value for the application |
Certificate Signer* | String (?) | Value saved for the certificateSigner |
Directory Management
List Users
List users in the directory
GET /common/v1/directory/users
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Sort | Array | Defines how to sort the data |
Fields | String (?) | The fields to return in a partial response |
IDs | String (?) | List of item IDs to match |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
Source Type | String | Source directory type |
User Group | Sophos User Group | None Provided |
Domain | String (?) | List the items that match the given domain |
Create User
Add a new user to the directory
POST /common/v1/directory/users
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Fields | String (?) | The fields to return in a partial response |
Name | String (?) | User's full name |
First Name | String (?) | None Provided |
Last Name | String (?) | None Provided |
Email | String (?) | User's email address |
Exchange Login | String (?) | User's Exchange login |
User Group | Array | Groups that the user should be added to |
Get User
Get a user by ID
GET /common/v1/directory/users/{userId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User* | Sophos User | None Provided |
Fields | String (?) | The fields to return in a partial response |
Delete User
Delete a user by ID
DELETE /common/v1/directory/users/{userId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User* | Sophos User | None Provided |
Update User
Update an existing user
PATCH /common/v1/directory/users/{userId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User* | Sophos User | None Provided |
Fields | String (?) | The fields to return in a partial response |
Name | String (?) | User's full name |
First Name | String (?) | None Provided |
Last Name | String (?) | None Provided |
Email | String (?) | User's email address |
Exchange Login | String (?) | User's Exchange login |
List User Groups
List user groups in the directory
GET /common/v1/directory/user-groups
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Sort | Array | Defines how to sort the data |
Fields | String (?) | The fields to return in a partial response |
IDs | String (?) | List of item IDs to match |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
Source Type | String | Source directory type |
User | Sophos User | None Provided |
Domain | String (?) | List the items that match the given domain |
Create User Group
Add a new group to the directory
POST /common/v1/directory/user-groups
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Fields | String (?) | The fields to return in a partial response |
Name | String (?) | Group name |
Description | String (?) | Group description |
Users | Array | Users in the group |
Get User Group
Get a user group by ID
GET /common/v1/directory/user-groups/{groupId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User Group* | Sophos User Group | None Provided |
Fields | String (?) | The fields to return in a partial response |
Delete User Group
Deletes the specified user group. The group must be empty.
DELETE /common/v1/directory/user-groups/{groupId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User Group* | Sophos User Group | None Provided |
Update User Group
Update a user group
PATCH /common/v1/directory/user-groups/{groupId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User Group* | Sophos User Group | None Provided |
Fields | String (?) | The fields to return in a partial response |
Name | String (?) | New group name |
Description | String (?) | Group description |
Get User Group Membership
List groups that a user belongs to
GET /common/v1/directory/users/{userId}/groups
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User* | Sophos User | None Provided |
Sort | Array | Defines how to sort the data |
Fields | String (?) | The fields to return in a partial response |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
Source Type | String | Source directory type |
Domain | String (?) | List the items that match the given domain |
Add User To Group(s)
Add a user to multiple groups
POST /common/v1/directory/users/{userId}/groups
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User* | Sophos User | None Provided |
IDs | String (?) | List of group IDs |
Remove User From Group(s)
Remove a user from multiple groups
DELETE /common/v1/directory/users/{userId}/groups
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User* | Sophos User | None Provided |
User Groups | String (?) | List of group IDs |
List Users In Group
List users in the specified group
GET /common/v1/directory/user-groups/{groupId}/users
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User Group* | Sophos User Group | None Provided |
Sort | Array | Defines how to sort the data |
Fields | String (?) | The fields to return in a partial response |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
Source Type | String | Source directory type |
Domain | String (?) | List the items that match the given domain |
Add User(s) To Group
Add multiple users to the specified group
POST /common/v1/directory/user-groups/{groupId}/users
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User Group* | Sophos User Group | None Provided |
Users | String (?) | List of user IDs |
Remove User(s) From Group
Remove multiple users from a group
DELETE /common/v1/directory/user-groups/{groupId}/users
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
User Group* | Sophos User Group | None Provided |
Users | String (?) | List of user IDs |
Downloads
List Endpoint Installer Links
Get all the endpoint installer links for a tenant
GET /endpoint/v1/downloads
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Requested Products | Array | Products to include in the installers. All values are given if you don't use filters |
Platforms | Array | Specify which platforms to include. All values are given if you don't use filters |
Endpoint Groups Management
List Endpoint Groups
Endpoint groups in the directory
GET /endpoint/v1/endpoint-groups
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Group Type | String | Endpoint group type |
Sort | Array | Defines how to sort the data |
Fields | String (?) | The fields to return in a partial response |
Endpoint Groups | String (?) | IDs to match |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
Endpoints | Array | Endpoints UUIDs |
Create Endpoint Group
Add a new endpoint group to the directory
POST /endpoint/v1/endpoint-groups
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Fields | String (?) | The fields to return in a partial response |
Name* | String (?) | Group name |
Description | String (?) | Group description |
Type* | String (?) | Endpoint group types |
Endpoints | Array | Endpoints UUIDs |
List Endpoint Groups By Type
Endpoint groups of your specified type in the directory
GET /endpoint/v1/endpoint-groups/types/{groupType}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Group Type* | String | Endpoint group type |
Sort | Array | Defines how to sort the data |
Fields | String (?) | The fields to return in a partial response |
IDs | String (?) | IDs to match |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
Endpoints | Array | Endpoints UUIDs |
Get Endpoint Group
Get endpoint group by ID
GET /endpoint/v1/endpoint-groups/{groupId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Groups* | Sophos Endpoint Group | None Provided |
Fields | String (?) | The fields to return in a partial response |
Delete Endpoint Group
Delete endpoint group
DELETE /endpoint/v1/endpoint-groups/{groupId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Groups* | Sophos Endpoint Group | None Provided |
Update Endpoint Group
Update endpoint group
PATCH /endpoint/v1/endpoint-groups/{groupId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Groups* | Sophos Endpoint Group | None Provided |
Fields | String (?) | The fields to return in a partial response |
Name | String (?) | New group name |
Description | String (?) | Group description |
List Endpoints In Group
Endpoints in your specified group
GET /endpoint/v1/endpoint-groups/{groupId}/endpoints
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Groups* | Sophos Endpoint Group | None Provided |
Sort | Array | Defines how to sort the data |
Fields | String (?) | The fields to return in a partial response |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
Add Endpoint(s) To Group
Add endpoints to your group
POST /endpoint/v1/endpoint-groups/{groupId}/endpoints
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Groups* | Sophos Endpoint Group | None Provided |
Endpoints | String (?) | List of endpoint IDs |
Remove From Group
Remove endpoints from a group
DELETE /endpoint/v1/endpoint-groups/{groupId}/endpoints
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Groups* | Sophos Endpoint Group | None Provided |
IDs | String (?) | Endpoint IDs |
Remove Single Endpoint From Group
Remove endpoint from a group
DELETE /endpoint/v1/endpoint-groups/{groupId}/endpoints/{endpointId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Groups* | Sophos Endpoint Group | None Provided |
Endpoint* | Sophos Endpoint | None Provided |
Endpoint Isolation
Configure Endpoint(s) Isolation Settings
Turn on or off endpoint isolation for multiple endpoints
POST /endpoint/v1/endpoints/isolation
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Enabled | String (?) | Whether isolation should be turned on for the endpoints |
Comment* | String (?) | Comment indicating why isolation is being turned on or off |
IDs | String (?) | List of endpoint IDs |
Get Endpoint's Isolation Settings
Get isolation settings for an endpoint
GET /endpoint/v1/endpoints/{endpointId}/isolation
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint* | Sophos Endpoint | None Provided |
Update Endpoint's Isolation Settings
Update isolation settings for an endpoint
PATCH /endpoint/v1/endpoints/{endpointId}/isolation
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint* | Sophos Endpoint | None Provided |
Enabled | String (?) | Whether isolation should be turned on for the endpoint |
Comment* | String (?) | Comment indicating why isolation is being turned on or off |
Endpoints
List Endpoints
Get all the endpoints for the specified tenant
GET /endpoint/v1/endpoints
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Sort | Array | Defines how to sort the data |
Health Status | Array | Find endpoints by health status |
Type | String (?) | Find endpoints by type |
Tamper Protection Enabled | String (?) | Find endpoints by whether Tamper Protection is turned on |
Lockdown Status | Array | Find endpoints by lockdown status |
Last Seen Before | String (?) | Find endpoints that were last seen before the given date and time (UTC) or a duration relative to the current date and time (exclusive). |
Last Seen After | String (?) | Find endpoints that were last seen after the given date and time (UTC) or a duration relative to the current date and time (inclusive). |
IDs | String (?) | Find endpoints with the specified IDs |
Isolation Status | String | Find endpoints by isolation status |
Hostname Contains | String (?) | Find endpoints where the hostname contains the given string. Only the first 10 characters of the given string are matched. |
Associated Person Contains | String (?) | Find endpoints where the name of the person associated with the endpoint contains the given string. Only the first 10 characters of the given string are matched. |
Group Name Contains | String (?) | Find endpoints where the name of the group the endpoint is in contains the given string. Only the first 10 characters of the given string are matched. |
Search | String (?) | Search for items that match the given terms |
Search Fields | Array | Search only within the specified fields, username field is default if search query is specified |
IP Addresses | Array | Find endpoints by IP addresses |
Cloud | Array | Find endpoints that are cloud instances. You must use URL encoding |
Fields | String (?) | The fields to return in a partial response |
View | String | Type of view to be returned in response |
Assigned To Group | String (?) | Whether endpoint is assigned to a group |
Endpoint Groups | Array | Groups that the endpoint should be added to |
MAC Addresses | Array | Find endpoints by MAC addresses. Can be in EUI-48 or EUI-64 format, case insensitive, colon, hyphen or dot separated, or with no separator, e.g. 01:23:45:67:89:AB, 01-23-45-67-89-ab, 0123.4567.89ab, 0123456789ab, 01:23:45:67:89:ab:cd:ef. |
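Because the MAC Addresses filter accepts several spellings, a workflow that receives addresses from a ticket or a CSV should normalize and validate them before building the request, so a malformed value is caught rather than silently matching nothing. The following Python helper is an added example, not Rewst or Sophos code; the canonical output form (lowercase, colon-separated octets) is a choice made here, and the accepted input forms are the ones the table lists.

```python
import re

# Separators the filter documents: colon, hyphen, dot, or none.
_SEPARATORS = ":-."
_HEX = re.compile(r"^[0-9a-f]+$")


def normalize_mac(value: str) -> str:
    """Return `value` as lowercase colon-separated octets, or raise ValueError.

    Accepts EUI-48 (6 octets) and EUI-64 (8 octets) in any of the documented
    forms: 01:23:45:67:89:AB, 01-23-45-67-89-ab, 0123.4567.89ab,
    0123456789ab, 01:23:45:67:89:ab:cd:ef. Rejects mixed separators, wrong
    group widths, wrong total length and non-hex characters.
    """
    s = value.strip().lower()
    seps = {c for c in s if c in _SEPARATORS}
    if len(seps) > 1:
        raise ValueError(f"mixed separators in {value!r}")
    if seps:
        sep = seps.pop()
        parts = s.split(sep)
        # Colon/hyphen forms carry one octet per group, the dotted form two.
        width = 4 if sep == "." else 2
        if any(len(p) != width for p in parts):
            raise ValueError(f"inconsistent grouping in {value!r}")
        digits = "".join(parts)
    else:
        digits = s
    if not _HEX.match(digits):
        raise ValueError(f"non-hex characters in {value!r}")
    if len(digits) not in (12, 16):
        raise ValueError(f"{value!r} is neither EUI-48 nor EUI-64")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def mac_filter_values(raw_values):
    """Normalize a batch, returning (accepted, rejected).

    `accepted` is a de-duplicated list ready for the MAC Addresses parameter;
    `rejected` pairs each bad input with the reason so it can be reported
    instead of dropped silently.
    """
    accepted, rejected, seen = [], [], set()
    for raw in raw_values:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if mac not in seen:
            seen.add(mac)
            accepted.append(mac)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: the five documented forms plus three bad values.
    sample = ["01:23:45:67:89:AB", "01-23-45-67-89-ab", "0123.4567.89ab",
              "0123456789ab", "01:23:45:67:89:ab:cd:ef",
              "01:23-45:67:89:ab", "zz:23:45:67:89:ab", "01:23:45:67:89"]
    ok, bad = mac_filter_values(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```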
Get Endpoint
Get an endpoint based on ID
GET /endpoint/v1/endpoints/{endpointId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint* | Sophos Endpoint | None Provided |
Fields | String (?) | The fields to return in a partial response |
View | String | Type of view to be returned in response |
Delete Endpoint
Deletes a specified endpoint
DELETE /endpoint/v1/endpoints/{endpointId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint* | Sophos Endpoint | None Provided |
Event Journal
List Event Journal Settings
Get all event journal settings
GET /endpoint/v1/settings/event-journal/{endpointType}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Type* | String | Endpoint type |
Update Event Journal Settings
Update settings for event journal size and disk space limits. If you specify both a maximum disk space and a maximum journal size, the lower of these limits is used.
PATCH /endpoint/v1/settings/event-journal/{endpointType}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Endpoint Type* | String | Endpoint type |
Use Recommended | String (?) | Shows if the recommended setting is required |
Disk Space Limit In Mb | String (?) | Maximum size of the event journal (MB) |
Disk Space Limit As Percentage | String | Disk space limit for the event journal (percentage). The value 0 will mean Disk space limit is not specified. |
Events
Get Events
Get events with timestamps within the last 24 hours
GET /siem/v1/events
Key | Type | Description |
---|---|---|
X-Tenant-ID | Sophos Tenant | None Provided |
limit | String (?) | The maximum number of items to return, default is 200, max is 1000 |
cursor | String (?) | Identifier for the next item in the list; this value is available in the response as next_cursor. The response will default to the last 24 hours if the cursor is not within the last 24 hours. |
from_date | String (?) | The starting date from which alerts will be retrieved, defined as a Unix timestamp in UTC. Ignored if cursor is set. Must be within the last 24 hours. |
exclude_types | String (?) | String listing the types of events to be excluded |
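The three constraints in this table (limit capped at 1000, from_date only honoured without a cursor and only inside the last 24 hours, next_cursor driving the next call) are easy to get subtly wrong in a polling workflow, which then re-reads or skips events. The Python helper below is an added example, not Rewst or Sophos code: it builds the query under those rules and walks the cursor chain. `fetch_page` is an assumed adapter around the HTTP GET (where the X-Tenant-ID header and token would go), `sample_api` is a constructed stand-in for the endpoint, the `items` and `has_more` response fields and the comma-joined form of exclude_types are assumptions; next_cursor is the field the table names.

```python
import time

DEFAULT_LIMIT = 200             # table: default is 200
MAX_LIMIT = 1000                # table: max is 1000
WINDOW_SECONDS = 24 * 60 * 60   # table: the endpoint only serves the last 24 hours


def build_params(from_date=None, cursor=None, limit=DEFAULT_LIMIT,
                 exclude_types=None, now=None):
    """Build the query parameters for GET /siem/v1/events.

    Enforces the documented constraints before the request leaves the workflow:
    limit is clamped to 1..1000; from_date must be a Unix timestamp inside the
    last 24 hours; from_date is dropped when a cursor is given because the API
    ignores it in that case. `now` is injectable so the check is testable.
    """
    now = int(time.time()) if now is None else int(now)
    params = {"limit": max(1, min(int(limit), MAX_LIMIT))}
    if cursor:
        params["cursor"] = cursor        # cursor takes precedence over from_date
    elif from_date is not None:
        from_date = int(from_date)
        if from_date < now - WINDOW_SECONDS or from_date > now:
            raise ValueError("from_date must be a Unix timestamp within the last 24 hours")
        params["from_date"] = from_date
    if exclude_types:
        # Assumption: the API expects a comma-separated string of event types.
        params["exclude_types"] = ",".join(exclude_types)
    return params


def collect_events(fetch_page, from_date=None, limit=DEFAULT_LIMIT,
                   exclude_types=None, max_pages=50, now=None):
    """Follow next_cursor until the API reports no more items.

    Returns (events, last_cursor). Persist last_cursor between runs so the next
    poll resumes where this one stopped instead of re-reading the window, and
    keep max_pages as a hard stop so a misbehaving response cannot loop forever.
    """
    events, cursor = [], None
    for _ in range(max_pages):
        page = fetch_page(build_params(from_date, cursor, limit, exclude_types, now))
        events.extend(page.get("items", []))
        next_cursor = page.get("next_cursor")
        if not page.get("has_more") or not next_cursor or next_cursor == cursor:
            # Last page, no cursor to continue from, or a cursor that stopped advancing.
            cursor = next_cursor or cursor
            break
        cursor = next_cursor
    return events, cursor


def sample_api(params):
    """Constructed stand-in for the endpoint: two pages of fake events.

    It also checks the precedence rule: from_date must be present on the first
    call and absent once a cursor is supplied.
    """
    if "cursor" not in params:
        assert "from_date" in params, "first call should carry from_date"
        return {"items": [{"id": "evt-1", "type": "sample-type-a"},
                          {"id": "evt-2", "type": "sample-type-b"}],
                "has_more": True, "next_cursor": "cursor-page-2"}
    if params["cursor"] == "cursor-page-2":
        assert "from_date" not in params, "from_date must be dropped once a cursor is used"
        return {"items": [{"id": "evt-3", "type": "sample-type-a"}],
                "has_more": False, "next_cursor": "cursor-page-3"}
    raise ValueError(f"unexpected cursor {params['cursor']!r}")


if __name__ == "__main__":
    now = int(time.time())
    events, resume_from = collect_events(sample_api, from_date=now - 3600, now=now)
    print(f"{len(events)} events; resume the next run from cursor {resume_from!r}")
```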
Exploit Mitigation
List Detected Exploits
Get detected exploits and the number of each detected exploit
GET /endpoint/v1/settings/exploit-mitigation/detected-exploits
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Thumbprint Not In | Array | Filter out detected exploits with these thumbprints |
Get Detected Exploit
Get a detected exploit by ID
GET /endpoint/v1/settings/exploit-mitigation/detected-exploits/{detectedExploitId}
Key | Type | Description |
---|---|---|
Tenant | Sophos Tenant | The Tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
Detected Exploit* | Sophos Detected Exploit | None Provided |
List Exploit Mitigation Categories
Lists all the Exploit Mitigation categories
GET /endpoint/v1/settings/exploit-mitigation/categories