Sophos Integration Setup

Integrating Rewst with Sophos brings robust cybersecurity capabilities to your Rewst workflows, enhancing data protection and threat management. With the integration, Rewst users can leverage Sophos' advanced security solutions to strengthen their defense against cyber threats. This includes features such as malware detection, ransomware protection, network security, and endpoint protection. By integrating Sophos into Rewst, users can enhance their security posture, mitigate risks, and safeguard sensitive data. The integration empowers users to proactively manage their cybersecurity within the Rewst platform, ensuring a secure environment for their operations and protecting against evolving threats.

Setup

To set up the Sophos Integration, you'll need to do the following:

  1. Navigate to the Global Settings of Sophos and locate the API Credentials Management section.

  2. Click on the "Add Credential" button to initiate the process of adding a new credential.

  3. Provide a name and description for the credential to identify and distinguish it from others.

  4. Choose the role that will be assigned to this credential. The available roles to choose from can be viewed here.

  5. Navigate to the integrations page in Rewst.

  6. Click on the Sophos integration.

  7. Fill out the integration form.

  8. Submit the form.

We'll run a quick test to ensure that the credentials are valid and that we can successfully connect to the Sophos API.

Actions

Alerts

List Alerts

List alerts matching specified criteria

GET /common/v1/alerts

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Group Key | String (?) | Alert group key. You can filter by group key. |
| From | String (?) | Find alerts that were raised on or after this time. |
| To | String (?) | Find alerts that were raised before this time. |
| Sort | Array | Defines how to sort the data. |
| Product | Array | Alerts for a product. You can query by product types. |
| Category | Array | Alert category. You can query by different categories. |
| Severity | Array | Alerts for a specific severity level. You can query by severity levels. |
| Alerts | String (?) | List of alert IDs. |
| Fields | String (?) | The fields to return in a partial response. |

Get Alert

Get details of a specific alert

GET /common/v1/alerts/{alertId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Alert* | Sophos Alert | None Provided |

Take Action On Alert

Take an action on a specific alert

POST /common/v1/alerts/{alertId}/actions

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Alert* | Sophos Alert | None Provided |
| Action* | String (?) | The action to perform on the alert. |
| Message | String (?) | Message to send with the action. |
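The two alert calls above, as an added example that is not Rewst's or Sophos' own code: it builds the List Alerts query and the Take Action request body, and applies the partner/tenant rule from the Tenant row. Assumptions: partner accounts identify the tenant with an `X-Tenant-ID` header (the header named in the Events table further down), query parameter names are camelCase, multi-valued filters are sent as repeated keys, timestamps are UTC ISO-8601, and `acknowledge` is a valid action value. The transport is a constructed stand-in that records requests instead of sending them.

```python
"""Added example: request builders for List Alerts and Take Action On Alert."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode


@dataclass
class Request:
    method: str
    path: str              # path plus query string
    headers: dict
    body: Optional[dict] = None


def _iso_utc(dt: datetime) -> str:
    """Serialise a timezone-aware datetime as UTC ISO-8601 (assumed wire format)."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class AlertClient:
    """Assumption: partner accounts pass the tenant as an X-Tenant-ID header;
    tenant accounts omit it ("you can omit this field" in the Tenant row)."""

    def __init__(self, tenant_id: Optional[str] = None):
        self.tenant_id = tenant_id
        self.sent: list = []   # constructed stand-in for a real HTTP transport

    def _headers(self) -> dict:
        headers = {"Accept": "application/json"}
        if self.tenant_id:
            headers["X-Tenant-ID"] = self.tenant_id
        return headers

    def _send(self, method: str, path: str, body: Optional[dict] = None) -> Request:
        req = Request(method, path, self._headers(), body)
        self.sent.append(req)
        return req

    def list_alerts(self, start: datetime, end: datetime, severity=(), product=(),
                    category=(), group_key: Optional[str] = None, sort=()) -> Request:
        """GET /common/v1/alerts with the filters from the List Alerts table."""
        if end <= start:
            raise ValueError("'to' must be later than 'from'")
        params = {"from": _iso_utc(start), "to": _iso_utc(end)}
        # Multi-valued filters become repeated query keys (encoding assumed).
        for key, values in (("severity", severity), ("product", product),
                            ("category", category), ("sort", sort)):
            if values:
                params[key] = list(values)
        if group_key:
            params["groupKey"] = group_key   # camelCase name is an assumption
        return self._send("GET", "/common/v1/alerts?" + urlencode(params, doseq=True))

    def take_action(self, alert_id: str, action: str, message: Optional[str] = None) -> Request:
        """POST /common/v1/alerts/{alertId}/actions; message is optional."""
        if not alert_id or not action:
            raise ValueError("alert id and action are required")
        body = {"action": action}
        if message:
            body["message"] = message
        return self._send("POST", f"/common/v1/alerts/{alert_id}/actions", body)


def demo() -> AlertClient:
    """Constructed run: a partner account lists high/medium alerts for one day
    and acknowledges one of them. Tenant and alert IDs are placeholders."""
    client = AlertClient(tenant_id="TENANT-ID-PLACEHOLDER")
    client.list_alerts(datetime(2024, 1, 1, tzinfo=timezone.utc),
                       datetime(2024, 1, 2, tzinfo=timezone.utc),
                       severity=("high", "medium"))
    client.take_action("ALERT-ID-PLACEHOLDER", "acknowledge")
    return client


if __name__ == "__main__":
    for req in demo().sent:
        print(req.method, req.path, req.headers, req.body)
```

Swap `_send` for a real HTTP call (for example `requests.request(method, base_url + path, headers=headers, json=body)`) and the rest of the class stays the same; a tenant account constructs `AlertClient()` with no tenant ID and the header is simply not emitted.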

Allowed Items

List Exemptions

Get all allowed items from settings

GET /endpoint/v1/settings/allowed-items

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |

Create Exemption

Exempt an item from conviction

POST /endpoint/v1/settings/allowed-items

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Type* | String (?) | Property by which an item is allowed. |
| Comment* | String (?) | Comment indicating why the item should be allowed. |
| Origin Person* | String (?) | Person associated with the endpoint where the item to be allowed was last seen. |
| Origin Endpoint | String (?) | Endpoint where the item to be allowed was last seen. |

Get Exemption

Get an exemption by ID

GET /endpoint/v1/settings/allowed-items/{allowedItemId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Blocked Item* | Sophos Blocked Item | None Provided |

Update Exemption

Update an exemption

PATCH /endpoint/v1/settings/allowed-items/{allowedItemId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Blocked Item* | Sophos Blocked Item | None Provided |
| Comment* | String (?) | Comment indicating why the item should be allowed. |

Delete Exemption

Deletes the specified exemption

DELETE /endpoint/v1/settings/allowed-items/{allowedItemId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Blocked Item* | Sophos Blocked Item | None Provided |


Property

| Key | Type | Description |
| --- | --- | --- |
| File Name* | String (?) | File name |
| Path* | String (?) | Path for the application |
| Sha256* | String (?) | SHA-256 value for the application |
| Certificate Signer* | String (?) | Value saved for the certificateSigner |

Blocked Items

List Quarantined Items

Get all blocked items

GET /endpoint/v1/settings/blocked-items

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |

Add Item To Quarantine

Block an item from exoneration

POST /endpoint/v1/settings/blocked-items

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Type* | String (?) | Property by which an item is blocked. |
| Comment* | String (?) | Comment indicating why the item should be allowed. |

Get Quarantined Item

Get a blocked item by ID

GET /endpoint/v1/settings/blocked-items/{blockedItemId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Blocked Item* | Sophos Blocked Item | None Provided |

Delete From Quarantine

Deletes the specified blocked item

DELETE /endpoint/v1/settings/blocked-items/{blockedItemId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Blocked Item* | Sophos Blocked Item | None Provided |


Property - Blocked Items

| Key | Type | Description |
| --- | --- | --- |
| File Name* | String (?) | File name |
| Path* | String (?) | Path for the application |
| Sha256* | String (?) | SHA-256 value for the application |
| Certificate Signer* | String (?) | Value saved for the certificateSigner |
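Building the item bodies for Create Exemption (allowed items) and Add Item To Quarantine (blocked items) from the two Property tables, as an added example that is not Rewst's or Sophos' own code. Assumptions: the `Type` value names the property that carries the value (`fileName`, `path`, `sha256` or `certificateSigner`), body field names are camelCase, and a `properties` object holds the chosen property. The scope classification is editorial: a hash matches one exact file, while a path or signer rule can match many files, which matters more for an allow rule than for a block rule.

```python
"""Added example: validated request bodies for allowed and blocked items."""
import re
from typing import Optional

PROPERTIES = ("fileName", "path", "sha256", "certificateSigner")  # from the Property tables
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_ABS_PATH = re.compile(r"^(/|[A-Za-z]:\\|\\\\)")   # POSIX, drive letter or UNC


def validate_property(type_: str, value: str) -> str:
    """Check that `value` is a plausible instance of the chosen property and
    return it in canonical form (hashes lower-cased)."""
    if type_ not in PROPERTIES:
        raise ValueError(f"type must be one of {PROPERTIES}, got {type_!r}")
    if not value or not value.strip():
        raise ValueError(f"{type_} must not be empty")
    value = value.strip()
    if type_ == "sha256":
        if not _SHA256.match(value):
            raise ValueError("sha256 must be 64 hex characters")
        return value.lower()
    if type_ == "path" and not _ABS_PATH.match(value):
        raise ValueError("path must be absolute")
    return value


def is_valid_property(type_: str, value: str) -> bool:
    """Boolean form of validate_property for callers that only need a yes/no."""
    try:
        validate_property(type_, value)
        return True
    except ValueError:
        return False


def scope_of(type_: str) -> str:
    """Editorial classification of how much a rule can match."""
    return "exact" if type_ == "sha256" else "broad"


def build_allowed_item(type_: str, value: str, comment: str, origin_person: str,
                       origin_endpoint: Optional[str] = None) -> dict:
    """Body for POST /endpoint/v1/settings/allowed-items (field names assumed)."""
    value = validate_property(type_, value)
    if not comment or not comment.strip():
        raise ValueError("comment is required: it is the audit trail for the exemption")
    if not origin_person or not origin_person.strip():
        raise ValueError("originPerson is required")
    body = {
        "type": type_,
        "comment": comment.strip(),
        "originPerson": origin_person.strip(),
        "properties": {type_: value},
    }
    if origin_endpoint:
        body["originEndpoint"] = origin_endpoint.strip()
    return body


def build_blocked_item(type_: str, value: str, comment: str) -> dict:
    """Body for POST /endpoint/v1/settings/blocked-items (field names assumed)."""
    value = validate_property(type_, value)
    if not comment or not comment.strip():
        raise ValueError("comment is required")
    return {"type": type_, "comment": comment.strip(), "properties": {type_: value}}


def demo() -> dict:
    """Constructed run with placeholder hash and person values."""
    digest = "ab" * 32   # constructed SHA-256, not a real file hash
    return {
        "allow": build_allowed_item("sha256", digest.upper(), "approved internal build",
                                    "PERSON-ID-PLACEHOLDER"),
        "block": build_blocked_item("path", "C:\\Users\\Public\\dropper.exe",
                                    "seen in incident INC-PLACEHOLDER"),
    }


if __name__ == "__main__":
    for name, body in demo().items():
        print(name, scope_of(body["type"]), body)
```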

Directory Management

List Users

List users in the directory

GET /common/v1/directory/users

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Sort | Array | Defines how to sort the data. |
| Fields | String (?) | The fields to return in a partial response. |
| IDs | String (?) | List of item IDs to match. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |
| Source Type | String | Source directory type. |
| User Group | Sophos User Group | None Provided |
| Domain | String (?) | List the items that match the given domain. |

Create User

Add a new user to the directory

POST /common/v1/directory/users

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Fields | String (?) | The fields to return in a partial response. |
| Name | String (?) | User's full name. |
| First Name | String (?) | None Provided |
| Last Name | String (?) | None Provided |
| Email | String (?) | User's email address. |
| Exchange Login | String (?) | User's Exchange login. |
| User Group | Array | Groups that the user should be added to. |

Get User

Get a user by ID

GET /common/v1/directory/users/{userId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User* | Sophos User | None Provided |
| Fields | String (?) | The fields to return in a partial response. |

Delete User

Delete a user by ID

DELETE /common/v1/directory/users/{userId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User* | Sophos User | None Provided |

Update User

Update an existing user

PATCH /common/v1/directory/users/{userId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User* | Sophos User | None Provided |
| Fields | String (?) | The fields to return in a partial response. |
| Name | String (?) | User's full name. |
| First Name | String (?) | None Provided |
| Last Name | String (?) | None Provided |
| Email | String (?) | User's email address. |
| Exchange Login | String (?) | User's Exchange login. |

List User Groups

List user groups in the directory

GET /common/v1/directory/user-groups

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Sort | Array | Defines how to sort the data. |
| Fields | String (?) | The fields to return in a partial response. |
| IDs | String (?) | List of item IDs to match. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |
| Source Type | String | Source directory type. |
| User | Sophos User | None Provided |
| Domain | String (?) | List the items that match the given domain. |

Create User Group

Add a new group to the directory

POST /common/v1/directory/user-groups

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Fields | String (?) | The fields to return in a partial response. |
| Name | String (?) | Group name. |
| Description | String (?) | Group description. |
| Users | Array | Users in the group. |

Get User Group

Get a user group by ID

GET /common/v1/directory/user-groups/{groupId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User Group* | Sophos User Group | None Provided |
| Fields | String (?) | The fields to return in a partial response. |

Delete User Group

Deletes the specified user group. The group must be empty.

DELETE /common/v1/directory/user-groups/{groupId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User Group* | Sophos User Group | None Provided |

Update User Group

Update a user group

PATCH /common/v1/directory/user-groups/{groupId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User Group* | Sophos User Group | None Provided |
| Fields | String (?) | The fields to return in a partial response. |
| Name | String (?) | New group name. |
| Description | String (?) | Group description. |

Get User Group Membership

List groups that a user belongs to

GET /common/v1/directory/users/{userId}/groups

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User* | Sophos User | None Provided |
| Sort | Array | Defines how to sort the data. |
| Fields | String (?) | The fields to return in a partial response. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |
| Source Type | String | Source directory type. |
| Domain | String (?) | List the items that match the given domain. |

Add User To Group(s)

Add a user to multiple groups

POST /common/v1/directory/users/{userId}/groups

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User* | Sophos User | None Provided |
| IDs | String (?) | List of group IDs. |

Remove User From Group(s)

Remove a user from multiple groups

DELETE /common/v1/directory/users/{userId}/groups

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User* | Sophos User | None Provided |
| User Groups | String (?) | List of group IDs. |

List Users In Group

List users in the specified group

GET /common/v1/directory/user-groups/{groupId}/users

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User Group* | Sophos User Group | None Provided |
| Sort | Array | Defines how to sort the data. |
| Fields | String (?) | The fields to return in a partial response. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |
| Source Type | String | Source directory type. |
| Domain | String (?) | List the items that match the given domain. |

Add User(s) To Group

Add multiple users to the specified group

POST /common/v1/directory/user-groups/{groupId}/users

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User Group* | Sophos User Group | None Provided |
| Users | String (?) | List of user IDs. |

Remove User(s) From Group

Remove multiple users from a group

DELETE /common/v1/directory/user-groups/{groupId}/users

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| User Group* | Sophos User Group | None Provided |
| Users | String (?) | List of user IDs. |

Downloads

Get all the endpoint installer links for a tenant

GET /endpoint/v1/downloads

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Requested Products | Array | Products to include in the installers. All values are returned if you don't use filters. |
| Platforms | Array | Specify which platforms to include. All values are returned if you don't use filters. |

Endpoint Groups Management

List Endpoint Groups

Endpoint groups in the directory

GET /endpoint/v1/endpoint-groups

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Group Type | String | Endpoint group type. |
| Sort | Array | Defines how to sort the data. |
| Fields | String (?) | The fields to return in a partial response. |
| Endpoint Groups | String (?) | IDs to match. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |
| Endpoints | Array | Endpoint UUIDs. |

Create Endpoint Group

Add a new endpoint group to the directory

POST /endpoint/v1/endpoint-groups

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Fields | String (?) | The fields to return in a partial response. |
| Name* | String (?) | Group name. |
| Description | String (?) | Group description. |
| Type* | String (?) | Endpoint group type. |
| Endpoints | Array | Endpoint UUIDs. |

List Endpoint Groups By Type

Endpoint groups of your specified type in the directory

GET /endpoint/v1/endpoint-groups/types/{groupType}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Group Type* | String | Endpoint group type. |
| Sort | Array | Defines how to sort the data. |
| Fields | String (?) | The fields to return in a partial response. |
| IDs | String (?) | IDs to match. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |
| Endpoints | Array | Endpoint UUIDs. |

Get Endpoint Group

Get endpoint group by ID

GET /endpoint/v1/endpoint-groups/{groupId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Groups* | Sophos Endpoint Group | None Provided |
| Fields | String (?) | The fields to return in a partial response. |

Delete Endpoint Group

Delete endpoint group

DELETE /endpoint/v1/endpoint-groups/{groupId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Groups* | Sophos Endpoint Group | None Provided |

Update Endpoint Group

Update endpoint group

PATCH /endpoint/v1/endpoint-groups/{groupId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Groups* | Sophos Endpoint Group | None Provided |
| Fields | String (?) | The fields to return in a partial response. |
| Name | String (?) | New group name. |
| Description | String (?) | Group description. |

List Endpoints In Group

Endpoints in your specified group

GET /endpoint/v1/endpoint-groups/{groupId}/endpoints

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Groups* | Sophos Endpoint Group | None Provided |
| Sort | Array | Defines how to sort the data. |
| Fields | String (?) | The fields to return in a partial response. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |

Add Endpoint(s) To Group

Add endpoints to your group

POST /endpoint-groups/{groupId}/endpoints

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Groups* | Sophos Endpoint Group | None Provided |
| Endpoints | String (?) | List of endpoint IDs. |

Remove From Group

Remove endpoints from a group

DELETE /endpoint-groups/{groupId}/endpoints

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Groups* | Sophos Endpoint Group | None Provided |
| IDs | String (?) | Endpoint IDs. |

Remove Single Endpoint From Group

Remove an endpoint from a group

DELETE /endpoint-groups/{groupId}/endpoints/{endpointId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Groups* | Sophos Endpoint Group | None Provided |
| Endpoint* | Sophos Endpoint | None Provided |

Endpoint Isolation

Configure Endpoint(s) Isolation Settings

Turn endpoint isolation on or off for multiple endpoints

POST /endpoint/v1/endpoints/isolation

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Enabled | String (?) | Whether Tamper Protection should be turned on for the endpoint. |
| Comment* | String (?) | Comment indicating why the item should be allowed. |
| IDs | String (?) | List of endpoint IDs. |

Get Endpoint's Isolation Settings

Get isolation settings for an endpoint

GET /endpoint/v1/endpoints/{endpointId}/isolation

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint* | Sophos Endpoint | None Provided |

Update Endpoint's Isolation Settings

Update isolation settings for an endpoint

PATCH /endpoint/v1/endpoints/{endpointId}/isolation

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint* | Sophos Endpoint | None Provided |
| Enabled | String (?) | Whether Tamper Protection should be turned on for the endpoint. |
| Comment* | String (?) | Comment indicating why the item should be allowed. |
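The three isolation calls above (batch configure, get, single update), as an added example that is not Rewst's or Sophos' own code. It builds the request bodies with the checks a responder wants before cutting machines off the network: the form's string `Enabled` value is normalised to a boolean, endpoint IDs must be UUIDs (the page calls them "Endpoint UUIDs" elsewhere) with duplicates dropped, a comment is mandatory as the audit trail, and a planning step compares the isolation state returned by the GET call with the desired state so hosts that are already in the right state are not touched again. Body field names and the shape of the GET response (`{"enabled": bool}`) are assumptions.

```python
"""Added example: validated isolation requests and an idempotent change plan."""
import uuid
from typing import Dict, Iterable, List, Tuple, Union


def parse_enabled(value: Union[bool, str]) -> bool:
    """The Rewst form field is a string; the API flag is boolean. Accept both."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"enabled must be true or false, got {value!r}")


def check_ids(ids: Iterable[str]) -> List[str]:
    """Require at least one well-formed UUID; drop duplicates, keep order."""
    out, seen = [], set()
    for raw in ids:
        text = str(raw).strip()
        try:
            canonical = str(uuid.UUID(text))
        except ValueError:
            raise ValueError(f"not an endpoint UUID: {raw!r}")
        if canonical not in seen:
            seen.add(canonical)
            out.append(canonical)
    if not out:
        raise ValueError("at least one endpoint id is required")
    return out


def _require_comment(comment: str) -> str:
    if not comment or not comment.strip():
        raise ValueError("comment is required: it records why isolation changed")
    return comment.strip()


def build_batch_isolation(ids: Iterable[str], enabled, comment: str) -> dict:
    """Body for POST /endpoint/v1/endpoints/isolation (field names assumed)."""
    return {"enabled": parse_enabled(enabled),
            "comment": _require_comment(comment),
            "ids": check_ids(ids)}


def build_single_isolation(endpoint_id: str, enabled, comment: str) -> Tuple[str, str, dict]:
    """Method, path and body for PATCH /endpoint/v1/endpoints/{endpointId}/isolation."""
    eid = check_ids([endpoint_id])[0]
    body = {"enabled": parse_enabled(enabled), "comment": _require_comment(comment)}
    return "PATCH", f"/endpoint/v1/endpoints/{eid}/isolation", body


def plan_isolation(current: Dict[str, bool], wanted: Iterable[str], enabled) -> List[str]:
    """Given the state each endpoint reported from the GET call, return only
    the IDs whose state actually needs to change. Unknown IDs are included so
    the server decides; already-matching IDs are skipped."""
    target = parse_enabled(enabled)
    return [eid for eid in check_ids(wanted) if current.get(eid) is not target]


# Constructed endpoint IDs (random-looking UUIDs, not real endpoints).
EP_A = "11111111-2222-4333-8444-555555555555"
EP_B = "66666666-7777-4888-9999-aaaaaaaaaaaa"
EP_C = "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff"


def demo() -> Tuple[List[str], dict]:
    """Constructed run: A is already isolated, B is not, C is unknown."""
    current = {EP_A: True, EP_B: False}
    todo = plan_isolation(current, [EP_A, EP_B, EP_B, EP_C], "true")
    body = build_batch_isolation(todo, "true", "incident INC-PLACEHOLDER containment")
    return todo, body


if __name__ == "__main__":
    print(demo())
```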

Endpoints

List Endpoints

Get all the endpoints for the specified tenant

GET /endpoint/v1/endpoints

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Sort | Array | Defines how to sort the data. |
| Health Status | Array | Find endpoints by health status. |
| Type | String (?) | Find endpoints by type. |
| Tamper Protection Enabled | String (?) | Find endpoints by whether Tamper Protection is turned on. |
| Lockdown Status | Array | Find endpoints by lockdown status. |
| Last Seen Before | String (?) | Find endpoints that were last seen before the given date and time (UTC), or a duration relative to the current date and time (exclusive). |
| Last Seen After | String (?) | Find endpoints that were last seen after the given date and time (UTC), or a duration relative to the current date and time (inclusive). |
| IDs | String (?) | Find endpoints with the specified IDs. |
| Isolation Status | String | Find endpoints by isolation status. |
| Hostname Contains | String (?) | Find endpoints where the hostname contains the given string. Only the first 10 characters of the given string are matched. |
| Associated Person Contains | String (?) | Find endpoints where the name of the person associated with the endpoint contains the given string. Only the first 10 characters of the given string are matched. |
| Group Name Contains | String (?) | Find endpoints where the name of the group the endpoint is in contains the given string. Only the first 10 characters of the given string are matched. |
| Search | String (?) | Search for items that match the given terms. |
| Search Fields | Array | Search only within the specified fields; the username field is the default if a search query is specified. |
| IP Addresses | Array | Find endpoints by IP addresses. |
| Cloud | Array | Find endpoints that are cloud instances. You must use URL encoding. |
| Fields | String (?) | The fields to return in a partial response. |
| View | String | Type of view to be returned in the response. |
| Assigned To Group | String (?) | Whether the endpoint is assigned to a group. |
| Endpoint Groups | Array | Groups that the endpoint should be added to. |
| MAC Addresses | Array | Find endpoints by MAC addresses. Can be in EUI-48 or EUI-64 format, case insensitive, colon, hyphen or dot separated, or with no separator, e.g. 01:23:45:67:89:AB, 01-23-45-67-89-ab, 0123.4567.89ab, 0123456789ab, 01:23:45:67:89:ab:cd:ef. |
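A filter builder for the List Endpoints call above, as an added example that is not Rewst's or Sophos' own code. It handles the two edge cases the table calls out: MAC addresses are accepted in every listed form (EUI-48 or EUI-64; colon, hyphen, dot or no separator; any case) and canonicalised, and the three `Contains` filters are cut to the 10 characters the API actually matches, with a warning so a workflow does not silently believe it filtered on a longer string. Assumptions: query parameter names are camelCase, relative `lastSeenBefore`/`lastSeenAfter` values are ISO-8601 durations such as `-P1D`, and multi-valued filters are repeated keys.

```python
"""Added example: List Endpoints query parameters with MAC and contains-filter handling."""
import re
from datetime import timedelta
from typing import Dict, List, Optional, Sequence, Tuple, Union
from urllib.parse import urlencode

_SEPARATORS = re.compile(r"[:\-.]")
_HEX = frozenset("0123456789abcdef")
CONTAINS_LIMIT = 10   # "Only the first 10 characters of the given string are matched."


def normalize_mac(raw: str) -> str:
    """Return the address as lower-case, colon-separated EUI-48 or EUI-64."""
    digits = _SEPARATORS.sub("", raw.strip()).lower()
    if len(digits) not in (12, 16) or not set(digits) <= _HEX:
        raise ValueError(f"not an EUI-48/EUI-64 address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def is_valid_mac(raw: str) -> bool:
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def iso_duration(delta: timedelta) -> str:
    """ISO-8601 duration for a relative last-seen value (format assumed),
    e.g. -1 day -> '-P1D', -12 hours -> '-PT12H'."""
    sign = "-" if delta < timedelta(0) else ""
    total = abs(int(delta.total_seconds()))
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    date_part = f"{days}D" if days else ""
    time_part = "".join(f"{v}{u}" for v, u in ((hours, "H"), (minutes, "M"), (seconds, "S")) if v)
    if not date_part and not time_part:
        return "PT0S"
    return f"{sign}P{date_part}{'T' + time_part if time_part else ''}"


def _last_seen(value: Union[str, timedelta, None]) -> Optional[str]:
    if value is None:
        return None
    return iso_duration(value) if isinstance(value, timedelta) else value


def build_endpoint_filters(hostname_contains: Optional[str] = None,
                           person_contains: Optional[str] = None,
                           group_name_contains: Optional[str] = None,
                           last_seen_before=None, last_seen_after=None,
                           mac_addresses: Sequence[str] = (),
                           health_status: Sequence[str] = ()) -> Tuple[Dict[str, object], List[str]]:
    """Return (query parameters, warnings). Unset filters are omitted."""
    params: Dict[str, object] = {}
    warnings: List[str] = []
    for key, text in (("hostnameContains", hostname_contains),
                      ("associatedPersonContains", person_contains),
                      ("groupNameContains", group_name_contains)):
        if text:
            if len(text) > CONTAINS_LIMIT:
                warnings.append(f"{key}: only the first {CONTAINS_LIMIT} characters "
                                f"({text[:CONTAINS_LIMIT]!r}) are matched")
            params[key] = text[:CONTAINS_LIMIT]
    if last_seen_before is not None:
        params["lastSeenBefore"] = _last_seen(last_seen_before)
    if last_seen_after is not None:
        params["lastSeenAfter"] = _last_seen(last_seen_after)
    if mac_addresses:
        params["macAddresses"] = [normalize_mac(m) for m in mac_addresses]
    if health_status:
        params["healthStatus"] = list(health_status)
    return params, warnings


def to_query(params: Dict[str, object]) -> str:
    return urlencode(params, doseq=True)


def demo() -> Tuple[Dict[str, object], List[str]]:
    """Constructed run: hosts not seen for a day, filtered by a long hostname prefix."""
    return build_endpoint_filters(hostname_contains="webserver-prod-01",
                                  last_seen_before=-timedelta(days=1),
                                  mac_addresses=["0123.4567.89AB", "01-23-45-67-89-ab-cd-ef"],
                                  health_status=["bad", "suspicious"])


if __name__ == "__main__":
    params, warnings = demo()
    print(to_query(params))
    print("\n".join(warnings))
```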

Get Endpoint

Get an endpoint by ID

GET /endpoint/v1/endpoints/{endpointId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint* | Sophos Endpoint | None Provided |
| Fields | String (?) | The fields to return in a partial response. |
| View | String | Type of view to be returned in the response. |

Delete Endpoint

Deletes the specified endpoint

DELETE /endpoint/v1/endpoints/{endpointId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint* | Sophos Endpoint | None Provided |

Event Journal

List Event Journal Settings

Get all event journal settings

GET /endpoint/v1/settings/event-journal/{endpointType}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Type* | String | Endpoint type. |

Update Event Journal Settings

Update settings for event journal size and disk space limits. If you specify both a maximum disk space and a maximum journal size, the lower of the two limits is used.

PATCH /endpoint/v1/settings/event-journal/{endpointType}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Endpoint Type* | String | Endpoint type. |
| Use Recommended | String (?) | Whether the recommended setting should be used. |
| Disk Space Limit In Mb | String (?) | Maximum size of the event journal (MB). |
| Disk Space Limit As Percentage | String | Disk space limit for the event journal (percentage). A value of 0 means no disk space limit is specified. |

Events

Get Events

Get events with timestamps within the last 24 hours

GET /siem/v1/events

| Key | Type | Description |
| --- | --- | --- |
| X-Tenant-ID | Sophos Tenant | None Provided |
| limit | String (?) | The maximum number of items to return; default is 200, maximum is 1000. |
| cursor | String (?) | Identifier for the next item in the list; this value is returned in the response as next_cursor. The response defaults to the last 24 hours if the cursor is not within the last 24 hours. |
| from_date | String (?) | The starting date from which events will be retrieved, given as a Unix timestamp in UTC. Ignored if cursor is set. Must be within the last 24 hours. |
| exclude_types | String (?) | String listing the event types to exclude. |
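A cursor-following consumer for Get Events, as an added example that is not Rewst's or Sophos' own code. It enforces the table's rules on the client side (limit between 1 and 1000, from_date a Unix timestamp within the last 24 hours, from_date dropped once a cursor is in play because the API ignores it) and pages through results by resending `next_cursor` until the server reports no more. The server here is a constructed stand-in that applies the same rules over a fixed list of events; its response field names other than `next_cursor` (`items`, `has_more`), the numeric cursor, and the comma-joined `exclude_types` encoding are assumptions.

```python
"""Added example: paging GET /siem/v1/events with cursor, limit and from_date checks."""
import time
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

DEFAULT_LIMIT = 200          # "default is 200"
MAX_LIMIT = 1000             # "max is 1000"
WINDOW_SECONDS = 24 * 3600   # "Must be within last 24 hours"


class FakeSiemServer:
    """Constructed stand-in for the SIEM events endpoint. Events are dicts with
    id, when (Unix seconds) and type, sorted by time ascending."""

    def __init__(self, events: Sequence[dict], now: int):
        self.events = sorted(events, key=lambda e: e["when"])
        self.now = now

    def get(self, params: Dict[str, str]) -> Tuple[int, dict]:
        limit = int(params.get("limit", DEFAULT_LIMIT))
        if not 1 <= limit <= MAX_LIMIT:
            return 400, {"error": "limit out of range"}
        excluded = set(filter(None, params.get("exclude_types", "").split(",")))
        pool = [e for e in self.events if e["type"] not in excluded]
        if "cursor" in params:                       # from_date is ignored once a cursor is set
            start = int(params["cursor"])            # constructed: cursor is an offset into pool
        else:
            from_ts = int(params.get("from_date", self.now - WINDOW_SECONDS))
            if from_ts < self.now - WINDOW_SECONDS:
                return 400, {"error": "from_date older than 24 hours"}
            start = next((i for i, e in enumerate(pool) if e["when"] >= from_ts), len(pool))
        page = pool[start:start + limit]
        body = {"items": page, "has_more": start + limit < len(pool)}
        if body["has_more"]:
            body["next_cursor"] = str(start + limit)
        return 200, body


def fetch_events(server: FakeSiemServer, tenant_id: str, from_date: Optional[int] = None,
                 limit: int = DEFAULT_LIMIT, exclude_types: Sequence[str] = (),
                 now: Optional[int] = None) -> Iterator[dict]:
    """Yield every event, following next_cursor until the server is exhausted."""
    now = int(time.time()) if now is None else now
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params: Dict[str, str] = {"limit": str(limit)}
    if from_date is not None:
        if from_date < now - WINDOW_SECONDS:
            raise ValueError("from_date must be within the last 24 hours")
        params["from_date"] = str(int(from_date))
    if exclude_types:
        params["exclude_types"] = ",".join(exclude_types)
    headers = {"X-Tenant-ID": tenant_id}   # a real transport sends this with each page
    while True:
        status, body = server.get(params)
        if status != 200:
            raise RuntimeError(f"events call failed: {body.get('error')}")
        yield from body["items"]
        if not body.get("has_more"):
            return
        params = {k: v for k, v in params.items() if k != "from_date"}   # ignored anyway; be explicit
        params["cursor"] = body["next_cursor"]


# Constructed sample data: five events over the last five hours, three types.
NOW = 1_700_000_000
SAMPLE_EVENTS = [
    {"id": "e1", "when": NOW - 5 * 3600, "type": "threat"},
    {"id": "e2", "when": NOW - 4 * 3600, "type": "update"},
    {"id": "e3", "when": NOW - 3 * 3600, "type": "threat"},
    {"id": "e4", "when": NOW - 2 * 3600, "type": "login"},
    {"id": "e5", "when": NOW - 1 * 3600, "type": "threat"},
]


def demo() -> List[str]:
    """Events from the last four hours, excluding 'update', two per page."""
    server = FakeSiemServer(SAMPLE_EVENTS, NOW)
    events = fetch_events(server, "TENANT-ID-PLACEHOLDER", from_date=NOW - 4 * 3600,
                          limit=2, exclude_types=["update"], now=NOW)
    return [e["id"] for e in events]


def rejects_stale_from_date() -> bool:
    """True when the client refuses a from_date older than the 24-hour window."""
    server = FakeSiemServer(SAMPLE_EVENTS, NOW)
    try:
        list(fetch_events(server, "TENANT-ID-PLACEHOLDER", from_date=NOW - 2 * WINDOW_SECONDS, now=NOW))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo(), rejects_stale_from_date())
```

Because `from_date` is ignored whenever `cursor` is present, a workflow that persists `next_cursor` between runs should store it alongside the time it was issued: once the stored cursor is older than 24 hours the response falls back to the trailing day and the gap is not recoverable from this endpoint.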

Exploit Mitigation

List Detected Exploits

Get detected exploits and the number of each detected exploit

GET /endpoint/v1/settings/exploit-mitigation/detected-exploits

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Thumbprint Not In | Array | Filter out detected exploits with these thumbprints. |

Get Detected Exploit

Get a detected exploit by ID

GET /endpoint/v1/settings/exploit-mitigation/detected-exploits/{detectedExploitId}

| Key | Type | Description |
| --- | --- | --- |
| Tenant | Sophos Tenant | The tenant that you want to perform the action on. If you are a partner account, you must specify the tenant ID of the tenant you want to perform the action on. If you are a tenant account, you can omit this field. |
| Detected Exploit* | Sophos Detected Exploit | None Provided |

List Exploit Mitigation Categories

Lists all the Exploit Mitigation categories

GET /endpoint/v1/settings/exploit-mitigation/categories