Sophos Central

This integration is part of the Sophos Central Pack.

The unified console for managing Sophos products.

Configure Sophos Central in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| credentials | Sophos client ID and secret | True |
| Tenant ID | Tenant ID on which the commands would be executed by default. Required in case of partner/organization level credentials | False |
| isFetch | Fetch incidents | False |
| fetch_severity | Fetch Severity | False |
| fetch_category | Fetch Category | False |
| max_fetch | Fetch Limit | False |
| fetch_time | First Fetch Time | False |
| proxy | Use system proxy settings | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sophos-central-alert-list#


List alerts.

Base Command#

sophos-central-alert-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
| SophosCentral.Alert.category | String | Alert category. |
| SophosCentral.Alert.description | String | Alert description. |
| SophosCentral.Alert.groupKey | String | Alert group key. |
| SophosCentral.Alert.id | String | The alert ID. |
| SophosCentral.Alert.managedAgentId | String | The alert source ID. |
| SophosCentral.Alert.managedAgentName | String | The alert source name. |
| SophosCentral.Alert.managedAgentType | String | The source that triggered the Alert. |
| SophosCentral.Alert.person | String | The ID of the referenced person object. |
| SophosCentral.Alert.personName | String | The name of the referenced person object. |
| SophosCentral.Alert.product | String | Product type. |
| SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
| SophosCentral.Alert.severity | String | Severity level for the alert. |
| SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
| SophosCentral.Alert.tenantName | String | Tenant name. |
| SophosCentral.Alert.type | String | Alert type. |

Command Example#

!sophos-central-alert-list limit=50

Context Example#

{
"SophosCentral": {
"Alert": [
{
"allowedActions": [
"clearThreat"
],
"category": "malware",
"description": "Manual cleanup required: 'EICAR-AV-Test' at 'C:\\Users\\JonDoe\\Downloads\\eicarcom2.zip'",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q2xlYW51cEZhaWxlZCwxNixFSUNBUi1BVi1UZXN0",
"id": "8e879165-81cb-4747-8608-1cc4e630a017",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T09:19:18.936Z",
"severity": "high",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::Threat::CleanupFailed"
},
{
"allowedActions": [
"clearThreat"
],
"category": "runtimeDetections",
"description": "Malicious connection detected: 'C2/Generic-B' at 'C:\\Windows\\System32\\wscript.exe' (Technical Support reference: 277413403)",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q29tbWFuZEFuZENvbnRyb2xEZXRlY3RlZCwxNixDMiUyRkdlbmVyaWMtQg",
"id": "9641ba6e-3254-4726-962d-b2bc11e04131",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T10:36:31.603Z",
"severity": "high",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::Threat::CommandAndControlDetected"
},
{
"allowedActions": [
"acknowledge"
],
"category": "updating",
"description": "Thunderbox is out of date.",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6Ok91dE9mRGF0ZSw1MTMs",
"id": "ee527ca8-cb54-4e11-b59f-2197910176f3",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T10:42:09.083Z",
"severity": "medium",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::OutOfDate"
}
]
}
}

Human Readable Output#

Listed Alerts:#

| id | description | severity | raisedAt | allowedActions | managedAgentId | category | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 8e879165-81cb-4747-8608-1cc4e630a017 | Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip' | high | 2020-11-25T09:19:18.936Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | malware | Event::Endpoint::Threat::CleanupFailed |
| 9641ba6e-3254-4726-962d-b2bc11e04131 | Malicious connection detected: 'C2/Generic-B' at 'C:\Windows\System32\wscript.exe' (Technical Support reference: 277413403) | high | 2020-11-25T10:36:31.603Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | runtimeDetections | Event::Endpoint::Threat::CommandAndControlDetected |
| ee527ca8-cb54-4e11-b59f-2197910176f3 | Thunderbox is out of date. | medium | 2020-11-25T10:42:09.083Z | acknowledge | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | updating | Event::Endpoint::OutOfDate |

Results on this page: 3. Maximum number of results allowed in a page: 100

sophos-central-alert-get#


Get a single alert by ID.

Base Command#

sophos-central-alert-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The alert ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
| SophosCentral.Alert.category | String | Alert category. |
| SophosCentral.Alert.description | String | Alert description. |
| SophosCentral.Alert.groupKey | String | Alert group key. |
| SophosCentral.Alert.id | String | The alert ID. |
| SophosCentral.Alert.managedAgentId | String | The alert source ID. |
| SophosCentral.Alert.managedAgentName | String | The alert source name. |
| SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
| SophosCentral.Alert.person | String | The ID of the referenced person object. |
| SophosCentral.Alert.personName | String | The name of the referenced person object. |
| SophosCentral.Alert.product | String | Product type. |
| SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
| SophosCentral.Alert.severity | String | Severity level for the alert. |
| SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
| SophosCentral.Alert.tenantName | String | Tenant name. |
| SophosCentral.Alert.type | String | Alert type. |

Command Example#

!sophos-central-alert-get alert_id=8e879165-81cb-4747-8608-1cc4e630a017

Context Example#

{
"SophosCentral": {
"Alert": {
"allowedActions": [
"clearThreat"
],
"category": "malware",
"description": "Manual cleanup required: 'EICAR-AV-Test' at 'C:\\Users\\JonDoe\\Downloads\\eicarcom2.zip'",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q2xlYW51cEZhaWxlZCwxNixFSUNBUi1BVi1UZXN0",
"id": "8e879165-81cb-4747-8608-1cc4e630a017",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T09:19:18.936Z",
"severity": "high",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::Threat::CleanupFailed"
}
}
}

Human Readable Output#

Found Alert:#

| id | description | severity | raisedAt | allowedActions | managedAgentId | category | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 8e879165-81cb-4747-8608-1cc4e630a017 | Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip' | high | 2020-11-25T09:19:18.936Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | malware | Event::Endpoint::Threat::CleanupFailed |

sophos-central-alert-action#


Take an action against alerts.

Base Command#

sophos-central-alert-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Comma-separated list of alert IDs. | Required |
| action | Actions to perform on the alerts. Possible values are: "acknowledge", "cleanPua", "cleanVirus", "authPua", "clearThreat", "clearHmpa", "sendMsgPua", and "sendMsgThreat". | Required |
| message | Message to send for the action. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.AlertAction.action | String | Actions that you can perform on the alert. |
| SophosCentral.AlertAction.alertId | String | Alert ID. |
| SophosCentral.AlertAction.completedAt | Date | Time when the action was completed. |
| SophosCentral.AlertAction.id | String | Alert action ID. |
| SophosCentral.AlertAction.requestedAt | Date | Time when the action was requested. |
| SophosCentral.AlertAction.result | String | The result of the action. |
| SophosCentral.AlertAction.startedAt | Date | Time when the action was started. |
| SophosCentral.AlertAction.status | String | Status of an alert action. |

Command Example#

!sophos-central-alert-action action=clearThreat alert_id=8e879165-81cb-4747-8608-1cc4e630a017 message=testmessage

Context Example#

{
"SophosCentral": {
"AlertAction": {
"action": "clearThreat",
"alertId": "8e879165-81cb-4747-8608-1cc4e630a017",
"completedAt": null,
"id": "c75b1e4d-c62c-4b3a-8ca5-dea658a18c1b",
"requestedAt": "2020-11-25T10:47:14.639Z",
"result": "success",
"startedAt": null,
"status": "requested"
}
}
}

Human Readable Output#

Alerts Acted Against:#

| id | action | alertId | result | requestedAt | status |
| --- | --- | --- | --- | --- | --- |
| c75b1e4d-c62c-4b3a-8ca5-dea658a18c1b | clearThreat | 8e879165-81cb-4747-8608-1cc4e630a017 | success | 2020-11-25T10:47:14.639Z | requested |
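
Each alert's `allowedActions` in the list/get/search context limits which `action` values make sense for it. The Python sketch below is an added example, not part of the integration: it builds one `sophos-central-alert-action` command covering only the alerts that allow the requested action and reports the rest. The function names, the UUID check on IDs and the rule that rejects quotes in `message` are assumptions of this example.

```python
import uuid

# Values documented for the `action` argument of sophos-central-alert-action.
DOCUMENTED_ACTIONS = {
    "acknowledge", "cleanPua", "cleanVirus", "authPua",
    "clearThreat", "clearHmpa", "sendMsgPua", "sendMsgThreat",
}

# Constructed sample, trimmed from the alert-list context example on this page.
SAMPLE_CONTEXT = {
    "SophosCentral": {
        "Alert": [
            {"id": "8e879165-81cb-4747-8608-1cc4e630a017",
             "severity": "high", "allowedActions": ["clearThreat"]},
            {"id": "9641ba6e-3254-4726-962d-b2bc11e04131",
             "severity": "high", "allowedActions": ["clearThreat"]},
            {"id": "ee527ca8-cb54-4e11-b59f-2197910176f3",
             "severity": "medium", "allowedActions": ["acknowledge"]},
        ]
    }
}


def alerts_from_context(context):
    """Normalise SophosCentral.Alert: list (list/search), dict (get) or null."""
    alerts = (context.get("SophosCentral") or {}).get("Alert")
    if alerts is None:
        return []
    if isinstance(alerts, dict):
        return [alerts]
    return list(alerts)


def is_uuid(value):
    """True only for a canonical lowercase-or-uppercase hyphenated UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def plan_alert_action(context, action, message=None):
    """Return (command, skipped).

    command is a War Room command string for the alerts that allow `action`
    (None when no alert qualifies); skipped maps alert ID to the reason it
    was left out.
    """
    if action not in DOCUMENTED_ACTIONS:
        raise ValueError(f"undocumented action: {action!r}")
    eligible, skipped = [], {}
    for alert in alerts_from_context(context):
        alert_id = alert.get("id")
        if not is_uuid(alert_id):
            # Never interpolate an unexpected value into a command string.
            skipped[str(alert_id)] = "id is not a canonical UUID"
        elif action not in (alert.get("allowedActions") or []):
            skipped[alert_id] = f"{action} not in allowedActions"
        else:
            eligible.append(alert_id)
    if not eligible:
        return None, skipped
    command = (
        f"!sophos-central-alert-action action={action} "
        f"alert_id={','.join(eligible)}"
    )
    if message is not None:
        # Assumption of this example: refuse values that would need escaping.
        if '"' in message or "\n" in message:
            raise ValueError("message must not contain quotes or newlines")
        command += f' message="{message}"'
    return command, skipped


if __name__ == "__main__":
    cmd, left_out = plan_alert_action(SAMPLE_CONTEXT, "clearThreat")
    print(cmd)
    print(left_out)
```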

sophos-central-alert-search#


Get alerts matching request.

Base Command#

sophos-central-alert-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_key | Alert group key. | Optional |
| start | Time on which or after the alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ). | Optional |
| end | Time before which alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ). | Optional |
| date_range | The date range in which to search from the current time instead of a start/end time in the format (<number> <time unit>, e.g., 12 hours, 7 days). date_range will overwrite the start and end arguments if defined. | Optional |
| product | Alerts for a product(s). Possible values are: "other", "endpoint", "server", "mobile", "encryption", "emailGateway", "webGateway", "phishThreat", "wireless", "iaas", and "firewall". | Optional |
| category | Alert category(s). | Optional |
| severity | Alerts for a specific severity level(s). Possible values are: "high", "medium", and "low". | Optional |
| ids | List of IDs. | Optional |
| limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
| SophosCentral.Alert.category | String | Alert category. |
| SophosCentral.Alert.description | String | Alert description. |
| SophosCentral.Alert.groupKey | String | Alert group key. |
| SophosCentral.Alert.id | String | The alert ID. |
| SophosCentral.Alert.managedAgentId | String | The alert source ID. |
| SophosCentral.Alert.managedAgentName | String | The alert source name. |
| SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
| SophosCentral.Alert.person | String | The ID of the referenced person object. |
| SophosCentral.Alert.personName | String | The name of the referenced person object. |
| SophosCentral.Alert.product | String | Product type. |
| SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
| SophosCentral.Alert.severity | String | Severity level for the alert. |
| SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
| SophosCentral.Alert.tenantName | String | Tenant name. |
| SophosCentral.Alert.type | String | Alert type. |

Command Example#

!sophos-central-alert-search category=general product=endpoint

Context Example#

{
"SophosCentral": {
"Alert": null
}
}

Human Readable Output#

Found Alerts:#

No entries. Results on this page: 0. Maximum number of results allowed in a page: 100

sophos-central-endpoint-list#


List all endpoints for a tenant.

Base Command#

sophos-central-endpoint-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| health_status | Match endpoints that have any of the specified health statuses. Possible values are: "bad", "good", "suspicious", and "unknown". | Optional |
| endpoint_type | Match endpoints that have any of the specified endpoint types. Possible values are: "computer", "server", and "securityVm". | Optional |
| tamper_protection_enabled | Whether tamper protection is enabled. Possible values are: "true" and "false". | Optional |
| lockdown_status | Match endpoints that have any of the specified lockdown statuses. Possible values are: "creatingWhitelist", "installing", "locked", "notInstalled", "registering", "starting", "stopping", "unavailable", "uninstalled", and "unlocked". | Optional |
| last_seen_before | The datetime before which the endpoints were last seen (UTC). | Optional |
| last_seen_after | The datetime on or after which the endpoints were last seen (UTC). | Optional |
| ids | List of IDs. | Optional |
| view | Type of view to be returned in the response. Possible values are: "basic", "summary", and "full". | Optional |
| limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Endpoint.assignedProductCodes | String | Code of a product assigned to the endpoint. |
| SophosCentral.Endpoint.associatedPersonId | String | The unique ID for the person associated with the endpoint. |
| SophosCentral.Endpoint.associatedPersonName | String | Name of the person associated with the endpoint. |
| SophosCentral.Endpoint.associatedPersonViaLogin | String | The login of the person associated with the endpoint. |
| SophosCentral.Endpoint.groupId | String | The unique ID for the endpoint group. |
| SophosCentral.Endpoint.groupName | String | Endpoint group name. |
| SophosCentral.Endpoint.hostname | String | The hostname of the endpoint. |
| SophosCentral.Endpoint.id | String | The unique ID for the endpoint. |
| SophosCentral.Endpoint.health | String | Health status of the endpoint. |
| SophosCentral.Endpoint.ipv4Addresses | String | IPv4 address of the endpoint. |
| SophosCentral.Endpoint.ipv6Addresses | String | IPv6 address of the endpoint. |
| SophosCentral.Endpoint.macAddresses | String | MAC address of the endpoint. |
| SophosCentral.Endpoint.osBuild | String | Operating system build. |
| SophosCentral.Endpoint.osIsServer | Boolean | Whether the operating system is a server operating system. |
| SophosCentral.Endpoint.osName | String | Operating system name as reported by the endpoint. |
| SophosCentral.Endpoint.osPlatform | String | Operating system platform type. |
| SophosCentral.Endpoint.tamperProtectionEnabled | Boolean | Whether tamper protection is enabled. |
| SophosCentral.Endpoint.type | String | The endpoint type. |
| SophosCentral.Endpoint.online | Boolean | Whether the endpoint is online. |

Command Example#

!sophos-central-endpoint-list

Context Example#

{
"SophosCentral": {
"Endpoint": [
{
"assignedProductCodes": [
"endpointProtection",
"coreAgent"
],
"associatedPersonId": null,
"associatedPersonName": null,
"associatedPersonViaLogin": "THUNDERBOX\\JonDoe",
"health": "bad",
"hostname": "Thunderbox",
"id": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"ipv4Addresses": [
"1.1.1.1"
],
"ipv6Addresses": [
"fe80::9905:5b42:6605:5e93"
],
"macAddresses": [
"00:00:00:B0:00:BA"
],
"online": null,
"osBuild": 18363,
"osIsServer": false,
"osName": "Windows 10 Pro",
"osPlatform": "windows",
"tamperProtectionEnabled": false,
"type": "computer"
},
{
"assignedProductCodes": [
"coreAgent",
"endpointProtection"
],
"associatedPersonId": null,
"associatedPersonName": null,
"associatedPersonViaLogin": "WIN-CEAESQ7V08E\\Administrator",
"health": "good",
"hostname": "WIN-CEAESQ7V08E",
"id": "a24b74a2-68e3-4fa5-8119-95744e0ab421",
"ipv4Addresses": [
"1.1.1.1"
],
"ipv6Addresses": [
"fe80::9905:5b42:6605:5e93"
],
"macAddresses": [
"00:00:00:B0:00:BA"
],
"online": null,
"osBuild": 17763,
"osIsServer": true,
"osName": "Windows Server 2019 Standard Evaluation",
"osPlatform": "windows",
"tamperProtectionEnabled": false,
"type": "server"
}
]
}
}

Human Readable Output#

Listed Endpoints:#

| id | hostname | ipv4Addresses | ipv6Addresses | macAddresses | type | tamperProtectionEnabled |
| --- | --- | --- | --- | --- | --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | Thunderbox | 1.1.1.1 | fe80::9905:5b42:6605:5e93 | 00:00:00:B0:00:BA | computer | false |
| a24b74a2-68e3-4fa5-8119-95744e0ab421 | WIN-CEAESQ7V08E | 1.1.1.1 | fe80::9905:5b42:6605:5e93 | 00:00:00:B0:00:BA | server | false |

Results on this page: 2. Maximum number of results allowed in a page: 500

sophos-central-endpoint-scan#


Scan endpoints of a tenant.

Base Command#

sophos-central-endpoint-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The endpoint ID(s). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointScan.id | String | Identifies a request to perform or configure the endpoint scan. |
| SophosCentral.EndpointScan.requestedAt | Date | Time when the scan was requested. |
| SophosCentral.EndpointScan.status | String | The status of an endpoint scan. |

Command Example#

!sophos-central-endpoint-scan endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b

Context Example#

{
"SophosCentral": {
"EndpointScan": {
"id": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"requestedAt": "2020-11-25T10:47:20.343Z",
"status": "requested"
}
}
}

Human Readable Output#

Scanning Endpoints:#

| id | status | requestedAt |
| --- | --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | requested | 2020-11-25T10:47:20.343Z |

sophos-central-endpoint-tamper-get#


Get tamper protection information for one or more endpoints. Potentially harmful because of the password.

Base Command#

sophos-central-endpoint-tamper-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The endpoint ID(s). | Required |
| get_password | Whether to return the tamper protection password. Possible values are: "true" and "false". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointTamper.endpointId | String | ID of the endpoint in regards to the tamper settings. |
| SophosCentral.EndpointTamper.enabled | String | Whether tamper protection should be turned on for the endpoint. |
| SophosCentral.EndpointTamper.password | String | Current tamper protection password. |

Command Example#

!sophos-central-endpoint-tamper-get endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b

Context Example#

{
"SophosCentral": {
"EndpointTamper": {
"enabled": false,
"endpointId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"password": null
}
}
}

Human Readable Output#

Listed Endpoints Tamper Protection:#

| endpointId | enabled |
| --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | false |

sophos-central-endpoint-tamper-update#


Update tamper protection information for one or more endpoints. Potentially harmful because of the password.

Base Command#

sophos-central-endpoint-tamper-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The endpoint ID(s). | Required |
| enabled | Whether tamper protection should be turned on for the endpoint. Possible values are: "true" and "false". | Required |
| get_password | Whether to return the tamper protection password. Possible values are: "true" and "false". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointTamper.endpointId | String | ID of the endpoint in regards to the tamper settings. |
| SophosCentral.EndpointTamper.enabled | String | Whether tamper protection should be turned on for the endpoint. |
| SophosCentral.EndpointTamper.password | String | Current tamper protection password. |

Command Example#

!sophos-central-endpoint-tamper-update enabled=true endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b

Context Example#

{
"SophosCentral": {
"EndpointTamper": {
"enabled": true,
"endpointId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"password": null
}
}
}

Human Readable Output#

Updated Endpoints Tamper Protection:#

| endpointId | enabled |
| --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | true |

sophos-central-allowed-item-list#


List all allowed items.

Base Command#

sophos-central-allowed-item-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | Page number to return. Default is "1". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-allowed-item-list page=1 page_size=50

Context Example#

{
"SophosCentral": {
"AllowedItem": [
{
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-25T10:19:37.608Z",
"fileName": null,
"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",
"path": "/root/helloaworld/1/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:19:37.608Z"
},
{
"certificateSigner": "notme",
"comment": "fordemo",
"createdAt": "2020-11-10T12:10:49.384Z",
"fileName": null,
"id": "718e991d-a99f-4193-b263-4eeebcac46fe",
"path": null,
"sha256": null,
"type": "certificateSigner",
"updatedAt": "2020-11-10T12:10:49.384Z"
},
{
"certificateSigner": null,
"comment": "Test-Noam",
"createdAt": "2020-11-08T14:00:18.574Z",
"fileName": null,
"id": "f047c584-949a-4a59-aebd-9999ce323c1d",
"path": "c:\\test2.exe",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-08T14:00:18.574Z"
},
{
"certificateSigner": null,
"comment": "Test",
"createdAt": "2020-11-08T10:44:39.279Z",
"fileName": null,
"id": "345b4588-b843-45b1-9319-e529ddd741e6",
"path": "c:\\1.txt",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-08T10:58:14.622Z"
},
{
"certificateSigner": "hello",
"comment": "chaaned",
"createdAt": "2020-11-03T10:14:25.914Z",
"fileName": null,
"id": "6a2e26fb-6eb4-42ff-8201-6f7051757595",
"path": null,
"sha256": null,
"type": "certificateSigner",
"updatedAt": "2020-11-03T10:15:32.819Z"
},
{
"certificateSigner": null,
"comment": "chaaned",
"createdAt": "2020-11-03T09:13:04.380Z",
"fileName": null,
"id": "2f804138-9632-4500-a13f-33342868e434",
"path": "root/hello/worldrsaard",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-03T10:15:08.159Z"
},
{
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-01T13:26:03.890Z",
"fileName": null,
"id": "73e555e9-3eee-42e1-879e-65d5ba968236",
"path": "/root/helloaworld/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-01T13:26:03.890Z"
},
{
"certificateSigner": null,
"comment": "hello world",
"createdAt": "2020-11-01T11:50:02.567Z",
"fileName": null,
"id": "595b2e6d-36b3-45bd-b94f-99a98a0a53f7",
"path": "/root/helloaworld",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-01T11:50:02.567Z"
},
{
"certificateSigner": null,
"comment": "helloworld",
"createdAt": "2020-11-01T11:00:47.441Z",
"fileName": null,
"id": "3533f7be-5064-44b6-9579-e4d7fa542444",
"path": "/root/what",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-01T11:00:47.441Z"
},
{
"certificateSigner": null,
"comment": "bad comment",
"createdAt": "2020-11-01T10:48:49.312Z",
"fileName": "zxdfzd",
"id": "85465c57-e598-4c8b-9c08-093c6f5eb239",
"path": "/root/hello/word",
"sha256": "C6F4DB9B3191E6E693CE938BD74FAB37AEE71372C8B034F5040362D8C69E4DE5",
"type": "path",
"updatedAt": "2020-11-01T10:48:49.312Z"
},
{
"certificateSigner": "xcvxcv",
"comment": "bad comment",
"createdAt": "2020-11-01T10:47:24.473Z",
"fileName": "xzcvxz",
"id": "cffaaae7-0b3a-4ec7-84a4-fee88d297abc",
"path": "/root",
"sha256": null,
"type": "certificateSigner",
"updatedAt": "2020-11-01T10:47:24.473Z"
},
{
"certificateSigner": null,
"comment": "changedcomment",
"createdAt": "2020-10-29T13:31:40.963Z",
"fileName": null,
"id": "c598b3b5-c9d9-4ff2-af9b-4d656deaa4f7",
"path": "/root/hello",
"sha256": null,
"type": "path",
"updatedAt": "2020-10-29T13:32:41.421Z"
},
{
"comment": "uh",
"createdAt": "2020-10-28T13:57:53.235Z",
"id": "41a56d0d-5272-4be4-92dc-1c2dd42c218a",
"type": "path",
"updatedAt": "2020-10-28T13:58:07.906Z"
}
]
}
}

Human Readable Output#

Listed Allowed Items:#

| id | comment | fileName | sha256 | path | certificateSigner | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | hello world1 |  |  | /root/helloaworld/1/1 |  | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:19:37.608Z |
| 718e991d-a99f-4193-b263-4eeebcac46fe | fordemo |  |  |  | notme | 2020-11-10T12:10:49.384Z | certificateSigner | 2020-11-10T12:10:49.384Z |
| f047c584-949a-4a59-aebd-9999ce323c1d | Test-Noam |  |  | c:\test2.exe |  | 2020-11-08T14:00:18.574Z | path | 2020-11-08T14:00:18.574Z |
| 345b4588-b843-45b1-9319-e529ddd741e6 | Test |  |  | c:\1.txt |  | 2020-11-08T10:44:39.279Z | path | 2020-11-08T10:58:14.622Z |
| 6a2e26fb-6eb4-42ff-8201-6f7051757595 | chaaned |  |  |  | hello | 2020-11-03T10:14:25.914Z | certificateSigner | 2020-11-03T10:15:32.819Z |
| 2f804138-9632-4500-a13f-33342868e434 | chaaned |  |  | root/hello/worldrsaard |  | 2020-11-03T09:13:04.380Z | path | 2020-11-03T10:15:08.159Z |
| 73e555e9-3eee-42e1-879e-65d5ba968236 | hello world1 |  |  | /root/helloaworld/1 |  | 2020-11-01T13:26:03.890Z | path | 2020-11-01T13:26:03.890Z |
| 595b2e6d-36b3-45bd-b94f-99a98a0a53f7 | hello world |  |  | /root/helloaworld |  | 2020-11-01T11:50:02.567Z | path | 2020-11-01T11:50:02.567Z |
| 3533f7be-5064-44b6-9579-e4d7fa542444 | helloworld |  |  | /root/what |  | 2020-11-01T11:00:47.441Z | path | 2020-11-01T11:00:47.441Z |
| 85465c57-e598-4c8b-9c08-093c6f5eb239 | bad comment | zxdfzd | C6F4DB9B3191E6E693CE938BD74FAB37AEE71372C8B034F5040362D8C69E4DE5 | /root/hello/word |  | 2020-11-01T10:48:49.312Z | path | 2020-11-01T10:48:49.312Z |
| cffaaae7-0b3a-4ec7-84a4-fee88d297abc | bad comment | xzcvxz |  | /root | xcvxcv | 2020-11-01T10:47:24.473Z | certificateSigner | 2020-11-01T10:47:24.473Z |
| c598b3b5-c9d9-4ff2-af9b-4d656deaa4f7 | changedcomment |  |  | /root/hello |  | 2020-10-29T13:31:40.963Z | path | 2020-10-29T13:32:41.421Z |
| 41a56d0d-5272-4be4-92dc-1c2dd42c218a | uh |  |  |  |  | 2020-10-28T13:57:53.235Z | path | 2020-10-28T13:58:07.906Z |

Current page: 1. Results on this page: 13. Maximum number of results allowed in a page: 100.

sophos-central-allowed-item-get#


Get a single allowed item by ID.

Base Command#

sophos-central-allowed-item-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| allowed_item_id | The ID of the allowed item. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-allowed-item-get allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

Context Example#

{
"SophosCentral": {
"AllowedItem": {
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-25T10:19:37.608Z",
"fileName": null,
"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",
"path": "/root/helloaworld/1/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:19:37.608Z"
}
}
}

Human Readable Output#

Found Allowed Item:#

| id | comment | path | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- |
| b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | hello world1 | /root/helloaworld/1/1 | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:19:37.608Z |

sophos-central-allowed-item-add#


Add a new allowed item.

Base Command#

sophos-central-allowed-item-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | Comment indicating why the item should be allowed. | Required |
| certificate_signer | The value saved for the certificateSigner. | Optional |
| file_name | The file name. | Optional |
| path | The path for the application. | Optional |
| sha256 | The SHA256 value for the application. | Optional |
| item_type | The property by which an item is allowed. Note that the specified item type requires the matching argument filled. For example, the item type "path" requires the path argument. Possible values are: "path", "sha256", and "certificateSigner". | Required |
| origin_endpoint_id | The endpoint where the item to be allowed was last seen. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-allowed-item-add comment="hello world1" item_type=path path=/root/helloaworld/12

Context Example#

{
"SophosCentral": {
"AllowedItem": {
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-25T10:47:32.082Z",
"fileName": null,
"id": "c68f1abc-986d-43eb-b050-d9113959207a",
"path": "/root/helloaworld/12",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:47:32.082Z"
}
}
}

Human Readable Output#

Added Allowed Item:#

| id | comment | path | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- |
| c68f1abc-986d-43eb-b050-d9113959207a | hello world1 | /root/helloaworld/12 | 2020-11-25T10:47:32.082Z | path | 2020-11-25T10:47:32.082Z |
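
The `item_type` rule above (the chosen type needs its matching argument filled) can be checked before calling `sophos-central-allowed-item-add`, and the same check can audit what `sophos-central-allowed-item-list` returns. This Python sketch is an added example, not part of the integration; the function names and the wording of the findings are assumptions. It also notes fields that are populated but do not match `type`, on the assumption, taken from the field description, that only `type` names the property by which the item is allowed.

```python
import re

# Documented item_type values, each mapped to the field that must be filled.
MATCHING_FIELD = {
    "path": "path",
    "sha256": "sha256",
    "certificateSigner": "certificateSigner",
}
SHA256_RE = re.compile(r"[0-9A-Fa-f]{64}")

# Constructed sample: four entries copied from the allowed-item-list
# context example on this page, trimmed to the fields the check reads.
SAMPLE_CONTEXT = {
    "SophosCentral": {
        "AllowedItem": [
            {"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c", "type": "path",
             "comment": "hello world1", "path": "/root/helloaworld/1/1",
             "sha256": None, "certificateSigner": None},
            {"id": "718e991d-a99f-4193-b263-4eeebcac46fe",
             "type": "certificateSigner", "comment": "fordemo",
             "path": None, "sha256": None, "certificateSigner": "notme"},
            {"id": "85465c57-e598-4c8b-9c08-093c6f5eb239", "type": "path",
             "comment": "bad comment", "path": "/root/hello/word",
             "sha256": "C6F4DB9B3191E6E693CE938BD74FAB37"
                       "AEE71372C8B034F5040362D8C69E4DE5",
             "certificateSigner": None},
            {"id": "41a56d0d-5272-4be4-92dc-1c2dd42c218a", "type": "path",
             "comment": "uh"},
        ]
    }
}


def check_allowed_item(item):
    """Return a list of findings for one AllowedItem dict (empty = consistent)."""
    item_type = item.get("type")
    if item_type not in MATCHING_FIELD:
        return [f"unknown type {item_type!r}"]
    findings = []
    required = MATCHING_FIELD[item_type]
    if not item.get(required):
        findings.append(f"type {item_type!r} but {required!r} is empty")
    # A populated field that is not the matching one can make an entry look
    # narrower than it is, for example a path rule that also shows a hash.
    for other in MATCHING_FIELD.values():
        if other != required and item.get(other):
            findings.append(f"{other} is set but the item is allowed by {item_type}")
    sha256 = item.get("sha256")
    if sha256 and not SHA256_RE.fullmatch(sha256):
        findings.append("sha256 is not 64 hex characters")
    if not (item.get("comment") or "").strip():
        findings.append("comment is empty")
    return findings


def check_add_arguments(comment, item_type, path=None, sha256=None,
                        certificate_signer=None):
    """Apply the same check to allowed-item-add arguments before running it."""
    return check_allowed_item({
        "comment": comment, "type": item_type, "path": path,
        "sha256": sha256, "certificateSigner": certificate_signer,
    })


def audit_allowed_items(context):
    """Map item ID -> findings for every inconsistent item in the context."""
    items = (context.get("SophosCentral") or {}).get("AllowedItem") or []
    if isinstance(items, dict):  # allowed-item-get returns a single object
        items = [items]
    report = {}
    for item in items:
        findings = check_allowed_item(item)
        if findings:
            report[item.get("id")] = findings
    return report


if __name__ == "__main__":
    for item_id, findings in audit_allowed_items(SAMPLE_CONTEXT).items():
        print(item_id, findings)
```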

sophos-central-allowed-item-update#


Update an existing allowed item.

Base Command#

sophos-central-allowed-item-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| allowed_item_id | The allowed item ID. | Required |
| comment | Comment indicating why the item should be allowed. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-allowed-item-update allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c comment=changedcomment

Context Example#

{
"SophosCentral": {
"AllowedItem": {
"certificateSigner": null,
"comment": "changedcomment",
"createdAt": "2020-11-25T10:19:37.608Z",
"fileName": null,
"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",
"path": "/root/helloaworld/1/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:47:39.104Z"
}
}
}

Human Readable Output#

Updated Allowed Item:#

| id | comment | path | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- |
| b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | changedcomment | /root/helloaworld/1/1 | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:47:39.104Z |

sophos-central-allowed-item-delete#


Delete an existing allowed item.

Base Command#

sophos-central-allowed-item-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| allowed_item_id | The allowed item ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedAllowedItem.deletedItemId | String | The ID of the deleted item. |

Command Example#

!sophos-central-allowed-item-delete allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

Context Example#

{
"SophosCentral": {
"DeletedAllowedItem": {
"deletedItemId": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c"
}
}
}

Human Readable Output#

Success deleting allowed item: b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

sophos-central-blocked-item-list#


Get all blocked items.

Base Command#

sophos-central-blocked-item-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | Page number to return. Default is "1". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.BlockedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.BlockedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.BlockedItem.fileName | String | The file name. |
| SophosCentral.BlockedItem.path | String | The path for the application. |
| SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.BlockedItem.type | String | The property by which an item is allowed. |
| SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-blocked-item-list page=1 page_size=50

Context Example#

{
"SophosCentral": {
"BlockedItem": [
{
"certificateSigner": null,
"comment": "hello 2world",
"createdAt": "2020-11-25T10:19:54.523Z",
"fileName": null,
"id": "9b44086b-95bd-43e5-b84b-82b91725f02b",
"path": null,
"sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1",
"type": "sha256",
"updatedAt": null
},
{
"certificateSigner": null,
"comment": "hello world",
"createdAt": "2020-11-01T12:55:47.476Z",
"fileName": null,
"id": "fd0f08db-966b-4979-8cbb-876a2bbd29c9",
"path": null,
"sha256": "c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4",
"type": "sha256",
"updatedAt": null
},
{
"certificateSigner": null,
"comment": "It's just a test",
"createdAt": "2020-11-01T10:22:55.556Z",
"fileName": null,
"id": "f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994",
"path": null,
"sha256": "b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af",
"type": "sha256",
"updatedAt": null
}
]
}
}

Human Readable Output#

Listed Blocked Items:#

| id | comment | sha256 | createdAt | type |
| --- | --- | --- | --- | --- |
| 9b44086b-95bd-43e5-b84b-82b91725f02b | hello 2world | c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1 | 2020-11-25T10:19:54.523Z | sha256 |
| fd0f08db-966b-4979-8cbb-876a2bbd29c9 | hello world | c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4 | 2020-11-01T12:55:47.476Z | sha256 |
| f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994 | It's just a test | b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af | 2020-11-01T10:22:55.556Z | sha256 |

Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.

sophos-central-blocked-item-get#


Get a single blocked item by ID.

Base Command#

sophos-central-blocked-item-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| blocked_item_id | The blocked item ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.BlockedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.BlockedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.BlockedItem.fileName | String | The file name. |
| SophosCentral.BlockedItem.path | String | The path for the application. |
| SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.BlockedItem.type | String | The property by which an item is allowed. |
| SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-blocked-item-get blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b

Context Example#

{
"SophosCentral": {
"BlockedItem": {
"certificateSigner": null,
"comment": "hello 2world",
"createdAt": "2020-11-25T10:19:54.523Z",
"fileName": null,
"id": "9b44086b-95bd-43e5-b84b-82b91725f02b",
"path": null,
"sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1",
"type": "sha256",
"updatedAt": null
}
}
}

Human Readable Output#

Found Blocked Item:#

| id | comment | sha256 | createdAt | type |
| --- | --- | --- | --- | --- |
| 9b44086b-95bd-43e5-b84b-82b91725f02b | hello 2world | c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1 | 2020-11-25T10:19:54.523Z | sha256 |

sophos-central-blocked-item-add#


Add a new blocked item.

Base Command#

sophos-central-blocked-item-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | Comment indicating why the item should be blocked. | Required |
| certificate_signer | The value saved for the certificateSigner. | Optional |
| file_name | The file name. | Optional |
| path | The path for the application. | Optional |
| sha256 | The SHA256 value for the application. | Required |
| item_type | The property by which an item is blocked. Possible value is sha256. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.BlockedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.BlockedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.BlockedItem.fileName | String | The file name. |
| SophosCentral.BlockedItem.path | String | The path for the application. |
| SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.BlockedItem.type | String | The property by which an item is allowed. |
| SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-blocked-item-add comment="hello 2world" item_type=sha256 sha256=CAF4DB9B3191E6E693CE938BD74FAB37AEE71372C8A034F5040362D8C69E4DE4

Context Example#

{
"SophosCentral": {
"BlockedItem": {
"certificateSigner": null,
"comment": "hello 2world",
"createdAt": "2020-11-25T10:47:46.428Z",
"fileName": null,
"id": "9535be44-40f3-4704-94df-6afa1e563f9c",
"path": null,
"sha256": "caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4",
"type": "sha256",
"updatedAt": null
}
}
}

Human Readable Output#

Added Blocked Item:#

| id | comment | sha256 | createdAt | type |
| --- | --- | --- | --- | --- |
| 9535be44-40f3-4704-94df-6afa1e563f9c | hello 2world | caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4 | 2020-11-25T10:47:46.428Z | sha256 |
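
An added example, not part of the integration: a pre-flight step that turns a batch of candidate hashes into argument sets for sophos-central-blocked-item-add, comparing in lower case because the example above submits an upper-case SHA256 and gets it back lower-cased. The function name, the result keys, the comment text and the allowed entry are assumptions of this sketch; the other hashes are the ones shown in this page's examples.

```python
import re

SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Two entries copied from the sophos-central-blocked-item-list example on this page.
SAMPLE_BLOCKED = [
    {"id": "9b44086b-95bd-43e5-b84b-82b91725f02b", "type": "sha256",
     "sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1"},
    {"id": "f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994", "type": "sha256",
     "sha256": "b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af"},
]
# Constructed allowed item (the page's allowed examples are path-based, sha256 null).
SAMPLE_ALLOWED = [{"id": "constructed-allowed-item", "type": "sha256",
                   "sha256": "ab" * 32}]
# Candidate batch: the first value is the one used in the command example above,
# the rest are constructed variations.
SAMPLE_CANDIDATES = [
    "CAF4DB9B3191E6E693CE938BD74FAB37AEE71372C8A034F5040362D8C69E4DE4",
    " c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1\n",
    "caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4",
    "d41d8cd98f00b204e9800998ecf8427e",   # 32 hex characters: MD5 length, not SHA256
    "AB" * 32,
]


def _known_hashes(items):
    """Lower-cased sha256 values from AllowedItem/BlockedItem context entries."""
    return {i["sha256"].lower() for i in (items or []) if i.get("sha256")}


def plan_blocked_items(candidates, comment, blocked_items=None, allowed_items=None):
    """Sort candidate hashes into what to add and what needs a human decision."""
    if not comment or not comment.strip():
        raise ValueError("comment is a required argument of blocked-item-add")
    blocked = _known_hashes(blocked_items)
    allowed = _known_hashes(allowed_items)
    plan = {"add": [], "already_blocked": [], "allowed_conflict": [], "invalid": []}
    seen = set()
    for raw in candidates:
        digest = (raw or "").strip().lower()
        if not SHA256_RE.fullmatch(digest):
            plan["invalid"].append(raw)          # keep the raw value for the analyst
            continue
        if digest in seen:                       # duplicate inside this batch
            continue
        seen.add(digest)
        if digest in blocked:
            plan["already_blocked"].append(digest)
        elif digest in allowed:
            # Same hash on the allow list: do not block automatically.
            plan["allowed_conflict"].append(digest)
        else:
            plan["add"].append({"comment": comment.strip(),
                                "item_type": "sha256",
                                "sha256": digest})
    return plan


def demo():
    return plan_blocked_items(SAMPLE_CANDIDATES, "constructed ticket reference",
                              SAMPLE_BLOCKED, SAMPLE_ALLOWED)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket, entries)
```

Each entry under "add" carries exactly the three required arguments of the command; entries under "allowed_conflict" are left for review rather than submitted.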

sophos-central-blocked-item-delete#


Delete an existing blocked item.

Base Command#

sophos-central-blocked-item-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| blocked_item_id | The blocked item ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedBlockedItem.deletedItemId | String | The ID of the deleted item. |

Command Example#

!sophos-central-blocked-item-delete blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b

Context Example#

{
"SophosCentral": {
"DeletedBlockedItem": {
"deletedItemId": "9b44086b-95bd-43e5-b84b-82b91725f02b"
}
}
}

Human Readable Output#

Success deleting blocked item: 9b44086b-95bd-43e5-b84b-82b91725f02b

sophos-central-scan-exclusion-list#


List all scan exclusions.

Base Command#

sophos-central-scan-exclusion-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_type | Scan exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral". | Optional |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | The page number to fetch. Default is "1". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-list

Context Example#

{
"SophosCentral": {
"ScanExclusion": [
{
"comment": "Sophos temporary exclusion see KBA 133945",
"description": "Sophos temporary exclusion see KBA 133945",
"id": "369b0956-a7b6-44fc-b1cc-bd7b3279c663",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "%programfiles(x86)%\\Sophos\\Sophos Anti-Virus\\"
},
{
"comment": null,
"description": null,
"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "testpathhzh"
},
{
"comment": "changed before demo",
"description": null,
"id": "16bac29f-17a4-4c3a-9370-8c5968c5ac7d",
"scanMode": "onAccess",
"type": "process",
"value": "changedvirus.exe"
}
]
}
}

Human Readable Output#

Listed Scan Exclusions:#

| id | value | type | description | comment | scanMode |
| --- | --- | --- | --- | --- | --- |
| 369b0956-a7b6-44fc-b1cc-bd7b3279c663 | %programfiles(x86)%\Sophos\Sophos Anti-Virus\ | path | Sophos temporary exclusion see KBA 133945 | Sophos temporary exclusion see KBA 133945 | onDemandAndOnAccess |
| 6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | | | onDemandAndOnAccess |
| 16bac29f-17a4-4c3a-9370-8c5968c5ac7d | changedvirus.exe | process | | changed before demo | onAccess |

Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.
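
An added example, not part of the integration: a review pass over the SophosCentral.ScanExclusion context that flags entries an analyst should look at before they stay in policy. The finding names and the rules behind them are assumptions of this sketch, apart from the scan-mode rule, which follows the scanMode description above; the sample input is the context example above.

```python
import json
import re

# Context output copied from this page's sophos-central-scan-exclusion-list example.
SAMPLE_CONTEXT = json.loads(r'''
{"SophosCentral": {"ScanExclusion": [
  {"comment": "Sophos temporary exclusion see KBA 133945",
   "description": "Sophos temporary exclusion see KBA 133945",
   "id": "369b0956-a7b6-44fc-b1cc-bd7b3279c663",
   "scanMode": "onDemandAndOnAccess", "type": "path",
   "value": "%programfiles(x86)%\\Sophos\\Sophos Anti-Virus\\"},
  {"comment": null, "description": null,
   "id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",
   "scanMode": "onDemandAndOnAccess", "type": "path",
   "value": "testpathhzh"},
  {"comment": "changed before demo", "description": null,
   "id": "16bac29f-17a4-4c3a-9370-8c5968c5ac7d",
   "scanMode": "onAccess", "type": "process",
   "value": "changedvirus.exe"}
]}}
''')

PATH_TYPES = {"path", "posixPath", "virtualPath"}
# Per the scanMode description on this page, these types do not support a scan mode.
NO_SCAN_MODE_TYPES = {"behavioral", "exploitMitigation"}
# A value counts as anchored when it starts with a drive letter, a UNC prefix,
# a POSIX root, or an expansion variable such as %programfiles(x86)% or $desktop.
ANCHORED = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/|%[^%]+%|\$[A-Za-z])")


def audit_exclusion(item):
    """Return the list of review findings for one ScanExclusion entry."""
    findings = []
    value = item.get("value") or ""
    kind = item.get("type")
    if not (item.get("comment") or "").strip():
        findings.append("NO_COMMENT")            # nobody recorded why it exists
    if kind in PATH_TYPES:
        if not ANCHORED.match(value):
            findings.append("UNANCHORED_PATH")   # not tied to a known location
        if value.endswith(("\\", "/")):
            findings.append("WHOLE_DIRECTORY")   # covers everything below it
    elif kind == "process" and not re.search(r"[\\/]", value):
        findings.append("PROCESS_BY_BARE_NAME")  # file name only, no directory
    if kind in NO_SCAN_MODE_TYPES and item.get("scanMode"):
        findings.append("UNEXPECTED_SCAN_MODE")
    return findings


def audit_context(context):
    """Map exclusion ID -> findings, for entries that have at least one."""
    items = ((context or {}).get("SophosCentral") or {}).get("ScanExclusion") or []
    if isinstance(items, dict):                  # the -get command returns one object
        items = [items]
    report = {}
    for item in items:
        findings = audit_exclusion(item)
        if findings:
            report[item.get("id")] = findings
    return report


if __name__ == "__main__":
    for exclusion_id, findings in audit_context(SAMPLE_CONTEXT).items():
        print(exclusion_id, ", ".join(findings))
```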

sophos-central-scan-exclusion-get#


Get a single scan exclusion by ID.

Base Command#

sophos-central-scan-exclusion-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_id | The exclusion ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-get exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example#

{
"SophosCentral": {
"ScanExclusion": {
"comment": null,
"description": null,
"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "testpathhzh"
}
}
}

Human Readable Output#

Found Scan Exclusion:#

| id | value | type | scanMode |
| --- | --- | --- | --- |
| 6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-add#


Add a new scan exclusion.

Base Command#

sophos-central-scan-exclusion-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | A comment indicating why the exclusion was created. | Optional |
| scan_mode | The scan mode. Possible values are: "onDemand", "onAccess", and "onDemandAndOnAccess". Default is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. | Optional |
| exclusion_type | The scanning exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral". | Required |
| value | The exclusion value. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-add exclusion_type=path value=avsdfasdfaa

Context Example#

{
"SophosCentral": {
"ScanExclusion": {
"comment": null,
"description": null,
"id": "be7b05bf-368b-4621-8131-0776486e1c7b",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "avsdfasdfaa"
}
}
}

Human Readable Output#

Added Scan Exclusion:#

| id | value | type | scanMode |
| --- | --- | --- | --- |
| be7b05bf-368b-4621-8131-0776486e1c7b | avsdfasdfaa | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-update#


Update an existing scan exclusion.

Base Command#

sophos-central-scan-exclusion-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | A comment indicating why the exclusion was created. | Optional |
| scan_mode | The default value of scan mode is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. | Optional |
| exclusion_id | The exclusion ID. | Required |
| value | The exclusion value. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-update exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example#

{
"SophosCentral": {
"ScanExclusion": {
"comment": null,
"description": null,
"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "testpathhzh"
}
}
}

Human Readable Output#

Updated Scan Exclusion:#

| id | value | type | scanMode |
| --- | --- | --- | --- |
| 6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-delete#


Delete an existing scan exclusion.

Base Command#

sophos-central-scan-exclusion-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_id | The exclusion ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedScanExclusion.deletedExclusionId | String | The ID of the deleted exclusion. |

Command Example#

!sophos-central-scan-exclusion-delete exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example#

{
"SophosCentral": {
"DeletedScanExclusion": {
"deletedExclusionId": "6868151e-4eac-4d0a-8985-5db9bff9d6f2"
}
}
}

Human Readable Output#

Success deleting scan exclusion: 6868151e-4eac-4d0a-8985-5db9bff9d6f2

sophos-central-exploit-mitigation-list#


List exploit mitigation settings for all protected applications.

Base Command#

sophos-central-exploit-mitigation-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_type | Exploit mitigation type. Possible values are: "detected" and "custom". | Optional |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | The page number to fetch. Default is "1". | Optional |
| modified | Whether the Exploit Mitigation application has been customized. Possible values are: "true" and "false". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-list

Context Example#

{
"SophosCentral": {
"ExploitMitigation": [
{
"category": "other",
"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",
"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",
"paths": [
"newnewnewnewnew"
],
"type": "custom"
},
{
"category": "browsers",
"id": "06aefe81-7f83-4768-9cec-59d86d7ee133",
"name": "Firefox",
"paths": [
"$programfiles\\Mozilla Firefox\\firefox.exe"
],
"type": "detected"
},
{
"category": "browsers",
"id": "b07c6cd2-ee1b-4cf4-8bd2-d3be05e461cf",
"name": "Google Chrome",
"paths": [
"$programfiles\\Google\\Chrome\\Application\\chrome.exe"
],
"type": "detected"
},
{
"category": "browsers",
"id": "df7c2b63-dda4-4dc4-a12d-471cad799dbd",
"name": "Internet Explorer",
"paths": [
"$programfiles\\Internet Explorer\\iexplore.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "f5d5ba2d-d905-4e7b-b3b7-abb0f30f38b3",
"name": "Java(TM) Platform SE binary",
"paths": [
"$programfiles\\java\\jre1.8.0_271\\bin\\java.exe",
"$programfiles\\java\\jre1.8.0_271\\bin\\javaw.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "9ddf4b33-9f65-4422-898e-d5b5b450e8d8",
"name": "Java(TM) Web Launcher",
"paths": [
"$programfiles\\java\\jre1.8.0_271\\bin\\jp2launcher.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "b44f50e0-0332-444a-bdb0-cfec43fc2def",
"name": "Java(TM) Web Start Launcher",
"paths": [
"$programfiles\\java\\jre1.8.0_271\\bin\\javaws.exe"
],
"type": "detected"
},
{
"category": "other",
"id": "a49af552-55e1-4dcd-a909-2310bcb8016f",
"name": "KeePass",
"paths": [
"$programfiles\\KeePass Password Safe 2\\KeePass.exe"
],
"type": "detected"
},
{
"category": "browsers",
"id": "4178130a-0d4e-435d-b4bb-db594810a43a",
"name": "Microsoft Edge",
"paths": [
"$programfiles\\Microsoft\\Edge\\Application\\msedge.exe",
"$windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe"
],
"type": "detected"
},
{
"category": "office",
"id": "ecbcd6a5-73d5-4060-b49f-b9de2e0587fc",
"name": "Microsoft Excel",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\EXCEL.EXE"
],
"type": "detected"
},
{
"category": "office",
"id": "7907eaf2-b4f0-40e3-9dd8-f7e452ffc7cf",
"name": "Microsoft Outlook",
"paths": [
"$programfiles\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
],
"type": "detected"
},
{
"category": "office",
"id": "6cadbe94-8e1c-4648-aa9e-b0b39e1cb1fb",
"name": "Microsoft PowerPoint",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\POWERPNT.EXE"
],
"type": "detected"
},
{
"category": "office",
"id": "417fd1be-fafa-4e3b-9a9b-589f7f20b72c",
"name": "Microsoft Word",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"
],
"type": "detected"
},
{
"category": "browsers",
"id": "68026667-ca17-473d-b797-ccebe2d9da87",
"name": "MicrosoftEdgeCP.exe",
"paths": [
"$windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "01e26718-ddf3-4aad-b465-d7279b755c32",
"name": "OpenJDK Platform binary",
"paths": [
"$programfiles\\JetBrains\\PyCharm Community Edition 2020.1.2\\jbr\\bin\\java.exe"
],
"type": "detected"
},
{
"category": "office",
"id": "9e378d93-4b62-4976-9a7c-5fdbbafa0b79",
"name": "Pick an app",
"paths": [
"$system32\\OpenWith.exe"
],
"type": "detected"
},
{
"category": "plugins",
"id": "a0b96b54-6895-408c-ac68-f84ca81c248a",
"name": "Plugin Container for Firefox",
"paths": [
"$programfiles\\Mozilla Firefox\\plugin-container.exe"
],
"type": "detected"
},
{
"category": "other",
"id": "3ac3fd9b-5b30-4e19-a9a4-303f553a4500",
"name": "Skype for Business",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\lync.exe"
],
"type": "detected"
},
{
"category": "media",
"id": "dbedc673-218a-4814-99f0-33642a65b1fd",
"name": "Windows Media Player",
"paths": [
"$programfiles\\Windows Media Player\\wmplayer.exe"
],
"type": "detected"
},
{
"category": "office",
"id": "fd4f1dc8-4b4a-429e-ac27-bd757352f52c",
"name": "Windows Wordpad Application",
"paths": [
"$programfiles\\Windows NT\\Accessories\\WORDPAD.EXE"
],
"type": "detected"
},
{
"category": "other",
"id": "563f4022-0a28-47f8-9bb6-7774aa7794e3",
"name": "b2477368-4e58-4868-af90-554f948f4077",
"paths": [
"wooba"
],
"type": "custom"
},
{
"category": "other",
"id": "b19800cf-a98a-43dc-8efc-6de1f2a7321e",
"name": "cde78059-3164-46c6-903f-c27b9103ef37",
"paths": [
"testpathhhh"
],
"type": "custom"
},
{
"category": "other",
"id": "91fff008-3609-46f3-9fc7-44713635b775",
"name": "ce697cb7-06da-4e02-bcde-21f73b81d5ee",
"paths": [
"changed\\path"
],
"type": "custom"
}
]
}
}

Human Readable Output#

Listed Exploit Mitigations:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | newnewnewnewnew |
| 06aefe81-7f83-4768-9cec-59d86d7ee133 | Firefox | detected | browsers | $programfiles\Mozilla Firefox\firefox.exe |
| b07c6cd2-ee1b-4cf4-8bd2-d3be05e461cf | Google Chrome | detected | browsers | $programfiles\Google\Chrome\Application\chrome.exe |
| df7c2b63-dda4-4dc4-a12d-471cad799dbd | Internet Explorer | detected | browsers | $programfiles\Internet Explorer\iexplore.exe |
| f5d5ba2d-d905-4e7b-b3b7-abb0f30f38b3 | Java(TM) Platform SE binary | detected | java | $programfiles\java\jre1.8.0_271\bin\java.exe, $programfiles\java\jre1.8.0_271\bin\javaw.exe |
| 9ddf4b33-9f65-4422-898e-d5b5b450e8d8 | Java(TM) Web Launcher | detected | java | $programfiles\java\jre1.8.0_271\bin\jp2launcher.exe |
| b44f50e0-0332-444a-bdb0-cfec43fc2def | Java(TM) Web Start Launcher | detected | java | $programfiles\java\jre1.8.0_271\bin\javaws.exe |
| a49af552-55e1-4dcd-a909-2310bcb8016f | KeePass | detected | other | $programfiles\KeePass Password Safe 2\KeePass.exe |
| 4178130a-0d4e-435d-b4bb-db594810a43a | Microsoft Edge | detected | browsers | $programfiles\Microsoft\Edge\Application\msedge.exe, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe |
| ecbcd6a5-73d5-4060-b49f-b9de2e0587fc | Microsoft Excel | detected | office | $programfiles\Microsoft Office\Root\Office16\EXCEL.EXE |
| 7907eaf2-b4f0-40e3-9dd8-f7e452ffc7cf | Microsoft Outlook | detected | office | $programfiles\Microsoft Office\root\Office16\OUTLOOK.EXE |
| 6cadbe94-8e1c-4648-aa9e-b0b39e1cb1fb | Microsoft PowerPoint | detected | office | $programfiles\Microsoft Office\Root\Office16\POWERPNT.EXE |
| 417fd1be-fafa-4e3b-9a9b-589f7f20b72c | Microsoft Word | detected | office | $programfiles\Microsoft Office\Root\Office16\WINWORD.EXE |
| 68026667-ca17-473d-b797-ccebe2d9da87 | MicrosoftEdgeCP.exe | detected | browsers | $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe |
| 01e26718-ddf3-4aad-b465-d7279b755c32 | OpenJDK Platform binary | detected | java | $programfiles\JetBrains\PyCharm Community Edition 2020.1.2\jbr\bin\java.exe |
| 9e378d93-4b62-4976-9a7c-5fdbbafa0b79 | Pick an app | detected | office | $system32\OpenWith.exe |
| a0b96b54-6895-408c-ac68-f84ca81c248a | Plugin Container for Firefox | detected | plugins | $programfiles\Mozilla Firefox\plugin-container.exe |
| 3ac3fd9b-5b30-4e19-a9a4-303f553a4500 | Skype for Business | detected | other | $programfiles\Microsoft Office\Root\Office16\lync.exe |
| dbedc673-218a-4814-99f0-33642a65b1fd | Windows Media Player | detected | media | $programfiles\Windows Media Player\wmplayer.exe |
| fd4f1dc8-4b4a-429e-ac27-bd757352f52c | Windows Wordpad Application | detected | office | $programfiles\Windows NT\Accessories\WORDPAD.EXE |
| 563f4022-0a28-47f8-9bb6-7774aa7794e3 | b2477368-4e58-4868-af90-554f948f4077 | custom | other | wooba |
| b19800cf-a98a-43dc-8efc-6de1f2a7321e | cde78059-3164-46c6-903f-c27b9103ef37 | custom | other | testpathhhh |
| 91fff008-3609-46f3-9fc7-44713635b775 | ce697cb7-06da-4e02-bcde-21f73b81d5ee | custom | other | changed\path |

Current page: 1. Results on this page: 23. Maximum number of results allowed in a page: 100.

sophos-central-exploit-mitigation-get#


Get exploit mitigation settings for a single application.

Base Command#

sophos-central-exploit-mitigation-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_id | The Exploit Mitigation application ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-get mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example#

{
"SophosCentral": {
"ExploitMitigation": {
"category": "other",
"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",
"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",
"paths": [
"newnewnewnewnew"
],
"type": "custom"
}
}
}

Human Readable Output#

Found Exploit Mitigation:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | newnewnewnewnew |

sophos-central-exploit-mitigation-add#


Exclude a set of file paths from exploit mitigation.

Base Command#

sophos-central-exploit-mitigation-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| path | An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-add path=testestesteset

Context Example#

{
"SophosCentral": {
"ExploitMitigation": {
"category": "other",
"id": "755ec991-c04f-498f-ab8e-20ef1a187b52",
"name": "d082226b-0c17-4959-a3ed-a6957f39c9bc",
"paths": [
"testestesteset"
],
"type": "custom"
}
}
}

Human Readable Output#

Added Exploit Mitigation:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| 755ec991-c04f-498f-ab8e-20ef1a187b52 | d082226b-0c17-4959-a3ed-a6957f39c9bc | custom | other | testestesteset |

sophos-central-exploit-mitigation-update#


Update exploit mitigation settings for an application.

Base Command#

sophos-central-exploit-mitigation-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_id | The Exploit Mitigation application ID. | Required |
| path | An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-update mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded path=changed

Context Example#

{
"SophosCentral": {
"ExploitMitigation": {
"category": "other",
"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",
"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",
"paths": [
"changed"
],
"type": "custom"
}
}
}

Human Readable Output#

Updated Exploit Mitigation:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | changed |

sophos-central-exploit-mitigation-delete#


Delete a custom (user-defined) exploit mitigation application by ID.

Base Command#

sophos-central-exploit-mitigation-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_id | The Exploit Mitigation application ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedExploitMitigation.deletedMitigationId | String | The ID of the deleted mitigation. |

Command Example#

!sophos-central-exploit-mitigation-delete mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example#

{
"SophosCentral": {
"DeletedExploitMitigation": {
"deletedMitigationId": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded"
}
}
}

Human Readable Output#

Success deleting exploit mitigation: ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

sophos-central-detected-exploit-list#


List all detected exploits.

Base Command#

sophos-central-detected-exploit-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | The page number to fetch. Default is "1". | Optional |
| thumbprint_not_in | Filter out detected exploits with these thumbprints. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DetectedExploit.count | Number | The number of times the same exploit has been detected, potentially across multiple endpoints. |
| SophosCentral.DetectedExploit.description | String | The English description of the exploit detected event. |
| SophosCentral.DetectedExploit.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.DetectedExploit.firstSeenAt | Date | When the exploit was first seen. |
| SophosCentral.DetectedExploit.lastSeenAt | Date | When the exploit was last seen. |
| SophosCentral.DetectedExploit.lastEndpointHostname | String | The endpoint hostname. |
| SophosCentral.DetectedExploit.lastEndpointId | String | The unique endpoint ID. |
| SophosCentral.DetectedExploit.lastUserName | String | Person's name. |
| SophosCentral.DetectedExploit.lastUserId | String | The unique ID for the user. |
| SophosCentral.DetectedExploit.thumbprint | String | Matches [0-9a-zA-Z]{64}. |

Command Example#

!sophos-central-detected-exploit-list

Context Example#

{
"SophosCentral": {
"DetectedExploit": null
}
}

Human Readable Output#

Listed Detected Exploits:#

No entries. Current page: 1. Results on this page: 0. Maximum number of results allowed in a page: 100.

sophos-central-detected-exploit-get#


Get a single detected exploit.

Base Command#

sophos-central-detected-exploit-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detected_exploit_id | The ID of a previously detected exploit. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DetectedExploit.count | Number | The number of times the same exploit has been detected, potentially across multiple endpoints. |
| SophosCentral.DetectedExploit.description | String | The English description of the exploit detected event. |
| SophosCentral.DetectedExploit.id | String | The ID of this Exploit Mitigation application. |
| SophosCentral.DetectedExploit.firstSeenAt | Date | When the exploit was first seen. |
| SophosCentral.DetectedExploit.lastSeenAt | Date | When the exploit was last seen. |
| SophosCentral.DetectedExploit.lastEndpointHostname | String | The endpoint hostname. |
| SophosCentral.DetectedExploit.lastEndpointId | String | The unique endpoint ID. |
| SophosCentral.DetectedExploit.lastUserName | String | Person's name. |
| SophosCentral.DetectedExploit.lastUserId | String | The unique ID for the user. |
| SophosCentral.DetectedExploit.thumbprint | String | Matches [0-9a-zA-Z]{64}. |

Command Example#

Human Readable Output#

sophos-central-isolate-endpoint#


Isolate one or more endpoints.

Base Command#

sophos-central-isolate-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | ID(s) of the endpoint(s) to be isolated. | Required |
| comment | Comment indicating why the endpoint(s) should be isolated. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointIsolation.items.id | String | The unique endpoint ID. |
| SophosCentral.EndpointIsolation.items.isolation.enabled | Boolean | Isolation status. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledAt | String | When isolation was last enabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledBy.id | String | Principal Email or clientId by whom isolation was enabled. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledAt | String | When isolation was last disabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledBy.id | String | Principal Email or clientId by whom isolation was disabled. |
| SophosCentral.EndpointIsolation.items.isolation.comment | String | Reason endpoint should be isolated or not. |

Command Example#

!sophos-central-isolate-endpoint endpoint_id=25de27bc-b07a-4728-b7b2-a021365xxxxx

Context Example#

{
"items": [
{
"id": "25de27bc-b07a-4728-b7b2-a021365xxxxx",
"isolation": {
"enabled": true,
"lastEnabledAt": "2021-08-13 09.07.03 GMT",
"lastEnabledBy": {
"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
},
"lastDisabledAt": "2021-08-13 09.54.02 GMT",
"lastDisabledBy": {
"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
},
"comment": "testing"
}
}
]
}

Human Readable Output#

Endpoint(s) isolated successfully.

sophos-central-deisolate-endpoint#


De-isolate one or more endpoints.

Base Command#

sophos-central-deisolate-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | ID(s) of the endpoint(s) to be de-isolated. | Required |
| comment | Comment indicating why the endpoint(s) should be de-isolated. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointIsolation.items.id | String | The unique endpoint ID. |
| SophosCentral.EndpointIsolation.items.isolation.enabled | Boolean | Isolation status. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledAt | String | When isolation was last enabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledBy.id | String | Principal Email or clientId by whom isolation was enabled. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledAt | String | When isolation was last disabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledBy.id | String | Principal Email or clientId by whom isolation was disabled. |
| SophosCentral.EndpointIsolation.items.isolation.comment | String | Reason endpoint should be isolated or not. |

Command Example#

!sophos-central-deisolate-endpoint endpoint_id=25de27bc-b07a-4728-b7b2-a021365xxxxx

Context Example#

{
"items": [
{
"id": "25de27bc-b07a-4728-b7b2-a021365xxxxx",
"isolation": {
"enabled": false,
"lastEnabledAt": "2021-08-13 09.07.03 GMT",
"lastEnabledBy": {
"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
},
"lastDisabledAt": "2021-08-13 09.54.02 GMT",
"lastDisabledBy": {
"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
},
"comment": "testing"
}
}
]
}

Human Readable Output#

Endpoint(s) de-isolated successfully.
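
A check a playbook can run on the `items` list returned by sophos-central-isolate-endpoint or sophos-central-deisolate-endpoint, confirming that every requested endpoint reached the intended state and collecting who changed it and when. This is an added example, not part of the integration: the function names and the sample response are constructed, and only the field names and the timestamp layout come from the Context Output tables and Context Examples above.

```python
from datetime import datetime, timezone

# Timestamp layout shown in the Context Examples, e.g. "2021-08-13 09.07.03 GMT".
TS_FORMAT = "%Y-%m-%d %H.%M.%S GMT"

ID_A = "11111111-1111-4111-8111-111111111111"  # constructed endpoint IDs
ID_B = "22222222-2222-4222-8222-222222222222"
ID_C = "33333333-3333-4333-8333-333333333333"

# Constructed response: A is isolated, B is not, C is absent from the reply.
SAMPLE_RESPONSE = {"items": [
    {"id": ID_A, "isolation": {
        "enabled": True,
        "lastEnabledAt": "2021-08-13 09.07.03 GMT",
        "lastEnabledBy": {"id": "99999999-9999-4999-8999-999999999999"},
        "comment": "suspected compromise"}},
    {"id": ID_B, "isolation": {"enabled": False, "comment": "suspected compromise"}},
]}


def to_iso(value):
    """Convert the integration's timestamp string to ISO 8601 (UTC), or None."""
    if not value:
        return None
    try:
        parsed = datetime.strptime(value, TS_FORMAT)
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc).isoformat()


def split_ids(endpoint_id_arg):
    """Split the comma-separated endpoint_id argument, trimming and de-duplicating."""
    seen, ids = set(), []
    for raw in endpoint_id_arg.split(","):
        endpoint_id = raw.strip()
        if endpoint_id and endpoint_id not in seen:
            seen.add(endpoint_id)
            ids.append(endpoint_id)
    return ids


def check_isolation(endpoint_id_arg, response, want_isolated=True):
    """Return (confirmed, problems) for the endpoints named in endpoint_id_arg.

    confirmed: audit records for endpoints whose isolation.enabled matches.
    problems:  {endpoint_id: reason} for endpoints missing or in the wrong state.
    """
    by_id = {item.get("id"): item for item in response.get("items") or []}
    actor_key = "lastEnabledBy" if want_isolated else "lastDisabledBy"
    time_key = "lastEnabledAt" if want_isolated else "lastDisabledAt"
    confirmed, problems = [], {}
    for endpoint_id in split_ids(endpoint_id_arg):
        item = by_id.get(endpoint_id)
        if item is None:
            problems[endpoint_id] = "not present in response items"
            continue
        isolation = item.get("isolation") or {}
        if isolation.get("enabled") is not want_isolated:
            problems[endpoint_id] = "isolation.enabled=%r" % (isolation.get("enabled"),)
            continue
        confirmed.append({
            "id": endpoint_id,
            "isolated": want_isolated,
            "changedBy": (isolation.get(actor_key) or {}).get("id"),
            "changedAt": to_iso(isolation.get(time_key)),
            "comment": isolation.get("comment"),
        })
    return confirmed, problems


if __name__ == "__main__":
    ok, bad = check_isolation(", ".join([ID_A, ID_B, ID_C]), SAMPLE_RESPONSE)
    print("confirmed:", ok)
    print("problems:", bad)
```

Pass `want_isolated=False` to check the result of a de-isolation.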

sophos-central-usergroups-users-add#


Add multiple users to the specified group.

Base Command#

sophos-central-usergroups-users-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | Unique UUID of Group. | Required |
| userIds | Comma-separated list of User UUIDs. Maximum 1000 unique User IDs are allowed (You can retrieve the userIds from the sophos-central-users-list). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.UserGroups.id | String | The Group ID. |
| SophosCentral.UserGroups.addedUsers.id | String | User ID. |
| SophosCentral.UserGroups.addedUsers.name | String | User's full name. |

Command example#

!sophos-central-usergroups-users-add groupId="733cce06-5ad0-487b-9547-03af02b5722e" userIds="09c515b2-009e-4e78-a83f-a5423e6def9a, f9029e98-311a-4c19-9908-15bafff9f39f, 86e0ae0f-77ef-423a-bbbf-d95e49edd468"

Context Example#

{
"SophosCentral": {
"UserGroups": {
"addedUsers": [
{
"id": "f9029e98-311a-4c19-9908-15bafff9f39f",
"name": "Domain\\User"
},
{
"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",
"name": "GREEN\\testUser"
},
{
"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",
"name": "Administrator"
}
],
"id": "733cce06-5ad0-487b-9547-03af02b5722e"
}
}
}

Human Readable Output#

User(s) added to the specified group.

sophos-central-usergroups-user-delete#


Remove a specific User from the group.

Base Command#

sophos-central-usergroups-user-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | Unique UUID of Group (You can retrieve the group ID from the sophos-central-usergroups-list). | Required |
| userId | Unique UUID of User (You can retrieve the user ID from the sophos-central-users-list). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.UserGroups.id | String | The Group ID. |
| SophosCentral.UserGroups.users.removedUser | String | The User ID. |

Command example#

!sophos-central-usergroups-user-delete groupId="733cce06-5ad0-487b-9547-03af02b5722e" userId="86e0ae0f-77ef-423a-bbbf-d95e49edd468"

Context Example#

{
"SophosCentral": {
"UserGroups": {
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"removedUser": "86e0ae0f-77ef-423a-bbbf-d95e49edd468"
}
}
}

Human Readable Output#

User removed from group.

sophos-central-usergroups-membership-get#


List all users in a specific group.

Base Command#

sophos-central-usergroups-membership-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | Unique Group UUID (You can retrieve the group ID from the sophos-central-usergroups-list). | Required |
| search | Search for items that match the given terms. | Optional |
| searchFields | Search only within the specified comma-separated field values. The following values are allowed: name, firstName, lastName, email, exchangeLogin. When not specified, the default behavior is to search the full names of users only. | Optional |
| domain | List the items that match the given domain. | Optional |
| sourceType | Types of sources of directory information. Possible values are: custom, activeDirectory, azureActiveDirectory. | Optional |
| page | The page number to fetch. Default is "1". | Optional |
| pageSize | Size of the page requested. Default is "50". Maximum is "100". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.UserGroups.users.id | String | User ID. |
| SophosCentral.UserGroups.users.name | String | User's name. |
| SophosCentral.UserGroups.users.firstName | String | User's first name or given name. |
| SophosCentral.UserGroups.users.lastName | String | User's last name or surname. |
| SophosCentral.UserGroups.users.emailAddress | String | User's email address. |
| SophosCentral.UserGroups.users.groups.total | Number | Total number of groups. |
| SophosCentral.UserGroups.users.groups.itemsCount | Number | Item count. |
| SophosCentral.UserGroups.users.groups.items.id | String | Group ID. |
| SophosCentral.UserGroups.users.groups.items.name | String | Group name. |
| SophosCentral.UserGroups.users.groups.items.displayName | String | Group display name. |
| SophosCentral.UserGroups.users.groups.tenant.id | String | Tenant ID. |
| SophosCentral.UserGroups.users.groups.source.type | String | Types of sources of directory information. |

Command example#

!sophos-central-usergroups-membership-get groupId="6ed5e258-b427-4fa0-a9cf-568d130796c3"

Context Example#

{
"SophosCentral": {
"UserGroups": {
"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",
"users": [
{
"createdAt": "2022-03-28T05:09:51.524Z",
"email": "ruqdxvd1g7@lightning.example.com",
"firstName": "Administrator",
"groups": {
"items": [
{
"displayName": "GroupNameTestReadMe",
"id": "03d1fcb2-246e-4307-b570-82dcf9083686",
"name": "GroupNameTestReadMe"
},
{
"displayName": "Group 2-Updated",
"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",
"name": "Group 2-Updated"
},
{
"displayName": "Group1",
"id": "552f6e04-559e-4225-b6a4-870155de8979",
"name": "Group1"
}
],
"itemsCount": 3,
"total": 3
},
"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",
"lastName": "",
"name": "Administrator",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-03-28T12:43:26.994Z"
},
{
"createdAt": "2022-06-15T06:14:14.832Z",
"groups": {
"items": [
{
"displayName": "Group 2-Updated",
"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",
"name": "Group 2-Updated"
},
{
"displayName": "TestGroupName-2",
"id": "28fd524c-e7ae-476e-87c6-0f0a2ac47592",
"name": "TestGroupName-2"
},
{
"displayName": "Group&123",
"id": "17d33950-4980-4dfc-83c9-d0b8dce0deaa",
"name": "Group&123"
}
],
"itemsCount": 3,
"total": 3
},
"id": "c1552a7b-efe9-4a45-8168-72489e44a3f3",
"name": "Lightning-8483qawudl\\Lightning",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
}
},
{
"createdAt": "2022-06-15T09:52:37.921Z",
"groups": {
"items": [
{
"displayName": "Group 2-Updated",
"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",
"name": "Group 2-Updated"
}
],
"itemsCount": 1,
"total": 1
},
"id": "69d3d421-f4cc-4a24-b093-8b2e5c6d20a4",
"name": "Lightning-gm4vu3jxek\\Lightning",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
}
},
{
"createdAt": "2022-07-07T06:18:55.746Z",
"groups": {
"items": [
{
"displayName": "Group 2-Updated",
"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",
"name": "Group 2-Updated"
}
],
"itemsCount": 1,
"total": 1
},
"id": "9f59b08a-2cfd-476a-af9e-f1c039284c09",
"name": "Lightning-nlr7f2n6zd\\Lightning",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
}
}
]
}
}
}

Human Readable Output#

Total Records: 4#

Page: 1/1

Listed 4 User(s) in Usergroup:

| id | name | email |
| --- | --- | --- |
| 86e0ae0f-77ef-423a-bbbf-d95e49edd468 | Administrator | ruqdxvd1g7@lightning.example.com |
| c1552a7b-efe9-4a45-8168-72489e44a3f3 | Lightning-8483qawudl\Lightning | |
| 69d3d421-f4cc-4a24-b093-8b2e5c6d20a4 | Lightning-gm4vu3jxek\Lightning | |
| 9f59b08a-2cfd-476a-af9e-f1c039284c09 | Lightning-nlr7f2n6zd\Lightning | |

sophos-central-usergroups-get#


Returns the details of the specified group ID.

Base Command#

sophos-central-usergroups-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | Unique ID of the group whose details are to be retrieved (You can retrieve the group ID from the sophos-central-usergroups-list). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.UserGroups.id | String | Group ID. |
| SophosCentral.UserGroups.name | String | Group name. |
| SophosCentral.UserGroups.displayName | String | Group display name. |
| SophosCentral.UserGroups.description | String | Group description. |
| SophosCentral.UserGroups.groups.total | Number | Count of total groups. |
| SophosCentral.UserGroups.groups.itemsCount | Number | Count of items. |
| SophosCentral.UserGroups.source.type | String | Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory. |
| SophosCentral.UserGroups.usersTotal | Number | Total count of users. |
| SophosCentral.UserGroups.usersItemsCount | Number | Count of items. |
| SophosCentral.UserGroups.users.id | String | User ID. |
| SophosCentral.UserGroups.users.name | String | User Name. |
| SophosCentral.UserGroups.tenant.id | String | Tenant ID. |
| SophosCentral.UserGroups.createdAt | Date | When the group was created. |
| SophosCentral.UserGroups.updatedAt | Date | When the group was last updated. |

Command example#

!sophos-central-usergroups-get groupId="733cce06-5ad0-487b-9547-03af02b5722e"

Context Example#

{
"SophosCentral": {
"UserGroups": {
"createdAt": "2022-10-06T06:19:13.462Z",
"description": "NewDescriptionReadMe",
"displayName": "NewGroupNameReadMe",
"groups": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-06T06:42:24.713Z",
"users": [
{
"id": "f9029e98-311a-4c19-9908-15bafff9f39f",
"name": "Domain\\User"
},
{
"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",
"name": "GREEN\\testUser"
},
{
"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",
"name": "Administrator"
},
{
"id": "1e6754d7-08a5-46e5-a6c1-006a96d4eb48",
"name": "Group 04/10/22"
}
],
"usersItemsCount": 4,
"usersTotal": 4
}
}
}

Human Readable Output#

Found User Groups#

| id | name | description | sourceType |
| --- | --- | --- | --- |
| 733cce06-5ad0-487b-9547-03af02b5722e | NewGroupNameReadMe | NewDescriptionReadMe | custom |

sophos-central-usergroups-create#


Creates a new “custom” (Centrally Managed) Group.

Base Command#

sophos-central-usergroups-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupName | Provide a unique name of the group to create a usergroup in a directory. | Required |
| description | Description of the user group. | Optional |
| userIds | Comma-separated list of User UUIDs. Maximum 1000 unique User IDs are allowed (You can retrieve the userIds from the sophos-central-users-list). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.UserGroups.id | String | Group ID. |
| SophosCentral.UserGroups.name | String | Group name. |
| SophosCentral.UserGroups.displayName | String | Group display name. |
| SophosCentral.UserGroups.description | String | Group description. |
| SophosCentral.UserGroups.groups.total | Number | Total count of groups. |
| SophosCentral.UserGroups.groups.itemsCount | Number | Count of items. |
| SophosCentral.UserGroups.source.type | String | Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory. |
| SophosCentral.UserGroups.usersTotal | Number | Total count of users. |
| SophosCentral.UserGroups.usersItemsCount | Number | Count of items. |
| SophosCentral.UserGroups.users.id | String | User ID. |
| SophosCentral.UserGroups.users.name | String | User Name. |
| SophosCentral.UserGroups.tenant.id | String | Tenant ID. |
| SophosCentral.UserGroups.createdAt | Date | When the group was created. |
| SophosCentral.UserGroups.updatedAt | Date | When the group was last updated. |

Command example#

!sophos-central-usergroups-create groupName=GroupNameTestReadMe groupDescription=GroupDescriptionReadMe userIds="86e0ae0f-77ef-423a-bbbf-d95e49edd468"

Context Example#

{
"SophosCentral": {
"UserGroups": {
"createdAt": "2022-10-06T06:42:22.023Z",
"id": "03d1fcb2-246e-4307-b570-82dcf9083686",
"name": "GroupNameTestReadMe",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-06T06:42:22.023Z",
"users": [
{
"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",
"name": "Administrator"
}
],
"usersItemsCount": 1,
"usersTotal": 1
}
}
}

Human Readable Output#

Successfully created a user group with ID: 03d1fcb2-246e-4307-b570-82dcf9083686.

sophos-central-usergroups-update#


Allows for the editing of the group name and description for a usergroup.

Base Command#

sophos-central-usergroups-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | Unique ID of the group whose details are to be updated (You can retrieve the group ID from the sophos-central-usergroups-list). | Required |
| groupName | Group Name. | Required |
| description | Group Description. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.UserGroups.id | String | Group ID. |
| SophosCentral.UserGroups.name | String | Group name. |
| SophosCentral.UserGroups.displayName | String | Group display name. |
| SophosCentral.UserGroups.description | String | Group description. |
| SophosCentral.UserGroups.groups.total | Number | Total count of groups. |
| SophosCentral.UserGroups.groups.itemsCount | Number | Count of items. |
| SophosCentral.UserGroups.source.type | String | Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory. |
| SophosCentral.UserGroups.usersTotal | Number | Total count of users. |
| SophosCentral.UserGroups.usersItemsCount | Number | Count of items. |
| SophosCentral.UserGroups.users.id | String | User ID. |
| SophosCentral.UserGroups.users.name | String | User Name. |
| SophosCentral.UserGroups.tenant.id | String | Tenant ID. |
| SophosCentral.UserGroups.createdAt | Date | When the group was created. |
| SophosCentral.UserGroups.updatedAt | Date | When the group was last updated. |

Command example#

!sophos-central-usergroups-update groupId="733cce06-5ad0-487b-9547-03af02b5722e" groupName=NewGroupNameReadMe description=NewDescriptionReadMe

Context Example#

{
"SophosCentral": {
"UserGroups": {
"createdAt": "2022-10-06T06:19:13.462Z",
"description": "NewDescriptionReadMe",
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-06T06:42:24.713Z",
"users": [
{
"id": "f9029e98-311a-4c19-9908-15bafff9f39f",
"name": "Domain\\User"
},
{
"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",
"name": "GREEN\\testUser"
},
{
"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",
"name": "Administrator"
},
{
"id": "1e6754d7-08a5-46e5-a6c1-006a96d4eb48",
"name": "Group 04/10/22"
}
],
"usersItemsCount": 4,
"usersTotal": 4
}
}
}

Human Readable Output#

Successfully updated the user group with ID: 733cce06-5ad0-487b-9547-03af02b5722e.

sophos-central-usergroups-delete#


Deletes the specified group.

Base Command#

sophos-central-usergroups-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | Unique ID of the usergroup to be deleted. Users in the usergroup should be removed first in order to delete the usergroup (You can retrieve the group ID from the sophos-central-usergroups-list). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedUserGroups.deletedUserGroupId | String | Deleted Group ID. |

Command example#

!sophos-central-usergroups-delete groupId="0210d539-66ab-46ac-afa2-eb8928856340"

Context Example#

{
"SophosCentral": {
"UserGroups": {
"deletedUserGroupId": "0210d539-66ab-46ac-afa2-eb8928856340"
}
}
}

Human Readable Output#

Successfully deleted the user group with ID: 0210d539-66ab-46ac-afa2-eb8928856340.
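
The groupId description above says users should be removed from a usergroup before it is deleted. The sketch below chains sophos-central-usergroups-membership-get, sophos-central-usergroups-user-delete and sophos-central-usergroups-delete in that order. It is an added example, not the integration's own code: `run_command` is a hypothetical adapter that executes a command and returns its context as a dict shaped like the Context Examples on this page, and `FakeSophos` is a constructed in-memory stand-in so the block runs offline.

```python
PAGE_SIZE = 100  # documented maximum pageSize for sophos-central-usergroups-membership-get


def drain_and_delete_group(run_command, group_id, max_rounds=50):
    """Remove every user from group_id, then delete the group.

    run_command(name, args) -> context dict (hypothetical adapter, see lead-in).
    Returns the list of removed user IDs, in removal order.
    """
    removed, removed_set = [], set()
    for _ in range(max_rounds):
        # Always re-read page 1: removing members shifts later pages forward,
        # so walking page 2, 3, ... while deleting would skip users.
        ctx = run_command("sophos-central-usergroups-membership-get",
                          {"groupId": group_id, "page": "1", "pageSize": str(PAGE_SIZE)})
        group = (ctx.get("SophosCentral") or {}).get("UserGroups") or {}
        users = group.get("users") or []
        if not users:
            break  # group is empty, safe to delete
        progress = False
        for user in users:
            user_id = user.get("id")
            if not user_id or user_id in removed_set:
                continue
            run_command("sophos-central-usergroups-user-delete",
                        {"groupId": group_id, "userId": user_id})
            removed.append(user_id)
            removed_set.add(user_id)
            progress = True
        if not progress:
            # Same members came back after removal: stop rather than loop forever.
            raise RuntimeError("membership did not shrink; group not deleted")
    else:
        raise RuntimeError("group still has members after %d rounds" % max_rounds)
    run_command("sophos-central-usergroups-delete", {"groupId": group_id})
    return removed


class FakeSophos:
    """Constructed stand-in for the three commands; refuses to delete a non-empty group."""

    def __init__(self, group_id, user_ids):
        self.group_id = group_id
        self.members = list(user_ids)
        self.deleted = False

    def __call__(self, name, args):
        if name == "sophos-central-usergroups-membership-get":
            size = int(args["pageSize"])
            start = (int(args["page"]) - 1) * size
            page = self.members[start:start + size]
            return {"SophosCentral": {"UserGroups": {
                "id": self.group_id, "users": [{"id": u} for u in page]}}}
        if name == "sophos-central-usergroups-user-delete":
            self.members.remove(args["userId"])
            return {"SophosCentral": {"UserGroups": {
                "id": self.group_id, "removedUser": args["userId"]}}}
        if name == "sophos-central-usergroups-delete":
            if self.members:
                raise RuntimeError("group still has users")
            self.deleted = True
            return {"SophosCentral": {"UserGroups": {
                "deletedUserGroupId": self.group_id}}}
        raise ValueError("unexpected command: " + name)


if __name__ == "__main__":
    fake = FakeSophos("constructed-group-id", ["user-%03d" % i for i in range(150)])
    print(len(drain_and_delete_group(fake, "constructed-group-id")), "users removed")
```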

sophos-central-usergroups-list#


Returns a list of all user groups that match the search criteria (optional).

Base Command#

sophos-central-usergroups-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupsIds | Comma-separated list of group UUIDs. | Optional |
| search | Search for items that match the given terms. | Optional |
| searchFields | Search only within the allowed comma-separated field values. When not specified, the default behavior is to search groups by name only. The following group fields can be searched: name, description. | Optional |
| domain | List the items that match the given domain. | Optional |
| sourceType | Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. Possible values are: custom, activeDirectory, azureActiveDirectory. | Optional |
| userId | Search groups associated with the given user ID. | Optional |
| page | The page number to fetch. Default is "1". | Optional |
| pageSize | Size of the page requested. Default is "50". Maximum is "100". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.UserGroups.id | String | Group ID. |
| SophosCentral.UserGroups.name | String | Group name. |
| SophosCentral.UserGroups.displayName | String | Group display name. |
| SophosCentral.UserGroups.description | String | Group description. |
| SophosCentral.UserGroups.groups.total | Number | Total Count of groups. |
| SophosCentral.UserGroups.groups.itemsCount | Number | Count of items. |
| SophosCentral.UserGroups.source.type | String | Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory. |
| SophosCentral.UserGroups.usersTotal | Number | Total count of users. |
| SophosCentral.UserGroups.usersItemsCount | Number | Count of items. |
| SophosCentral.UserGroups.users.id | String | User ID. |
| SophosCentral.UserGroups.users.name | String | User Name. |
| SophosCentral.UserGroups.tenant.id | String | Tenant ID. |
| SophosCentral.UserGroups.createdAt | Date | When the group was created. |
| SophosCentral.UserGroups.updatedAt | Date | When the group was last updated. |

Command example#

!sophos-central-usergroups-list groupsIds="733cce06-5ad0-487b-9547-03af02b5722e, 03d1fcb2-246e-4307-b570-82dcf9083686" search=GroupName searchFields=name,description sourceType=custom userId="86e0ae0f-77ef-423a-bbbf-d95e49edd468" page=1 pageSize=10

Context Example#

{
"SophosCentral": {
"UserGroups": [
{
"createdAt": "2022-10-06T06:42:22.023Z",
"displayName": "GroupNameTestReadMe",
"groups": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "03d1fcb2-246e-4307-b570-82dcf9083686",
"name": "GroupNameTestReadMe",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-06T06:42:22.023Z",
"users": [
{
"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",
"name": "Administrator"
}
],
"usersItemsCount": 1,
"usersTotal": 1
},
{
"createdAt": "2022-10-06T06:19:13.462Z",
"description": "NewDescriptionReadMe",
"displayName": "NewGroupNameReadMe",
"groups": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-06T06:42:24.713Z",
"users": [
{
"id": "f9029e98-311a-4c19-9908-15bafff9f39f",
"name": "Domain\\User"
},
{
"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",
"name": "GREEN\\testUser"
},
{
"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",
"name": "Administrator"
},
{
"id": "1e6754d7-08a5-46e5-a6c1-006a96d4eb48",
"name": "Group 04/10/22"
}
],
"usersItemsCount": 4,
"usersTotal": 4
}
]
}
}

Human Readable Output#

Total Records: 2#

Page: 1/1

Listed 2 User Groups:

| id | name | description | sourceType |
| --- | --- | --- | --- |
| 03d1fcb2-246e-4307-b570-82dcf9083686 | GroupNameTestReadMe | | custom |
| 733cce06-5ad0-487b-9547-03af02b5722e | NewGroupNameReadMe | NewDescriptionReadMe | custom |

sophos-central-group-membership-get#


Get endpoints in a group.

Base Command#

sophos-central-group-membership-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | UUID of the endpoint group. (You can retrieve the endpoint group ID from the sophos-central-group-list command.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.id | String | Group ID. |
| SophosCentral.EndpointGroups.type | String | Endpoint group types. |
| SophosCentral.EndpointGroups.tenant.id | String | Tenant ID. |
| SophosCentral.EndpointGroups.hostname | String | Hostname of the endpoint. |
| SophosCentral.EndpointGroups.os.isServer | Boolean | Whether the OS is a server OS. |
| SophosCentral.EndpointGroups.os.platform | String | OS platform type. |
| SophosCentral.EndpointGroups.os.name | String | OS name as reported by the endpoint. |
| SophosCentral.EndpointGroups.os.majorVersion | Number | OS major version. |
| SophosCentral.EndpointGroups.os.minorVersion | Number | OS minor version. |
| SophosCentral.EndpointGroups.os.build | Number | OS build. |
| SophosCentral.EndpointGroups.ipv4Addresses | String | List of IPv4 addresses. |
| SophosCentral.EndpointGroups.ipv6Addresses | String | List of IPv6 addresses. |
| SophosCentral.EndpointGroups.macAddresses | String | List of MAC addresses. |
| SophosCentral.EndpointGroups.group.name | String | Endpoint group name. |
| SophosCentral.EndpointGroups.group.id | String | Unique ID for endpoint group. |
| SophosCentral.EndpointGroups.associatedPerson.name | String | Person's name. |
| SophosCentral.EndpointGroups.associatedPerson.viaLogin | String | Person's login on the endpoint. |
| SophosCentral.EndpointGroups.associatedPerson.id | String | Unique ID for endpoint group. |
| SophosCentral.EndpointGroups.tamperProtectionEnabled | Boolean | Whether Tamper Protection is turned on. |
| SophosCentral.EndpointGroups.lastSeenAt | Date | Date and time (UTC) when the endpoint last communicated with Sophos Central. |

Command example#

!sophos-central-group-membership-get groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af"

Context Example#

{
"SophosCentral": {
"EndpointGroups": [
{
"assignedProducts": [],
"associatedPerson": {
"id": "4af78a04-659d-4b68-8ab4-5e1c1bfd7672",
"name": "Lightning-efxqeo9t2w\\Lightning",
"viaLogin": "Lightning-efxqeo9t2w\\Lightning"
},
"group": {
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
"name": "Name-readme2-update"
},
"hostname": "Lightning-uz1lwmqwqk",
"id": "1abcf612-d426-457b-8088-10d921112f1b",
"ipv4Addresses": [
"8.8.8.8"
],
"ipv6Addresses": [
"fe80::ad60:91b0:95fb:2c22"
],
"lastSeenAt": "2022-07-07T06:35:20.897Z",
"macAddresses": [
"00:50:56:83:08:E2"
],
"os": {
"build": 19044,
"isServer": false,
"majorVersion": 10,
"minorVersion": 0,
"name": "Windows 10 Enterprise",
"platform": "windows"
},
"tamperProtectionEnabled": false,
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer"
},
{
"assignedProducts": [],
"associatedPerson": {
"id": "120ca229-fa0d-4aa7-9dec-206b6099e974",
"name": "Lightning-pa0tcy4opl\\Lightning",
"viaLogin": "Lightning-pa0tcy4opl\\Lightning"
},
"group": {
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
"name": "Name-readme2-update"
},
"hostname": "Lightning-r8s9l77e5g",
"id": "3413a306-5227-40f1-8b86-53195d927566",
"ipv4Addresses": [
"8.8.8.8"
],
"ipv6Addresses": [
"fe80::ad60:91b0:95fb:2c22"
],
"lastSeenAt": "2022-07-07T06:11:57.505Z",
"macAddresses": [
"00:50:56:83:08:E2"
],
"os": {
"build": 19044,
"isServer": false,
"majorVersion": 10,
"minorVersion": 0,
"name": "Windows 10 Enterprise",
"platform": "windows"
},
"tamperProtectionEnabled": false,
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer"
}
]
}
}

Human Readable Output#

Fetched 2 Endpoint(s) Successfully#

| id | type | hostname |
| --- | --- | --- |
| 1abcf612-d426-457b-8088-10d921112f1b | computer | Lightning-uz1lwmqwqk |
| 3413a306-5227-40f1-8b86-53195d927566 | computer | Lightning-r8s9l77e5g |
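
The `tamperProtectionEnabled` and `lastSeenAt` fields returned by sophos-central-group-membership-get lend themselves to a hygiene check over a group: which members have Tamper Protection off, and which have not communicated with Sophos Central recently. This is an added example, not part of the integration: the function names, the 30-day threshold and the sample data are constructed, and only the field names come from the Context Output table above.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the Context Example above (all values made up).
SAMPLE_CONTEXT = {"SophosCentral": {"EndpointGroups": [
    {"id": "aaaaaaaa-0000-4000-8000-000000000001", "hostname": "host-a",
     "tamperProtectionEnabled": False, "lastSeenAt": "2022-10-05T12:00:00.000Z",
     "os": {"isServer": False}},
    {"id": "aaaaaaaa-0000-4000-8000-000000000002", "hostname": "host-b",
     "tamperProtectionEnabled": True, "lastSeenAt": "2022-07-07T06:11:57.505Z",
     "os": {"isServer": True}},
    {"id": "aaaaaaaa-0000-4000-8000-000000000003", "hostname": "host-c",
     "tamperProtectionEnabled": True, "lastSeenAt": "2022-10-05T23:00:00Z",
     "os": {"isServer": False}},
    {"id": "aaaaaaaa-0000-4000-8000-000000000004", "hostname": "host-d",
     "tamperProtectionEnabled": True, "os": {"isServer": False}},
]}}
SAMPLE_NOW = datetime(2022, 10, 6, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_last_seen(value):
    """Parse lastSeenAt (UTC, with or without fractional seconds); None if unusable."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            continue
    return None


def audit_group_endpoints(context, now, max_age_days=30):
    """Return findings for endpoints with Tamper Protection off or a stale check-in.

    context: command context holding SophosCentral.EndpointGroups.
    now: timezone-aware datetime used as the reference clock.
    """
    endpoints = (context.get("SophosCentral") or {}).get("EndpointGroups") or []
    if isinstance(endpoints, dict):  # a single result may arrive as one object
        endpoints = [endpoints]
    findings = []
    for endpoint in endpoints:
        issues = []
        if endpoint.get("tamperProtectionEnabled") is not True:
            issues.append("tamper protection off")
        seen = parse_last_seen(endpoint.get("lastSeenAt"))
        if seen is None:
            issues.append("lastSeenAt missing or unparseable")
        elif (now - seen).days > max_age_days:
            issues.append("not seen for %d days" % (now - seen).days)
        if issues:
            findings.append({
                "id": endpoint.get("id"),
                "hostname": endpoint.get("hostname"),
                "isServer": bool((endpoint.get("os") or {}).get("isServer")),
                "issues": issues,
            })
    # Servers first, then by hostname, so the review list has a stable order.
    findings.sort(key=lambda f: (not f["isServer"], f["hostname"] or ""))
    return findings


if __name__ == "__main__":
    for finding in audit_group_endpoints(SAMPLE_CONTEXT, SAMPLE_NOW):
        print(finding["hostname"], finding["issues"])
```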

sophos-central-group-create#


Create a new endpoint group.

Base Command#

sophos-central-group-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Group name. | Required |
| description | Group description. | Optional |
| type | Group type. The following values are allowed: computer, server. | Required |
| endpointIds | Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from the sophos-central-endpoint-list command.) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.id | String | Group ID. |
| SophosCentral.EndpointGroups.name | String | Group name. |
| SophosCentral.EndpointGroups.description | String | Group description. |
| SophosCentral.EndpointGroups.type | String | Endpoint group types. |
| SophosCentral.EndpointGroups.endpoints.total | Number | Total number of endpoints in this group. |
| SophosCentral.EndpointGroups.endpoints.itemsCount | Number | Total number of items in the list. |
| SophosCentral.EndpointGroups.tenant.id | String | Tenant ID. |
| SophosCentral.EndpointGroups.createdAt | Date | When the group was created. |

Command example#

!sophos-central-group-create name="Name-readme2" description=description type=computer endpointIds="3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"

Context Example#

{
"SophosCentral": {
"EndpointGroups": {
"createdAt": "2022-10-06T09:38:16.651Z",
"description": "description",
"endpoints": {
"items": [
{
"hostname": "Lightning-uz1lwmqwqk",
"id": "1abcf612-d426-457b-8088-10d921112f1b"
},
{
"hostname": "Lightning-r8s9l77e5g",
"id": "3413a306-5227-40f1-8b86-53195d927566"
}
],
"itemsCount": 2,
"total": 2
},
"id": "3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d",
"name": "Name-readme2",
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer"
}
}
}

Human Readable Output#

EndpointGroup Created Successfully#

| id | name | type |
| --- | --- | --- |
| 3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d | Name-readme2 | computer |

sophos-central-group-update#


Update an endpoint group.

Base Command#

sophos-central-group-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Group name. | Optional |
| description | Group description. | Optional |
| groupId | UUID of Endpoint group ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.id | String | Group ID. |
| SophosCentral.EndpointGroups.name | String | Group name. |
| SophosCentral.EndpointGroups.description | String | Group description. |
| SophosCentral.EndpointGroups.type | String | Endpoint group types. |
| SophosCentral.EndpointGroups.endpoints.total | Number | Total number of endpoints in this group. |
| SophosCentral.EndpointGroups.endpoints.itemsCount | Number | Total number of items in the list. |
| SophosCentral.EndpointGroups.tenant.id | String | Tenant ID. |
| SophosCentral.EndpointGroups.createdAt | Date | When the group was created. |
| SophosCentral.EndpointGroups.updatedAt | Date | When the group was updated. |

Command example#

!sophos-central-group-update name="Name-readme2-update" groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af"

Context Example#

{
"SophosCentral": {
"EndpointGroups": {
"createdAt": "2022-10-06T09:16:51.382Z",
"description": "description",
"endpoints": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
"name": "Name-readme2-update",
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer",
"updatedAt": "2022-10-06T09:38:19.776Z"
}
}
}

Human Readable Output#

EndpointGroup Updated Successfully#

| id | name | description |
| --- | --- | --- |
| f1ff9020-f101-42c7-a5eb-06e9ef35e7af | Name-readme2-update | description |

sophos-central-group-get#


Get an endpoint group by ID.

Base Command#

sophos-central-group-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | UUID of Endpoint group ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.id | String | Group ID. |
| SophosCentral.EndpointGroups.name | String | Group name. |
| SophosCentral.EndpointGroups.description | String | Group description. |
| SophosCentral.EndpointGroups.type | String | Endpoint group types. |
| SophosCentral.EndpointGroups.endpoints.total | Number | Total number of endpoints in this group. |
| SophosCentral.EndpointGroups.endpoints.itemsCount | Number | Total number of items in the list. |
| SophosCentral.EndpointGroups.tenant.id | String | Tenant ID. |
| SophosCentral.EndpointGroups.createdAt | Date | When the group was created. |
| SophosCentral.EndpointGroups.updatedAt | Date | When the group was updated. |

Command example#

!sophos-central-group-get groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af"

Context Example#

{
"SophosCentral": {
"EndpointGroups": {
"createdAt": "2022-10-06T09:16:51.382Z",
"description": "description",
"endpoints": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
"name": "Name-readme2-update",
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer",
"updatedAt": "2022-10-06T09:38:19.776Z"
}
}
}

Human Readable Output#

Fetched EndpointGroup Successfully#

| description | name |
| --- | --- |
| description | Name-readme2-update |

sophos-central-group-endpoints-add#


Add endpoints to a group.

Base Command#

sophos-central-group-endpoints-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | UUID of Endpoint group ID. (You can retrieve the endpoint group ID from the sophos-central-group-list command.) | Required |
| endpointIds | Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from the sophos-central-endpoint-list command.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.endpoints.id | String | Unique endpoint ID. |
| SophosCentral.EndpointGroups.endpoints.hostname | String | Endpoint hostname. |
| SophosCentral.EndpointGroups.id | String | Unique group ID. |

Command example#

!sophos-central-group-endpoints-add groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af" ids="3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"

Context Example#

{
"SophosCentral": {
"EndpointGroups": {
"endpoints": [
{
"hostname": "Lightning-r8s9l77e5g",
"id": "3413a306-5227-40f1-8b86-53195d927566"
},
{
"hostname": "Lightning-uz1lwmqwqk",
"id": "1abcf612-d426-457b-8088-10d921112f1b"
}
],
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af"
}
}
}

Human Readable Output#

2 Endpoint(s) Added Successfully#

| id | hostname |
| --- | --- |
| 3413a306-5227-40f1-8b86-53195d927566 | Lightning-r8s9l77e5g |
| 1abcf612-d426-457b-8088-10d921112f1b | Lightning-uz1lwmqwqk |

sophos-central-group-endpoint-remove#


Remove endpoint from a group.

Base Command#

sophos-central-group-endpoint-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | UUID of Endpoint group ID. (You can retrieve the endpoint group ID from the sophos-central-group-list command.) | Required |
| endpointId | Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from the sophos-central-endpoint-list command.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.removedEndpoint | Boolean | EndpointId of removed endpoint. |
| SophosCentral.EndpointGroups.id | String | Group Id. |

Command example#

!sophos-central-group-endpoint-remove groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af" endpointId="3413a306-5227-40f1-8b86-53195d927566"

Context Example#

{
"SophosCentral": {
"EndpointGroups": {
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
"removedEndpoint": "3413a306-5227-40f1-8b86-53195d927566"
}
}
}

Human Readable Output#

Endpoint removed successfully

sophos-central-group-endpoints-remove#


Remove endpoints from a group.

Base Command#

sophos-central-group-endpoints-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | UUID of Endpoint group ID. (You can retrieve the endpoint group ID from the sophos-central-group-list command.) | Required |
| endpointIds | Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from the sophos-central-endpoint-list command.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.endpoints.id | String | Unique endpoint ID. |
| SophosCentral.EndpointGroups.endpoints.hostname | String | Endpoint hostname. |
| SophosCentral.EndpointGroups.id | String | Unique group ID. |
| SophosCentral.EndpointGroups.removedEndpoints | String | List of removed EndpointIds from the group. |

Command example#

!sophos-central-group-endpoints-remove groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af" ids="3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"

Context Example#

{
"SophosCentral": {
"EndpointGroups": {
"endpoints": [
{
"hostname": "Lightning-uz1lwmqwqk",
"id": "1abcf612-d426-457b-8088-10d921112f1b"
}
],
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
"removedEndpoints": "3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"
}
}
}

Human Readable Output#

1 EndPoint(s) Removed Successfully#

| id | hostname |
| --- | --- |
| 1abcf612-d426-457b-8088-10d921112f1b | Lightning-uz1lwmqwqk |
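As an added example (not code from the Sophos Central pack), the Python below reconciles the Context Example above: `removedEndpoints` echoes both requested IDs, while `endpoints` lists only the one endpoint that the Human Readable Output reports as removed. The names `split_ids` and `reconcile_removal` are hypothetical, and treating `endpoints` as the confirmed removals is an assumption drawn from that example.

```python
import json

# Context Example from this page for sophos-central-group-endpoints-remove.
CONTEXT = json.loads("""
{
  "SophosCentral": {
    "EndpointGroups": {
      "endpoints": [
        {"hostname": "Lightning-uz1lwmqwqk",
         "id": "1abcf612-d426-457b-8088-10d921112f1b"}
      ],
      "id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
      "removedEndpoints": "3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"
    }
  }
}
""")


def split_ids(value):
    """Turn a comma-separated string (or a list) of IDs into a de-duplicated,
    lower-cased list that keeps the original order."""
    parts = value.split(",") if isinstance(value, str) else list(value or [])
    seen, out = set(), []
    for part in parts:
        item = str(part).strip().lower()
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def reconcile_removal(context, requested_ids=None):
    """Compare the endpoint IDs that were asked for with the ones the command
    output lists under `endpoints`.

    Assumption (from this page's example): `endpoints` holds the endpoints the
    call actually removed, and `removedEndpoints` echoes the requested IDs.
    """
    group = context["SophosCentral"]["EndpointGroups"]
    if requested_ids is None:
        requested_ids = group.get("removedEndpoints", "")
    requested = split_ids(requested_ids)

    endpoints = group.get("endpoints") or []
    if isinstance(endpoints, dict):  # tolerate a single object instead of a list
        endpoints = [endpoints]
    confirmed = {str(e["id"]).lower(): e.get("hostname", "") for e in endpoints}

    return {
        "group_id": group["id"],
        "confirmed": confirmed,
        # Requested, but not listed as removed: verify group membership by hand.
        "unconfirmed": [i for i in requested if i not in confirmed],
        # Listed as removed, but never requested: the request was not what we think.
        "unexpected": [i for i in confirmed if i not in requested],
    }


if __name__ == "__main__":
    result = reconcile_removal(CONTEXT)
    print("group:", result["group_id"])
    for endpoint_id, hostname in result["confirmed"].items():
        print("confirmed removed:", endpoint_id, hostname)
    for endpoint_id in result["unconfirmed"]:
        print("not confirmed:", endpoint_id)
```

A playbook that moves hosts between groups can branch on a non-empty `unconfirmed` list and re-check membership with sophos-central-group-get before treating the step as complete.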

sophos-central-group-list#


List endpoint groups.

Base Command#

sophos-central-group-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "1000". | Optional |
| page | Page number to return. Default is "1". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.id | String | Group ID. |
| SophosCentral.EndpointGroups.name | String | Group name. |
| SophosCentral.EndpointGroups.type | String | Endpoint group types. |
| SophosCentral.EndpointGroups.endpoints.total | Number | Total number of endpoints in this group. |
| SophosCentral.EndpointGroups.endpoints.itemsCount | Number | Total number of items in the list. |
| SophosCentral.EndpointGroups.tenant.id | String | Tenant ID. |
| SophosCentral.EndpointGroups.createdAt | Date | When the group was created. |
| SophosCentral.EndpointGroups.description | String | Group description. |

Command example#

!sophos-central-group-list page_size=10

Context Example#

{
"SophosCentral": {
"EndpointGroups": [
{
"createdAt": "2022-10-06T09:06:16.825Z",
"description": "description",
"endpoints": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "b8c0428e-a422-4db6-a72f-5af4844ed418",
"name": "Name-readme",
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer"
},
{
"createdAt": "2022-10-06T09:37:33.566Z",
"description": "description",
"endpoints": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "b3dec702-5d56-4cb9-8961-b0dba3194c94",
"name": "Name-readme-temp",
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer"
},
{
"createdAt": "2022-10-06T09:38:16.651Z",
"description": "description",
"endpoints": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d",
"name": "Name-readme2",
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer",
"updatedAt": "2022-10-06T09:38:27.895Z"
},
{
"createdAt": "2022-10-06T09:16:51.382Z",
"description": "description",
"endpoints": {
"items": [],
"itemsCount": 0,
"total": 0
},
"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",
"name": "Name-readme2-update",
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"type": "computer",
"updatedAt": "2022-10-06T09:38:32.519Z"
}
]
}
}

Human Readable Output#

Found 4 records#

Page : 1/1

Listed 4 EndpointGroups:

| id | name | type | count |
| --- | --- | --- | --- |
| b8c0428e-a422-4db6-a72f-5af4844ed418 | Name-readme | computer | 0 |
| b3dec702-5d56-4cb9-8961-b0dba3194c94 | Name-readme-temp | computer | 0 |
| 3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d | Name-readme2 | computer | 0 |
| f1ff9020-f101-42c7-a5eb-06e9ef35e7af | Name-readme2-update | computer | 0 |

sophos-central-group-delete#


Delete an endpoint group by ID.

Base Command#

sophos-central-group-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | UUID of Endpoint group ID. (You can retrieve the endpoint group ID from the sophos-central-group-list command.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointGroups.deleted | Boolean | Endpoint group deleted. |
| SophosCentral.EndpointGroups.id | String | Group Id. |

Command example#

!sophos-central-group-delete groupId="b3dec702-5d56-4cb9-8961-b0dba3194c94"

Context Example#

{
"SophosCentral": {
"EndpointGroups": {
"deleted": true,
"id": "b3dec702-5d56-4cb9-8961-b0dba3194c94"
}
}
}

Human Readable Output#

EndpointGroup Deleted Successfully

sophos-central-users-list#


List users for the given tenant.

Base Command#

sophos-central-users-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| pageSize | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |
| page | Page number to return. Default is "1". | Optional |
| search | Search for items that match the given terms. | Optional |
| searchFields | Search only within the specified comma-separated field values. The following values are allowed: name, firstName, lastName, email, exchangeLogin. When not specified, the default behavior is to search only the full names of users. | Optional |
| sourceType | Types of sources of directory information. Possible values are: custom, activeDirectory, azureActiveDirectory. | Optional |
| groupId | Search for users in a group that has this ID. (You can get the group ID from the sophos-central-usergroups-list command.) | Optional |
| domain | List the items that match the given domain. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Users.id | String | User ID. |
| SophosCentral.Users.name | String | User's name. |
| SophosCentral.Users.firstName | String | User's first name or given name. |
| SophosCentral.Users.lastName | String | User's last name or surname. |
| SophosCentral.Users.email | String | User's email address. |
| SophosCentral.Users.groups.total | Number | Total users. |
| SophosCentral.Users.groups.itemsCount | Number | Total number of groups in which the user exists. |
| SophosCentral.Users.groups.items.id | string | Group ID. |
| SophosCentral.Users.groups.items.name | string | Group name. |
| SophosCentral.Users.groups.items.displayName | string | Group display name. |
| SophosCentral.Users.tenant.id | String | Tenant ID. |
| SophosCentral.Users.source.type | String | SourceType of the user. |
| SophosCentral.Users.createdAt | Date | When the user was created. |

Command example#

!sophos-central-users-list searchFields="firstname, lastname, email" search="playbook" pageSize=5

Context Example#

{
"SophosCentral": {
"Users": [
{
"createdAt": "2022-10-10T12:30:57.876Z",
"email": "updatedemail.forplaybook@playbook.com",
"exchangeLogin": "",
"firstName": "updatedPlaybook",
"groups": {
"items": [
{
"displayName": "NewGroupNameReadMe",
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe"
}
],
"itemsCount": 1,
"total": 1
},
"id": "4c994c63-c252-4ac9-8840-bcccb095d5a2",
"lastName": "updatedTest",
"name": "playbook test",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-10T12:41:24.568Z"
},
{
"createdAt": "2022-10-10T12:31:46.606Z",
"email": "email.forplaybook1@playbook.com",
"exchangeLogin": "",
"firstName": "playbook",
"groups": {
"items": [
{
"displayName": "NewGroupNameReadMe",
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe"
}
],
"itemsCount": 1,
"total": 1
},
"id": "111a4a5c-4c9e-449e-88fb-19a2ce5752c6",
"lastName": "test",
"name": "playbook test",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-10T12:31:46.609Z"
},
{
"createdAt": "2022-10-10T12:48:23.980Z",
"email": "email.forplaybook2@playbook.com",
"exchangeLogin": "",
"firstName": "playbook",
"groups": {
"items": [
{
"displayName": "NewGroupNameReadMe",
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe"
}
],
"itemsCount": 1,
"total": 1
},
"id": "f6032b13-f001-4bae-adf2-a0fb6f344fbd",
"lastName": "test",
"name": "playbook test",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-10T12:48:23.982Z"
}
]
}
}

Human Readable Output#

Total Records: 3#

Page: 1/1

Listed 3 User(s):

| id | firstName | lastName | email | groupIds | groupNames |
| --- | --- | --- | --- | --- | --- |
| 4c994c63-c252-4ac9-8840-bcccb095d5a2 | updatedPlaybook | updatedTest | updatedemail.forplaybook@playbook.com | 733cce06-5ad0-487b-9547-03af02b5722e | NewGroupNameReadMe |
| 111a4a5c-4c9e-449e-88fb-19a2ce5752c6 | playbook | test | email.forplaybook1@playbook.com | 733cce06-5ad0-487b-9547-03af02b5722e | NewGroupNameReadMe |
| f6032b13-f001-4bae-adf2-a0fb6f344fbd | playbook | test | email.forplaybook2@playbook.com | 733cce06-5ad0-487b-9547-03af02b5722e | NewGroupNameReadMe |

sophos-central-users-get#


Get the user with the given userId for the given tenant.

Base Command#

sophos-central-users-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userId | Unique User UUID. (You can get the user ID from the sophos-central-users-list command.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Users.id | String | User ID. |
| SophosCentral.Users.name | String | User's name. |
| SophosCentral.Users.firstName | String | User's first name or given name. |
| SophosCentral.Users.lastName | String | User's last name or surname. |
| SophosCentral.Users.email | String | User's email address. |
| SophosCentral.Users.groups.total | Number | Total users. |
| SophosCentral.Users.groups.itemsCount | Number | Total number of groups in which the user exists. |
| SophosCentral.Users.groups.items.id | string | Group ID. |
| SophosCentral.Users.groups.items.name | string | Group name. |
| SophosCentral.Users.groups.items.displayName | string | Group display name. |
| SophosCentral.Users.tenant.id | String | Tenant ID. |
| SophosCentral.Users.source.type | String | SourceType of the user. |
| SophosCentral.Users.createdAt | Date | When the user was created. |
| SophosCentral.Users.updatedAt | Date | When the user was updated. |

Command example#

!sophos-central-users-get userId=4c994c63-c252-4ac9-8840-bcccb095d5a2

Context Example#

{
"SophosCentral": {
"Users": {
"email": "updatedemail.forplaybook@playbook.com",
"exchangeLogin": "",
"firstName": "updatedPlaybook",
"groupIds": [
"733cce06-5ad0-487b-9547-03af02b5722e"
],
"groupNames": [
"NewGroupNameReadMe"
],
"id": "4c994c63-c252-4ac9-8840-bcccb095d5a2",
"lastName": "updatedTest"
}
}
}

Human Readable Output#

Found User:#

| id | firstName | lastName | email | exchangeLogin | groupIds | groupNames |
| --- | --- | --- | --- | --- | --- | --- |
| 4c994c63-c252-4ac9-8840-bcccb095d5a2 | updatedPlaybook | updatedTest | updatedemail.forplaybook@playbook.com |  | 733cce06-5ad0-487b-9547-03af02b5722e | NewGroupNameReadMe |

sophos-central-users-add#


Add a new user.

Base Command#

sophos-central-users-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| firstName | First Name of the user. This must not include a space. Maximum length should be 250 characters. | Required |
| lastName | Last Name of the user. This must not include a space. Maximum length should be 250 characters. | Required |
| email | Email Address of the user. | Required |
| exchangeLogin | Exchange Login for the user. | Optional |
| groupIds | Comma-separated list of GroupIds to be enrolled in (You can get the list of user IDs from sophos-central-usergroups-list command). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Users.id | String | User ID. |
| SophosCentral.Users.name | String | User's name. |
| SophosCentral.Users.firstName | String | User's first name or given name. |
| SophosCentral.Users.lastName | String | User's last name or surname. |
| SophosCentral.Users.email | String | User's email address. |
| SophosCentral.Users.groups.total | Number | Total users. |
| SophosCentral.Users.groups.itemsCount | Number | Total number of groups in which the user exists. |
| SophosCentral.Users.groups.items.id | string | Group ID. |
| SophosCentral.Users.groups.items.name | string | Group name. |
| SophosCentral.Users.groups.items.displayName | string | Group display name. |
| SophosCentral.Users.tenant.id | String | Tenant ID. |
| SophosCentral.Users.source.type | String | SourceType of the user. |
| SophosCentral.Users.createdAt | Date | When the user was created. |
| SophosCentral.Users.updatedAt | Date | When the user was updated. |

Command example#

!sophos-central-users-add firstName=playbook lastName=test email=email.forplaybook2@playbook.com groupIds=733cce06-5ad0-487b-9547-03af02b5722e

Context Example#

{
"SophosCentral": {
"Users": {
"createdAt": "2022-10-10T12:48:23.980Z",
"email": "email.forplaybook2@playbook.com",
"exchangeLogin": "",
"firstName": "playbook",
"groups": {
"items": [
{
"displayName": "NewGroupNameReadMe",
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe"
}
],
"itemsCount": 1,
"total": 1
},
"id": "f6032b13-f001-4bae-adf2-a0fb6f344fbd",
"lastName": "test",
"name": "playbook test",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-10T12:48:23.982Z"
}
}
}

Human Readable Output#

A new User was added to the Directory.

sophos-central-users-update#


Update a user.

Base Command#

sophos-central-users-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userId | Unique User UUID. (You can get the user ID from the sophos-central-users-list command.) | Required |
| name | User's full name. | Optional |
| firstName | First Name of the user. This must not include a space. Maximum length should be 250 characters. | Optional |
| lastName | Last Name of the user. This must not include a space. Maximum length should be 250 characters. | Optional |
| email | Email Address of the user. | Optional |
| exchangeLogin | Exchange Login for the user. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.Users.id | String | User ID. |
| SophosCentral.Users.name | String | User's name. |
| SophosCentral.Users.firstName | String | User's first name or given name. |
| SophosCentral.Users.lastName | String | User's last name or surname. |
| SophosCentral.Users.email | String | User's email address. |
| SophosCentral.Users.groups.total | Number | Total users. |
| SophosCentral.Users.groups.itemsCount | Number | Total number of groups in which the user exists. |
| SophosCentral.Users.groups.items.id | string | Group ID. |
| SophosCentral.Users.groups.items.name | string | Group name. |
| SophosCentral.Users.groups.items.displayName | string | Group display name. |
| SophosCentral.Users.tenant.id | String | Tenant ID. |
| SophosCentral.Users.source.type | String | SourceType of the user. |
| SophosCentral.Users.createdAt | Date | When the user was created. |
| SophosCentral.Users.updatedAt | Date | When the user was updated. |

Command example#

!sophos-central-users-update userId=4c994c63-c252-4ac9-8840-bcccb095d5a2 firstName="updatedPlaybook" lastName="updatedTest" email="updatedemail.forplaybook@playbook.com"

Context Example#

{
"SophosCentral": {
"Users": {
"createdAt": "2022-10-10T12:30:57.876Z",
"email": "updatedemail.forplaybook@playbook.com",
"exchangeLogin": "",
"firstName": "updatedPlaybook",
"groups": {
"items": [
{
"displayName": "NewGroupNameReadMe",
"id": "733cce06-5ad0-487b-9547-03af02b5722e",
"name": "NewGroupNameReadMe"
}
],
"itemsCount": 1,
"total": 1
},
"id": "4c994c63-c252-4ac9-8840-bcccb095d5a2",
"lastName": "updatedTest",
"name": "playbook test",
"source": {
"type": "custom"
},
"tenant": {
"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"
},
"updatedAt": "2022-10-10T12:41:24.568Z"
}
}
}

Human Readable Output#

User updated.

sophos-central-users-delete#


Delete a user.

Base Command#

sophos-central-users-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userId | Unique User UUID. (You can get the user ID from the sophos-central-users-list command.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedUsers.deletedUserId | String | Deleted User's Id. |

Command example#

!sophos-central-users-delete userId=9d79e670-3846-45b7-a119-12ca1ee46933

Context Example#

{
"SophosCentral": {
"DeletedUsers": {
"deletedUserId": "9d79e670-3846-45b7-a119-12ca1ee46933"
}
}
}

Human Readable Output#

User deleted.

sophos-central-endpoint-policy-search#


Get all endpoint policies.

Base Command#

sophos-central-endpoint-policy-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "200". | Optional |
| page | Page number to return. Default is "1". | Optional |
| policy_type | Fetch the policies based on policy_type value. Possible values are: threat-protection, peripheral-control, application-control, data-loss-prevention, device-encryption, web-control, agent-updating, windows-firewall, server-threat-protection, server-peripheral-control, server-application-control, server-web-control, server-lockdown, server-data-loss-prevention, server-agent-updating, server-windows-firewall, server-file-integrity-monitoring. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.PolicyAndEnumeration.id | String | Policy ID |
| SophosCentral.PolicyAndEnumeration.feature | String | Feature |
| SophosCentral.PolicyAndEnumeration.settings | String | Settings |
| SophosCentral.PolicyAndEnumeration.orderPriority | String | Order priority |
| SophosCentral.PolicyAndEnumeration.name | String | Name |
| SophosCentral.PolicyAndEnumeration.enforced | Boolean | Enforced (T |
| SophosCentral.PolicyAndEnumeration.typeSingle | String | Type Single |
| SophosCentral.PolicyAndEnumeration.typeGroup | String | Type Group |
| SophosCentral.PolicyAndEnumeration.lastModified | String | Last Modified |

Command example#

!sophos-central-endpoint-policy-search page_size=10 page=1

Context Example#

{
"SophosCentral": {
"PolicyAndEnumeration": [
{
"enforced": false,
"feature": "agent-updating",
"id": "67074d6e-ce83-40c2-a7f4-8a94a1beac10",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned 3)",
"orderPriority": 9,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "b3715f16-b675-4978-927d-2e0fb206b6e9",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned 3)",
"orderPriority": 8,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "e4a9ec1e-a5e3-4072-825f-701b8e1e33fe",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned 3)",
"orderPriority": 7,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "df3bdaa7-c156-4580-baa6-30e2bf118502",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned 2)",
"orderPriority": 6,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "c4887d95-d099-4ae1-9290-1fe316a24d59",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned)",
"orderPriority": 5,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "a18aafe1-eb86-46c0-ba2f-1f64f1e5b16e",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned 2)",
"orderPriority": 4,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "694f8591-217c-44a0-99f1-f7331bf1bf33",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "12",
"orderPriority": 3,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "09eff4b3-14f1-4a42-a47c-c0382066d094",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned 2)",
"orderPriority": 2,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": false,
"feature": "agent-updating",
"id": "875166af-1848-463a-a853-bed673cad119",
"lastModified": "2022-10-11T06:13:07.146Z",
"name": "Base Policy (cloned)",
"orderPriority": 1,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
},
{
"enforced": true,
"feature": "agent-updating",
"id": "3f863d0a-4405-4c6d-a035-4215db53b087",
"lastModified": "2022-05-07T01:16:26.767Z",
"name": "Base Policy",
"orderPriority": 0,
"settings": {
"endpoint.agent-updating.dont-use-update-caches.enabled": {
"value": false
},
"endpoint.agent-updating.fixed-version.mac": {
"value": "recommended"
},
"endpoint.agent-updating.fixed-version.windows": {
"value": "recommended"
},
"endpoint.agent-updating.scheduled-updates.day": {
"unit": "day",
"value": 3
},
"endpoint.agent-updating.scheduled-updates.enabled": {
"value": false
},
"endpoint.agent-updating.scheduled-updates.time": {
"format": "hourMinute",
"value": "14:00"
}
}
}
]
}
}

Human Readable Output#

Total Record(s): 24#

Current page: 1/3#

Listed 10 Endpoint Policies:#

| id | feature | settings | orderPriority | name | enforced | typeSingle | typeGroup | lastModified |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 67074d6e-ce83-40c2-a7f4-8a94a1beac10 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 9 | Base Policy (cloned 3) | false |  |  | 2022-10-11T06:13:07.146Z |
| b3715f16-b675-4978-927d-2e0fb206b6e9 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 8 | Base Policy (cloned 3) | false |  |  | 2022-10-11T06:13:07.146Z |
| e4a9ec1e-a5e3-4072-825f-701b8e1e33fe | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 7 | Base Policy (cloned 3) | false |  |  | 2022-10-11T06:13:07.146Z |
| df3bdaa7-c156-4580-baa6-30e2bf118502 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 6 | Base Policy (cloned 2) | false |  |  | 2022-10-11T06:13:07.146Z |
| c4887d95-d099-4ae1-9290-1fe316a24d59 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 5 | Base Policy (cloned) | false |  |  | 2022-10-11T06:13:07.146Z |
| a18aafe1-eb86-46c0-ba2f-1f64f1e5b16e | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 4 | Base Policy (cloned 2) | false |  |  | 2022-10-11T06:13:07.146Z |
| 694f8591-217c-44a0-99f1-f7331bf1bf33 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 3 | 12 | false |  |  | 2022-10-11T06:13:07.146Z |
| 09eff4b3-14f1-4a42-a47c-c0382066d094 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 2 | Base Policy (cloned 2) | false |  |  | 2022-10-11T06:13:07.146Z |
| 875166af-1848-463a-a853-bed673cad119 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 1 | Base Policy (cloned) | false |  |  | 2022-10-11T06:13:07.146Z |
| 3f863d0a-4405-4c6d-a035-4215db53b087 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}; endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}; endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}; endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}; endpoint.agent-updating.scheduled-updates.enabled: {"value": false}; endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 0 | Base Policy | true |  |  | 2022-05-07T01:16:26.767Z |

sophos-central-endpoint-policy-get#


Get details of Policy by id.

Base Command#

sophos-central-endpoint-policy-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.PolicyAndEnumeration.id | String | Policy ID |
| SophosCentral.PolicyAndEnumeration.feature | String | Feature |
| SophosCentral.PolicyAndEnumeration.settings | String | Settings |
| SophosCentral.PolicyAndEnumeration.orderPriority | String | Order priority |
| SophosCentral.PolicyAndEnumeration.name | String | Name |
| SophosCentral.PolicyAndEnumeration.enforced | Boolean | Enforced (T |
| SophosCentral.PolicyAndEnumeration.typeSingle | String | Type Single |
| SophosCentral.PolicyAndEnumeration.typeGroup | String | Type Group |
| SophosCentral.PolicyAndEnumeration.lastModified | String | Last Modified |

Command example#

!sophos-central-endpoint-policy-get policy_id=67074d6e-ce83-40c2-a7f4-8a94a1beac10

Context Example#

{
    "SophosCentral": {
        "PolicyAndEnumeration": {
            "enforced": false,
            "feature": "agent-updating",
            "id": "67074d6e-ce83-40c2-a7f4-8a94a1beac10",
            "lastModified": "2022-10-11T06:13:07.146Z",
            "name": "Base Policy (cloned 3)",
            "orderPriority": 9,
            "settings": {
                "endpoint.agent-updating.dont-use-update-caches.enabled": {
                    "value": false
                },
                "endpoint.agent-updating.fixed-version.mac": {
                    "value": "recommended"
                },
                "endpoint.agent-updating.fixed-version.windows": {
                    "value": "recommended"
                },
                "endpoint.agent-updating.scheduled-updates.day": {
                    "unit": "day",
                    "value": 3
                },
                "endpoint.agent-updating.scheduled-updates.enabled": {
                    "value": false
                },
                "endpoint.agent-updating.scheduled-updates.time": {
                    "format": "hourMinute",
                    "value": "14:00"
                }
            }
        }
    }
}

Human Readable Output#

67074d6e-ce83-40c2-a7f4-8a94a1beac10 Policy Details:#

| id | feature | settings | orderPriority | name | enforced | typeSingle | typeGroup | lastModified |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 67074d6e-ce83-40c2-a7f4-8a94a1beac10 | agent-updating | endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false}<br>endpoint.agent-updating.fixed-version.mac: {"value": "recommended"}<br>endpoint.agent-updating.fixed-version.windows: {"value": "recommended"}<br>endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"}<br>endpoint.agent-updating.scheduled-updates.enabled: {"value": false}<br>endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"} | 9 | Base Policy (cloned 3) | false |  |  | 2022-10-11T06:13:07.146Z |
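
The following is an added example, not part of the integration's own code: one way an automation could compare the `settings` object that sophos-central-endpoint-policy-get writes to `SophosCentral.PolicyAndEnumeration` against an expected baseline and report deviations. The function name `audit_policies`, the `BASELINE` values and the `example.placeholder.setting` key are assumptions made for illustration; the sample context is the Context Example above.

```python
import json

# Context Example shown above for sophos-central-endpoint-policy-get (lastModified omitted).
SAMPLE_CONTEXT = json.loads("""
{"SophosCentral": {"PolicyAndEnumeration": {
  "enforced": false, "feature": "agent-updating",
  "id": "67074d6e-ce83-40c2-a7f4-8a94a1beac10",
  "name": "Base Policy (cloned 3)", "orderPriority": 9,
  "settings": {
    "endpoint.agent-updating.dont-use-update-caches.enabled": {"value": false},
    "endpoint.agent-updating.fixed-version.mac": {"value": "recommended"},
    "endpoint.agent-updating.fixed-version.windows": {"value": "recommended"},
    "endpoint.agent-updating.scheduled-updates.day": {"unit": "day", "value": 3},
    "endpoint.agent-updating.scheduled-updates.enabled": {"value": false},
    "endpoint.agent-updating.scheduled-updates.time": {"format": "hourMinute", "value": "14:00"}
  }}}}
""")

# Hypothetical baseline (an assumption, not a Sophos recommendation): setting key -> expected value.
BASELINE = {
    "endpoint.agent-updating.fixed-version.windows": "recommended",
    "endpoint.agent-updating.scheduled-updates.enabled": True,
    "example.placeholder.setting": True,  # constructed key, absent from the policy on purpose
}


def audit_policies(context, baseline):
    """Compare each policy's settings with the baseline; return one report per policy."""
    policies = context.get("SophosCentral", {}).get("PolicyAndEnumeration")
    if isinstance(policies, dict):  # the Context Example holds one object; also accept a list
        policies = [policies]
    if not isinstance(policies, list):
        raise ValueError("no SophosCentral.PolicyAndEnumeration in context")
    reports = []
    for policy in policies:
        settings = policy.get("settings") or {}
        findings = []
        for key, expected in baseline.items():
            entry = settings.get(key)
            if not isinstance(entry, dict) or "value" not in entry:
                findings.append((key, "missing", None))
            # Compare the type too, so False never matches 0 and "3" never matches 3.
            elif type(entry["value"]) is not type(expected) or entry["value"] != expected:
                findings.append((key, "mismatch", entry["value"]))
        reports.append({"id": policy.get("id"), "name": policy.get("name"),
                        "enforced": policy.get("enforced"), "findings": findings})
    return reports


if __name__ == "__main__":
    print(json.dumps(audit_policies(SAMPLE_CONTEXT, BASELINE), indent=2))
```

Each report carries the policy's `enforced` flag next to the findings, so a reviewer can see whether the deviating policy is enforced at all.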

sophos-central-endpoint-policy-reorder#


Update Policy priority for non-base policies.

Base Command#

sophos-central-endpoint-policy-reorder

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command. | Required |
| priority | Update Policy Order priority for non-base policies. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.PolicyAndEnumeration.updatedPolicyId | String | The ID of the updated policy. |

Command example#

!sophos-central-endpoint-policy-reorder policy_id=67074d6e-ce83-40c2-a7f4-8a94a1beac10 priority=1

Context Example#

{
    "SophosCentral": {
        "PolicyAndEnumeration": {
            "updatedPolicyId": "67074d6e-ce83-40c2-a7f4-8a94a1beac10"
        }
    }
}

Human Readable Output#

Success updating endpoint policy: 67074d6e-ce83-40c2-a7f4-8a94a1beac10

sophos-central-endpoint-policy-search-delete#


Delete an existing endpoint policy.

Base Command#

sophos-central-endpoint-policy-search-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.PolicyAndEnumeration.deletedPolicyId | String | The ID of the deleted policy. |

Command example#

!sophos-central-endpoint-policy-search-delete policy_id=67074d6e-ce83-40c2-a7f4-8a94a1beac10

Context Example#

{
    "SophosCentral": {
        "PolicyAndEnumeration": {
            "deletedPolicyId": "67074d6e-ce83-40c2-a7f4-8a94a1beac10"
        }
    }
}

Human Readable Output#

Success deleting endpoint policy: 67074d6e-ce83-40c2-a7f4-8a94a1beac10

sophos-central-endpoint-policy-clone#


Clone an existing endpoint policy.

Base Command#

sophos-central-endpoint-policy-clone

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command. | Required |
| name | Policy name of the newly cloned policy. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.PolicyAndEnumeration.clonedPolicyId | String | The ID of the cloned policy. |

Command example#

!sophos-central-endpoint-policy-clone policy_id=b3715f16-b675-4978-927d-2e0fb206b6e9 name=testclonenew

Context Example#

{
    "SophosCentral": {
        "PolicyAndEnumeration": {
            "clonedPolicyId": "28d9b869-ba28-420f-87da-98a8e1b1656f"
        }
    }
}

Human Readable Output#

Success cloning endpoint policy: 28d9b869-ba28-420f-87da-98a8e1b1656f