# Sophos Central
This Integration is part of the Sophos Central Pack.

The unified console for managing Sophos products.

## Configure Sophos Central in Cortex

Parameter | Description | Required |
---|---|---|
credentials | Sophos client ID and secret | True |
Tenant ID | Tenant ID on which the commands are executed by default. Required when partner- or organization-level credentials are used. | False |
isFetch | Fetch incidents | False |
fetch_severity | Fetch Severity | False |
fetch_category | Fetch Category | False |
max_fetch | Fetch Limit | False |
fetch_time | First Fetch Time | False |
proxy | Use system proxy settings | False |
## Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### sophos-central-alert-list
List alerts.

#### Base Command
`sophos-central-alert-list`

#### Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
SophosCentral.Alert.category | String | Alert category. |
SophosCentral.Alert.description | String | Alert description. |
SophosCentral.Alert.groupKey | String | Alert group key. |
SophosCentral.Alert.id | String | The alert ID. |
SophosCentral.Alert.managedAgentId | String | The alert source ID. |
SophosCentral.Alert.managedAgentName | String | The alert source name. |
SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
SophosCentral.Alert.person | String | The ID of the referenced person object. |
SophosCentral.Alert.personName | String | The name of the referenced person object. |
SophosCentral.Alert.product | String | Product type. |
SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
SophosCentral.Alert.severity | String | Severity level for the alert. |
SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
SophosCentral.Alert.tenantName | String | Tenant name. |
SophosCentral.Alert.type | String | Alert type. |
#### Command Example
`!sophos-central-alert-list limit=50`

#### Context Example

#### Human Readable Output
##### Listed Alerts
id | description | severity | raisedAt | allowedActions | managedAgentId | category | type |
---|---|---|---|---|---|---|---|
8e879165-81cb-4747-8608-1cc4e630a017 | Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip' | high | 2020-11-25T09:19:18.936Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | malware | Event::Endpoint::Threat::CleanupFailed |
9641ba6e-3254-4726-962d-b2bc11e04131 | Malicious connection detected: 'C2/Generic-B' at 'C:\Windows\System32\wscript.exe' (Technical Support reference: 277413403) | high | 2020-11-25T10:36:31.603Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | runtimeDetections | Event::Endpoint::Threat::CommandAndControlDetected |
ee527ca8-cb54-4e11-b59f-2197910176f3 | Thunderbox is out of date. | medium | 2020-11-25T10:42:09.083Z | acknowledge | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | updating | Event::Endpoint::OutOfDate |

Results on this page: 3. Maximum number of results allowed in a page: 100
### sophos-central-alert-get
Get a single alert by ID.

#### Base Command
`sophos-central-alert-get`

#### Input
Argument Name | Description | Required |
---|---|---|
alert_id | The alert ID. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
SophosCentral.Alert.category | String | Alert category. |
SophosCentral.Alert.description | String | Alert description. |
SophosCentral.Alert.groupKey | String | Alert group key. |
SophosCentral.Alert.id | String | The alert ID. |
SophosCentral.Alert.managedAgentId | String | The alert source ID. |
SophosCentral.Alert.managedAgentName | String | The alert source name. |
SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
SophosCentral.Alert.person | String | The ID of the referenced person object. |
SophosCentral.Alert.personName | String | The name of the referenced person object. |
SophosCentral.Alert.product | String | Product type. |
SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
SophosCentral.Alert.severity | String | Severity level for the alert. |
SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
SophosCentral.Alert.tenantName | String | Tenant name. |
SophosCentral.Alert.type | String | Alert type. |
#### Command Example
`!sophos-central-alert-get alert_id=8e879165-81cb-4747-8608-1cc4e630a017`

#### Context Example

#### Human Readable Output
##### Found Alert
id | description | severity | raisedAt | allowedActions | managedAgentId | category | type |
---|---|---|---|---|---|---|---|
8e879165-81cb-4747-8608-1cc4e630a017 | Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip' | high | 2020-11-25T09:19:18.936Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | malware | Event::Endpoint::Threat::CleanupFailed |
### sophos-central-alert-action
Take an action against alerts.

#### Base Command
`sophos-central-alert-action`

#### Input
Argument Name | Description | Required |
---|---|---|
alert_id | Comma-separated list of alert IDs. | Required |
action | Actions to perform on the alerts. Possible values are: "acknowledge", "cleanPua", "cleanVirus", "authPua", "clearThreat", "clearHmpa", "sendMsgPua", and "sendMsgThreat". | Required |
message | Message to send for the action. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.AlertAction.action | String | Actions that you can perform on the alert. |
SophosCentral.AlertAction.alertId | String | Alert ID. |
SophosCentral.AlertAction.completedAt | Date | Time when the action was completed. |
SophosCentral.AlertAction.id | String | Alert action ID. |
SophosCentral.AlertAction.requestedAt | Date | Time when the action was requested. |
SophosCentral.AlertAction.result | String | The result of the action. |
SophosCentral.AlertAction.startedAt | Date | Time when the action was started. |
SophosCentral.AlertAction.status | String | Status of an alert action. |
#### Command Example
`!sophos-central-alert-action action=clearThreat alert_id=8e879165-81cb-4747-8608-1cc4e630a017 message=testmessage`

#### Context Example

#### Human Readable Output
##### Alerts Acted Against
id | action | alertId | result | requestedAt | status |
---|---|---|---|---|---|
c75b1e4d-c62c-4b3a-8ca5-dea658a18c1b | clearThreat | 8e879165-81cb-4747-8608-1cc4e630a017 | success | 2020-11-25T10:47:14.639Z | requested |
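The `action` argument only succeeds when it is one of the alert's `allowedActions`, and `alert_id` accepts a comma-separated list, so a playbook that remediates in bulk should group alerts by the action each one permits before calling the command. The following is an added example, not code from the integration or from Sophos: it takes alerts in the shape of the `SophosCentral.Alert` context (the sample records are constructed here, with IDs and categories copied from the output above), picks the first preferred action each alert allows, and produces one argument dict per `sophos-central-alert-action` call. The `pick_action`, `build_action_commands` and `render_cli` names and the preference order are assumptions of this example.

```python
# Constructed sample alerts in the shape of SophosCentral.Alert context entries.
# IDs and values mirror the example output on this page; only the fields used here are included.
SAMPLE_ALERTS = [
    {"id": "8e879165-81cb-4747-8608-1cc4e630a017", "category": "malware", "severity": "high",
     "managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b", "allowedActions": ["clearThreat"]},
    {"id": "9641ba6e-3254-4726-962d-b2bc11e04131", "category": "runtimeDetections", "severity": "high",
     "managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b", "allowedActions": ["clearThreat"]},
    {"id": "ee527ca8-cb54-4e11-b59f-2197910176f3", "category": "updating", "severity": "medium",
     "managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b", "allowedActions": ["acknowledge"]},
]

# The values the action argument accepts, copied from the command's argument table
VALID_ACTIONS = {"acknowledge", "cleanPua", "cleanVirus", "authPua", "clearThreat",
                 "clearHmpa", "sendMsgPua", "sendMsgThreat"}


def pick_action(alert, preferred):
    """Return the first action in `preferred` that the alert's allowedActions permits, else None."""
    allowed = alert.get("allowedActions") or []
    if isinstance(allowed, str):          # the context may carry a single string or a list
        allowed = [allowed]
    for action in preferred:
        if action not in VALID_ACTIONS:
            raise ValueError(f"{action!r} is not a valid sophos-central-alert-action value")
        if action in allowed:
            return action
    return None


def build_action_commands(alerts, preferred=("clearThreat", "acknowledge"), message=None):
    """Group alerts by the action chosen for them so that each action becomes one
    sophos-central-alert-action call (alert_id takes a comma-separated list).
    Returns (list of argument dicts, list of alert IDs no preferred action applies to)."""
    ids_by_action = {}
    skipped = []
    for alert in alerts:
        action = pick_action(alert, preferred)
        if action is None:
            skipped.append(alert["id"])
            continue
        ids_by_action.setdefault(action, []).append(alert["id"])
    commands = []
    for action, ids in ids_by_action.items():
        args = {"action": action, "alert_id": ",".join(ids)}
        if message:
            args["message"] = message
        commands.append(args)
    return commands, skipped


def render_cli(args):
    """Render an argument dict as the War Room command line shown in the examples above."""
    parts = ["!sophos-central-alert-action"]
    for key, value in args.items():
        value = f'"{value}"' if " " in str(value) else value
        parts.append(f"{key}={value}")
    return " ".join(parts)


if __name__ == "__main__":
    commands, skipped = build_action_commands(SAMPLE_ALERTS)
    for args in commands:
        print(render_cli(args))
    print("no applicable action:", skipped)
```

Alerts whose `allowedActions` contain none of the preferred actions are returned separately rather than sent to the command, which keeps a playbook from issuing requests the API will reject and makes the leftovers visible for manual triage.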
### sophos-central-alert-search
Get alerts matching request.

#### Base Command
`sophos-central-alert-search`

#### Input
Argument Name | Description | Required |
---|---|---|
group_key | Alert group key. | Optional |
start | Time on which or after the alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ). | Optional |
end | Time before which alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ). | Optional |
date_range | The range to search, measured back from the current time, as an alternative to start/end. Format: `<number> <time unit>`, e.g., "12 hours", "7 days". If defined, date_range overrides the start and end arguments. | Optional |
product | Alerts for one or more products. Possible values are: "other", "endpoint", "server", "mobile", "encryption", "emailGateway", "webGateway", "phishThreat", "wireless", "iaas", and "firewall". | Optional |
category | One or more alert categories. | Optional |
severity | Alerts for one or more severity levels. Possible values are: "high", "medium", and "low". | Optional |
ids | List of IDs. | Optional |
limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |
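The time arguments of this command have three rules that are easy to get wrong in an automation: `start` and `end` must be in `YYYY-MM-DDTHH:MM:SSZ` form, `date_range` is `<number> <time unit>` and silently overrides `start`/`end`, and `limit` is capped at 100. Below is an added example, not code from the integration, that builds the argument dict for `sophos-central-alert-search` while enforcing those rules and the documented `product`/`severity` values. The function names, the set of time units accepted for `date_range` (minutes, hours, days, weeks) and the injectable `now` parameter are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Format the start/end arguments expect, as documented: YYYY-MM-DDTHH:MM:SSZ
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Time units accepted for date_range ("12 hours", "7 days"); the unit list is an assumption
DATE_RANGE_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}
# Allowed values copied from the command's argument table
PRODUCTS = {"other", "endpoint", "server", "mobile", "encryption", "emailGateway",
            "webGateway", "phishThreat", "wireless", "iaas", "firewall"}
SEVERITIES = {"high", "medium", "low"}
MAX_LIMIT = 100


def parse_date_range(date_range):
    """Turn '<number> <time unit>' (e.g. '12 hours') into a timedelta."""
    match = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day|week)s?\s*", date_range)
    if not match:
        raise ValueError(f"date_range must look like '<number> <time unit>', got {date_range!r}")
    return timedelta(**{DATE_RANGE_UNITS[match.group(2)]: int(match.group(1))})


def validate_iso(value, name):
    """Reject start/end values that are not in the documented ISO format."""
    try:
        datetime.strptime(value, ISO_FMT)
    except ValueError:
        raise ValueError(f"{name} must use the format YYYY-MM-DDTHH:MM:SSZ, got {value!r}") from None
    return value


def split_multi(value):
    """Comma-separated string or list argument -> list of stripped values."""
    if value is None:
        return []
    if isinstance(value, str):
        value = value.split(",")
    return [v.strip() for v in value if v and v.strip()]


def build_alert_search_args(date_range=None, start=None, end=None, product=None,
                            severity=None, category=None, ids=None, limit=None, now=None):
    """Build the argument dict for sophos-central-alert-search, applying the
    documented rules: date_range overrides start/end, product and severity must
    come from the allowed lists, and limit must not exceed 100."""
    now = now or datetime.now(timezone.utc)
    args = {}
    if date_range:
        delta = parse_date_range(date_range)
        args["start"] = (now - delta).strftime(ISO_FMT)
        args["end"] = now.strftime(ISO_FMT)
    else:
        if start:
            args["start"] = validate_iso(start, "start")
        if end:
            args["end"] = validate_iso(end, "end")
        # Fixed-width ISO strings compare correctly as text
        if "start" in args and "end" in args and args["start"] >= args["end"]:
            raise ValueError("start must be earlier than end")
    products = split_multi(product)
    bad = sorted(set(products) - PRODUCTS)
    if bad:
        raise ValueError(f"unknown product value(s): {bad}")
    if products:
        args["product"] = ",".join(products)
    severities = split_multi(severity)
    bad = sorted(set(severities) - SEVERITIES)
    if bad:
        raise ValueError(f"unknown severity value(s): {bad}")
    if severities:
        args["severity"] = ",".join(severities)
    if category:
        args["category"] = ",".join(split_multi(category))
    if ids:
        args["ids"] = ",".join(split_multi(ids))
    if limit is not None:
        limit = int(limit)
        if not 1 <= limit <= MAX_LIMIT:
            raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
        args["limit"] = limit
    return args


if __name__ == "__main__":
    print(build_alert_search_args(date_range="7 days", product="endpoint", severity="high"))
```

Passing `now` explicitly makes the window reproducible in tests and in incident timelines; in a live automation leave it unset so the window ends at the current time, as the `date_range` argument is defined to do.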
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
SophosCentral.Alert.category | String | Alert category. |
SophosCentral.Alert.description | String | Alert description. |
SophosCentral.Alert.groupKey | String | Alert group key. |
SophosCentral.Alert.id | String | The alert ID. |
SophosCentral.Alert.managedAgentId | String | The alert source ID. |
SophosCentral.Alert.managedAgentName | String | The alert source name. |
SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
SophosCentral.Alert.person | String | The ID of the referenced person object. |
SophosCentral.Alert.personName | String | The name of the referenced person object. |
SophosCentral.Alert.product | String | Product type. |
SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
SophosCentral.Alert.severity | String | Severity level for the alert. |
SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
SophosCentral.Alert.tenantName | String | Tenant name. |
SophosCentral.Alert.type | String | Alert type. |
#### Command Example
`!sophos-central-alert-search category=general product=endpoint`

#### Context Example

#### Human Readable Output
##### Found Alerts
No entries.

Results on this page: 0. Maximum number of results allowed in a page: 100
### sophos-central-endpoint-list
List all endpoints for a tenant.

#### Base Command
`sophos-central-endpoint-list`

#### Input
Argument Name | Description | Required |
---|---|---|
health_status | Match endpoints that have any of the specified health statuses. Possible values are: "bad", "good", "suspicious", and "unknown". | Optional |
endpoint_type | Match endpoints that have any of the specified endpoint types. Possible values are: "computer", "server", and "securityVm". | Optional |
tamper_protection_enabled | Whether tamper protection is enabled. Possible values are: "true" and "false". | Optional |
lockdown_status | Match endpoints that have any of the specified lockdown statuses. Possible values are: "creatingWhitelist", "installing", "locked", "notInstalled", "registering", "starting", "stopping", "unavailable", "uninstalled", and "unlocked". | Optional |
last_seen_before | The datetime before which the endpoints were last seen (UTC). | Optional |
last_seen_after | The datetime on or after which the endpoints were last seen (UTC). | Optional |
ids | List of IDs. | Optional |
view | Type of view to be returned in the response. Possible values are: "basic", "summary", and "full". | Optional |
limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.Endpoint.assignedProductCodes | String | Code of a product assigned to the endpoint. |
SophosCentral.Endpoint.associatedPersonId | String | The unique ID for the person associated with the endpoint. |
SophosCentral.Endpoint.associatedPersonName | String | Name of the person associated with the endpoint. |
SophosCentral.Endpoint.associatedPersonViaLogin | String | The login of the person associated with the endpoint. |
SophosCentral.Endpoint.groupId | String | The unique ID for the endpoint group. |
SophosCentral.Endpoint.groupName | String | Endpoint group name. |
SophosCentral.Endpoint.hostname | String | The hostname of the endpoint. |
SophosCentral.Endpoint.id | String | The unique ID for the endpoint. |
SophosCentral.Endpoint.health | String | Health status of the endpoint. |
SophosCentral.Endpoint.ipv4Addresses | String | IPv4 address of the endpoint. |
SophosCentral.Endpoint.ipv6Addresses | String | IPv6 address of the endpoint. |
SophosCentral.Endpoint.macAddresses | String | MAC address of the endpoint. |
SophosCentral.Endpoint.osBuild | String | Operating system build. |
SophosCentral.Endpoint.osIsServer | Boolean | Whether the operating system is a server operating system. |
SophosCentral.Endpoint.osName | String | Operating system name as reported by the endpoint. |
SophosCentral.Endpoint.osPlatform | String | Operating system platform type. |
SophosCentral.Endpoint.tamperProtectionEnabled | Boolean | Whether tamper protection is enabled. |
SophosCentral.Endpoint.type | String | The endpoint type. |
SophosCentral.Endpoint.online | Boolean | Whether the endpoint is online. |
#### Command Example
`!sophos-central-endpoint-list`

#### Context Example

#### Human Readable Output
##### Listed Endpoints
id | hostname | ipv4Addresses | ipv6Addresses | macAddresses | type | tamperProtectionEnabled |
---|---|---|---|---|---|---|
6e9567ea-bb50-40c5-9f12-42eb308e4c9b | Thunderbox | 1.1.1.1 | fe80::9905:5b42:6605:5e93 | 00:00:00:B0:00:BA | computer | false |
a24b74a2-68e3-4fa5-8119-95744e0ab421 | WIN-CEAESQ7V08E | 1.1.1.1 | fe80::9905:5b42:6605:5e93 | 00:00:00:B0:00:BA | server | false |

Results on this page: 2. Maximum number of results allowed in a page: 500
### sophos-central-endpoint-scan
Scan endpoints of a tenant.

#### Base Command
`sophos-central-endpoint-scan`

#### Input
Argument Name | Description | Required |
---|---|---|
endpoint_id | The endpoint ID(s). | Required |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.EndpointScan.id | String | Identifies a request to perform or configure the endpoint scan. |
SophosCentral.EndpointScan.requestedAt | Date | Time when the scan was requested. |
SophosCentral.EndpointScan.status | String | The status of an endpoint scan. |
#### Command Example
`!sophos-central-endpoint-scan endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b`

#### Context Example

#### Human Readable Output
##### Scanning Endpoints
id | status | requestedAt |
---|---|---|
6e9567ea-bb50-40c5-9f12-42eb308e4c9b | requested | 2020-11-25T10:47:20.343Z |
### sophos-central-endpoint-tamper-get
Get tamper protection information for one or more endpoints. Potentially harmful because of the password.

#### Base Command
`sophos-central-endpoint-tamper-get`

#### Input
Argument Name | Description | Required |
---|---|---|
endpoint_id | The endpoint ID(s). | Required |
get_password | Whether to return the tamper protection password. Possible values are: "true" and "false". | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.EndpointTamper.endpointId | String | ID of the endpoint to which the tamper settings apply. |
SophosCentral.EndpointTamper.enabled | String | Whether tamper protection is enabled for the endpoint. |
SophosCentral.EndpointTamper.password | String | Current tamper protection password. |
#### Command Example
`!sophos-central-endpoint-tamper-get endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b`

#### Context Example

#### Human Readable Output
##### Listed Endpoints Tamper Protection
endpointId | enabled |
---|---|
6e9567ea-bb50-40c5-9f12-42eb308e4c9b | false |
### sophos-central-endpoint-tamper-update
Update tamper protection information for one or more endpoints. Potentially harmful because of the password.

#### Base Command
`sophos-central-endpoint-tamper-update`

#### Input
Argument Name | Description | Required |
---|---|---|
endpoint_id | The endpoint ID(s). | Required |
enabled | Whether tamper protection should be turned on for the endpoint. Possible values are: "true" and "false". | Required |
get_password | Whether to return the tamper protection password. Possible values are: "true" and "false". | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.EndpointTamper.endpointId | String | ID of the endpoint to which the tamper settings apply. |
SophosCentral.EndpointTamper.enabled | String | Whether tamper protection is enabled for the endpoint. |
SophosCentral.EndpointTamper.password | String | Current tamper protection password. |
#### Command Example
`!sophos-central-endpoint-tamper-update enabled=true endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b`

#### Context Example

#### Human Readable Output
##### Updated Endpoints Tamper Protection
endpointId | enabled |
---|---|
6e9567ea-bb50-40c5-9f12-42eb308e4c9b | true |
### sophos-central-allowed-item-list
List all allowed items.

#### Base Command
`sophos-central-allowed-item-list`

#### Input
Argument Name | Description | Required |
---|---|---|
page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
page | Page number to return. Default is "1". | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
SophosCentral.AllowedItem.fileName | String | The file name. |
SophosCentral.AllowedItem.path | String | The path for the application. |
SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |
#### Command Example
`!sophos-central-allowed-item-list page=1 page_size=50`

#### Context Example

#### Human Readable Output
##### Listed Allowed Items
id | comment | fileName | sha256 | path | certificateSigner | createdAt | type | updatedAt |
---|---|---|---|---|---|---|---|---|
b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | hello world1 | | | /root/helloaworld/1/1 | | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:19:37.608Z |
718e991d-a99f-4193-b263-4eeebcac46fe | fordemo | | | | notme | 2020-11-10T12:10:49.384Z | certificateSigner | 2020-11-10T12:10:49.384Z |
f047c584-949a-4a59-aebd-9999ce323c1d | Test-Noam | | | c:\test2.exe | | 2020-11-08T14:00:18.574Z | path | 2020-11-08T14:00:18.574Z |
345b4588-b843-45b1-9319-e529ddd741e6 | Test | | | c:\1.txt | | 2020-11-08T10:44:39.279Z | path | 2020-11-08T10:58:14.622Z |
6a2e26fb-6eb4-42ff-8201-6f7051757595 | chaaned | | | | hello | 2020-11-03T10:14:25.914Z | certificateSigner | 2020-11-03T10:15:32.819Z |
2f804138-9632-4500-a13f-33342868e434 | chaaned | | | root/hello/worldrsaard | | 2020-11-03T09:13:04.380Z | path | 2020-11-03T10:15:08.159Z |
73e555e9-3eee-42e1-879e-65d5ba968236 | hello world1 | | | /root/helloaworld/1 | | 2020-11-01T13:26:03.890Z | path | 2020-11-01T13:26:03.890Z |
595b2e6d-36b3-45bd-b94f-99a98a0a53f7 | hello world | | | /root/helloaworld | | 2020-11-01T11:50:02.567Z | path | 2020-11-01T11:50:02.567Z |
3533f7be-5064-44b6-9579-e4d7fa542444 | helloworld | | | /root/what | | 2020-11-01T11:00:47.441Z | path | 2020-11-01T11:00:47.441Z |
85465c57-e598-4c8b-9c08-093c6f5eb239 | bad comment | zxdfzd | C6F4DB9B3191E6E693CE938BD74FAB37AEE71372C8B034F5040362D8C69E4DE5 | /root/hello/word | | 2020-11-01T10:48:49.312Z | path | 2020-11-01T10:48:49.312Z |
cffaaae7-0b3a-4ec7-84a4-fee88d297abc | bad comment | xzcvxz | | /root | xcvxcv | 2020-11-01T10:47:24.473Z | certificateSigner | 2020-11-01T10:47:24.473Z |
c598b3b5-c9d9-4ff2-af9b-4d656deaa4f7 | changedcomment | | | /root/hello | | 2020-10-29T13:31:40.963Z | path | 2020-10-29T13:32:41.421Z |
41a56d0d-5272-4be4-92dc-1c2dd42c218a | uh | | | | | 2020-10-28T13:57:53.235Z | path | 2020-10-28T13:58:07.906Z |

Current page: 1. Results on this page: 13. Maximum number of results allowed in a page: 100.
### sophos-central-allowed-item-get
Get a single allowed item by ID.

#### Base Command
`sophos-central-allowed-item-get`

#### Input
Argument Name | Description | Required |
---|---|---|
allowed_item_id | The ID of the allowed item. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
SophosCentral.AllowedItem.fileName | String | The file name. |
SophosCentral.AllowedItem.path | String | The path for the application. |
SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |
#### Command Example
`!sophos-central-allowed-item-get allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c`

#### Context Example

#### Human Readable Output
##### Found Allowed Item
id | comment | path | createdAt | type | updatedAt |
---|---|---|---|---|---|
b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | hello world1 | /root/helloaworld/1/1 | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:19:37.608Z |
### sophos-central-allowed-item-add
Add a new allowed item.

#### Base Command
`sophos-central-allowed-item-add`

#### Input
Argument Name | Description | Required |
---|---|---|
comment | Comment indicating why the item should be allowed. | Required |
certificate_signer | The value saved for the certificateSigner. | Optional |
file_name | The file name. | Optional |
path | The path for the application. | Optional |
sha256 | The SHA256 value for the application. | Optional |
item_type | The property by which an item is allowed. Note that the specified item type requires the matching argument filled. For example, the item type "path" requires the path argument. Possible values are: "path", "sha256", and "certificateSigner". | Required |
origin_endpoint_id | The endpoint where the item to be allowed was last seen. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
SophosCentral.AllowedItem.fileName | String | The file name. |
SophosCentral.AllowedItem.path | String | The path for the application. |
SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |
#### Command Example
`!sophos-central-allowed-item-add comment="hello world1" item_type=path path=/root/helloaworld/12`

#### Context Example

#### Human Readable Output
##### Added Allowed Item
id | comment | path | createdAt | type | updatedAt |
---|---|---|---|---|---|
c68f1abc-986d-43eb-b050-d9113959207a | hello world1 | /root/helloaworld/12 | 2020-11-25T10:47:32.082Z | path | 2020-11-25T10:47:32.082Z |
### sophos-central-allowed-item-update
Update an existing allowed item.

#### Base Command
`sophos-central-allowed-item-update`

#### Input
Argument Name | Description | Required |
---|---|---|
allowed_item_id | The allowed item ID. | Required |
comment | Comment indicating why the item should be allowed. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
SophosCentral.AllowedItem.fileName | String | The file name. |
SophosCentral.AllowedItem.path | String | The path for the application. |
SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |
#### Command Example
`!sophos-central-allowed-item-update allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c comment=changedcomment`

#### Context Example

#### Human Readable Output
##### Updated Allowed Item
id | comment | path | createdAt | type | updatedAt |
---|---|---|---|---|---|
b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | changedcomment | /root/helloaworld/1/1 | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:47:39.104Z |
### sophos-central-allowed-item-delete
Delete an existing allowed item.

#### Base Command
`sophos-central-allowed-item-delete`

#### Input
Argument Name | Description | Required |
---|---|---|
allowed_item_id | The allowed item ID. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.DeletedAllowedItem.deletedItemId | String | The ID of the deleted item. |
#### Command Example
`!sophos-central-allowed-item-delete allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c`

#### Context Example

#### Human Readable Output
Success deleting allowed item: b2148cc0-6ee8-440e-9c4b-cd5486b36c3c
### sophos-central-blocked-item-list
Get all blocked items.

#### Base Command
`sophos-central-blocked-item-list`

#### Input
Argument Name | Description | Required |
---|---|---|
page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
page | Page number to return. Default is "1". | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.BlockedItem.comment | String | A comment indicating why the item was blocked. |
SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the blocked application was created. |
SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
SophosCentral.BlockedItem.id | String | The unique ID for the blocked application. |
SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
SophosCentral.BlockedItem.fileName | String | The file name. |
SophosCentral.BlockedItem.path | String | The path for the application. |
SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
SophosCentral.BlockedItem.type | String | The property by which an item is blocked. |
SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the blocked application was updated. |
SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |
#### Command Example
`!sophos-central-blocked-item-list page=1 page_size=50`

#### Context Example

#### Human Readable Output
##### Listed Blocked Items
id | comment | sha256 | createdAt | type |
---|---|---|---|---|
9b44086b-95bd-43e5-b84b-82b91725f02b | hello 2world | c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1 | 2020-11-25T10:19:54.523Z | sha256 |
fd0f08db-966b-4979-8cbb-876a2bbd29c9 | hello world | c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4 | 2020-11-01T12:55:47.476Z | sha256 |
f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994 | It's just a test | b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af | 2020-11-01T10:22:55.556Z | sha256 |

Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.
### sophos-central-blocked-item-get
Get a single blocked item by ID.

#### Base Command
`sophos-central-blocked-item-get`

#### Input
Argument Name | Description | Required |
---|---|---|
blocked_item_id | The blocked item ID. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.BlockedItem.comment | String | A comment indicating why the item was blocked. |
SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the blocked application was created. |
SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
SophosCentral.BlockedItem.id | String | The unique ID for the blocked application. |
SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
SophosCentral.BlockedItem.fileName | String | The file name. |
SophosCentral.BlockedItem.path | String | The path for the application. |
SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
SophosCentral.BlockedItem.type | String | The property by which an item is blocked. |
SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the blocked application was updated. |
SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |
#### Command Example
`!sophos-central-blocked-item-get blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b`

#### Context Example

#### Human Readable Output
##### Found Blocked Item
id | comment | sha256 | createdAt | type |
---|---|---|---|---|
9b44086b-95bd-43e5-b84b-82b91725f02b | hello 2world | c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1 | 2020-11-25T10:19:54.523Z | sha256 |
### sophos-central-blocked-item-add
Add a new blocked item.

#### Base Command
`sophos-central-blocked-item-add`

#### Input
Argument Name | Description | Required |
---|---|---|
comment | Comment indicating why the item should be blocked. | Required |
certificate_signer | The value saved for the certificateSigner. | Optional |
file_name | The file name. | Optional |
path | The path for the application. | Optional |
sha256 | The SHA256 value for the application. | Required |
item_type | The property by which an item is blocked. Possible value is: "sha256". | Required |
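Both add commands tie `item_type` to a matching argument: for `sophos-central-allowed-item-add`, `item_type=path` needs `path`, `sha256` needs `sha256` and `certificateSigner` needs `certificate_signer`, while `sophos-central-blocked-item-add` only accepts `sha256`. A playbook that reads these values from an incident should check that pairing before calling the command, since a mismatched pair fails only at the API. The following is an added example, not code from the integration or from Sophos, that validates and assembles the argument dict for either command; the `build_item_add_args` name, the `kind` parameter and the 64-hex-character check on `sha256` are assumptions of this example (the sample values in the test are the ones shown in the command examples on this page).

```python
import re

# Which add argument each item_type requires, per the argument tables of the two add commands.
# Blocked items accept only sha256 (the page lists no other possible value).
ALLOWED_ITEM_REQUIRED = {"path": "path", "sha256": "sha256", "certificateSigner": "certificate_signer"}
BLOCKED_ITEM_REQUIRED = {"sha256": "sha256"}
# Optional arguments each add command accepts besides comment and item_type
ALLOWED_ITEM_OPTIONAL = ("certificate_signer", "file_name", "path", "sha256", "origin_endpoint_id")
BLOCKED_ITEM_OPTIONAL = ("certificate_signer", "file_name", "path", "sha256")
# A SHA256 digest is 64 hexadecimal characters (assumed check, not documented by the command)
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def build_item_add_args(kind, comment, item_type, **fields):
    """Validate and assemble the arguments for sophos-central-allowed-item-add
    (kind='allowed') or sophos-central-blocked-item-add (kind='blocked').
    Raises ValueError when the item_type's matching argument is missing or malformed."""
    if kind == "allowed":
        required, optional = ALLOWED_ITEM_REQUIRED, ALLOWED_ITEM_OPTIONAL
    elif kind == "blocked":
        required, optional = BLOCKED_ITEM_REQUIRED, BLOCKED_ITEM_OPTIONAL
    else:
        raise ValueError("kind must be 'allowed' or 'blocked'")
    if not comment or not comment.strip():
        raise ValueError("comment is required")
    if item_type not in required:
        raise ValueError(f"item_type {item_type!r} is not valid for {kind} items; "
                         f"choose one of {sorted(required)}")
    needed = required[item_type]
    if not fields.get(needed):
        raise ValueError(f"item_type {item_type!r} requires the {needed} argument")
    # Catch truncated or whitespace-padded hashes before they reach the API
    if fields.get("sha256") and not SHA256_RE.fullmatch(fields["sha256"].strip()):
        raise ValueError("sha256 must be 64 hexadecimal characters")
    unknown = sorted(set(fields) - set(optional))
    if unknown:
        raise ValueError(f"unsupported argument(s) for {kind} item add: {unknown}")
    args = {"comment": comment.strip(), "item_type": item_type}
    for name in optional:
        if fields.get(name):
            args[name] = fields[name].strip()
    return args


if __name__ == "__main__":
    print(build_item_add_args("allowed", "hello world1", "path", path="/root/helloaworld/12"))
    print(build_item_add_args("blocked", "hello 2world", "sha256",
                              sha256="CAF4DB9B3191E6E693CE938BD74FAB37AEE71372C8A034F5040362D8C69E4DE4"))
```

The returned dict maps directly onto the command's argument names, so the same validation serves a War Room command line, an automation and a playbook task.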
#### Context Output
Path | Type | Description |
---|---|---|
SophosCentral.BlockedItem.comment | String | A comment indicating why the item was blocked. |
SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the blocked application was created. |
SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
SophosCentral.BlockedItem.id | String | The unique ID for the blocked application. |
SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
SophosCentral.BlockedItem.fileName | String | The file name. |
SophosCentral.BlockedItem.path | String | The path for the application. |
SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
SophosCentral.BlockedItem.type | String | The property by which an item is blocked. |
SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the blocked application was updated. |
SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |

Command Example
!sophos-central-blocked-item-add comment="hello 2world" item_type=sha256 sha256=CAF4DB9B3191E6E693CE938BD74FAB37AEE71372C8A034F5040362D8C69E4DE4

Context Example

Human Readable Output
Added Blocked Item
id | comment | sha256 | createdAt | type |
---|---|---|---|---|
9535be44-40f3-4704-94df-6afa1e563f9c | hello 2world | caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4 | 2020-11-25T10:47:46.428Z | sha256 |

sophos-central-blocked-item-delete
Delete an existing blocked item.

Base Command
sophos-central-blocked-item-delete

Input
Argument Name | Description | Required |
---|---|---|
blocked_item_id | The blocked item ID. | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.DeletedBlockedItem.deletedItemId | String | The ID of the deleted item. |

Command Example
!sophos-central-blocked-item-delete blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b

Context Example

Human Readable Output
Success deleting blocked item: 9b44086b-95bd-43e5-b84b-82b91725f02b

sophos-central-scan-exclusion-list
List all scan exclusions.

Base Command
sophos-central-scan-exclusion-list

Input
Argument Name | Description | Required |
---|---|---|
exclusion_type | Scan exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral". | Optional |
page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
page | The page number to fetch. Default is "1". | Optional |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example
!sophos-central-scan-exclusion-list

Context Example

Human Readable Output
Listed Scan Exclusions
id | value | type | description | comment | scanMode |
---|---|---|---|---|---|
369b0956-a7b6-44fc-b1cc-bd7b3279c663 | %programfiles(x86)%\Sophos\Sophos Anti-Virus\ | path | Sophos temporary exclusion see KBA 133945 | Sophos temporary exclusion see KBA 133945 | onDemandAndOnAccess |
6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | | | onDemandAndOnAccess |
16bac29f-17a4-4c3a-9370-8c5968c5ac7d | changedvirus.exe | process | | changed before demo | onAccess |
Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.

sophos-central-scan-exclusion-get
Get a single scan exclusion by ID.

Base Command
sophos-central-scan-exclusion-get

Input
Argument Name | Description | Required |
---|---|---|
exclusion_id | The exclusion ID. | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example
!sophos-central-scan-exclusion-get exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example

Human Readable Output
Found Scan Exclusion
id | value | type | scanMode |
---|---|---|---|
6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-add
Add a new scan exclusion.

Base Command
sophos-central-scan-exclusion-add

Input
Argument Name | Description | Required |
---|---|---|
comment | A comment indicating why the exclusion was created. | Optional |
scan_mode | The scan mode. Possible values are: "onDemand", "onAccess", and "onDemandAndOnAccess". Default is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. | Optional |
exclusion_type | The scanning exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral". | Required |
value | The exclusion value. | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example
!sophos-central-scan-exclusion-add exclusion_type=path value=avsdfasdfaa

Context Example

Human Readable Output
Added Scan Exclusion
id | value | type | scanMode |
---|---|---|---|
be7b05bf-368b-4621-8131-0776486e1c7b | avsdfasdfaa | path | onDemandAndOnAccess |
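The scan-mode rules for this command can be checked before it is issued: path, posixPath and virtualPath default to onDemandAndOnAccess, process, web, pua and amsi default to onAccess, and behavioral and exploitMitigation exclusions take no scan mode at all. The Python below is an added example, not code from the Sophos Central integration; the request body field names (type, value, scanMode, comment) are assumed from the context output above, and the broad-exclusion check is a review heuristic for exclusions that would remove a whole volume from scanning, not a Sophos rule.

```python
import re

# Exclusion types and scan modes as documented for sophos-central-scan-exclusion-add.
PATH_TYPES = {"path", "posixPath", "virtualPath"}         # default scanMode: onDemandAndOnAccess
ON_ACCESS_TYPES = {"process", "web", "pua", "amsi"}       # default scanMode: onAccess
NO_SCAN_MODE_TYPES = {"behavioral", "exploitMitigation"}  # scanMode not supported
ALL_TYPES = PATH_TYPES | ON_ACCESS_TYPES | NO_SCAN_MODE_TYPES
SCAN_MODES = {"onDemand", "onAccess", "onDemandAndOnAccess"}

# Heuristic patterns for path exclusions covering an entire volume (a review aid, not a Sophos rule):
# a bare drive letter, a drive-wide wildcard, the POSIX root, or a lone wildcard.
BROAD_PATTERNS = (r"[A-Za-z]:\\?", r"[A-Za-z]:\\\*+", r"/", r"\*+")


def default_scan_mode(exclusion_type):
    """Return the documented default scan mode, or None where the type supports none."""
    if exclusion_type in PATH_TYPES:
        return "onDemandAndOnAccess"
    if exclusion_type in ON_ACCESS_TYPES:
        return "onAccess"
    return None


def validate_scan_exclusion(exclusion_type, value, scan_mode=None):
    """Return a list of problems with the arguments; an empty list means they are acceptable."""
    problems = []
    if exclusion_type not in ALL_TYPES:
        problems.append(f"unknown exclusion_type: {exclusion_type!r}")
    if not value:
        problems.append("value is required")
    if scan_mode is not None:
        if scan_mode not in SCAN_MODES:
            problems.append(f"unknown scan_mode: {scan_mode!r}")
        elif exclusion_type in NO_SCAN_MODE_TYPES:
            problems.append(f"{exclusion_type} exclusions do not support a scan mode")
    return problems


def is_broad_exclusion(exclusion_type, value):
    """Flag a path-style exclusion whose value would exclude an entire volume from scanning."""
    if exclusion_type not in PATH_TYPES:
        return False
    return any(re.fullmatch(p, value.strip()) for p in BROAD_PATTERNS)


def build_scan_exclusion(exclusion_type, value, scan_mode=None, comment=None):
    """Build the request body for a new scan exclusion, applying the documented defaults.

    Field names (type, value, scanMode, comment) are assumed from the context output.
    """
    problems = validate_scan_exclusion(exclusion_type, value, scan_mode)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"type": exclusion_type, "value": value}
    if exclusion_type not in NO_SCAN_MODE_TYPES:
        body["scanMode"] = scan_mode or default_scan_mode(exclusion_type)
    if comment:
        body["comment"] = comment
    return body


if __name__ == "__main__":
    # The two user-created exclusions from the page's sample output, rebuilt from their arguments.
    print(build_scan_exclusion("path", "avsdfasdfaa"))
    print(build_scan_exclusion("process", "changedvirus.exe", comment="changed before demo"))
    print(is_broad_exclusion("path", "C:\\"))
```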

sophos-central-scan-exclusion-update
Update an existing scan exclusion.

Base Command
sophos-central-scan-exclusion-update

Input
Argument Name | Description | Required |
---|---|---|
comment | A comment indicating why the exclusion was created. | Optional |
scan_mode | The default value of scan mode is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. | Optional |
exclusion_id | The exclusion ID. | Required |
value | The exclusion value. | Optional |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example
!sophos-central-scan-exclusion-update exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example

Human Readable Output
Updated Scan Exclusion
id | value | type | scanMode |
---|---|---|---|
6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-delete
Delete an existing scan exclusion.

Base Command
sophos-central-scan-exclusion-delete

Input
Argument Name | Description | Required |
---|---|---|
exclusion_id | The exclusion ID. | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.DeletedScanExclusion.deletedExclusionId | String | The ID of the deleted exclusion. |

Command Example
!sophos-central-scan-exclusion-delete exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example

Human Readable Output
Success deleting scan exclusion: 6868151e-4eac-4d0a-8985-5db9bff9d6f2

sophos-central-exploit-mitigation-list
List exploit mitigation settings for all protected applications.

Base Command
sophos-central-exploit-mitigation-list

Input
Argument Name | Description | Required |
---|---|---|
mitigation_type | Exploit mitigation type. Possible values are: "detected" and "custom". | Optional |
page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
page | The page number to fetch. Default is "1". | Optional |
modified | Whether the Exploit Mitigation application has been customized. Possible values are: "true" and "false". | Optional |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example
!sophos-central-exploit-mitigation-list

Context Example

Human Readable Output
Listed Exploit Mitigations
id | name | type | category | paths |
---|---|---|---|---|
ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | newnewnewnewnew |
06aefe81-7f83-4768-9cec-59d86d7ee133 | Firefox | detected | browsers | $programfiles\Mozilla Firefox\firefox.exe |
b07c6cd2-ee1b-4cf4-8bd2-d3be05e461cf | Google Chrome | detected | browsers | $programfiles\Google\Chrome\Application\chrome.exe |
df7c2b63-dda4-4dc4-a12d-471cad799dbd | Internet Explorer | detected | browsers | $programfiles\Internet Explorer\iexplore.exe |
f5d5ba2d-d905-4e7b-b3b7-abb0f30f38b3 | Java(TM) Platform SE binary | detected | java | $programfiles\java\jre1.8.0_271\bin\java.exe, $programfiles\java\jre1.8.0_271\bin\javaw.exe |
9ddf4b33-9f65-4422-898e-d5b5b450e8d8 | Java(TM) Web Launcher | detected | java | $programfiles\java\jre1.8.0_271\bin\jp2launcher.exe |
b44f50e0-0332-444a-bdb0-cfec43fc2def | Java(TM) Web Start Launcher | detected | java | $programfiles\java\jre1.8.0_271\bin\javaws.exe |
a49af552-55e1-4dcd-a909-2310bcb8016f | KeePass | detected | other | $programfiles\KeePass Password Safe 2\KeePass.exe |
4178130a-0d4e-435d-b4bb-db594810a43a | Microsoft Edge | detected | browsers | $programfiles\Microsoft\Edge\Application\msedge.exe, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe |
ecbcd6a5-73d5-4060-b49f-b9de2e0587fc | Microsoft Excel | detected | office | $programfiles\Microsoft Office\Root\Office16\EXCEL.EXE |
7907eaf2-b4f0-40e3-9dd8-f7e452ffc7cf | Microsoft Outlook | detected | office | $programfiles\Microsoft Office\root\Office16\OUTLOOK.EXE |
6cadbe94-8e1c-4648-aa9e-b0b39e1cb1fb | Microsoft PowerPoint | detected | office | $programfiles\Microsoft Office\Root\Office16\POWERPNT.EXE |
417fd1be-fafa-4e3b-9a9b-589f7f20b72c | Microsoft Word | detected | office | $programfiles\Microsoft Office\Root\Office16\WINWORD.EXE |
68026667-ca17-473d-b797-ccebe2d9da87 | MicrosoftEdgeCP.exe | detected | browsers | $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe |
01e26718-ddf3-4aad-b465-d7279b755c32 | OpenJDK Platform binary | detected | java | $programfiles\JetBrains\PyCharm Community Edition 2020.1.2\jbr\bin\java.exe |
9e378d93-4b62-4976-9a7c-5fdbbafa0b79 | Pick an app | detected | office | $system32\OpenWith.exe |
a0b96b54-6895-408c-ac68-f84ca81c248a | Plugin Container for Firefox | detected | plugins | $programfiles\Mozilla Firefox\plugin-container.exe |
3ac3fd9b-5b30-4e19-a9a4-303f553a4500 | Skype for Business | detected | other | $programfiles\Microsoft Office\Root\Office16\lync.exe |
dbedc673-218a-4814-99f0-33642a65b1fd | Windows Media Player | detected | media | $programfiles\Windows Media Player\wmplayer.exe |
fd4f1dc8-4b4a-429e-ac27-bd757352f52c | Windows Wordpad Application | detected | office | $programfiles\Windows NT\Accessories\WORDPAD.EXE |
563f4022-0a28-47f8-9bb6-7774aa7794e3 | b2477368-4e58-4868-af90-554f948f4077 | custom | other | wooba |
b19800cf-a98a-43dc-8efc-6de1f2a7321e | cde78059-3164-46c6-903f-c27b9103ef37 | custom | other | testpathhhh |
91fff008-3609-46f3-9fc7-44713635b775 | ce697cb7-06da-4e02-bcde-21f73b81d5ee | custom | other | changed\path |
Current page: 1. Results on this page: 23. Maximum number of results allowed in a page: 100.

sophos-central-exploit-mitigation-get
Get exploit mitigation settings for a single application.

Base Command
sophos-central-exploit-mitigation-get

Input
Argument Name | Description | Required |
---|---|---|
mitigation_id | The Exploit Mitigation application ID. | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example
!sophos-central-exploit-mitigation-get mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example

Human Readable Output
Found Exploit Mitigation
id | name | type | category | paths |
---|---|---|---|---|
ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | newnewnewnewnew |

sophos-central-exploit-mitigation-add
Exclude a set of file paths from exploit mitigation.

Base Command
sophos-central-exploit-mitigation-add

Input
Argument Name | Description | Required |
---|---|---|
path | An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles). | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example
!sophos-central-exploit-mitigation-add path=testestesteset

Context Example

Human Readable Output
Added Exploit Mitigation
id | name | type | category | paths |
---|---|---|---|---|
755ec991-c04f-498f-ab8e-20ef1a187b52 | d082226b-0c17-4959-a3ed-a6957f39c9bc | custom | other | testestesteset |

sophos-central-exploit-mitigation-update
Update exploit mitigation settings for an application.

Base Command
sophos-central-exploit-mitigation-update

Input
Argument Name | Description | Required |
---|---|---|
mitigation_id | The Exploit Mitigation application ID. | Required |
path | An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles). | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example
!sophos-central-exploit-mitigation-update mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded path=changed

Context Example

Human Readable Output
Updated Exploit Mitigation
id | name | type | category | paths |
---|---|---|---|---|
ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | changed |

sophos-central-exploit-mitigation-delete
Delete a custom (user-defined) exploit mitigation application by ID.

Base Command
sophos-central-exploit-mitigation-delete

Input
Argument Name | Description | Required |
---|---|---|
mitigation_id | The Exploit Mitigation application ID. | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.DeletedExploitMitigation.deletedMitigationId | String | The ID of the deleted mitigation. |

Command Example
!sophos-central-exploit-mitigation-delete mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example

Human Readable Output
Success deleting exploit mitigation: ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

sophos-central-detected-exploit-list
List all detected exploits.

Base Command
sophos-central-detected-exploit-list

Input
Argument Name | Description | Required |
---|---|---|
page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
page | The page number to fetch. Default is "1". | Optional |
thumbprint_not_in | Filter out detected exploits with these thumbprints. | Optional |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.DetectedExploit.count | Number | The number of times the same exploit has been detected, potentially across multiple endpoints. |
SophosCentral.DetectedExploit.description | String | The English description of the exploit detected event. |
SophosCentral.DetectedExploit.id | String | The ID of this Exploit Mitigation Application. |
SophosCentral.DetectedExploit.firstSeenAt | Date | When the exploit was first seen. |
SophosCentral.DetectedExploit.lastSeenAt | Date | When the exploit was last seen. |
SophosCentral.DetectedExploit.lastEndpointHostname | String | The endpoint hostname. |
SophosCentral.DetectedExploit.lastEndpointId | String | The unique endpoint ID. |
SophosCentral.DetectedExploit.lastUserName | String | Person's name. |
SophosCentral.DetectedExploit.lastUserId | String | The unique ID for the user. |
SophosCentral.DetectedExploit.thumbprint | String | Matches [0-9a-zA-Z]{64}. |

Command Example
!sophos-central-detected-exploit-list

Context Example

Human Readable Output
Listed Detected Exploits
No entries. Current page: 1. Results on this page: 0. Maximum number of results allowed in a page: 100.

sophos-central-detected-exploit-get
Get a single detected exploit.

Base Command
sophos-central-detected-exploit-get

Input
Argument Name | Description | Required |
---|---|---|
detected_exploit_id | The ID of a previously detected exploit. | Required |

Context Output
Path | Type | Description |
---|---|---|
SophosCentral.DetectedExploit.count | Number | The number of times the same exploit has been detected, potentially across multiple endpoints. |
SophosCentral.DetectedExploit.description | String | The English description of the exploit detected event. |
SophosCentral.DetectedExploit.id | String | The ID of this Exploit Mitigation application. |
SophosCentral.DetectedExploit.firstSeenAt | Date | When the exploit was first seen. |
SophosCentral.DetectedExploit.lastSeenAt | Date | When the exploit was last seen. |
SophosCentral.DetectedExploit.lastEndpointHostname | String | The endpoint hostname. |
SophosCentral.DetectedExploit.lastEndpointId | String | The unique endpoint ID. |
SophosCentral.DetectedExploit.lastUserName | String | Person's name. |
SophosCentral.DetectedExploit.lastUserId | String | The unique ID for the user. |
SophosCentral.DetectedExploit.thumbprint | String | Matches [0-9a-zA-Z]{64}. |