Sophos Central

This Integration is part of the Sophos Central Pack.

The unified console for managing Sophos products.

Configure Sophos Central on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Sophos Central.
3. Click Add instance to create and configure a new integration instance.

Parameter	Description	Required
credentials	Sophos client ID and secret	True
Tenant ID	Tenant ID on which the commands would be executed by default. Required in case of partner/organization level credentials	False
isFetch	Fetch incidents	False
fetch_severity	Fetch Severity	False
fetch_category	Fetch Category	False
max_fetch	Fetch Limit	False
fetch_time	First Fetch Time	False
proxy	Use system proxy settings	False

4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sophos-central-alert-list

---

List alerts.

Base Command

sophos-central-alert-list

Input

Argument Name	Description	Required
limit	The maximum number of items to return. Default is "50". Maximum is "100".	Optional

Context Output

Path	Type	Description
SophosCentral.Alert.allowedActions	String	Actions that you can perform on these alerts.
SophosCentral.Alert.category	String	Alert category.
SophosCentral.Alert.description	String	Alert description.
SophosCentral.Alert.groupKey	String	Alert group key.
SophosCentral.Alert.id	String	The alert ID.
SophosCentral.Alert.managedAgentId	String	The alert source ID.
SophosCentral.Alert.managedAgentName	String	The alert source name.
SophosCentral.Alert.managedAgentType	String	The source that triggered the Alert.
SophosCentral.Alert.person	String	The ID of the referenced person object.
SophosCentral.Alert.personName	String	The name of the referenced person object.
SophosCentral.Alert.product	String	Product type.
SophosCentral.Alert.raisedAt	Date	When the alert was triggered.
SophosCentral.Alert.severity	String	Severity level for the alert.
SophosCentral.Alert.tenantId	String	Tenant ID for the alert.
SophosCentral.Alert.tenantName	String	Tenant name.
SophosCentral.Alert.type	String	Alert type.

Command Example

!sophos-central-alert-list limit=50

Context Example

{

"SophosCentral": {

"Alert": [

{

"allowedActions": [

"clearThreat"

],

"category": "malware",

"description": "Manual cleanup required: 'EICAR-AV-Test' at 'C:\\Users\\JonDoe\\Downloads\\eicarcom2.zip'",

"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q2xlYW51cEZhaWxlZCwxNixFSUNBUi1BVi1UZXN0",

"id": "8e879165-81cb-4747-8608-1cc4e630a017",

"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"managedAgentType": "computer",

"person": "5d407889-8659-46ab-86c5-4f227302df78",

"product": "endpoint",

"raisedAt": "2020-11-25T09:19:18.936Z",

"severity": "high",

"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",

"tenantName": "Cortex XSOAR",

"type": "Event::Endpoint::Threat::CleanupFailed"

},

{

"allowedActions": [

"clearThreat"

],

"category": "runtimeDetections",

"description": "Malicious connection detected: 'C2/Generic-B' at 'C:\\Windows\\System32\\wscript.exe' (Technical Support reference: 277413403)",

"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q29tbWFuZEFuZENvbnRyb2xEZXRlY3RlZCwxNixDMiUyRkdlbmVyaWMtQg",

"id": "9641ba6e-3254-4726-962d-b2bc11e04131",

"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"managedAgentType": "computer",

"person": "5d407889-8659-46ab-86c5-4f227302df78",

"product": "endpoint",

"raisedAt": "2020-11-25T10:36:31.603Z",

"severity": "high",

"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",

"tenantName": "Cortex XSOAR",

"type": "Event::Endpoint::Threat::CommandAndControlDetected"

},

{

"allowedActions": [

"acknowledge"

],

"category": "updating",

"description": "Thunderbox is out of date.",

"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6Ok91dE9mRGF0ZSw1MTMs",

"id": "ee527ca8-cb54-4e11-b59f-2197910176f3",

"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"managedAgentType": "computer",

"person": "5d407889-8659-46ab-86c5-4f227302df78",

"product": "endpoint",

"raisedAt": "2020-11-25T10:42:09.083Z",

"severity": "medium",

"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",

"tenantName": "Cortex XSOAR",

"type": "Event::Endpoint::OutOfDate"

}

]

}

}

Human Readable Output

Listed Alerts:

id	description	severity	raisedAt	allowedActions	managedAgentId	category	type
8e879165-81cb-4747-8608-1cc4e630a017	Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip'	high	2020-11-25T09:19:18.936Z	clearThreat	6e9567ea-bb50-40c5-9f12-42eb308e4c9b	malware	Event::Endpoint::Threat::CleanupFailed
9641ba6e-3254-4726-962d-b2bc11e04131	Malicious connection detected: 'C2/Generic-B' at 'C:\Windows\System32\wscript.exe' (Technical Support reference: 277413403)	high	2020-11-25T10:36:31.603Z	clearThreat	6e9567ea-bb50-40c5-9f12-42eb308e4c9b	runtimeDetections	Event::Endpoint::Threat::CommandAndControlDetected
ee527ca8-cb54-4e11-b59f-2197910176f3	Thunderbox is out of date.	medium	2020-11-25T10:42:09.083Z	acknowledge	6e9567ea-bb50-40c5-9f12-42eb308e4c9b	updating	Event::Endpoint::OutOfDate

Results on this page: 3.Maximum number of results allowed in a page: 100

sophos-central-alert-get

---

Get a single alert by ID.

Base Command

sophos-central-alert-get

Input

Argument Name	Description	Required
alert_id	The alert ID.	Required

Context Output

Path	Type	Description
SophosCentral.Alert.allowedActions	String	Actions that you can perform on these alerts.
SophosCentral.Alert.category	String	Alert category.
SophosCentral.Alert.description	String	Alert description.
SophosCentral.Alert.groupKey	String	Alert group key.
SophosCentral.Alert.id	String	The alert ID.
SophosCentral.Alert.managedAgentId	String	The alert source ID.
SophosCentral.Alert.managedAgentName	String	The alert source name.
SophosCentral.Alert.managedAgentType	String	The source that triggered the alert.
SophosCentral.Alert.person	String	The ID of the referenced person object.
SophosCentral.Alert.personName	String	The name of the referenced person object.
SophosCentral.Alert.product	String	Product type.
SophosCentral.Alert.raisedAt	Date	When the alert was triggered.
SophosCentral.Alert.severity	String	Severity level for the alert.
SophosCentral.Alert.tenantId	String	Tenant ID for the alert.
SophosCentral.Alert.tenantName	String	Tenant name.
SophosCentral.Alert.type	String	Alert type.

Command Example

!sophos-central-alert-get alert_id=8e879165-81cb-4747-8608-1cc4e630a017

Context Example

{

"SophosCentral": {

"Alert": {

"allowedActions": [

"clearThreat"

],

"category": "malware",

"description": "Manual cleanup required: 'EICAR-AV-Test' at 'C:\\Users\\JonDoe\\Downloads\\eicarcom2.zip'",

"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q2xlYW51cEZhaWxlZCwxNixFSUNBUi1BVi1UZXN0",

"id": "8e879165-81cb-4747-8608-1cc4e630a017",

"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"managedAgentType": "computer",

"person": "5d407889-8659-46ab-86c5-4f227302df78",

"product": "endpoint",

"raisedAt": "2020-11-25T09:19:18.936Z",

"severity": "high",

"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",

"tenantName": "Cortex XSOAR",

"type": "Event::Endpoint::Threat::CleanupFailed"

}

}

}

Human Readable Output

Found Alert:

id	description	severity	raisedAt	allowedActions	managedAgentId	category	type
8e879165-81cb-4747-8608-1cc4e630a017	Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip'	high	2020-11-25T09:19:18.936Z	clearThreat	6e9567ea-bb50-40c5-9f12-42eb308e4c9b	malware	Event::Endpoint::Threat::CleanupFailed

sophos-central-alert-action

---

Take an action against alerts.

Base Command

sophos-central-alert-action

Input

Argument Name	Description	Required
alert_id	Comma-separated list of alert IDs.	Required
action	Actions to perform on the alerts. Possible values are: "acknowledge", "cleanPua", "cleanVirus", "authPua", "clearThreat", "clearHmpa", "sendMsgPua", and "sendMsgThreat".	Required
message	Message to send for the action.	Optional

Context Output

Path	Type	Description
SophosCentral.AlertAction.action	String	Actions that you can perform on the alert.
SophosCentral.AlertAction.alertId	String	Alert ID.
SophosCentral.AlertAction.completedAt	Date	Time when the action was completed.
SophosCentral.AlertAction.id	String	Alert action ID.
SophosCentral.AlertAction.requestedAt	Date	Time when the action was requested.
SophosCentral.AlertAction.result	String	The result of the action.
SophosCentral.AlertAction.startedAt	Date	Time when the action was started.
SophosCentral.AlertAction.status	String	Status of an alert action.

Command Example

!sophos-central-alert-action action=clearThreat alert_id=8e879165-81cb-4747-8608-1cc4e630a017 message=testmessage

Context Example

{

"SophosCentral": {

"AlertAction": {

"action": "clearThreat",

"alertId": "8e879165-81cb-4747-8608-1cc4e630a017",

"completedAt": null,

"id": "c75b1e4d-c62c-4b3a-8ca5-dea658a18c1b",

"requestedAt": "2020-11-25T10:47:14.639Z",

"result": "success",

"startedAt": null,

"status": "requested"

}

}

}

Human Readable Output

Alerts Acted Against:

id	action	alertId	result	requestedAt	status
c75b1e4d-c62c-4b3a-8ca5-dea658a18c1b	clearThreat	8e879165-81cb-4747-8608-1cc4e630a017	success	2020-11-25T10:47:14.639Z	requested

sophos-central-alert-search

---

Get alerts matching request.

Base Command

sophos-central-alert-search

Input

Argument Name	Description	Required
group_key	Alert group key.	Optional
start	Time on which or after the alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ).	Optional
end	Time before which alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ).	Optional
date_range	The date range in which to search from the current time instead of a start/end time in the format (<number> <time unit>, e.g., 12 hours, 7 days). date_range will overwrite the start and end arguments if defined.	Optional
product	Alerts for a product(s). Possible values are: "other", "endpoint", "server", "mobile", "encryption", "emailGateway", "webGateway", "phishThreat", "wireless", "iaas", and "firewall".	Optional
category	Alert category(s).	Optional
severity	Alerts for a specific severity level(s). Possible values are: "high", "medium", and "low".	Optional
ids	List of IDs.	Optional
limit	The maximum number of items to return. Default is "50". Maximum is "100".	Optional

Context Output

Path	Type	Description
SophosCentral.Alert.allowedActions	String	Actions that you can perform on these alerts.
SophosCentral.Alert.category	String	Alert category.
SophosCentral.Alert.description	String	Alert description.
SophosCentral.Alert.groupKey	String	Alert group key.
SophosCentral.Alert.id	String	The alert ID.
SophosCentral.Alert.managedAgentId	String	The alert source ID.
SophosCentral.Alert.managedAgentName	String	The alert source name.
SophosCentral.Alert.managedAgentType	String	The source that triggered the alert.
SophosCentral.Alert.person	String	The ID of the referenced person object.
SophosCentral.Alert.personName	String	The name of the referenced person object.
SophosCentral.Alert.product	String	Product type.
SophosCentral.Alert.raisedAt	Date	When the alert was triggered.
SophosCentral.Alert.severity	String	Severity level for the alert.
SophosCentral.Alert.tenantId	String	Tenant ID for the alert.
SophosCentral.Alert.tenantName	String	Tenant name.
SophosCentral.Alert.type	String	Alert type.

Command Example

!sophos-central-alert-search category=general product=endpoint

Context Example

{

"SophosCentral": {

"Alert": null

}

}

Human Readable Output

Found Alerts:

No entries. Results on this page: 0.Maximum number of results allowed in a page: 100

sophos-central-endpoint-list

---

List all endpoints for a tenant.

Base Command

sophos-central-endpoint-list

Input

Argument Name	Description	Required
health_status	Match endpoints that have any of the specified health statuses. Possible values are: "bad", "good", "suspicious", and "unknown".	Optional
endpoint_type	Match endpoints that have any of the specified endpoint types. Possible values are: "computer", "server", and "securityVm".	Optional
tamper_protection_enabled	Whether tamper protection is enabled. Possible values are: "true" and "false".	Optional
lockdown_status	Match endpoints that have any of the specified lockdown statuses. Possible values are: "creatingWhitelist", "installing", "locked", "notInstalled", "registering", "starting", "stopping", "unavailable", "uninstalled", and "unlocked".	Optional
last_seen_before	The datetime before which the endpoints were last seen (UTC).	Optional
last_seen_after	The datetime on or after which the endpoints were last seen (UTC).	Optional
ids	List of IDs.	Optional
view	Type of view to be returned in the response. Possible values are: "basic", "summary", and "full".	Optional
limit	The maximum number of items to return. Default is "50". Maximum is "100".	Optional

Context Output

Path	Type	Description
SophosCentral.Endpoint.assignedProductCodes	String	Code of a product assigned to the endpoint.
SophosCentral.Endpoint.associatedPersonId	String	The unique ID for the person associated with the endpoint.
SophosCentral.Endpoint.associatedPersonName	String	Name of the person associated with the endpoint.
SophosCentral.Endpoint.associatedPersonViaLogin	String	The login of the person associated with the endpoint.
SophosCentral.Endpoint.groupId	String	The unique ID for the endpoint group.
SophosCentral.Endpoint.groupName	String	Endpoint group name.
SophosCentral.Endpoint.hostname	String	The hostname of the endpoint.
SophosCentral.Endpoint.id	String	The unique ID for the endpoint.
SophosCentral.Endpoint.health	String	Health status of the endpoint.
SophosCentral.Endpoint.ipv4Addresses	String	IPv4 address of the endpoint.
SophosCentral.Endpoint.ipv6Addresses	String	IPv6 address of the endpoint.
SophosCentral.Endpoint.macAddresses	String	MAC address of the endpoint.
SophosCentral.Endpoint.osBuild	String	Operating system build.
SophosCentral.Endpoint.osIsServer	Boolean	Whether the operating system is a server operating system.
SophosCentral.Endpoint.osName	String	Operating system name as reported by the endpoint.
SophosCentral.Endpoint.osPlatform	String	Operating system platform type.
SophosCentral.Endpoint.tamperProtectionEnabled	Boolean	Whether tamper protection is enabled.
SophosCentral.Endpoint.type	String	The endpoint type.
SophosCentral.Endpoint.online	Boolean	Whether the endpoint is online.

Command Example

!sophos-central-endpoint-list

Context Example

{

"SophosCentral": {

"Endpoint": [

{

"assignedProductCodes": [

"endpointProtection",

"coreAgent"

],

"associatedPersonId": null,

"associatedPersonName": null,

"associatedPersonViaLogin": "THUNDERBOX\\JonDoe",

"health": "bad",

"hostname": "Thunderbox",

"id": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"ipv4Addresses": [

"1.1.1.1"

],

"ipv6Addresses": [

"fe80::9905:5b42:6605:5e93"

],

"macAddresses": [

"00:00:00:B0:00:BA"

],

"online": null,

"osBuild": 18363,

"osIsServer": false,

"osName": "Windows 10 Pro",

"osPlatform": "windows",

"tamperProtectionEnabled": false,

"type": "computer"

},

{

"assignedProductCodes": [

"coreAgent",

"endpointProtection"

],

"associatedPersonId": null,

"associatedPersonName": null,

"associatedPersonViaLogin": "WIN-CEAESQ7V08E\\Administrator",

"health": "good",

"hostname": "WIN-CEAESQ7V08E",

"id": "a24b74a2-68e3-4fa5-8119-95744e0ab421",

"ipv4Addresses": [

"1.1.1.1"

],

"ipv6Addresses": [

"fe80::9905:5b42:6605:5e93"

],

"macAddresses": [

"00:00:00:B0:00:BA"

],

"online": null,

"osBuild": 17763,

"osIsServer": true,

"osName": "Windows Server 2019 Standard Evaluation",

"osPlatform": "windows",

"tamperProtectionEnabled": false,

"type": "server"

}

]

}

}

Human Readable Output

Listed Endpoints:

id	hostname	ipv4Addresses	ipv6Addresses	macAddresses	type	tamperProtectionEnabled
6e9567ea-bb50-40c5-9f12-42eb308e4c9b	Thunderbox	1.1.1.1	fe80::9905:5b42:6605:5e93	00:00:00:B0:00:BA	computer	false
a24b74a2-68e3-4fa5-8119-95744e0ab421	WIN-CEAESQ7V08E	1.1.1.1	fe80::9905:5b42:6605:5e93	00:00:00:B0:00:BA	server	false

Results on this page: 2.Maximum number of results allowed in a page: 500

sophos-central-endpoint-scan

---

Scan endpoints of a tenant.

Base Command

sophos-central-endpoint-scan

Input

Argument Name	Description	Required
endpoint_id	The endpoint ID(s).	Required

Context Output

Path	Type	Description
SophosCentral.EndpointScan.id	String	Identifies a request to perform or configure the endpoint scan.
SophosCentral.EndpointScan.requestedAt	Date	Time when the scan was requested.
SophosCentral.EndpointScan.status	String	The status of an endpoint scan.

Command Example

!sophos-central-endpoint-scan endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b

Context Example

{

"SophosCentral": {

"EndpointScan": {

"id": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"requestedAt": "2020-11-25T10:47:20.343Z",

"status": "requested"

}

}

}

Human Readable Output

Scanning Endpoints:

id	status	requestedAt
6e9567ea-bb50-40c5-9f12-42eb308e4c9b	requested	2020-11-25T10:47:20.343Z

sophos-central-endpoint-tamper-get

---

Get tamper protection information for one or more endpoints. Potentially harmful because of the password.

Base Command

sophos-central-endpoint-tamper-get

Input

Argument Name	Description	Required
endpoint_id	The endpoint ID(s).	Required
get_password	Whether to return the tamper protection password. Possible values are: "true" and "false".	Optional

Context Output

Path	Type	Description
SophosCentral.EndpointTamper.endpointId	String	ID of the endpoint in regards to the tamper settings.
SophosCentral.EndpointTamper.enabled	String	Whether tamper protection should be turned on for the endpoint.
SophosCentral.EndpointTamper.password	String	Current tamper protection password.

Command Example

!sophos-central-endpoint-tamper-get endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b

Context Example

{

"SophosCentral": {

"EndpointTamper": {

"enabled": false,

"endpointId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"password": null

}

}

}

Human Readable Output

Listed Endpoints Tamper Protection:

endpointId	enabled
6e9567ea-bb50-40c5-9f12-42eb308e4c9b	false

sophos-central-endpoint-tamper-update

---

Update tamper protection information for one or more endpoints. Potentially Harmful because of the password.

Base Command

sophos-central-endpoint-tamper-update

Input

Argument Name	Description	Required
endpoint_id	The endpoint ID(s).	Required
enabled	Whether tamper protection should be turned on for the endpoint. Possible values are: "true" and "false".	Required
get_password	Whether to return the tamper protection password. Possible values are: "true" and "false".	Optional

Context Output

Path	Type	Description
SophosCentral.EndpointTamper.endpointId	String	ID of the endpoint in regards to the tamper settings.
SophosCentral.EndpointTamper.enabled	String	Whether tamper protection should be turned on for the endpoint.
SophosCentral.EndpointTamper.password	String	Current tamper protection password.

Command Example

!sophos-central-endpoint-tamper-update enabled=true endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b

Context Example

{

"SophosCentral": {

"EndpointTamper": {

"enabled": true,

"endpointId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",

"password": null

}

}

}

Human Readable Output

Updated Endpoints Tamper Protection:

endpointId	enabled
6e9567ea-bb50-40c5-9f12-42eb308e4c9b	true

sophos-central-allowed-item-list

---

List all allowed items.

Base Command

sophos-central-allowed-item-list

Input

Argument Name	Description	Required
page_size	he maximum size of the page requested. Default is "50". Maximum is "100".	Optional
page	Page number to return. Default is "1".	Optional

Context Output

Path	Type	Description
SophosCentral.AllowedItem.comment	String	A comment indicating why the item was allowed.
SophosCentral.AllowedItem.createdAt	Date	Date and time (UTC) when the allowed application was created.
SophosCentral.AllowedItem.createdById	String	The unique ID for the user who created the item.
SophosCentral.AllowedItem.createdByName	String	The name for the user who created the item.
SophosCentral.AllowedItem.id	String	The unique ID for the allowed application.
SophosCentral.AllowedItem.certificateSigner	String	The value saved for the certificateSigner.
SophosCentral.AllowedItem.fileName	String	The file name.
SophosCentral.AllowedItem.path	String	The path for the application.
SophosCentral.AllowedItem.sha256	String	The SHA256 value for the application.
SophosCentral.AllowedItem.type	String	The property by which an item is allowed.
SophosCentral.AllowedItem.updatedAt	Date	Date and time (UTC) when the allowed application was updated.
SophosCentral.AllowedItem.originEndpointId	String	ID of the originating endpoint.
SophosCentral.AllowedItem.originPersonId	String	ID of the originating person.
SophosCentral.AllowedItem.originPersonName	String	Name of the originating person.

Command Example

!sophos-central-allowed-item-list page=1 page_size=50

Context Example

{

"SophosCentral": {

"AllowedItem": [

{

"certificateSigner": null,

"comment": "hello world1",

"createdAt": "2020-11-25T10:19:37.608Z",

"fileName": null,

"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",

"path": "/root/helloaworld/1/1",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-25T10:19:37.608Z"

},

{

"certificateSigner": "notme",

"comment": "fordemo",

"createdAt": "2020-11-10T12:10:49.384Z",

"fileName": null,

"id": "718e991d-a99f-4193-b263-4eeebcac46fe",

"path": null,

"sha256": null,

"type": "certificateSigner",

"updatedAt": "2020-11-10T12:10:49.384Z"

},

{

"certificateSigner": null,

"comment": "Test-Noam",

"createdAt": "2020-11-08T14:00:18.574Z",

"fileName": null,

"id": "f047c584-949a-4a59-aebd-9999ce323c1d",

"path": "c:\\test2.exe",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-08T14:00:18.574Z"

},

{

"certificateSigner": null,

"comment": "Test",

"createdAt": "2020-11-08T10:44:39.279Z",

"fileName": null,

"id": "345b4588-b843-45b1-9319-e529ddd741e6",

"path": "c:\\1.txt",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-08T10:58:14.622Z"

},

{

"certificateSigner": "hello",

"comment": "chaaned",

"createdAt": "2020-11-03T10:14:25.914Z",

"fileName": null,

"id": "6a2e26fb-6eb4-42ff-8201-6f7051757595",

"path": null,

"sha256": null,

"type": "certificateSigner",

"updatedAt": "2020-11-03T10:15:32.819Z"

},

{

"certificateSigner": null,

"comment": "chaaned",

"createdAt": "2020-11-03T09:13:04.380Z",

"fileName": null,

"id": "2f804138-9632-4500-a13f-33342868e434",

"path": "root/hello/worldrsaard",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-03T10:15:08.159Z"

},

{

"certificateSigner": null,

"comment": "hello world1",

"createdAt": "2020-11-01T13:26:03.890Z",

"fileName": null,

"id": "73e555e9-3eee-42e1-879e-65d5ba968236",

"path": "/root/helloaworld/1",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-01T13:26:03.890Z"

},

{

"certificateSigner": null,

"comment": "hello world",

"createdAt": "2020-11-01T11:50:02.567Z",

"fileName": null,

"id": "595b2e6d-36b3-45bd-b94f-99a98a0a53f7",

"path": "/root/helloaworld",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-01T11:50:02.567Z"

},

{

"certificateSigner": null,

"comment": "helloworld",

"createdAt": "2020-11-01T11:00:47.441Z",

"fileName": null,

"id": "3533f7be-5064-44b6-9579-e4d7fa542444",

"path": "/root/what",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-01T11:00:47.441Z"

},

{

"certificateSigner": null,

"comment": "bad comment",

"createdAt": "2020-11-01T10:48:49.312Z",

"fileName": "zxdfzd",

"id": "85465c57-e598-4c8b-9c08-093c6f5eb239",

"path": "/root/hello/word",

"sha256": "C6F4DB9B3191E6E693CE938BD74FAB37AEE71372C8B034F5040362D8C69E4DE5",

"type": "path",

"updatedAt": "2020-11-01T10:48:49.312Z"

},

{

"certificateSigner": "xcvxcv",

"comment": "bad comment",

"createdAt": "2020-11-01T10:47:24.473Z",

"fileName": "xzcvxz",

"id": "cffaaae7-0b3a-4ec7-84a4-fee88d297abc",

"path": "/root",

"sha256": null,

"type": "certificateSigner",

"updatedAt": "2020-11-01T10:47:24.473Z"

},

{

"certificateSigner": null,

"comment": "changedcomment",

"createdAt": "2020-10-29T13:31:40.963Z",

"fileName": null,

"id": "c598b3b5-c9d9-4ff2-af9b-4d656deaa4f7",

"path": "/root/hello",

"sha256": null,

"type": "path",

"updatedAt": "2020-10-29T13:32:41.421Z"

},

{

"comment": "uh",

"createdAt": "2020-10-28T13:57:53.235Z",

"id": "41a56d0d-5272-4be4-92dc-1c2dd42c218a",

"type": "path",

"updatedAt": "2020-10-28T13:58:07.906Z"

}

]

}

}

Human Readable Output

Listed Allowed Items:

id	comment	fileName	sha256	path	certificateSigner	createdAt	type	updatedAt
b2148cc0-6ee8-440e-9c4b-cd5486b36c3c	hello world1			/root/helloaworld/1/1		2020-11-25T10:19:37.608Z	path	2020-11-25T10:19:37.608Z
718e991d-a99f-4193-b263-4eeebcac46fe	fordemo				notme	2020-11-10T12:10:49.384Z	certificateSigner	2020-11-10T12:10:49.384Z
f047c584-949a-4a59-aebd-9999ce323c1d	Test-Noam			c:\test2.exe		2020-11-08T14:00:18.574Z	path	2020-11-08T14:00:18.574Z
345b4588-b843-45b1-9319-e529ddd741e6	Test			c:\1.txt		2020-11-08T10:44:39.279Z	path	2020-11-08T10:58:14.622Z
6a2e26fb-6eb4-42ff-8201-6f7051757595	chaaned				hello	2020-11-03T10:14:25.914Z	certificateSigner	2020-11-03T10:15:32.819Z
2f804138-9632-4500-a13f-33342868e434	chaaned			root/hello/worldrsaard		2020-11-03T09:13:04.380Z	path	2020-11-03T10:15:08.159Z
73e555e9-3eee-42e1-879e-65d5ba968236	hello world1			/root/helloaworld/1		2020-11-01T13:26:03.890Z	path	2020-11-01T13:26:03.890Z
595b2e6d-36b3-45bd-b94f-99a98a0a53f7	hello world			/root/helloaworld		2020-11-01T11:50:02.567Z	path	2020-11-01T11:50:02.567Z
3533f7be-5064-44b6-9579-e4d7fa542444	helloworld			/root/what		2020-11-01T11:00:47.441Z	path	2020-11-01T11:00:47.441Z
85465c57-e598-4c8b-9c08-093c6f5eb239	bad comment	zxdfzd	C6F4DB9B3191E6E693CE938BD74FAB37AEE71372C8B034F5040362D8C69E4DE5	/root/hello/word		2020-11-01T10:48:49.312Z	path	2020-11-01T10:48:49.312Z
cffaaae7-0b3a-4ec7-84a4-fee88d297abc	bad comment	xzcvxz		/root	xcvxcv	2020-11-01T10:47:24.473Z	certificateSigner	2020-11-01T10:47:24.473Z
c598b3b5-c9d9-4ff2-af9b-4d656deaa4f7	changedcomment			/root/hello		2020-10-29T13:31:40.963Z	path	2020-10-29T13:32:41.421Z
41a56d0d-5272-4be4-92dc-1c2dd42c218a	uh					2020-10-28T13:57:53.235Z	path	2020-10-28T13:58:07.906Z

Current page: 1. Results on this page: 13. Maximum number of results allowed in a page: 100.

sophos-central-allowed-item-get

---

Get a single allowed item by ID.

Base Command

sophos-central-allowed-item-get

Input

Argument Name	Description	Required
allowed_item_id	The ID of the allowed item.	Required

Context Output

Path	Type	Description
SophosCentral.AllowedItem.comment	String	A comment indicating why the item was allowed.
SophosCentral.AllowedItem.createdAt	Date	Date and time (UTC) when the allowed application was created.
SophosCentral.AllowedItem.createdById	String	The unique ID for the user who created the item.
SophosCentral.AllowedItem.createdByName	String	The name for the user who created the item.
SophosCentral.AllowedItem.id	String	The unique ID for the allowed application.
SophosCentral.AllowedItem.certificateSigner	String	The value saved for the certificateSigner.
SophosCentral.AllowedItem.fileName	String	The file name.
SophosCentral.AllowedItem.path	String	The path for the application.
SophosCentral.AllowedItem.sha256	String	The SHA256 value for the application.
SophosCentral.AllowedItem.type	String	The property by which an item is allowed.
SophosCentral.AllowedItem.updatedAt	Date	Date and time (UTC) when the allowed application was updated.
SophosCentral.AllowedItem.originEndpointId	String	ID of the originating endpoint.
SophosCentral.AllowedItem.originPersonId	String	ID of the originating person.
SophosCentral.AllowedItem.originPersonName	String	Name of the originating person.

Command Example

!sophos-central-allowed-item-get allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

Context Example

{

"SophosCentral": {

"AllowedItem": {

"certificateSigner": null,

"comment": "hello world1",

"createdAt": "2020-11-25T10:19:37.608Z",

"fileName": null,

"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",

"path": "/root/helloaworld/1/1",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-25T10:19:37.608Z"

}

}

}

Human Readable Output

Found Allowed Item:

id	comment	path	createdAt	type	updatedAt
b2148cc0-6ee8-440e-9c4b-cd5486b36c3c	hello world1	/root/helloaworld/1/1	2020-11-25T10:19:37.608Z	path	2020-11-25T10:19:37.608Z

sophos-central-allowed-item-add

---

Add a new allowed item.

Base Command

sophos-central-allowed-item-add

Input

Argument Name	Description	Required
comment	Comment indicating why the item should be allowed.	Required
certificate_signer	The value saved for the certificateSigner.	Optional
file_name	The file name.	Optional
path	The path for the application.	Optional
sha256	The SHA256 value for the application.	Optional
item_type	The property by which an item is allowed. Note that the specified item type requires the matching argument filled. For example, the item type "path" requires the path argument. Possible values are: "path", "sha256", and "certificateSigner".	Required
origin_endpoint_id	The endpoint where the item to be allowed was last seen.	Optional

Context Output

Path	Type	Description
SophosCentral.AllowedItem.comment	String	A comment indicating why the item was allowed.
SophosCentral.AllowedItem.createdAt	Date	Date and time (UTC) when the allowed application was created.
SophosCentral.AllowedItem.createdById	String	The unique ID for the user who created the item.
SophosCentral.AllowedItem.createdByName	String	The name for the user who created the item.
SophosCentral.AllowedItem.id	String	The unique ID for the allowed application.
SophosCentral.AllowedItem.certificateSigner	String	The value saved for the certificateSigner.
SophosCentral.AllowedItem.fileName	String	The file name.
SophosCentral.AllowedItem.path	String	The path for the application.
SophosCentral.AllowedItem.sha256	String	The SHA256 value for the application.
SophosCentral.AllowedItem.type	String	The property by which an item is allowed.
SophosCentral.AllowedItem.updatedAt	Date	Date and time (UTC) when the allowed application was updated.
SophosCentral.AllowedItem.originEndpointId	String	ID of the originating endpoint.
SophosCentral.AllowedItem.originPersonId	String	ID of the originating person.
SophosCentral.AllowedItem.originPersonName	String	Name of the originating person.

Command Example

!sophos-central-allowed-item-add comment="hello world1" item_type=path path=/root/helloaworld/12

Context Example

{

"SophosCentral": {

"AllowedItem": {

"certificateSigner": null,

"comment": "hello world1",

"createdAt": "2020-11-25T10:47:32.082Z",

"fileName": null,

"id": "c68f1abc-986d-43eb-b050-d9113959207a",

"path": "/root/helloaworld/12",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-25T10:47:32.082Z"

}

}

}

Human Readable Output

Added Allowed Item:

id	comment	path	createdAt	type	updatedAt
c68f1abc-986d-43eb-b050-d9113959207a	hello world1	/root/helloaworld/12	2020-11-25T10:47:32.082Z	path	2020-11-25T10:47:32.082Z

sophos-central-allowed-item-update

---

Update an existing allowed item.

Base Command

sophos-central-allowed-item-update

Input

Argument Name	Description	Required
allowed_item_id	The allowed item ID.	Required
comment	Comment indicating why the item should be allowed.	Required

Context Output

Path	Type	Description
SophosCentral.AllowedItem.comment	String	A comment indicating why the item was allowed.
SophosCentral.AllowedItem.createdAt	Date	Date and time (UTC) when the allowed application was created.
SophosCentral.AllowedItem.createdById	String	The unique ID for the user who created the item.
SophosCentral.AllowedItem.createdByName	String	The name for the user who created the item.
SophosCentral.AllowedItem.id	String	The unique ID for the allowed application.
SophosCentral.AllowedItem.certificateSigner	String	The value saved for the certificateSigner.
SophosCentral.AllowedItem.fileName	String	The file name.
SophosCentral.AllowedItem.path	String	The path for the application.
SophosCentral.AllowedItem.sha256	String	The SHA256 value for the application.
SophosCentral.AllowedItem.type	String	The property by which an item is allowed.
SophosCentral.AllowedItem.updatedAt	Date	Date and time (UTC) when the allowed application was updated.
SophosCentral.AllowedItem.originEndpointId	String	ID of the originating endpoint.
SophosCentral.AllowedItem.originPersonId	String	ID of the originating person.
SophosCentral.AllowedItem.originPersonName	String	Name of the originating person.

Command Example

!sophos-central-allowed-item-update allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c comment=changedcomment

Context Example

{

"SophosCentral": {

"AllowedItem": {

"certificateSigner": null,

"comment": "changedcomment",

"createdAt": "2020-11-25T10:19:37.608Z",

"fileName": null,

"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",

"path": "/root/helloaworld/1/1",

"sha256": null,

"type": "path",

"updatedAt": "2020-11-25T10:47:39.104Z"

}

}

}

Human Readable Output

Updated Allowed Item:

id	comment	path	createdAt	type	updatedAt
b2148cc0-6ee8-440e-9c4b-cd5486b36c3c	changedcomment	/root/helloaworld/1/1	2020-11-25T10:19:37.608Z	path	2020-11-25T10:47:39.104Z

sophos-central-allowed-item-delete

---

Delete an existing allowed item.

Base Command

sophos-central-allowed-item-delete

Input

Argument Name	Description	Required
allowed_item_id	The allowed item ID.	Required

Context Output

Path	Type	Description
SophosCentral.DeletedAllowedItem.deletedItemId	String	The ID of the deleted item.

Command Example

!sophos-central-allowed-item-delete allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

Context Example

{

"SophosCentral": {

"DeletedAllowedItem": {

"deletedItemId": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c"

}

}

}

Human Readable Output

Success deleting allowed item: b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

sophos-central-blocked-item-list

---

Get all blocked items.

Base Command

sophos-central-blocked-item-list

Input

Argument Name	Description	Required
page_size	The maximum size of the page requested. Default is "50". Maximum is "100".	Optional
page	Page number to return. Default is "1"	Optional

Context Output

Path	Type	Description
SophosCentral.BlockedItem.comment	String	A comment indicating why the item was allowed.
SophosCentral.BlockedItem.createdAt	Date	Date and time (UTC) when the allowed application was created.
SophosCentral.BlockedItem.createdById	String	The unique ID for the user who created the item.
SophosCentral.BlockedItem.createdByName	String	The name for the user who created the item.
SophosCentral.BlockedItem.id	String	The unique ID for the allowed application.
SophosCentral.BlockedItem.certificateSigner	String	The value saved for the certificateSigner.
SophosCentral.BlockedItem.fileName	String	The file name.
SophosCentral.BlockedItem.path	String	The path for the application.
SophosCentral.BlockedItem.sha256	String	The SHA256 value for the application.
SophosCentral.BlockedItem.type	String	The property by which an item is allowed.
SophosCentral.BlockedItem.updatedAt	Date	Date and time (UTC) when the allowed application was updated.
SophosCentral.BlockedItem.originEndpointId	String	ID of the originating endpoint.
SophosCentral.BlockedItem.originPersonId	String	ID of the originating person.
SophosCentral.BlockedItem.originPersonName	String	Name of the originating person.

Command Example

!sophos-central-blocked-item-list page=1 page_size=50

Context Example

{

"SophosCentral": {

"BlockedItem": [

{

"certificateSigner": null,

"comment": "hello 2world",

"createdAt": "2020-11-25T10:19:54.523Z",

"fileName": null,

"id": "9b44086b-95bd-43e5-b84b-82b91725f02b",

"path": null,

"sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1",

"type": "sha256",

"updatedAt": null

},

{

"certificateSigner": null,

"comment": "hello world",

"createdAt": "2020-11-01T12:55:47.476Z",

"fileName": null,

"id": "fd0f08db-966b-4979-8cbb-876a2bbd29c9",

"path": null,

"sha256": "c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4",

"type": "sha256",

"updatedAt": null

},

{

"certificateSigner": null,

"comment": "It's just a test",

"createdAt": "2020-11-01T10:22:55.556Z",

"fileName": null,

"id": "f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994",

"path": null,

"sha256": "b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af",

"type": "sha256",

"updatedAt": null

}

]

}

}

Human Readable Output

Listed Blocked Items:

id	comment	sha256	createdAt	type
9b44086b-95bd-43e5-b84b-82b91725f02b	hello 2world	c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1	2020-11-25T10:19:54.523Z	sha256
fd0f08db-966b-4979-8cbb-876a2bbd29c9	hello world	c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4	2020-11-01T12:55:47.476Z	sha256
f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994	It's just a test	b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af	2020-11-01T10:22:55.556Z	sha256

Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.

sophos-central-blocked-item-get

---

Get a single blocked item by ID.

Base Command

sophos-central-blocked-item-get

Input

Argument Name	Description	Required
blocked_item_id	The blocked item ID.	Required

Context Output

Path	Type	Description
SophosCentral.BlockedItem.comment	String	A comment indicating why the item was allowed.
SophosCentral.BlockedItem.createdAt	Date	Date and time (UTC) when the allowed application was created.
SophosCentral.BlockedItem.createdById	String	The unique ID for the user who created the item.
SophosCentral.BlockedItem.createdByName	String	The name for the user who created the item.
SophosCentral.BlockedItem.id	String	The unique ID for the allowed application.
SophosCentral.BlockedItem.certificateSigner	String	The value saved for the certificateSigner.
SophosCentral.BlockedItem.fileName	String	The file name.
SophosCentral.BlockedItem.path	String	The path for the application.
SophosCentral.BlockedItem.sha256	String	The SHA256 value for the application.
SophosCentral.BlockedItem.type	String	The property by which an item is allowed.
SophosCentral.BlockedItem.updatedAt	Date	Date and time (UTC) when the allowed application was updated.
SophosCentral.BlockedItem.originEndpointId	String	ID of the originating endpoint.
SophosCentral.BlockedItem.originPersonId	String	ID of the originating person.
SophosCentral.BlockedItem.originPersonName	String	Name of the originating person.

Command Example

!sophos-central-blocked-item-get blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b

Context Example

{

"SophosCentral": {

"BlockedItem": {

"certificateSigner": null,

"comment": "hello 2world",

"createdAt": "2020-11-25T10:19:54.523Z",

"fileName": null,

"id": "9b44086b-95bd-43e5-b84b-82b91725f02b",

"path": null,

"sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1",

"type": "sha256",

"updatedAt": null

}

}

}

Human Readable Output

Found Blocked Item:

id	comment	sha256	createdAt	type
9b44086b-95bd-43e5-b84b-82b91725f02b	hello 2world	c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1	2020-11-25T10:19:54.523Z	sha256

sophos-central-blocked-item-add

---

Add a new blocked item.

Base Command

sophos-central-blocked-item-add

Input

Argument Name	Description	Required
comment	Comment indicating why the item should be blocked.	Required
certificate_signer	The value saved for the certificateSigner.	Optional
file_name	The file name.	Optional
path	The path for the application.	Optional
sha256	The SHA256 value for the application.	Required
item_type	The property by which an item is blocked. Possible value is sha256.	Required

Context Output

Path	Type	Description
SophosCentral.BlockedItem.comment	String	A comment indicating why the item was allowed.
SophosCentral.BlockedItem.createdAt	Date	Date and time (UTC) when the allowed application was created.
SophosCentral.BlockedItem.createdById	String	The unique ID for the user who created the item.
SophosCentral.BlockedItem.createdByName	String	The name for the user who created the item.
SophosCentral.BlockedItem.id	String	The unique ID for the allowed application.
SophosCentral.BlockedItem.certificateSigner	String	The value saved for the certificateSigner.
SophosCentral.BlockedItem.fileName	String	The file name.
SophosCentral.BlockedItem.path	String	The path for the application.
SophosCentral.BlockedItem.sha256	String	The SHA256 value for the application.
SophosCentral.BlockedItem.type	String	The property by which an item is allowed.
SophosCentral.BlockedItem.updatedAt	Date	Date and time (UTC) when the allowed application was updated.
SophosCentral.BlockedItem.originEndpointId	String	ID of the originating endpoint.
SophosCentral.BlockedItem.originPersonId	String	ID of the originating person.
SophosCentral.BlockedItem.originPersonName	String	Name of the originating person.

Command Example

!sophos-central-blocked-item-add comment="hello 2world" item_type=sha256 sha256=CAF4DB9B3191E6E693CE938BD74FAB37AEE71372C8A034F5040362D8C69E4DE4

Context Example

{

"SophosCentral": {

"BlockedItem": {

"certificateSigner": null,

"comment": "hello 2world",

"createdAt": "2020-11-25T10:47:46.428Z",

"fileName": null,

"id": "9535be44-40f3-4704-94df-6afa1e563f9c",

"path": null,

"sha256": "caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4",

"type": "sha256",

"updatedAt": null

}

}

}

Human Readable Output

Added Blocked Item:

id	comment	sha256	createdAt	type
9535be44-40f3-4704-94df-6afa1e563f9c	hello 2world	caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4	2020-11-25T10:47:46.428Z	sha256

sophos-central-blocked-item-delete

---

Delete an existing blocked item.

Base Command

sophos-central-blocked-item-delete

Input

Argument Name	Description	Required
blocked_item_id	The blocked item ID.	Required

Context Output

Path	Type	Description
SophosCentral.DeletedBlockedItem.deletedItemId	String	The ID of the deleted item.

Command Example

!sophos-central-blocked-item-delete blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b

Context Example

{

"SophosCentral": {

"DeletedBlockedItem": {

"deletedItemId": "9b44086b-95bd-43e5-b84b-82b91725f02b"

}

}

}

Human Readable Output

Success deleting blocked item: 9b44086b-95bd-43e5-b84b-82b91725f02b

sophos-central-scan-exclusion-list

---

List all scan exclusions.

Base Command

sophos-central-scan-exclusion-list

Input

Argument Name	Description	Required
exclusion_type	Scan exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral"	Optional
page_size	The maximum size of the page requested. Default is "50". Maximum is "100".	Optional
page	The page number to fetch. Default is "1"	Optional

Context Output

Path	Type	Description
SophosCentral.ScanExclusion.comment	String	A comment indicating why the exclusion was updated.
SophosCentral.ScanExclusion.description	String	The exclusion description added by the system.
SophosCentral.ScanExclusion.id	String	The unique ID for the scanning exclusion setting.
SophosCentral.ScanExclusion.scanMode	String	The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
SophosCentral.ScanExclusion.type	String	The scanning exclusion type.
SophosCentral.ScanExclusion.value	String	The exclusion value.

Command Example

!sophos-central-scan-exclusion-list

Context Example

{

"SophosCentral": {

"ScanExclusion": [

{

"comment": "Sophos temporary exclusion see KBA 133945",

"description": "Sophos temporary exclusion see KBA 133945",

"id": "369b0956-a7b6-44fc-b1cc-bd7b3279c663",

"scanMode": "onDemandAndOnAccess",

"type": "path",

"value": "%programfiles(x86)%\\Sophos\\Sophos Anti-Virus\\"

},

{

"comment": null,

"description": null,

"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",

"scanMode": "onDemandAndOnAccess",

"type": "path",

"value": "testpathhzh"

},

{

"comment": "changed before demo",

"description": null,

"id": "16bac29f-17a4-4c3a-9370-8c5968c5ac7d",

"scanMode": "onAccess",

"type": "process",

"value": "changedvirus.exe"

}

]

}

}

Human Readable Output

Listed Scan Exclusions:

id	value	type	description	comment	scanMode
369b0956-a7b6-44fc-b1cc-bd7b3279c663	%programfiles(x86)%\Sophos\Sophos Anti-Virus\	path	Sophos temporary exclusion see KBA 133945	Sophos temporary exclusion see KBA 133945	onDemandAndOnAccess
6868151e-4eac-4d0a-8985-5db9bff9d6f2	testpathhzh	path			onDemandAndOnAccess
16bac29f-17a4-4c3a-9370-8c5968c5ac7d	changedvirus.exe	process		changed before demo	onAccess

Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.

sophos-central-scan-exclusion-get

---

Get a single scan exclusion by ID.

Base Command

sophos-central-scan-exclusion-get

Input

Argument Name	Description	Required
exclusion_id	The exclusion ID.	Required

Context Output

Path	Type	Description
SophosCentral.ScanExclusion.comment	String	A comment indicating why the exclusion was updated.
SophosCentral.ScanExclusion.description	String	The exclusion description added by the system.
SophosCentral.ScanExclusion.id	String	The unique ID for the scanning exclusion setting.
SophosCentral.ScanExclusion.scanMode	String	The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
SophosCentral.ScanExclusion.type	String	The scanning exclusion type.
SophosCentral.ScanExclusion.value	String	The exclusion value.

Command Example

!sophos-central-scan-exclusion-get exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example

{

"SophosCentral": {

"ScanExclusion": {

"comment": null,

"description": null,

"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",

"scanMode": "onDemandAndOnAccess",

"type": "path",

"value": "testpathhzh"

}

}

}

Human Readable Output

Found Scan Exclusion:

id	value	type	scanMode
6868151e-4eac-4d0a-8985-5db9bff9d6f2	testpathhzh	path	onDemandAndOnAccess

sophos-central-scan-exclusion-add

---

Add a new scan exclusion.

Base Command

sophos-central-scan-exclusion-add

Input

Argument Name	Description	Required
comment	A comment indicating why the exclusion was created.	Optional
scan_mode	The scan mode. Possible values are: "onDemand", "onAccess", and "onDemandAndOnAccess". Default is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.	Optional
exclusion_type	The scanning exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral".	Required
value	The exclusion value.	Required

Context Output

Path	Type	Description
SophosCentral.ScanExclusion.comment	String	A comment indicating why the exclusion was updated.
SophosCentral.ScanExclusion.description	String	The exclusion description added by the system.
SophosCentral.ScanExclusion.id	String	The unique ID for the scanning exclusion setting.
SophosCentral.ScanExclusion.scanMode	String	The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
SophosCentral.ScanExclusion.type	String	The scanning exclusion type.
SophosCentral.ScanExclusion.value	String	The exclusion value.

Command Example

!sophos-central-scan-exclusion-add exclusion_type=path value=avsdfasdfaa

Context Example

{

"SophosCentral": {

"ScanExclusion": {

"comment": null,

"description": null,

"id": "be7b05bf-368b-4621-8131-0776486e1c7b",

"scanMode": "onDemandAndOnAccess",

"type": "path",

"value": "avsdfasdfaa"

}

}

}

Human Readable Output

Added Scan Exclusion:

id	value	type	scanMode
be7b05bf-368b-4621-8131-0776486e1c7b	avsdfasdfaa	path	onDemandAndOnAccess

sophos-central-scan-exclusion-update

---

Update an existing scan exclusion.

Base Command

sophos-central-scan-exclusion-update

Input

Argument Name	Description	Required
comment	A comment indicating why the exclusion was created.	Optional
scan_mode	The default value of scan mode is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.	Optional
exclusion_id	The exclusion ID.	Required
value	The exclusion value.	Optional

Context Output

Path	Type	Description
SophosCentral.ScanExclusion.comment	String	A comment indicating why the exclusion was updated.
SophosCentral.ScanExclusion.description	String	The exclusion description added by the system.
SophosCentral.ScanExclusion.id	String	The unique ID for the scanning exclusion setting.
SophosCentral.ScanExclusion.scanMode	String	The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode.
SophosCentral.ScanExclusion.type	String	The scanning exclusion type.
SophosCentral.ScanExclusion.value	String	The exclusion value.

Command Example

!sophos-central-scan-exclusion-update exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example

{

"SophosCentral": {

"ScanExclusion": {

"comment": null,

"description": null,

"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",

"scanMode": "onDemandAndOnAccess",

"type": "path",

"value": "testpathhzh"

}

}

}

Human Readable Output

Updated Scan Exclusion:

id	value	type	scanMode
6868151e-4eac-4d0a-8985-5db9bff9d6f2	testpathhzh	path	onDemandAndOnAccess

sophos-central-scan-exclusion-delete

---

Delete an existing scan exclusion.

Base Command

sophos-central-scan-exclusion-delete

Input

Argument Name	Description	Required
exclusion_id	The exclusion ID.	Required

Context Output

Path	Type	Description
SophosCentral.DeletedScanExclusion.deletedExclusionId	String	The ID of the deleted exclusion.

Command Example

!sophos-central-scan-exclusion-delete exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example

{

"SophosCentral": {

"DeletedScanExclusion": {

"deletedExclusionId": "6868151e-4eac-4d0a-8985-5db9bff9d6f2"

}

}

}

Human Readable Output

Success deleting scan exclusion: 6868151e-4eac-4d0a-8985-5db9bff9d6f2

sophos-central-exploit-mitigation-list

---

List exploit mitigation settings for all protected applications.

Base Command

sophos-central-exploit-mitigation-list

Input

Argument Name	Description	Required
mitigation_type	Exploit mitigation type. Possible values are: "detected" and "custom".	Optional
page_size	The maximum size of the page requested. Default is "50". Maximum is "100".	Optional
page	The page number to fetch. Default is "1".	Optional
modified	Whether the Exploit Mitigation application has been customized. Possible values are: "true" and "false".	Optional

Context Output

Path	Type	Description
SophosCentral.ExploitMitigation.category	String	The Exploit Mitigation category ID.
SophosCentral.ExploitMitigation.name	String	The name given to this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.id	String	The ID of this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.paths	String	Paths included in this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.type	String	Whether the application was detected by the system or created by the user.

Command Example

!sophos-central-exploit-mitigation-list

Context Example

{

"SophosCentral": {

"ExploitMitigation": [

{

"category": "other",

"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",

"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",

"paths": [

"newnewnewnewnew"

],

"type": "custom"

},

{

"category": "browsers",

"id": "06aefe81-7f83-4768-9cec-59d86d7ee133",

"name": "Firefox",

"paths": [

"$programfiles\\Mozilla Firefox\\firefox.exe"

],

"type": "detected"

},

{

"category": "browsers",

"id": "b07c6cd2-ee1b-4cf4-8bd2-d3be05e461cf",

"name": "Google Chrome",

"paths": [

"$programfiles\\Google\\Chrome\\Application\\chrome.exe"

],

"type": "detected"

},

{

"category": "browsers",

"id": "df7c2b63-dda4-4dc4-a12d-471cad799dbd",

"name": "Internet Explorer",

"paths": [

"$programfiles\\Internet Explorer\\iexplore.exe"

],

"type": "detected"

},

{

"category": "java",

"id": "f5d5ba2d-d905-4e7b-b3b7-abb0f30f38b3",

"name": "Java(TM) Platform SE binary",

"paths": [

"$programfiles\\java\\jre1.8.0_271\\bin\\java.exe",

"$programfiles\\java\\jre1.8.0_271\\bin\\javaw.exe"

],

"type": "detected"

},

{

"category": "java",

"id": "9ddf4b33-9f65-4422-898e-d5b5b450e8d8",

"name": "Java(TM) Web Launcher",

"paths": [

"$programfiles\\java\\jre1.8.0_271\\bin\\jp2launcher.exe"

],

"type": "detected"

},

{

"category": "java",

"id": "b44f50e0-0332-444a-bdb0-cfec43fc2def",

"name": "Java(TM) Web Start Launcher",

"paths": [

"$programfiles\\java\\jre1.8.0_271\\bin\\javaws.exe"

],

"type": "detected"

},

{

"category": "other",

"id": "a49af552-55e1-4dcd-a909-2310bcb8016f",

"name": "KeePass",

"paths": [

"$programfiles\\KeePass Password Safe 2\\KeePass.exe"

],

"type": "detected"

},

{

"category": "browsers",

"id": "4178130a-0d4e-435d-b4bb-db594810a43a",

"name": "Microsoft Edge",

"paths": [

"$programfiles\\Microsoft\\Edge\\Application\\msedge.exe",

"$windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe"

],

"type": "detected"

},

{

"category": "office",

"id": "ecbcd6a5-73d5-4060-b49f-b9de2e0587fc",

"name": "Microsoft Excel",

"paths": [

"$programfiles\\Microsoft Office\\Root\\Office16\\EXCEL.EXE"

],

"type": "detected"

},

{

"category": "office",

"id": "7907eaf2-b4f0-40e3-9dd8-f7e452ffc7cf",

"name": "Microsoft Outlook",

"paths": [

"$programfiles\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"

],

"type": "detected"

},

{

"category": "office",

"id": "6cadbe94-8e1c-4648-aa9e-b0b39e1cb1fb",

"name": "Microsoft PowerPoint",

"paths": [

"$programfiles\\Microsoft Office\\Root\\Office16\\POWERPNT.EXE"

],

"type": "detected"

},

{

"category": "office",

"id": "417fd1be-fafa-4e3b-9a9b-589f7f20b72c",

"name": "Microsoft Word",

"paths": [

"$programfiles\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"

],

"type": "detected"

},

{

"category": "browsers",

"id": "68026667-ca17-473d-b797-ccebe2d9da87",

"name": "MicrosoftEdgeCP.exe",

"paths": [

"$windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe"

],

"type": "detected"

},

{

"category": "java",

"id": "01e26718-ddf3-4aad-b465-d7279b755c32",

"name": "OpenJDK Platform binary",

"paths": [

"$programfiles\\JetBrains\\PyCharm Community Edition 2020.1.2\\jbr\\bin\\java.exe"

],

"type": "detected"

},

{

"category": "office",

"id": "9e378d93-4b62-4976-9a7c-5fdbbafa0b79",

"name": "Pick an app",

"paths": [

"$system32\\OpenWith.exe"

],

"type": "detected"

},

{

"category": "plugins",

"id": "a0b96b54-6895-408c-ac68-f84ca81c248a",

"name": "Plugin Container for Firefox",

"paths": [

"$programfiles\\Mozilla Firefox\\plugin-container.exe"

],

"type": "detected"

},

{

"category": "other",

"id": "3ac3fd9b-5b30-4e19-a9a4-303f553a4500",

"name": "Skype for Business",

"paths": [

"$programfiles\\Microsoft Office\\Root\\Office16\\lync.exe"

],

"type": "detected"

},

{

"category": "media",

"id": "dbedc673-218a-4814-99f0-33642a65b1fd",

"name": "Windows Media Player",

"paths": [

"$programfiles\\Windows Media Player\\wmplayer.exe"

],

"type": "detected"

},

{

"category": "office",

"id": "fd4f1dc8-4b4a-429e-ac27-bd757352f52c",

"name": "Windows Wordpad Application",

"paths": [

"$programfiles\\Windows NT\\Accessories\\WORDPAD.EXE"

],

"type": "detected"

},

{

"category": "other",

"id": "563f4022-0a28-47f8-9bb6-7774aa7794e3",

"name": "b2477368-4e58-4868-af90-554f948f4077",

"paths": [

"wooba"

],

"type": "custom"

},

{

"category": "other",

"id": "b19800cf-a98a-43dc-8efc-6de1f2a7321e",

"name": "cde78059-3164-46c6-903f-c27b9103ef37",

"paths": [

"testpathhhh"

],

"type": "custom"

},

{

"category": "other",

"id": "91fff008-3609-46f3-9fc7-44713635b775",

"name": "ce697cb7-06da-4e02-bcde-21f73b81d5ee",

"paths": [

"changed\\path"

],

"type": "custom"

}

]

}

}

Human Readable Output

Listed Exploit Mitigations:

id	name	type	category	paths
ff9d87d0-c944-4ca5-9f76-c5efd1f89ded	3bf6f110-48d8-4114-95e3-a286ac50d722	custom	other	newnewnewnewnew
06aefe81-7f83-4768-9cec-59d86d7ee133	Firefox	detected	browsers	$programfiles\Mozilla Firefox\firefox.exe
b07c6cd2-ee1b-4cf4-8bd2-d3be05e461cf	Google Chrome	detected	browsers	$programfiles\Google\Chrome\Application\chrome.exe
df7c2b63-dda4-4dc4-a12d-471cad799dbd	Internet Explorer	detected	browsers	$programfiles\Internet Explorer\iexplore.exe
f5d5ba2d-d905-4e7b-b3b7-abb0f30f38b3	Java(TM) Platform SE binary	detected	java	$programfiles\java\jre1.8.0_271\bin\java.exe, $programfiles\java\jre1.8.0_271\bin\javaw.exe
9ddf4b33-9f65-4422-898e-d5b5b450e8d8	Java(TM) Web Launcher	detected	java	$programfiles\java\jre1.8.0_271\bin\jp2launcher.exe
b44f50e0-0332-444a-bdb0-cfec43fc2def	Java(TM) Web Start Launcher	detected	java	$programfiles\java\jre1.8.0_271\bin\javaws.exe
a49af552-55e1-4dcd-a909-2310bcb8016f	KeePass	detected	other	$programfiles\KeePass Password Safe 2\KeePass.exe
4178130a-0d4e-435d-b4bb-db594810a43a	Microsoft Edge	detected	browsers	$programfiles\Microsoft\Edge\Application\msedge.exe, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
ecbcd6a5-73d5-4060-b49f-b9de2e0587fc	Microsoft Excel	detected	office	$programfiles\Microsoft Office\Root\Office16\EXCEL.EXE
7907eaf2-b4f0-40e3-9dd8-f7e452ffc7cf	Microsoft Outlook	detected	office	$programfiles\Microsoft Office\root\Office16\OUTLOOK.EXE
6cadbe94-8e1c-4648-aa9e-b0b39e1cb1fb	Microsoft PowerPoint	detected	office	$programfiles\Microsoft Office\Root\Office16\POWERPNT.EXE
417fd1be-fafa-4e3b-9a9b-589f7f20b72c	Microsoft Word	detected	office	$programfiles\Microsoft Office\Root\Office16\WINWORD.EXE
68026667-ca17-473d-b797-ccebe2d9da87	MicrosoftEdgeCP.exe	detected	browsers	$windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
01e26718-ddf3-4aad-b465-d7279b755c32	OpenJDK Platform binary	detected	java	$programfiles\JetBrains\PyCharm Community Edition 2020.1.2\jbr\bin\java.exe
9e378d93-4b62-4976-9a7c-5fdbbafa0b79	Pick an app	detected	office	$system32\OpenWith.exe
a0b96b54-6895-408c-ac68-f84ca81c248a	Plugin Container for Firefox	detected	plugins	$programfiles\Mozilla Firefox\plugin-container.exe
3ac3fd9b-5b30-4e19-a9a4-303f553a4500	Skype for Business	detected	other	$programfiles\Microsoft Office\Root\Office16\lync.exe
dbedc673-218a-4814-99f0-33642a65b1fd	Windows Media Player	detected	media	$programfiles\Windows Media Player\wmplayer.exe
fd4f1dc8-4b4a-429e-ac27-bd757352f52c	Windows Wordpad Application	detected	office	$programfiles\Windows NT\Accessories\WORDPAD.EXE
563f4022-0a28-47f8-9bb6-7774aa7794e3	b2477368-4e58-4868-af90-554f948f4077	custom	other	wooba
b19800cf-a98a-43dc-8efc-6de1f2a7321e	cde78059-3164-46c6-903f-c27b9103ef37	custom	other	testpathhhh
91fff008-3609-46f3-9fc7-44713635b775	ce697cb7-06da-4e02-bcde-21f73b81d5ee	custom	other	changed\path

Current page: 1. Results on this page: 23. Maximum number of results allowed in a page: 100.

sophos-central-exploit-mitigation-get

---

Get exploit mitigation settings for a single application.

Base Command

sophos-central-exploit-mitigation-get

Input

Argument Name	Description	Required
mitigation_id	The Exploit Mitigation application ID.	Required

Context Output

Path	Type	Description
SophosCentral.ExploitMitigation.category	String	The Exploit Mitigation category ID.
SophosCentral.ExploitMitigation.name	String	The name given to this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.id	String	The ID of this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.paths	String	Paths included in this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.type	String	Whether the application was detected by the system or created by the user.

Command Example

!sophos-central-exploit-mitigation-get mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example

{

"SophosCentral": {

"ExploitMitigation": {

"category": "other",

"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",

"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",

"paths": [

"newnewnewnewnew"

],

"type": "custom"

}

}

}

Human Readable Output

Found Exploit Mitigation:

id	name	type	category	paths
ff9d87d0-c944-4ca5-9f76-c5efd1f89ded	3bf6f110-48d8-4114-95e3-a286ac50d722	custom	other	newnewnewnewnew

sophos-central-exploit-mitigation-add

---

Exclude a set of file paths from exploit mitigation.

Base Command

sophos-central-exploit-mitigation-add

Input

Argument Name	Description	Required
path	An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles).	Required

Context Output

Path	Type	Description
SophosCentral.ExploitMitigation.category	String	The Exploit Mitigation category ID.
SophosCentral.ExploitMitigation.name	String	The name given to this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.id	String	The ID of this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.paths	String	Paths included in this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.type	String	Whether the application was detected by the system or created by the user.

Command Example

!sophos-central-exploit-mitigation-add path=testestesteset

Context Example

{

"SophosCentral": {

"ExploitMitigation": {

"category": "other",

"id": "755ec991-c04f-498f-ab8e-20ef1a187b52",

"name": "d082226b-0c17-4959-a3ed-a6957f39c9bc",

"paths": [

"testestesteset"

],

"type": "custom"

}

}

}

Human Readable Output

Added Exploit Mitigation:

id	name	type	category	paths
755ec991-c04f-498f-ab8e-20ef1a187b52	d082226b-0c17-4959-a3ed-a6957f39c9bc	custom	other	testestesteset

sophos-central-exploit-mitigation-update

---

Update exploit mitigation settings for an application.

Base Command

sophos-central-exploit-mitigation-update

Input

Argument Name	Description	Required
mitigation_id	The Exploit Mitigation application ID.	Required
path	An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles).	Required

Context Output

Path	Type	Description
SophosCentral.ExploitMitigation.category	String	The Exploit Mitigation category ID.
SophosCentral.ExploitMitigation.name	String	The name given to this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.id	String	The ID of this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.paths	String	Paths included in this Exploit Mitigation Application.
SophosCentral.ExploitMitigation.type	String	Whether the application was detected by the system or created by the user.

Command Example

!sophos-central-exploit-mitigation-update mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded path=changed

Context Example

{

"SophosCentral": {

"ExploitMitigation": {

"category": "other",

"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",

"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",

"paths": [

"changed"

],

"type": "custom"

}

}

}

Human Readable Output

Updated Exploit Mitigation:

id	name	type	category	paths
ff9d87d0-c944-4ca5-9f76-c5efd1f89ded	3bf6f110-48d8-4114-95e3-a286ac50d722	custom	other	changed

sophos-central-exploit-mitigation-delete

---

Delete a custom (user-defined) exploit mitigation application by ID.

Base Command

sophos-central-exploit-mitigation-delete

Input

Argument Name	Description	Required
mitigation_id	The Exploit Mitigation application ID.	Required

Context Output

Path	Type	Description
SophosCentral.DeletedExploitMitigation.deletedMitigationId	String	The ID of the deleted mitigation.

Command Example

!sophos-central-exploit-mitigation-delete mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example

{

"SophosCentral": {

"DeletedExploitMitigation": {

"deletedMitigationId": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded"

}

}

}

Human Readable Output

Success deleting exploit mitigation: ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

sophos-central-detected-exploit-list

---

List all detected exploits.

Base Command

sophos-central-detected-exploit-list

Input

Argument Name	Description	Required
page_size	The maximum size of the page requested. Default is "50". Maximum is "100".	Optional
page	The page number to fetch. Default is "1".	Optional
thumbprint_not_in	Filter out detected exploits with these thumbprints.	Optional

Context Output

Path	Type	Description
SophosCentral.DetectedExploit.count	Number	The number of times the same exploit has been detected, potentially across multiple endpoints.
SophosCentral.DetectedExploit.description	String	The English description of the exploit detected event.
SophosCentral.DetectedExploit.id	String	The ID of this Exploit Mitigation Application.
SophosCentral.DetectedExploit.firstSeenAt	Date	When the exploit was first seen.
SophosCentral.DetectedExploit.lastSeenAt	Date	When the exploit was last seen.
SophosCentral.DetectedExploit.lastEndpointHostname	String	The endpoint hostname.
SophosCentral.DetectedExploit.lastEndpointId	String	The unique endpoint ID.
SophosCentral.DetectedExploit.lastUserName	String	Person's name.
SophosCentral.DetectedExploit.lastUserId	String	The unique ID for the user.
SophosCentral.DetectedExploit.thumbprint	String	Matches [0-9a-zA-Z]{64}.

Command Example

!sophos-central-detected-exploit-list

Context Example

{

"SophosCentral": {

"DetectedExploit": null

}

}

Human Readable Output

Listed Detected Exploits:

No entries. Current page: 1. Results on this page: 0. Maximum number of results allowed in a page: 100.

sophos-central-detected-exploit-get

---

Get a single detected exploit.

Base Command

sophos-central-detected-exploit-get

Input

Argument Name	Description	Required
detected_exploit_id	The ID of a previously detected exploit.	Required

Context Output

Path	Type	Description
SophosCentral.DetectedExploit.count	Number	The number of times the same exploit has been detected, potentially across multiple endpoints.
SophosCentral.DetectedExploit.description	String	The English description of the exploit detected event.
SophosCentral.DetectedExploit.id	String	The ID of this Exploit Mitigation application.
SophosCentral.DetectedExploit.firstSeenAt	Date	When the exploit was first seen.
SophosCentral.DetectedExploit.lastSeenAt	Date	When the exploit was last seen.
SophosCentral.DetectedExploit.lastEndpointHostname	String	The endpoint hostname.
SophosCentral.DetectedExploit.lastEndpointId	String	The unique endpoint ID.
SophosCentral.DetectedExploit.lastUserName	String	Person's name.
SophosCentral.DetectedExploit.lastUserId	String	The unique ID for the user.
SophosCentral.DetectedExploit.thumbprint	String	Matches [0-9a-zA-Z]{64}.

Command Example

Human Readable Output

sophos-central-isolate-endpoint

---

Isolate one or more endpoints.

Base Command

sophos-central-isolate-endpoint

Input

Argument Name	Description	Required
endpoint_id	ID(s) of the endpoint(s) to be isolated.	Required
comment	Comment indicating why the endpoint(s) should be isolated.	Optional

Context Output

Path	Type	Description
SophosCentral.EndpointIsolation.items.id	String	The unique endpoint ID.
SophosCentral.EndpointIsolation.items.isolation.enabled	Boolean	Isolation status.
SophosCentral.EndpointIsolation.items.isolation.lastEnabledAt	String	When isolation was last enabled for the endpoint.
SophosCentral.EndpointIsolation.items.isolation.lastEnabledBy.id	String	Principal Email or clientId by whom isolation was enabled.
SophosCentral.EndpointIsolation.items.isolation.lastDisabledAt	String	When isolation was last disabled for the endpoint.
SophosCentral.EndpointIsolation.items.isolation.lastDisabledBy.id	String	Principal Email or clientId by whom isolation was disabled.
SophosCentral.EndpointIsolation.items.isolation.comment	String	Reason endpoint should be isolated or not.

Command Example

!sophos-central-isolate-endpoint endpoint_id=25de27bc-b07a-4728-b7b2-a021365xxxxx

Context Example

{

"items": [

{

"id": "25de27bc-b07a-4728-b7b2-a021365xxxxx",

"isolation": {

"enabled": true,

"lastEnabledAt": "2021-08-13 09.07.03 GMT",

"lastEnabledBy": {

"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"

},

"lastDisabledAt": "2021-08-13 09.54.02 GMT",

"lastDisabledBy": {

"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"

},

"comment": "testing"

}

}

]

}

Human Readable Output

Endpoint(s) isolated successfully.

sophos-central-deisolate-endpoint

---

De-isolate one or more endpoints.

Base Command

sophos-central-deisolate-endpoint

Input

Argument Name	Description	Required
endpoint_id	ID(s) of the endpoint(s) to be de-isolated.	Required
comment	Comment indicating why the endpoint(s) should be de-isolated.	Optional

Context Output

Path	Type	Description
SophosCentral.EndpointIsolation.items.id	String	The unique endpoint ID.
SophosCentral.EndpointIsolation.items.isolation.enabled	Boolean	Isolation status.
SophosCentral.EndpointIsolation.items.isolation.lastEnabledAt	String	When isolation was last enabled for the endpoint.
SophosCentral.EndpointIsolation.items.isolation.lastEnabledBy.id	String	Principal Email or clientId by whom isolation was enabled.
SophosCentral.EndpointIsolation.items.isolation.lastDisabledAt	String	When isolation was last disabled for the endpoint.
SophosCentral.EndpointIsolation.items.isolation.lastDisabledBy.id	String	Principal Email or clientId by whom isolation was disabled.
SophosCentral.EndpointIsolation.items.isolation.comment	String	Reason endpoint should be isolated or not.

Command Example

!sophos-central-deisolate-endpoint endpoint_id=25de27bc-b07a-4728-b7b2-a021365xxxxx

Context Example

{

"items": [

{

"id": "25de27bc-b07a-4728-b7b2-a021365xxxxx",

"isolation": {

"enabled": false,

"lastEnabledAt": "2021-08-13 09.07.03 GMT",

"lastEnabledBy": {

"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"

},

"lastDisabledAt": "2021-08-13 09.54.02 GMT",

"lastDisabledBy": {

"id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"

},

"comment": "testing"

}

}

]

}

Human Readable Output

Endpoint(s) de-isolated successfully.

sophos-central-usergroups-users-add

---

Add multiple users to the specified group.

Base Command

sophos-central-usergroups-users-add

Input

Argument Name	Description	Required
groupId	Unique UUID of Group.	Required
userIds	Comma-separated list of User UUIDs. Maximum 1000 unique User IDs are allowed (You can retrieve the userIds from the sophos-central-users-list).	Required

Context Output

Path	Type	Description
SophosCentral.UserGroups.id	String	The Group ID.
SophosCentral.UserGroups.addedUsers.id	String	User ID.
SophosCentral.UserGroups.addedUsers.name	String	User's full name.

Command example

!sophos-central-usergroups-users-add groupId="733cce06-5ad0-487b-9547-03af02b5722e" userIds="09c515b2-009e-4e78-a83f-a5423e6def9a, f9029e98-311a-4c19-9908-15bafff9f39f, 86e0ae0f-77ef-423a-bbbf-d95e49edd468"

Context Example

{

"SophosCentral": {

"UserGroups": {

"addedUsers": [

{

"id": "f9029e98-311a-4c19-9908-15bafff9f39f",

"name": "Domain\\User"

},

{

"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",

"name": "GREEN\\testUser"

},

{

"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",

"name": "Administrator"

}

],

"id": "733cce06-5ad0-487b-9547-03af02b5722e"

}

}

}

Human Readable Output

User(s) added to the specified group.

sophos-central-usergroups-user-delete

---

Remove a specific User from the group.

Base Command

sophos-central-usergroups-user-delete

Input

Argument Name	Description	Required
groupId	Unique UUID of Group (You can retrieve the group ID from the sophos-central-usergroups-list).	Required
userId	Unique UUID of User (You can retrieve the user ID from the sophos-central-users-list).	Required

Context Output

Path	Type	Description
SophosCentral.UserGroups.id	String	The Group ID.
SophosCentral.UserGroups.users.removedUser	String	The User ID.

Command example

!sophos-central-usergroups-user-delete groupId="733cce06-5ad0-487b-9547-03af02b5722e" userId="86e0ae0f-77ef-423a-bbbf-d95e49edd468"

Context Example

{

"SophosCentral": {

"UserGroups": {

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"removedUser": "86e0ae0f-77ef-423a-bbbf-d95e49edd468"

}

}

}

Human Readable Output

User removed from group.

sophos-central-usergroups-membership-get

---

List all users in a specific group.

Base Command

sophos-central-usergroups-membership-get

Input

Argument Name	Description	Required
groupId	Unique Group UUID (You can retrieve the group ID from the sophos-central-usergroups-list).	Required
search	Search for items that match the given terms.	Optional
searchFields	Search only within the specified comma-separated field values. The following values are allowed: name, firstName, lastName, email, exchangeLogin When not specified, the default behavior is to search the full names of users, only.	Optional
domain	List the items that match the given domain.	Optional
sourceType	Types of sources of directory information. The following values are allowed: custom, activeDirectory, azureActiveDirectory. Possible values are: custom, activeDirectory, azureActiveDirectory.	Optional
page	The page number to fetch. Default is "1". Default is 1.	Optional
pageSize	Size of the page requested. Default is "50". Maximum is "100". Default is 50.	Optional

Context Output

Path	Type	Description
SophosCentral.UserGroups.users.id	String	User ID.
SophosCentral.UserGroups.users.name	String	User's name.
SophosCentral.UserGroups.users.firstName	String	User's first name or given name.
SophosCentral.UserGroups.users.lastName	String	User's last name or surname.
SophosCentral.UserGroups.users.emailAddress	String	User's email address.
SophosCentral.UserGroups.users.groups.total	number	Total number of groups.
SophosCentral.UserGroups.users.groups.itemsCount	number	Item count.
SophosCentral.UserGroups.users.groups.items.id	String	Group ID.
SophosCentral.UserGroups.users.groups.items.name	String	Group name.
SophosCentral.UserGroups.users.groups.items.displayName	String	Group display name.
SophosCentral.UserGroups.users.groups.tenant.id	String	Tenant ID.
SophosCentral.UserGroups.users.groups.source.type	String	Types of sources of directory information.

Command example

!sophos-central-usergroups-membership-get groupId="6ed5e258-b427-4fa0-a9cf-568d130796c3"

Context Example

{

"SophosCentral": {

"UserGroups": {

"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",

"users": [

{

"createdAt": "2022-03-28T05:09:51.524Z",

"email": "ruqdxvd1g7@lightning.example.com",

"firstName": "Administrator",

"groups": {

"items": [

{

"displayName": "GroupNameTestReadMe",

"id": "03d1fcb2-246e-4307-b570-82dcf9083686",

"name": "GroupNameTestReadMe"

},

{

"displayName": "Group 2-Updated",

"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",

"name": "Group 2-Updated"

},

{

"displayName": "Group1",

"id": "552f6e04-559e-4225-b6a4-870155de8979",

"name": "Group1"

}

],

"itemsCount": 3,

"total": 3

},

"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",

"lastName": "",

"name": "Administrator",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-03-28T12:43:26.994Z"

},

{

"createdAt": "2022-06-15T06:14:14.832Z",

"groups": {

"items": [

{

"displayName": "Group 2-Updated",

"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",

"name": "Group 2-Updated"

},

{

"displayName": "TestGroupName-2",

"id": "28fd524c-e7ae-476e-87c6-0f0a2ac47592",

"name": "TestGroupName-2"

},

{

"displayName": "Group&123",

"id": "17d33950-4980-4dfc-83c9-d0b8dce0deaa",

"name": "Group&123"

}

],

"itemsCount": 3,

"total": 3

},

"id": "c1552a7b-efe9-4a45-8168-72489e44a3f3",

"name": "Lightning-8483qawudl\\Lightning",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

}

},

{

"createdAt": "2022-06-15T09:52:37.921Z",

"groups": {

"items": [

{

"displayName": "Group 2-Updated",

"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",

"name": "Group 2-Updated"

}

],

"itemsCount": 1,

"total": 1

},

"id": "69d3d421-f4cc-4a24-b093-8b2e5c6d20a4",

"name": "Lightning-gm4vu3jxek\\Lightning",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

}

},

{

"createdAt": "2022-07-07T06:18:55.746Z",

"groups": {

"items": [

{

"displayName": "Group 2-Updated",

"id": "6ed5e258-b427-4fa0-a9cf-568d130796c3",

"name": "Group 2-Updated"

}

],

"itemsCount": 1,

"total": 1

},

"id": "9f59b08a-2cfd-476a-af9e-f1c039284c09",

"name": "Lightning-nlr7f2n6zd\\Lightning",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

}

}

]

}

}

}

Human Readable Output

Total Records: 4

Page: 1/1

Listed 4 User(s) in Usergroup:

id	name	email
86e0ae0f-77ef-423a-bbbf-d95e49edd468	Administrator	ruqdxvd1g7@lightning.example.com
c1552a7b-efe9-4a45-8168-72489e44a3f3	Lightning-8483qawudl\Lightning
69d3d421-f4cc-4a24-b093-8b2e5c6d20a4	Lightning-gm4vu3jxek\Lightning
9f59b08a-2cfd-476a-af9e-f1c039284c09	Lightning-nlr7f2n6zd\Lightning

sophos-central-usergroups-get

---

Returns the details of the GroupID specified.

Base Command

sophos-central-usergroups-get

Input

Argument Name	Description	Required
groupId	Unique ID of the group whose details to be retrieved (You can retrieve the group ID from the sophos-central-usergroups-list).	Required

Context Output

Path	Type	Description
SophosCentral.UserGroups.id	String	Group ID.
SophosCentral.UserGroups.name	String	Group name.
SophosCentral.UserGroups.displayName	String	Group display name.
SophosCentral.UserGroups.description	String	Group description.
SophosCentral.UserGroups.groups.total	Number	Count of total groups.
SophosCentral.UserGroups.groups.itemsCount	Number	Count of items.
SophosCentral.UserGroups.source.type	String	Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory
SophosCentral.UserGroups.usersTotal	Number	Total count of users.
SophosCentral.UserGroups.usersItemsCount	Number	Count of items.
SophosCentral.UserGroups.users.id	String	User ID.
SophosCentral.UserGroups.users.name	String	User Name.
SophosCentral.UserGroups.tenant.id	String	Tenant ID.
SophosCentral.UserGroups.createdAt	Date	When the group was created.
SophosCentral.UserGroups.updatedAt	Date	When the group was last updated.

Command example

!sophos-central-usergroups-get groupId="733cce06-5ad0-487b-9547-03af02b5722e"

Context Example

{

"SophosCentral": {

"UserGroups": {

"createdAt": "2022-10-06T06:19:13.462Z",

"description": "NewDescriptionReadMe",

"displayName": "NewGroupNameReadMe",

"groups": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-06T06:42:24.713Z",

"users": [

{

"id": "f9029e98-311a-4c19-9908-15bafff9f39f",

"name": "Domain\\User"

},

{

"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",

"name": "GREEN\\testUser"

},

{

"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",

"name": "Administrator"

},

{

"id": "1e6754d7-08a5-46e5-a6c1-006a96d4eb48",

"name": "Group 04/10/22"

}

],

"usersItemsCount": 4,

"usersTotal": 4

}

}

}

Human Readable Output

Found User Groups

id	name	description	sourceType
733cce06-5ad0-487b-9547-03af02b5722e	NewGroupNameReadMe	NewDescriptionReadMe	custom

sophos-central-usergroups-create

---

Creates a new “custom” (Centrally Managed) Group

Base Command

sophos-central-usergroups-create

Input

Argument Name	Description	Required
groupName	Provide a unique name of the group to create a usergroup in a directory.	Required
description	Description of the user group.	Optional
userIds	Comma-separated list of User UUIDs. Maximum 1000 unique User IDs are allowed (You can retrieve the userIds from the sophos-central-users-list).	Optional

Context Output

Path	Type	Description
SophosCentral.UserGroups.id	String	Group ID.
SophosCentral.UserGroups.name	String	Group name.
SophosCentral.UserGroups.displayName	String	Group display name.
SophosCentral.UserGroups.description	String	Group description.
SophosCentral.UserGroups.groups.total	Number	Total count of groups.
SophosCentral.UserGroups.groups.itemsCount	Number	Count of items.
SophosCentral.UserGroups.source.type	String	Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory
SophosCentral.UserGroups.usersTotal	Number	Total count of users.
SophosCentral.UserGroups.usersItemsCount	Number	Count of items.
SophosCentral.UserGroups.users.id	String	User ID.
SophosCentral.UserGroups.users.name	String	User Name.
SophosCentral.UserGroups.tenant.id	String	Tenant ID.
SophosCentral.UserGroups.createdAt	Date	When the group was created.
SophosCentral.UserGroups.updatedAt	Date	When the group was last updated.

Command example

!sophos-central-usergroups-create groupName=GroupNameTestReadMe groupDescription=GroupDescriptionReadMe userIds="86e0ae0f-77ef-423a-bbbf-d95e49edd468"

Context Example

{

"SophosCentral": {

"UserGroups": {

"createdAt": "2022-10-06T06:42:22.023Z",

"id": "03d1fcb2-246e-4307-b570-82dcf9083686",

"name": "GroupNameTestReadMe",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-06T06:42:22.023Z",

"users": [

{

"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",

"name": "Administrator"

}

],

"usersItemsCount": 1,

"usersTotal": 1

}

}

}

Human Readable Output

Successfully created a user group with ID: 03d1fcb2-246e-4307-b570-82dcf9083686.

sophos-central-usergroups-update

---

Allows for the editing of the group name and description for a usergroup.

Base Command

sophos-central-usergroups-update

Input

Argument Name	Description	Required
groupId	Unique ID of the group whose details to be updated (You can retrieve the group ID from the sophos-central-usergroups-list).	Required
groupName	Group Name.	Required
description	Group Description.	Optional

Context Output

Path	Type	Description
SophosCentral.UserGroups.id	String	Group ID.
SophosCentral.UserGroups.name	String	Group name.
SophosCentral.UserGroups.displayName	String	Group display name.
SophosCentral.UserGroups.description	String	Group description.
SophosCentral.UserGroups.groups.total	Number	Total count of groups.
SophosCentral.UserGroups.groups.itemsCount	Number	Count of items.
SophosCentral.UserGroups.source.type	String	Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory
SophosCentral.UserGroups.usersTotal	Number	Total count of users.
SophosCentral.UserGroups.usersItemsCount	Number	Count of items.
SophosCentral.UserGroups.users.id	String	User ID.
SophosCentral.UserGroups.users.name	String	User Name.
SophosCentral.UserGroups.tenant.id	String	Tenant ID.
SophosCentral.UserGroups.createdAt	Date	When the group was created.
SophosCentral.UserGroups.updatedAt	Date	When the group was last updated.

Command example

!sophos-central-usergroups-update groupId="733cce06-5ad0-487b-9547-03af02b5722e" groupName=NewGroupNameReadMe description=NewDescriptionReadMe

Context Example

{

"SophosCentral": {

"UserGroups": {

"createdAt": "2022-10-06T06:19:13.462Z",

"description": "NewDescriptionReadMe",

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-06T06:42:24.713Z",

"users": [

{

"id": "f9029e98-311a-4c19-9908-15bafff9f39f",

"name": "Domain\\User"

},

{

"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",

"name": "GREEN\\testUser"

},

{

"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",

"name": "Administrator"

},

{

"id": "1e6754d7-08a5-46e5-a6c1-006a96d4eb48",

"name": "Group 04/10/22"

}

],

"usersItemsCount": 4,

"usersTotal": 4

}

}

}

Human Readable Output

Successfully updated the user group with ID: 733cce06-5ad0-487b-9547-03af02b5722e.

sophos-central-usergroups-delete

---

Deletes the specified group.

Base Command

sophos-central-usergroups-delete

Input

Argument Name	Description	Required
groupId	Unique id of the usergroup to be deleted. Users in the usergroup should be removed first in order to delete the usergroup (You can retrieve the group ID from the sophos-central-usergroups-list).	Required

Context Output

Path	Type	Description
SophosCentral.DeletedUserGroups.deletedUserGroupId	String	Deleted Group ID.

Command example

!sophos-central-usergroups-delete groupId="0210d539-66ab-46ac-afa2-eb8928856340"

Context Example

{

"SophosCentral": {

"UserGroups": {

"deletedUserGroupId": "0210d539-66ab-46ac-afa2-eb8928856340"

}

}

}

Human Readable Output

Successfully deleted the user group with ID: 0210d539-66ab-46ac-afa2-eb8928856340.

sophos-central-usergroups-list

---

Returns a list of all user groups that match the search criteria (optional).

Base Command

sophos-central-usergroups-list

Input

Argument Name	Description	Required
groupsIds	Comma separated list of group UUIDs.	Optional
search	Search for items that match the given terms.	Optional
searchFields	Search only within the allowed comma-separated field values. When not specified, the default behavior is to search group by names only. The following are Group fields values allowed to be searched:- name,description.	Optional
domain	List the items that match the given domain.	Optional
sourceType	Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed:- custom, activeDirectory, azureActiveDirectory. Possible values are: custom, activeDirectory, azureActiveDirectory.	Optional
userId	Search groups associated with the given user ID.	Optional
page	The page number to fetch. Default is "1". Default is 1.	Optional
pageSize	Size of the page requested. Default is "50". Maximum is "100". Default is 50.	Optional

Context Output

Path	Type	Description
SophosCentral.UserGroups.id	String	Group ID.
SophosCentral.UserGroups.name	String	Group name.
SophosCentral.UserGroups.displayName	String	Group display name.
SophosCentral.UserGroups.description	String	Group description.
SophosCentral.UserGroups.groups.total	Number	Total Count of groups.
SophosCentral.UserGroups.groups.itemsCount	Number	Count of items.
SophosCentral.UserGroups.source.type	String	Types of sources of directory information. All users and groups created using this API have the source type custom. All users and groups synced from Active Directory or Azure Active Directory have the source type activeDirectory or azureActiveDirectory. The following values are allowed: custom, activeDirectory, azureActiveDirectory
SophosCentral.UserGroups.usersTotal	Number	Total count of users.
SophosCentral.UserGroups.usersItemsCount	Number	Count of items.
SophosCentral.UserGroups.users.id	String	User ID.
SophosCentral.UserGroups.users.name	String	User Name.
SophosCentral.UserGroups.tenant.id	String	Tenant ID.
SophosCentral.UserGroups.createdAt	Date	When the group was created.
SophosCentral.UserGroups.updatedAt	Date	When the group was last updated.

Command example

!sophos-central-usergroups-list groupsIds="733cce06-5ad0-487b-9547-03af02b5722e, 03d1fcb2-246e-4307-b570-82dcf9083686" search=GroupName searchFields=name,description sourceType=custom userId="86e0ae0f-77ef-423a-bbbf-d95e49edd468" page=1 pageSize=10

Context Example

{

"SophosCentral": {

"UserGroups": [

{

"createdAt": "2022-10-06T06:42:22.023Z",

"displayName": "GroupNameTestReadMe",

"groups": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "03d1fcb2-246e-4307-b570-82dcf9083686",

"name": "GroupNameTestReadMe",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-06T06:42:22.023Z",

"users": [

{

"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",

"name": "Administrator"

}

],

"usersItemsCount": 1,

"usersTotal": 1

},

{

"createdAt": "2022-10-06T06:19:13.462Z",

"description": "NewDescriptionReadMe",

"displayName": "NewGroupNameReadMe",

"groups": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-06T06:42:24.713Z",

"users": [

{

"id": "f9029e98-311a-4c19-9908-15bafff9f39f",

"name": "Domain\\User"

},

{

"id": "09c515b2-009e-4e78-a83f-a5423e6def9a",

"name": "GREEN\\testUser"

},

{

"id": "86e0ae0f-77ef-423a-bbbf-d95e49edd468",

"name": "Administrator"

},

{

"id": "1e6754d7-08a5-46e5-a6c1-006a96d4eb48",

"name": "Group 04/10/22"

}

],

"usersItemsCount": 4,

"usersTotal": 4

}

]

}

}

Human Readable Output

Total Records: 2

Page: 1/1

Listed 2 User Groups:

id	name	description	sourceType
03d1fcb2-246e-4307-b570-82dcf9083686	GroupNameTestReadMe		custom
733cce06-5ad0-487b-9547-03af02b5722e	NewGroupNameReadMe	NewDescriptionReadMe	custom

sophos-central-group-membership-get

---

Get endpoints in a group.

Base Command

sophos-central-group-membership-get

Input

Argument Name	Description	Required
groupId	UUID of Endpoint group ID.(You can retrieve endpoint group-id from sophos-central-group-list command).	Required

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.id	String	Group ID.
SophosCentral.EndpointGroups.type	String	Endpoint group types.
SophosCentral.EndpointGroups.tenant.id	String	Tenant ID.
SophosCentral.EndpointGroups.hostname	String	Hostname of the endpoint.
SophosCentral.EndpointGroups.os.isServer	Boolean	Whether the OS is a server OS.
SophosCentral.EndpointGroups.os.platform	String	OS platform type.
SophosCentral.EndpointGroups.os.name	String	OS name as reported by the endpoint.
SophosCentral.EndpointGroups.os.majorVersion	Number	OS major version.
SophosCentral.EndpointGroups.os.minorVersion	Number	OS minor version.
SophosCentral.EndpointGroups.os.build	Number	OS build.
SophosCentral.EndpointGroups.ipv4Addresses	String	List of IPv4 addresses.
SophosCentral.EndpointGroups.ipv6Addresses	String	List of IPv6 addresses.
SophosCentral.EndpointGroups.macAddresses	String	List of MAC addresses.
SophosCentral.EndpointGroups.group.name	String	Endpoint group name.
SophosCentral.EndpointGroups.group.id	String	Unique ID for endpoint group.
SophosCentral.EndpointGroups.associatedPerson.name	String	Person's name.
SophosCentral.EndpointGroups.associatedPerson.viaLogin	String	Person's login on the endpoint.
SophosCentral.EndpointGroups.associatedPerson.id	String	Unique ID for endpoint group.
SophosCentral.EndpointGroups.tamperProtectionEnabled	Boolean	Whether Tamper Protection is turned on.
SophosCentral.EndpointGroups.lastSeenAt	Date	Date and time (UTC) when the endpoint last communicated with Sophos Central.

Command example

!sophos-central-group-membership-get groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af"

Context Example

{

"SophosCentral": {

"EndpointGroups": [

{

"assignedProducts": [],

"associatedPerson": {

"id": "4af78a04-659d-4b68-8ab4-5e1c1bfd7672",

"name": "Lightning-efxqeo9t2w\\Lightning",

"viaLogin": "Lightning-efxqeo9t2w\\Lightning"

},

"group": {

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",

"name": "Name-readme2-update"

},

"hostname": "Lightning-uz1lwmqwqk",

"id": "1abcf612-d426-457b-8088-10d921112f1b",

"ipv4Addresses": [

"8.8.8.8"

],

"ipv6Addresses": [

"fe80::ad60:91b0:95fb:2c22"

],

"lastSeenAt": "2022-07-07T06:35:20.897Z",

"macAddresses": [

"00:50:56:83:08:E2"

],

"os": {

"build": 19044,

"isServer": false,

"majorVersion": 10,

"minorVersion": 0,

"name": "Windows 10 Enterprise",

"platform": "windows"

},

"tamperProtectionEnabled": false,

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer"

},

{

"assignedProducts": [],

"associatedPerson": {

"id": "120ca229-fa0d-4aa7-9dec-206b6099e974",

"name": "Lightning-pa0tcy4opl\\Lightning",

"viaLogin": "Lightning-pa0tcy4opl\\Lightning"

},

"group": {

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",

"name": "Name-readme2-update"

},

"hostname": "Lightning-r8s9l77e5g",

"id": "3413a306-5227-40f1-8b86-53195d927566",

"ipv4Addresses": [

"8.8.8.8"

],

"ipv6Addresses": [

"fe80::ad60:91b0:95fb:2c22"

],

"lastSeenAt": "2022-07-07T06:11:57.505Z",

"macAddresses": [

"00:50:56:83:08:E2"

],

"os": {

"build": 19044,

"isServer": false,

"majorVersion": 10,

"minorVersion": 0,

"name": "Windows 10 Enterprise",

"platform": "windows"

},

"tamperProtectionEnabled": false,

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer"

}

]

}

}

Human Readable Output

Fetched 2 Endpoint(s) Successfully

id	type	hostname
1abcf612-d426-457b-8088-10d921112f1b	computer	Lightning-uz1lwmqwqk
3413a306-5227-40f1-8b86-53195d927566	computer	Lightning-r8s9l77e5g

sophos-central-group-create

---

Create a new endpoint group.

Base Command

sophos-central-group-create

Input

Argument Name	Description	Required
name	Group name.	Required
description	Group description.	Optional
type	Group type. The following values are allowed: computer, server. Possible values are: server, computer.	Required
endpointIds	Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from sophos-central-endpoint-list command).	Optional

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.id	String	Group ID.
SophosCentral.EndpointGroups.name	String	Group name.
SophosCentral.EndpointGroups.description	String	Group description.
SophosCentral.EndpointGroups.type	String	Endpoint group types.
SophosCentral.EndpointGroups.endpoints.total	Number	Total number of endpoints in this group.
SophosCentral.EndpointGroups.endpoints.itemsCount	Number	Total number of items in the list.
SophosCentral.EndpointGroups.tenant.id	String	Tenant ID.
SophosCentral.EndpointGroups.createdAt	Date	When the group was created.

Command example

!sophos-central-group-create name="Name-readme2" description=description type=computer endpointIds="3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"

Context Example

{

"SophosCentral": {

"EndpointGroups": {

"createdAt": "2022-10-06T09:38:16.651Z",

"description": "description",

"endpoints": {

"items": [

{

"hostname": "Lightning-uz1lwmqwqk",

"id": "1abcf612-d426-457b-8088-10d921112f1b"

},

{

"hostname": "Lightning-r8s9l77e5g",

"id": "3413a306-5227-40f1-8b86-53195d927566"

}

],

"itemsCount": 2,

"total": 2

},

"id": "3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d",

"name": "Name-readme2",

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer"

}

}

}

Human Readable Output

EndpointGroup Created Successfully

id	name	type
3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d	Name-readme2	computer

sophos-central-group-update

---

Update an endpoint group.

Base Command

sophos-central-group-update

Input

Argument Name	Description	Required
name	Group name.	Optional
description	Group description.	Optional
groupId	UUID of Endpoint group ID.	Required

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.id	String	Group ID.
SophosCentral.EndpointGroups.name	String	Group name.
SophosCentral.EndpointGroups.description	String	Group description.
SophosCentral.EndpointGroups.type	String	Endpoint group types.
SophosCentral.EndpointGroups.endpoints.total	Number	Total number of endpoints in this group.
SophosCentral.EndpointGroups.endpoints.itemsCount	Number	Total number of items in the list.
SophosCentral.EndpointGroups.tenant.id	String	Tenant ID.
SophosCentral.EndpointGroups.createdAt	Date	When the group was created.
SophosCentral.EndpointGroups.updatedAt	Date	When the group was updated.

Command example

!sophos-central-group-update name="Name-readme2-update" groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af"

Context Example

{

"SophosCentral": {

"EndpointGroups": {

"createdAt": "2022-10-06T09:16:51.382Z",

"description": "description",

"endpoints": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",

"name": "Name-readme2-update",

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer",

"updatedAt": "2022-10-06T09:38:19.776Z"

}

}

}

Human Readable Output

EndpointGroup Updated Successfully

id	name	description
f1ff9020-f101-42c7-a5eb-06e9ef35e7af	Name-readme2-update	description

sophos-central-group-get

---

Get an endpoint group by ID.

Base Command

sophos-central-group-get

Input

Argument Name	Description	Required
groupId	UUID of Endpoint group ID.	Required

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.id	String	Group ID.
SophosCentral.EndpointGroups.name	String	Group name.
SophosCentral.EndpointGroups.description	String	Group description.
SophosCentral.EndpointGroups.type	String	Endpoint group types.
SophosCentral.EndpointGroups.endpoints.total	Number	Total number of endpoints in this group.
SophosCentral.EndpointGroups.endpoints.itemsCount	Number	Total number of items in the list.
SophosCentral.EndpointGroups.tenant.id	String	Tenant ID.
SophosCentral.EndpointGroups.createdAt	Date	When the group was created.
SophosCentral.EndpointGroups.updatedAt	Date	When the group was updated.

Command example

!sophos-central-group-get groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af"

Context Example

{

"SophosCentral": {

"EndpointGroups": {

"createdAt": "2022-10-06T09:16:51.382Z",

"description": "description",

"endpoints": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",

"name": "Name-readme2-update",

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer",

"updatedAt": "2022-10-06T09:38:19.776Z"

}

}

}

Human Readable Output

Fetched EndpointGroup Successfully

description	name
description	Name-readme2-update

sophos-central-group-endpoints-add

---

Add endpoints in a group.

Base Command

sophos-central-group-endpoints-add

Input

Argument Name	Description	Required
groupId	UUID of Endpoint group ID.(You can retrieve endpoint group-id from sophos-central-group-list command).	Required
endpointIds	Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from sophos-central-endpoint-list command).	Required

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.endpoints.id	String	Unique endpoint ID.
SophosCentral.EndpointGroups.endpoints.hostname	String	Endpoint hostname.
SophosCentral.EndpointGroups.id	String	Unique group ID.

Command example

!sophos-central-group-endpoints-add groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af" ids="3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"

Context Example

{

"SophosCentral": {

"EndpointGroups": {

"endpoints": [

{

"hostname": "Lightning-r8s9l77e5g",

"id": "3413a306-5227-40f1-8b86-53195d927566"

},

{

"hostname": "Lightning-uz1lwmqwqk",

"id": "1abcf612-d426-457b-8088-10d921112f1b"

}

],

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af"

}

}

}

Human Readable Output

2 Endpoint(s) Added Successfully

id	hostname
3413a306-5227-40f1-8b86-53195d927566	Lightning-r8s9l77e5g
1abcf612-d426-457b-8088-10d921112f1b	Lightning-uz1lwmqwqk

sophos-central-group-endpoint-remove

---

Remove endpoint from a group.

Base Command

sophos-central-group-endpoint-remove

Input

Argument Name	Description	Required
groupId	UUID of Endpoint group ID.(You can retrieve endpoint group-id from sophos-central-group-list command).	Required
endpointId	Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from sophos-central-endpoint-list command).	Required

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.removedEndpoint	Boolean	EndpointId of removed endpoint.
SophosCentral.EndpointGroups.id	String	Group Id.

Command example

!sophos-central-group-endpoint-remove groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af" endpointId="3413a306-5227-40f1-8b86-53195d927566"

Context Example

{

"SophosCentral": {

"EndpointGroups": {

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",

"removedEndpoint": "3413a306-5227-40f1-8b86-53195d927566"

}

}

}

Human Readable Output

Endpoint removed successfully

sophos-central-group-endpoints-remove

---

Remove endpoints from a group.

Base Command

sophos-central-group-endpoints-remove

Input

Argument Name	Description	Required
groupId	UUID of Endpoint group ID.(You can retrieve endpoint group-id from sophos-central-group-list command).	Required
endpointIds	Comma-separated list of endpoint IDs. (You can retrieve endpoint IDs from sophos-central-endpoint-list command).	Required

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.endpoints.id	String	Unique endpoint ID.
SophosCentral.EndpointGroups.endpoints.hostname	String	Endpoint hostname.
SophosCentral.EndpointGroups.id	String	Unique group ID.
SophosCentral.EndpointGroups.removedEndpoints	String	List of removed EndpointIds from the group.

Command example

!sophos-central-group-endpoints-remove groupId="f1ff9020-f101-42c7-a5eb-06e9ef35e7af" ids="3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"

Context Example

{

"SophosCentral": {

"EndpointGroups": {

"endpoints": [

{

"hostname": "Lightning-uz1lwmqwqk",

"id": "1abcf612-d426-457b-8088-10d921112f1b"

}

],

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",

"removedEndpoints": "3413a306-5227-40f1-8b86-53195d927566,1abcf612-d426-457b-8088-10d921112f1b"

}

}

}

Human Readable Output

1 EndPoint(s) Removed Successfully

id	hostname
1abcf612-d426-457b-8088-10d921112f1b	Lightning-uz1lwmqwqk

sophos-central-group-list

---

List endpoint groups.

Base Command

sophos-central-group-list

Input

Argument Name	Description	Required
page_size	The maximum size of the page requested. Default is "50". Maximum is "1000". Default is 50.	Optional
page	Page number to return. Default is "1". Default is 1.	Optional

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.id	String	Group ID.
SophosCentral.EndpointGroups.name	String	Group name.
SophosCentral.EndpointGroups.type	String	Endpoint group types.
SophosCentral.EndpointGroups.endpoints.total	Number	Total number of endpoints in this group.
SophosCentral.EndpointGroups.endpoints.itemsCount	Number	Total number of items in the list.
SophosCentral.EndpointGroups.tenant.id	String	Tenant ID.
SophosCentral.EndpointGroups.createdAt	Date	When the group was created.
SophosCentral.EndpointGroups.description	String	Group description.

Command example

!sophos-central-group-list page_size=10

Context Example

{

"SophosCentral": {

"EndpointGroups": [

{

"createdAt": "2022-10-06T09:06:16.825Z",

"description": "description",

"endpoints": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "b8c0428e-a422-4db6-a72f-5af4844ed418",

"name": "Name-readme",

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer"

},

{

"createdAt": "2022-10-06T09:37:33.566Z",

"description": "description",

"endpoints": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "b3dec702-5d56-4cb9-8961-b0dba3194c94",

"name": "Name-readme-temp",

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer"

},

{

"createdAt": "2022-10-06T09:38:16.651Z",

"description": "description",

"endpoints": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d",

"name": "Name-readme2",

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer",

"updatedAt": "2022-10-06T09:38:27.895Z"

},

{

"createdAt": "2022-10-06T09:16:51.382Z",

"description": "description",

"endpoints": {

"items": [],

"itemsCount": 0,

"total": 0

},

"id": "f1ff9020-f101-42c7-a5eb-06e9ef35e7af",

"name": "Name-readme2-update",

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"type": "computer",

"updatedAt": "2022-10-06T09:38:32.519Z"

}

]

}

}

Human Readable Output

Found 4 records

Page : 1/1

Listed 4 EndpointGroups:

id	name	type	count
b8c0428e-a422-4db6-a72f-5af4844ed418	Name-readme	computer	0
b3dec702-5d56-4cb9-8961-b0dba3194c94	Name-readme-temp	computer	0
3ba49c2c-2c05-4e39-8ff4-ed0488fe0a3d	Name-readme2	computer	0
f1ff9020-f101-42c7-a5eb-06e9ef35e7af	Name-readme2-update	computer	0

sophos-central-group-delete

---

Delete an endpoint group by ID.

Base Command

sophos-central-group-delete

Input

Argument Name	Description	Required
groupId	UUID of Endpoint group ID.(You can retrieve endpoint group-id from sophos-central-group-list command).	Required

Context Output

Path	Type	Description
SophosCentral.EndpointGroups.deleted	Boolean	Endpoint group deleted.
SophosCentral.EndpointGroups.id	String	Group Id.

Command example

!sophos-central-group-delete groupId="b3dec702-5d56-4cb9-8961-b0dba3194c94"

Context Example

{

"SophosCentral": {

"EndpointGroups": {

"deleted": true,

"id": "b3dec702-5d56-4cb9-8961-b0dba3194c94"

}

}

}

Human Readable Output

EndpointGroup Deleted Successfully

sophos-central-users-list

---

List users for the given tenant.

Base Command

sophos-central-users-list

Input

Argument Name	Description	Required
pageSize	The maximum number of items to return. Default is "50". Maximum is "100". Default is 50.	Optional
page	Page number to return. Default is "1". Default is 1.	Optional
search	Search for items that match the given terms.	Optional
searchFields	Search only within the specified comma-seperated field values. The following values are allowed: name, firstName, lastName, email, exchangeLogin When not specified, the default behavior is to search the full names of users, only.	Optional
sourceType	Types of sources of directory information. The following values are allowed: custom, activeDirectory, azureActiveDirectory. Possible values are: custom, activeDirectory, azureActiveDirectory.	Optional
groupId	Search for users in a group that has this ID (You can get the group ID from sophos-central-usergroups-list command).	Optional
domain	List the items that match the given domain.	Optional

Context Output

Path	Type	Description
SophosCentral.Users.id	String	User ID.
SophosCentral.Users.name	String	User's name.
SophosCentral.Users.firstName	String	User's first name or given name.
SophosCentral.Users.lastName	String	User's last name or surname.
SophosCentral.Users.email	String	User's email address.
SophosCentral.Users.groups.total	Number	Total users
SophosCentral.Users.groups.itemsCount	Number	Total number of groups in which user is exists.
SophosCentral.Users.groups.items.id	string	Group ID.
SophosCentral.Users.groups.items.name	string	Group name.
SophosCentral.Users.groups.items.displayName	string	Group display name.
SophosCentral.Users.tenant.id	String	Tenant ID.
SophosCentral.Users.source.type	String	SourceType of the user.
SophosCentral.Users.createdAt	Date	When the user was created.

Command example

!sophos-central-users-list searchFields="firstname, lastname, email" search="playbook" pageSize=5

Context Example

{

"SophosCentral": {

"Users": [

{

"createdAt": "2022-10-10T12:30:57.876Z",

"email": "updatedemail.forplaybook@playbook.com",

"exchangeLogin": "",

"firstName": "updatedPlaybook",

"groups": {

"items": [

{

"displayName": "NewGroupNameReadMe",

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe"

}

],

"itemsCount": 1,

"total": 1

},

"id": "4c994c63-c252-4ac9-8840-bcccb095d5a2",

"lastName": "updatedTest",

"name": "playbook test",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-10T12:41:24.568Z"

},

{

"createdAt": "2022-10-10T12:31:46.606Z",

"email": "email.forplaybook1@playbook.com",

"exchangeLogin": "",

"firstName": "playbook",

"groups": {

"items": [

{

"displayName": "NewGroupNameReadMe",

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe"

}

],

"itemsCount": 1,

"total": 1

},

"id": "111a4a5c-4c9e-449e-88fb-19a2ce5752c6",

"lastName": "test",

"name": "playbook test",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-10T12:31:46.609Z"

},

{

"createdAt": "2022-10-10T12:48:23.980Z",

"email": "email.forplaybook2@playbook.com",

"exchangeLogin": "",

"firstName": "playbook",

"groups": {

"items": [

{

"displayName": "NewGroupNameReadMe",

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe"

}

],

"itemsCount": 1,

"total": 1

},

"id": "f6032b13-f001-4bae-adf2-a0fb6f344fbd",

"lastName": "test",

"name": "playbook test",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-10T12:48:23.982Z"

}

]

}

}

Human Readable Output

Total Records: 3

Page: 1/1

Listed 3 User(s):

id	firstName	lastName	email	groupIds	groupNames
4c994c63-c252-4ac9-8840-bcccb095d5a2	updatedPlaybook	updatedTest	updatedemail.forplaybook@playbook.com	733cce06-5ad0-487b-9547-03af02b5722e	NewGroupNameReadMe
111a4a5c-4c9e-449e-88fb-19a2ce5752c6	playbook	test	email.forplaybook1@playbook.com	733cce06-5ad0-487b-9547-03af02b5722e	NewGroupNameReadMe
f6032b13-f001-4bae-adf2-a0fb6f344fbd	playbook	test	email.forplaybook2@playbook.com	733cce06-5ad0-487b-9547-03af02b5722e	NewGroupNameReadMe

sophos-central-users-get

---

List user with userId for the given tenant.

Base Command

sophos-central-users-get

Input

Argument Name	Description	Required
userId	Unique User UUID (You can get the user ID from sophos-central-users-list command).	Required

Context Output

Path	Type	Description
SophosCentral.Users.id	String	User ID.
SophosCentral.Users.name	String	User's name.
SophosCentral.Users.firstName	String	User's first name or given name.
SophosCentral.Users.lastName	String	User's last name or surname.
SophosCentral.Users.email	String	User's email address.
SophosCentral.Users.groups.total	Number	Total users.
SophosCentral.Users.groups.itemsCount	Number	Total number of groups in which user is exists.
SophosCentral.Users.groups.items.id	string	Group ID.
SophosCentral.Users.groups.items.name	string	Group name.
SophosCentral.Users.groups.items.displayName	string	Group display name.
SophosCentral.Users.tenant.id	String	Tenant ID.
SophosCentral.Users.source.type	String	SourceType of the user.
SophosCentral.Users.createdAt	Date	When the user was created.
SophosCentral.Users.updatedAt	Date	When the user was updated.

Command example

!sophos-central-users-get userId=4c994c63-c252-4ac9-8840-bcccb095d5a2

Context Example

{

"SophosCentral": {

"Users": {

"email": "updatedemail.forplaybook@playbook.com",

"exchangeLogin": "",

"firstName": "updatedPlaybook",

"groupIds": [

"733cce06-5ad0-487b-9547-03af02b5722e"

],

"groupNames": [

"NewGroupNameReadMe"

],

"id": "4c994c63-c252-4ac9-8840-bcccb095d5a2",

"lastName": "updatedTest"

}

}

}

Human Readable Output

Found User:

id	firstName	lastName	email	exchangeLogin	groupIds	groupNames
4c994c63-c252-4ac9-8840-bcccb095d5a2	updatedPlaybook	updatedTest	updatedemail.forplaybook@playbook.com		733cce06-5ad0-487b-9547-03af02b5722e	NewGroupNameReadMe

sophos-central-users-add

---

Add a new user.

Base Command

sophos-central-users-add

Input

Argument Name	Description	Required
firstName	First Name of the user. This must not include a space. Maximum length should be 250 characters.	Required
lastName	Last Name of the user. This must not include a space. Maximum length should be 250 characters.	Required
email	Email Address of the user.	Required
exchangeLogin	Exchange Login for the user.	Optional
groupIds	Comma-separated list of GroupIds to be enrolled in (You can get the list of user IDs from sophos-central-usergroups-list command).	Optional

Context Output

Path	Type	Description
SophosCentral.Users.id	String	User ID.
SophosCentral.Users.name	String	User's name.
SophosCentral.Users.firstName	String	User's first name or given name.
SophosCentral.Users.lastName	String	User's last name or surname.
SophosCentral.Users.email	String	User's email address.
SophosCentral.Users.groups.total	Number	Total users.
SophosCentral.Users.groups.itemsCount	Number	Total number of groups in which user is exists.
SophosCentral.Users.groups.items.id	string	Group ID.
SophosCentral.Users.groups.items.name	string	Group name.
SophosCentral.Users.groups.items.displayName	string	Group display name.
SophosCentral.Users.tenant.id	String	Tenant ID.
SophosCentral.Users.source.type	String	SourceType of the user.
SophosCentral.Users.createdAt	Date	When the user was created.
SophosCentral.Users.updatedAt	Date	When the user was updated.

Command example

!sophos-central-users-add firstName=playbook lastName=test email=email.forplaybook2@playbook.com groupIds=733cce06-5ad0-487b-9547-03af02b5722e

Context Example

{

"SophosCentral": {

"Users": {

"createdAt": "2022-10-10T12:48:23.980Z",

"email": "email.forplaybook2@playbook.com",

"exchangeLogin": "",

"firstName": "playbook",

"groups": {

"items": [

{

"displayName": "NewGroupNameReadMe",

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe"

}

],

"itemsCount": 1,

"total": 1

},

"id": "f6032b13-f001-4bae-adf2-a0fb6f344fbd",

"lastName": "test",

"name": "playbook test",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-10T12:48:23.982Z"

}

}

}

Human Readable Output

A new User was added to the Directory.

sophos-central-users-update

---

Update a user.

Base Command

sophos-central-users-update

Input

Argument Name	Description	Required
userId	Unique User UUID (You can get the user ID from sophos-central-users-list command).	Required
name	User's fullname.	Optional
firstName	First Name of the user. This must not include a space. Maximum length should be 250 characters.	Optional
lastName	Last Name of the user. This must not include a space. Maximum length should be 250 characters.	Optional
email	Email Address of the user.	Optional
exchangeLogin	Exchange Login for the user.	Optional

Context Output

Path	Type	Description
SophosCentral.Users.id	String	User ID.
SophosCentral.Users.name	String	User's name.
SophosCentral.Users.firstName	String	User's first name or given name.
SophosCentral.Users.lastName	String	User's last name or surname.
SophosCentral.Users.email	String	User's email address.
SophosCentral.Users.groups.total	Number	Total users.
SophosCentral.Users.groups.itemsCount	Number	Total number of groups in which user is exists.
SophosCentral.Users.groups.items.id	string	Group ID.
SophosCentral.Users.groups.items.name	string	Group name.
SophosCentral.Users.groups.items.displayName	string	Group display name.
SophosCentral.Users.tenant.id	String	Tenant ID.
SophosCentral.Users.source.type	String	SourceType of the user.
SophosCentral.Users.createdAt	Date	When the user was created.
SophosCentral.Users.updatedAt	Date	When the user was updated.

Command example

!sophos-central-users-update userId=4c994c63-c252-4ac9-8840-bcccb095d5a2 firstName="updatedPlaybook" lastName="updatedTest" email="updatedemail.forplaybook@playbook.com"

Context Example

{

"SophosCentral": {

"Users": {

"createdAt": "2022-10-10T12:30:57.876Z",

"email": "updatedemail.forplaybook@playbook.com",

"exchangeLogin": "",

"firstName": "updatedPlaybook",

"groups": {

"items": [

{

"displayName": "NewGroupNameReadMe",

"id": "733cce06-5ad0-487b-9547-03af02b5722e",

"name": "NewGroupNameReadMe"

}

],

"itemsCount": 1,

"total": 1

},

"id": "4c994c63-c252-4ac9-8840-bcccb095d5a2",

"lastName": "updatedTest",

"name": "playbook test",

"source": {

"type": "custom"

},

"tenant": {

"id": "7fc4a6ac-0aa1-4c35-8d6d-9c4a0c28ec80"

},

"updatedAt": "2022-10-10T12:41:24.568Z"

}

}

}

Human Readable Output

User updated.

sophos-central-users-delete

---

Delete a user.

Base Command

sophos-central-users-delete

Input

Argument Name	Description	Required
userId	Unique User UUID (You can get user ID from sophos-central-users-list command).	Required

Context Output

Path	Type	Description
SophosCentral.DeletedUsers.deletedUserId	String	Deleted User's Id.

Command example

!sophos-central-users-delete userId=9d79e670-3846-45b7-a119-12ca1ee46933

Context Example

{

"SophosCentral": {

"DeletedUsers": {

"deletedUserId": "9d79e670-3846-45b7-a119-12ca1ee46933"

}

}

}

Human Readable Output

User deleted.

sophos-central-endpoint-policy-search

---

Get all endpoint policy.

Base Command

sophos-central-endpoint-policy-search

Input

Argument Name	Description	Required
page_size	The maximum size of the page requested. Default is "50". Maximum is "200". Default is 50.	Optional
page	Page number to return. Default is "1". Default is 1.	Optional
policy_type	Fetch the policies based on policy_type value. Possible values are: "threat-protection", "peripheral-control", "application-control", "data-loss-prevention", "device-encryption", "web-control", "agent-updating", "windows-firewall", "server-threat-protection", "server-peripheral-control", "server-application-control", "server-web-control", "server-lockdown", "server-data-loss-prevention", "server-agent-updating", "server-windows-firewall", "server-file-integrity-monitoring". Possible values are: threat-protection, peripheral-control, application-control, data-loss-prevention, device-encryption, web-control, agent-updating, windows-firewall, server-threat-protection, server-peripheral-control, server-application-control, server-web-control, server-lockdown, server-data-loss-prevention, server-agent-updating, server-windows-firewall, server-file-integrity-monitoring.	Optional

Context Output

Path	Type	Description
SophosCentral.PolicyAndEnumeration.id	String	Policy ID
SophosCentral.PolicyAndEnumeration.feature	String	Feature
SophosCentral.PolicyAndEnumeration.settings	String	Settings
SophosCentral.PolicyAndEnumeration.orderPriority	String	Order priority
SophosCentral.PolicyAndEnumeration.name	String	Name
SophosCentral.PolicyAndEnumeration.enforced	Boolean	Enforced (T
SophosCentral.PolicyAndEnumeration.typeSingle	String	Type Single
SophosCentral.PolicyAndEnumeration.typeGroup	String	Type Group
SophosCentral.PolicyAndEnumeration.lastModified	String	Last Modified

Command example

!sophos-central-endpoint-policy-search page_size=10 page=1

Context Example

{

"SophosCentral": {

"PolicyAndEnumeration": [

{

"enforced": false,

"feature": "agent-updating",

"id": "67074d6e-ce83-40c2-a7f4-8a94a1beac10",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned 3)",

"orderPriority": 9,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "b3715f16-b675-4978-927d-2e0fb206b6e9",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned 3)",

"orderPriority": 8,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "e4a9ec1e-a5e3-4072-825f-701b8e1e33fe",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned 3)",

"orderPriority": 7,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "df3bdaa7-c156-4580-baa6-30e2bf118502",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned 2)",

"orderPriority": 6,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "c4887d95-d099-4ae1-9290-1fe316a24d59",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned)",

"orderPriority": 5,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "a18aafe1-eb86-46c0-ba2f-1f64f1e5b16e",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned 2)",

"orderPriority": 4,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "694f8591-217c-44a0-99f1-f7331bf1bf33",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "12",

"orderPriority": 3,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "09eff4b3-14f1-4a42-a47c-c0382066d094",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned 2)",

"orderPriority": 2,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": false,

"feature": "agent-updating",

"id": "875166af-1848-463a-a853-bed673cad119",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned)",

"orderPriority": 1,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

},

{

"enforced": true,

"feature": "agent-updating",

"id": "3f863d0a-4405-4c6d-a035-4215db53b087",

"lastModified": "2022-05-07T01:16:26.767Z",

"name": "Base Policy",

"orderPriority": 0,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

}

]

}

}

Human Readable Output

Total Record(s): 24

Current page: 1/3

Listed 10 Endpoint Policies:

id	feature	settings	orderPriority	name	enforced	typeSingle	typeGroup	lastModified
67074d6e-ce83-40c2-a7f4-8a94a1beac10	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	9	Base Policy (cloned 3)	false			2022-10-11T06:13:07.146Z
b3715f16-b675-4978-927d-2e0fb206b6e9	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	8	Base Policy (cloned 3)	false			2022-10-11T06:13:07.146Z
e4a9ec1e-a5e3-4072-825f-701b8e1e33fe	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	7	Base Policy (cloned 3)	false			2022-10-11T06:13:07.146Z
df3bdaa7-c156-4580-baa6-30e2bf118502	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	6	Base Policy (cloned 2)	false			2022-10-11T06:13:07.146Z
c4887d95-d099-4ae1-9290-1fe316a24d59	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	5	Base Policy (cloned)	false			2022-10-11T06:13:07.146Z
a18aafe1-eb86-46c0-ba2f-1f64f1e5b16e	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	4	Base Policy (cloned 2)	false			2022-10-11T06:13:07.146Z
694f8591-217c-44a0-99f1-f7331bf1bf33	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	3	12	false			2022-10-11T06:13:07.146Z
09eff4b3-14f1-4a42-a47c-c0382066d094	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	2	Base Policy (cloned 2)	false			2022-10-11T06:13:07.146Z
875166af-1848-463a-a853-bed673cad119	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	1	Base Policy (cloned)	false			2022-10-11T06:13:07.146Z
3f863d0a-4405-4c6d-a035-4215db53b087	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	0	Base Policy	true			2022-05-07T01:16:26.767Z

sophos-central-endpoint-policy-get

---

Get details of Policy by id.

Base Command

sophos-central-endpoint-policy-get

Input

Argument Name	Description	Required
policy_id	The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command.	Required

Context Output

Path	Type	Description
SophosCentral.PolicyAndEnumeration.id	String	Policy ID
SophosCentral.PolicyAndEnumeration.feature	String	Feature
SophosCentral.PolicyAndEnumeration.settings	String	Settings
SophosCentral.PolicyAndEnumeration.orderPriority	String	Order priority
SophosCentral.PolicyAndEnumeration.name	String	Name
SophosCentral.PolicyAndEnumeration.enforced	Boolean	Enforced (T
SophosCentral.PolicyAndEnumeration.typeSingle	String	Type Single
SophosCentral.PolicyAndEnumeration.typeGroup	String	Type Group
SophosCentral.PolicyAndEnumeration.lastModified	String	Last Modified

Command example

!sophos-central-endpoint-policy-get policy_id=67074d6e-ce83-40c2-a7f4-8a94a1beac10

Context Example

{

"SophosCentral": {

"PolicyAndEnumeration": {

"enforced": false,

"feature": "agent-updating",

"id": "67074d6e-ce83-40c2-a7f4-8a94a1beac10",

"lastModified": "2022-10-11T06:13:07.146Z",

"name": "Base Policy (cloned 3)",

"orderPriority": 9,

"settings": {

"endpoint.agent-updating.dont-use-update-caches.enabled": {

"value": false

},

"endpoint.agent-updating.fixed-version.mac": {

"value": "recommended"

},

"endpoint.agent-updating.fixed-version.windows": {

"value": "recommended"

},

"endpoint.agent-updating.scheduled-updates.day": {

"unit": "day",

"value": 3

},

"endpoint.agent-updating.scheduled-updates.enabled": {

"value": false

},

"endpoint.agent-updating.scheduled-updates.time": {

"format": "hourMinute",

"value": "14:00"

}

}

}

}

}

Human Readable Output

67074d6e-ce83-40c2-a7f4-8a94a1beac10 Policy Details:

id	feature	settings	orderPriority	name	enforced	typeSingle	typeGroup	lastModified
67074d6e-ce83-40c2-a7f4-8a94a1beac10	agent-updating	endpoint.agent-updating.dont-use-update-caches.enabled: {"value": false} endpoint.agent-updating.fixed-version.mac: {"value": "recommended"} endpoint.agent-updating.fixed-version.windows: {"value": "recommended"} endpoint.agent-updating.scheduled-updates.day: {"value": 3, "unit": "day"} endpoint.agent-updating.scheduled-updates.enabled: {"value": false} endpoint.agent-updating.scheduled-updates.time: {"value": "14:00", "format": "hourMinute"}	9	Base Policy (cloned 3)	false			2022-10-11T06:13:07.146Z

sophos-central-endpoint-policy-reorder

---

Update Policy priority for non-base policies.

Base Command

sophos-central-endpoint-policy-reorder

Input

Argument Name	Description	Required
policy_id	The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command.	Required
priority	Update Policy Order priority for non-base policies.	Required

Context Output

Path	Type	Description
SophosCentral.PolicyAndEnumeration.updatedPolicyId	String	The ID of the updated policy.

Command example

!sophos-central-endpoint-policy-reorder policy_id=67074d6e-ce83-40c2-a7f4-8a94a1beac10 priority=1

Context Example

{

"SophosCentral": {

"PolicyAndEnumeration": {

"updatedPolicyId": "67074d6e-ce83-40c2-a7f4-8a94a1beac10"

}

}

}

Human Readable Output

Success updating endpoint policy: 67074d6e-ce83-40c2-a7f4-8a94a1beac10

sophos-central-endpoint-policy-search-delete

---

Delete an existing endpoint policy.

Base Command

sophos-central-endpoint-policy-search-delete

Input

Argument Name	Description	Required
policy_id	The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command.	Required

Context Output

Path	Type	Description
SophosCentral.PolicyAndEnumeration.deletedPolicyId	String	The ID of the deleted policy.

Command example

!sophos-central-endpoint-policy-search-delete policy_id=67074d6e-ce83-40c2-a7f4-8a94a1beac10

Context Example

{

"SophosCentral": {

"PolicyAndEnumeration": {

"deletedPolicyId": "67074d6e-ce83-40c2-a7f4-8a94a1beac10"

}

}

}

Human Readable Output

Success deleting endpoint policy: 67074d6e-ce83-40c2-a7f4-8a94a1beac10

sophos-central-endpoint-policy-clone

---

Clone an existing endpoint policy.

Base Command

sophos-central-endpoint-policy-clone

Input

Argument Name	Description	Required
policy_id	The policy ID. You can find the policy_id by executing the sophos-central-endpoint-policy-search command.	Required
name	Policy name of the newly cloned policy.	Optional

Context Output

Path	Type	Description
SophosCentral.PolicyAndEnumeration.clonedPolicyId	String	The ID of the cloned policy.

Command example

!sophos-central-endpoint-policy-clone policy_id=b3715f16-b675-4978-927d-2e0fb206b6e9 name=testclonenew

Context Example

{

"SophosCentral": {

"PolicyAndEnumeration": {

"clonedPolicyId": "28d9b869-ba28-420f-87da-98a8e1b1656f"

}

}

}

Human Readable Output

Success cloning endpoint policy: 28d9b869-ba28-420f-87da-98a8e1b1656f