
# Sophos Central

This Integration is part of the Sophos Central Pack.

The unified console for managing Sophos products.

## Configure Sophos Central on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Sophos Central.
3. Click Add instance to create and configure a new integration instance.

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| credentials | Sophos client ID and secret | True |
| Tenant ID | Tenant ID on which commands are executed by default. Required when using partner/organization level credentials. | False |
| isFetch | Fetch incidents | False |
| fetch_severity | Fetch Severity | False |
| fetch_category | Fetch Category | False |
| max_fetch | Fetch Limit | False |
| fetch_time | First Fetch Time | False |
| proxy | Use system proxy settings | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### sophos-central-alert-list

List alerts.

#### Base Command

`sophos-central-alert-list`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
| SophosCentral.Alert.category | String | Alert category. |
| SophosCentral.Alert.description | String | Alert description. |
| SophosCentral.Alert.groupKey | String | Alert group key. |
| SophosCentral.Alert.id | String | The alert ID. |
| SophosCentral.Alert.managedAgentId | String | The alert source ID. |
| SophosCentral.Alert.managedAgentName | String | The alert source name. |
| SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
| SophosCentral.Alert.person | String | The ID of the referenced person object. |
| SophosCentral.Alert.personName | String | The name of the referenced person object. |
| SophosCentral.Alert.product | String | Product type. |
| SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
| SophosCentral.Alert.severity | String | Severity level for the alert. |
| SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
| SophosCentral.Alert.tenantName | String | Tenant name. |
| SophosCentral.Alert.type | String | Alert type. |

#### Command Example

`!sophos-central-alert-list limit=50`

#### Context Example

{
"SophosCentral": {
"Alert": [
{
"allowedActions": [
"clearThreat"
],
"category": "malware",
"description": "Manual cleanup required: 'EICAR-AV-Test' at 'C:\\Users\\JonDoe\\Downloads\\eicarcom2.zip'",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q2xlYW51cEZhaWxlZCwxNixFSUNBUi1BVi1UZXN0",
"id": "8e879165-81cb-4747-8608-1cc4e630a017",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T09:19:18.936Z",
"severity": "high",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::Threat::CleanupFailed"
},
{
"allowedActions": [
"clearThreat"
],
"category": "runtimeDetections",
"description": "Malicious connection detected: 'C2/Generic-B' at 'C:\\Windows\\System32\\wscript.exe' (Technical Support reference: 277413403)",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q29tbWFuZEFuZENvbnRyb2xEZXRlY3RlZCwxNixDMiUyRkdlbmVyaWMtQg",
"id": "9641ba6e-3254-4726-962d-b2bc11e04131",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T10:36:31.603Z",
"severity": "high",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::Threat::CommandAndControlDetected"
},
{
"allowedActions": [
"acknowledge"
],
"category": "updating",
"description": "Thunderbox is out of date.",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6Ok91dE9mRGF0ZSw1MTMs",
"id": "ee527ca8-cb54-4e11-b59f-2197910176f3",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T10:42:09.083Z",
"severity": "medium",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::OutOfDate"
}
]
}
}

#### Human Readable Output

##### Listed Alerts:

| id | description | severity | raisedAt | allowedActions | managedAgentId | category | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 8e879165-81cb-4747-8608-1cc4e630a017 | Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip' | high | 2020-11-25T09:19:18.936Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | malware | Event::Endpoint::Threat::CleanupFailed |
| 9641ba6e-3254-4726-962d-b2bc11e04131 | Malicious connection detected: 'C2/Generic-B' at 'C:\Windows\System32\wscript.exe' (Technical Support reference: 277413403) | high | 2020-11-25T10:36:31.603Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | runtimeDetections | Event::Endpoint::Threat::CommandAndControlDetected |
| ee527ca8-cb54-4e11-b59f-2197910176f3 | Thunderbox is out of date. | medium | 2020-11-25T10:42:09.083Z | acknowledge | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | updating | Event::Endpoint::OutOfDate |

Results on this page: 3. Maximum number of results allowed in a page: 100

### sophos-central-alert-get

Get a single alert by ID.

#### Base Command

`sophos-central-alert-get`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| alert_id | The alert ID. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
| SophosCentral.Alert.category | String | Alert category. |
| SophosCentral.Alert.description | String | Alert description. |
| SophosCentral.Alert.groupKey | String | Alert group key. |
| SophosCentral.Alert.id | String | The alert ID. |
| SophosCentral.Alert.managedAgentId | String | The alert source ID. |
| SophosCentral.Alert.managedAgentName | String | The alert source name. |
| SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
| SophosCentral.Alert.person | String | The ID of the referenced person object. |
| SophosCentral.Alert.personName | String | The name of the referenced person object. |
| SophosCentral.Alert.product | String | Product type. |
| SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
| SophosCentral.Alert.severity | String | Severity level for the alert. |
| SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
| SophosCentral.Alert.tenantName | String | Tenant name. |
| SophosCentral.Alert.type | String | Alert type. |

#### Command Example

`!sophos-central-alert-get alert_id=8e879165-81cb-4747-8608-1cc4e630a017`

#### Context Example

{
"SophosCentral": {
"Alert": {
"allowedActions": [
"clearThreat"
],
"category": "malware",
"description": "Manual cleanup required: 'EICAR-AV-Test' at 'C:\\Users\\JonDoe\\Downloads\\eicarcom2.zip'",
"groupKey": "MSxFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6Q2xlYW51cEZhaWxlZCwxNixFSUNBUi1BVi1UZXN0",
"id": "8e879165-81cb-4747-8608-1cc4e630a017",
"managedAgentId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"managedAgentType": "computer",
"person": "5d407889-8659-46ab-86c5-4f227302df78",
"product": "endpoint",
"raisedAt": "2020-11-25T09:19:18.936Z",
"severity": "high",
"tenantId": "11f104c5-cc4a-4a9f-bb9c-632c936dfb9f",
"tenantName": "Cortex XSOAR",
"type": "Event::Endpoint::Threat::CleanupFailed"
}
}
}

#### Human Readable Output

##### Found Alert:

| id | description | severity | raisedAt | allowedActions | managedAgentId | category | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 8e879165-81cb-4747-8608-1cc4e630a017 | Manual cleanup required: 'EICAR-AV-Test' at 'C:\Users\JonDoe\Downloads\eicarcom2.zip' | high | 2020-11-25T09:19:18.936Z | clearThreat | 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | malware | Event::Endpoint::Threat::CleanupFailed |

### sophos-central-alert-action

Take an action against alerts.

#### Base Command

`sophos-central-alert-action`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| alert_id | Comma-separated list of alert IDs. | Required |
| action | Action to perform on the alerts. Possible values are: "acknowledge", "cleanPua", "cleanVirus", "authPua", "clearThreat", "clearHmpa", "sendMsgPua", and "sendMsgThreat". | Required |
| message | Message to send for the action. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.AlertAction.action | String | Actions that you can perform on the alert. |
| SophosCentral.AlertAction.alertId | String | Alert ID. |
| SophosCentral.AlertAction.completedAt | Date | Time when the action was completed. |
| SophosCentral.AlertAction.id | String | Alert action ID. |
| SophosCentral.AlertAction.requestedAt | Date | Time when the action was requested. |
| SophosCentral.AlertAction.result | String | The result of the action. |
| SophosCentral.AlertAction.startedAt | Date | Time when the action was started. |
| SophosCentral.AlertAction.status | String | Status of an alert action. |

#### Command Example

`!sophos-central-alert-action action=clearThreat alert_id=8e879165-81cb-4747-8608-1cc4e630a017 message=testmessage`

#### Context Example

{
"SophosCentral": {
"AlertAction": {
"action": "clearThreat",
"alertId": "8e879165-81cb-4747-8608-1cc4e630a017",
"completedAt": null,
"id": "c75b1e4d-c62c-4b3a-8ca5-dea658a18c1b",
"requestedAt": "2020-11-25T10:47:14.639Z",
"result": "success",
"startedAt": null,
"status": "requested"
}
}
}

#### Human Readable Output

##### Alerts Acted Against:

| id | action | alertId | result | requestedAt | status |
| --- | --- | --- | --- | --- | --- |
| c75b1e4d-c62c-4b3a-8ca5-dea658a18c1b | clearThreat | 8e879165-81cb-4747-8608-1cc4e630a017 | success | 2020-11-25T10:47:14.639Z | requested |
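Before a playbook calls sophos-central-alert-action, it should only submit alerts whose allowedActions (documented in the alert context above) include the requested action, and it should decide by severity which alerts are in scope. The following is an added example, not the integration's own code: it performs that selection over the SophosCentral.Alert context and builds the comma-separated alert_id argument. The sample alerts are trimmed from the alert-list context example on this page; the function names are this example's own.

```python
"""Gate alert actions on each alert's allowedActions before calling
sophos-central-alert-action (added example, not the integration's code)."""
from collections import defaultdict

# Values the "action" argument of sophos-central-alert-action accepts (from the Input table).
ALERT_ACTIONS = {"acknowledge", "cleanPua", "cleanVirus", "authPua",
                 "clearThreat", "clearHmpa", "sendMsgPua", "sendMsgThreat"}

# Constructed input: the SophosCentral.Alert list from the alert-list context example,
# trimmed to the fields this example uses.
SAMPLE_ALERTS = [
    {"id": "8e879165-81cb-4747-8608-1cc4e630a017", "severity": "high",
     "category": "malware", "allowedActions": ["clearThreat"],
     "type": "Event::Endpoint::Threat::CleanupFailed"},
    {"id": "9641ba6e-3254-4726-962d-b2bc11e04131", "severity": "high",
     "category": "runtimeDetections", "allowedActions": ["clearThreat"],
     "type": "Event::Endpoint::Threat::CommandAndControlDetected"},
    {"id": "ee527ca8-cb54-4e11-b59f-2197910176f3", "severity": "medium",
     "category": "updating", "allowedActions": ["acknowledge"],
     "type": "Event::Endpoint::OutOfDate"},
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def select_alerts_for_action(alerts, action, min_severity="low"):
    """Return (eligible_ids, skipped) where eligible_ids are the alerts on which
    `action` is listed in allowedActions and whose severity is at or above
    `min_severity`. Alerts that do not allow the action are skipped rather than
    submitted, since Sophos Central would not accept the action for them."""
    if action not in ALERT_ACTIONS:
        raise ValueError(f"unknown alert action: {action!r}")
    threshold = SEVERITY_ORDER[min_severity]
    eligible, skipped = [], defaultdict(list)
    for alert in alerts:
        # An unknown severity ranks below "low" and is never acted on automatically.
        if SEVERITY_ORDER.get(alert.get("severity"), -1) < threshold:
            skipped["below_severity"].append(alert["id"])
        elif action not in alert.get("allowedActions", []):
            skipped["action_not_allowed"].append(alert["id"])
        else:
            eligible.append(alert["id"])
    return eligible, dict(skipped)


def build_alert_action_command(alerts, action, min_severity="low", message=None):
    """Build the !sophos-central-alert-action invocation for the eligible alerts.
    alert_id takes a comma-separated list (see the Input table above).
    Returns None when no alert qualifies, so a playbook can branch on it."""
    eligible, _ = select_alerts_for_action(alerts, action, min_severity)
    if not eligible:
        return None
    cmd = f"!sophos-central-alert-action action={action} alert_id={','.join(eligible)}"
    if message:
        cmd += f' message="{message}"'
    return cmd


if __name__ == "__main__":
    ids, skipped = select_alerts_for_action(SAMPLE_ALERTS, "clearThreat", "high")
    print("eligible:", ids)
    print("skipped:", skipped)
    print(build_alert_action_command(SAMPLE_ALERTS, "acknowledge"))
```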

### sophos-central-alert-search

Get alerts matching the request.

#### Base Command

`sophos-central-alert-search`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| group_key | Alert group key. | Optional |
| start | Time on or after which the alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ). | Optional |
| end | Time before which the alerts were raised. Use ISO time format (YYYY-MM-DDTHH:MM:SSZ). | Optional |
| date_range | The date range to search, counted back from the current time, used instead of a start/end time. Format: `<number> <time unit>`, e.g., 12 hours, 7 days. If defined, date_range overrides the start and end arguments. | Optional |
| product | Alerts for one or more products. Possible values are: "other", "endpoint", "server", "mobile", "encryption", "emailGateway", "webGateway", "phishThreat", "wireless", "iaas", and "firewall". | Optional |
| category | One or more alert categories. | Optional |
| severity | Alerts at one or more severity levels. Possible values are: "high", "medium", and "low". | Optional |
| ids | List of IDs. | Optional |
| limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.Alert.allowedActions | String | Actions that you can perform on these alerts. |
| SophosCentral.Alert.category | String | Alert category. |
| SophosCentral.Alert.description | String | Alert description. |
| SophosCentral.Alert.groupKey | String | Alert group key. |
| SophosCentral.Alert.id | String | The alert ID. |
| SophosCentral.Alert.managedAgentId | String | The alert source ID. |
| SophosCentral.Alert.managedAgentName | String | The alert source name. |
| SophosCentral.Alert.managedAgentType | String | The source that triggered the alert. |
| SophosCentral.Alert.person | String | The ID of the referenced person object. |
| SophosCentral.Alert.personName | String | The name of the referenced person object. |
| SophosCentral.Alert.product | String | Product type. |
| SophosCentral.Alert.raisedAt | Date | When the alert was triggered. |
| SophosCentral.Alert.severity | String | Severity level for the alert. |
| SophosCentral.Alert.tenantId | String | Tenant ID for the alert. |
| SophosCentral.Alert.tenantName | String | Tenant name. |
| SophosCentral.Alert.type | String | Alert type. |

#### Command Example

`!sophos-central-alert-search category=general product=endpoint`

#### Context Example

{
"SophosCentral": {
"Alert": null
}
}

#### Human Readable Output

##### Found Alerts:

No entries. Results on this page: 0. Maximum number of results allowed in a page: 100
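The start, end and date_range arguments of sophos-central-alert-search interact: date_range counts back from the current time and overrides an explicit window. The following added example (not the integration's own code) resolves the search window exactly as the Input table describes and rejects malformed values instead of silently searching the whole alert history; SAMPLE_NOW and the function names are this example's own.

```python
"""Resolve the alert-search time window: date_range ("<number> <time unit>")
wins over start/end; explicit timestamps must be YYYY-MM-DDTHH:MM:SSZ.
Added example, not the Sophos Central integration's code."""
import re
from datetime import datetime, timedelta, timezone

ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Units accepted in date_range, normalised to timedelta keyword arguments.
UNIT_TO_KWARG = {
    "minute": "minutes", "minutes": "minutes",
    "hour": "hours", "hours": "hours",
    "day": "days", "days": "days",
    "week": "weeks", "weeks": "weeks",
}
_RANGE_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z]+)\s*$")

# Constructed "current time" so the example is reproducible; real callers leave now=None.
SAMPLE_NOW = datetime(2020, 11, 25, 12, 0, 0, tzinfo=timezone.utc)


def parse_date_range(date_range):
    """Turn "12 hours" into timedelta(hours=12). Anything else raises, so a
    typo cannot widen the search to every alert the tenant has."""
    m = _RANGE_RE.match(date_range or "")
    if not m:
        raise ValueError(f"date_range must look like '<number> <time unit>', got {date_range!r}")
    amount, unit = int(m.group(1)), m.group(2).lower()
    if unit not in UNIT_TO_KWARG:
        raise ValueError(f"unsupported time unit in date_range: {unit!r}")
    if amount <= 0:
        raise ValueError("date_range amount must be positive")
    return timedelta(**{UNIT_TO_KWARG[unit]: amount})


def _check_iso(value, name):
    """Reject timestamps that are not in the documented Zulu format."""
    try:
        datetime.strptime(value, ISO_FORMAT)
    except ValueError as exc:
        raise ValueError(f"{name} must be in ISO format YYYY-MM-DDTHH:MM:SSZ, got {value!r}") from exc


def resolve_search_window(start=None, end=None, date_range=None, now=None):
    """Return (start, end) as ISO strings for sophos-central-alert-search.
    date_range takes precedence over start/end, matching the argument docs;
    either bound may be None when only one side was given."""
    now = now or datetime.now(timezone.utc)
    if date_range:
        delta = parse_date_range(date_range)
        return (now - delta).strftime(ISO_FORMAT), now.strftime(ISO_FORMAT)
    if start:
        _check_iso(start, "start")
    if end:
        _check_iso(end, "end")
    # Fixed-width Zulu timestamps compare correctly as strings.
    if start and end and start > end:
        raise ValueError("start must not be later than end")
    return start, end


if __name__ == "__main__":
    print(resolve_search_window(date_range="12 hours", now=SAMPLE_NOW))
    print(resolve_search_window(start="2020-11-25T09:00:00Z"))
```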

### sophos-central-endpoint-list

List all endpoints for a tenant.

#### Base Command

`sophos-central-endpoint-list`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| health_status | Match endpoints that have any of the specified health statuses. Possible values are: "bad", "good", "suspicious", and "unknown". | Optional |
| endpoint_type | Match endpoints that have any of the specified endpoint types. Possible values are: "computer", "server", and "securityVm". | Optional |
| tamper_protection_enabled | Whether tamper protection is enabled. Possible values are: "true" and "false". | Optional |
| lockdown_status | Match endpoints that have any of the specified lockdown statuses. Possible values are: "creatingWhitelist", "installing", "locked", "notInstalled", "registering", "starting", "stopping", "unavailable", "uninstalled", and "unlocked". | Optional |
| last_seen_before | The datetime before which the endpoints were last seen (UTC). | Optional |
| last_seen_after | The datetime on or after which the endpoints were last seen (UTC). | Optional |
| ids | List of IDs. | Optional |
| view | Type of view to be returned in the response. Possible values are: "basic", "summary", and "full". | Optional |
| limit | The maximum number of items to return. Default is "50". Maximum is "100". | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.Endpoint.assignedProductCodes | String | Code of a product assigned to the endpoint. |
| SophosCentral.Endpoint.associatedPersonId | String | The unique ID for the person associated with the endpoint. |
| SophosCentral.Endpoint.associatedPersonName | String | Name of the person associated with the endpoint. |
| SophosCentral.Endpoint.associatedPersonViaLogin | String | The login of the person associated with the endpoint. |
| SophosCentral.Endpoint.groupId | String | The unique ID for the endpoint group. |
| SophosCentral.Endpoint.groupName | String | Endpoint group name. |
| SophosCentral.Endpoint.hostname | String | The hostname of the endpoint. |
| SophosCentral.Endpoint.id | String | The unique ID for the endpoint. |
| SophosCentral.Endpoint.health | String | Health status of the endpoint. |
| SophosCentral.Endpoint.ipv4Addresses | String | IPv4 address of the endpoint. |
| SophosCentral.Endpoint.ipv6Addresses | String | IPv6 address of the endpoint. |
| SophosCentral.Endpoint.macAddresses | String | MAC address of the endpoint. |
| SophosCentral.Endpoint.osBuild | String | Operating system build. |
| SophosCentral.Endpoint.osIsServer | Boolean | Whether the operating system is a server operating system. |
| SophosCentral.Endpoint.osName | String | Operating system name as reported by the endpoint. |
| SophosCentral.Endpoint.osPlatform | String | Operating system platform type. |
| SophosCentral.Endpoint.tamperProtectionEnabled | Boolean | Whether tamper protection is enabled. |
| SophosCentral.Endpoint.type | String | The endpoint type. |
| SophosCentral.Endpoint.online | Boolean | Whether the endpoint is online. |

#### Command Example

`!sophos-central-endpoint-list`

#### Context Example

{
"SophosCentral": {
"Endpoint": [
{
"assignedProductCodes": [
"endpointProtection",
"coreAgent"
],
"associatedPersonId": null,
"associatedPersonName": null,
"associatedPersonViaLogin": "THUNDERBOX\\JonDoe",
"health": "bad",
"hostname": "Thunderbox",
"id": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"ipv4Addresses": [
"1.1.1.1"
],
"ipv6Addresses": [
"fe80::9905:5b42:6605:5e93"
],
"macAddresses": [
"00:00:00:B0:00:BA"
],
"online": null,
"osBuild": 18363,
"osIsServer": false,
"osName": "Windows 10 Pro",
"osPlatform": "windows",
"tamperProtectionEnabled": false,
"type": "computer"
},
{
"assignedProductCodes": [
"coreAgent",
"endpointProtection"
],
"associatedPersonId": null,
"associatedPersonName": null,
"associatedPersonViaLogin": "WIN-CEAESQ7V08E\\Administrator",
"health": "good",
"hostname": "WIN-CEAESQ7V08E",
"id": "a24b74a2-68e3-4fa5-8119-95744e0ab421",
"ipv4Addresses": [
"1.1.1.1"
],
"ipv6Addresses": [
"fe80::9905:5b42:6605:5e93"
],
"macAddresses": [
"00:00:00:B0:00:BA"
],
"online": null,
"osBuild": 17763,
"osIsServer": true,
"osName": "Windows Server 2019 Standard Evaluation",
"osPlatform": "windows",
"tamperProtectionEnabled": false,
"type": "server"
}
]
}
}

#### Human Readable Output

##### Listed Endpoints:

| id | hostname | ipv4Addresses | ipv6Addresses | macAddresses | type | tamperProtectionEnabled |
| --- | --- | --- | --- | --- | --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | Thunderbox | 1.1.1.1 | fe80::9905:5b42:6605:5e93 | 00:00:00:B0:00:BA | computer | false |
| a24b74a2-68e3-4fa5-8119-95744e0ab421 | WIN-CEAESQ7V08E | 1.1.1.1 | fe80::9905:5b42:6605:5e93 | 00:00:00:B0:00:BA | server | false |

Results on this page: 2. Maximum number of results allowed in a page: 500

### sophos-central-endpoint-scan

Scan endpoints of a tenant.

#### Base Command

`sophos-central-endpoint-scan`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| endpoint_id | One or more endpoint IDs. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.EndpointScan.id | String | Identifies a request to perform or configure the endpoint scan. |
| SophosCentral.EndpointScan.requestedAt | Date | Time when the scan was requested. |
| SophosCentral.EndpointScan.status | String | The status of an endpoint scan. |

#### Command Example

`!sophos-central-endpoint-scan endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b`

#### Context Example

{
"SophosCentral": {
"EndpointScan": {
"id": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"requestedAt": "2020-11-25T10:47:20.343Z",
"status": "requested"
}
}
}

#### Human Readable Output

##### Scanning Endpoints:

| id | status | requestedAt |
| --- | --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | requested | 2020-11-25T10:47:20.343Z |

### sophos-central-endpoint-tamper-get

Get tamper protection information for one or more endpoints. Potentially harmful because of the password.

#### Base Command

`sophos-central-endpoint-tamper-get`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| endpoint_id | One or more endpoint IDs. | Required |
| get_password | Whether to return the tamper protection password. Possible values are: "true" and "false". | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.EndpointTamper.endpointId | String | ID of the endpoint the tamper settings refer to. |
| SophosCentral.EndpointTamper.enabled | String | Whether tamper protection should be turned on for the endpoint. |
| SophosCentral.EndpointTamper.password | String | Current tamper protection password. |

#### Command Example

`!sophos-central-endpoint-tamper-get endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b`

#### Context Example

{
"SophosCentral": {
"EndpointTamper": {
"enabled": false,
"endpointId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"password": null
}
}
}

#### Human Readable Output

##### Listed Endpoints Tamper Protection:

| endpointId | enabled |
| --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | false |

### sophos-central-endpoint-tamper-update

Update tamper protection information for one or more endpoints. Potentially harmful because of the password.

#### Base Command

`sophos-central-endpoint-tamper-update`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| endpoint_id | One or more endpoint IDs. | Required |
| enabled | Whether tamper protection should be turned on for the endpoint. Possible values are: "true" and "false". | Required |
| get_password | Whether to return the tamper protection password. Possible values are: "true" and "false". | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.EndpointTamper.endpointId | String | ID of the endpoint the tamper settings refer to. |
| SophosCentral.EndpointTamper.enabled | String | Whether tamper protection should be turned on for the endpoint. |
| SophosCentral.EndpointTamper.password | String | Current tamper protection password. |

#### Command Example

`!sophos-central-endpoint-tamper-update enabled=true endpoint_id=6e9567ea-bb50-40c5-9f12-42eb308e4c9b`

#### Context Example

{
"SophosCentral": {
"EndpointTamper": {
"enabled": true,
"endpointId": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b",
"password": null
}
}
}

#### Human Readable Output

##### Updated Endpoints Tamper Protection:

| endpointId | enabled |
| --- | --- |
| 6e9567ea-bb50-40c5-9f12-42eb308e4c9b | true |
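The endpoint-list context exposes tamperProtectionEnabled per endpoint, and sophos-central-endpoint-tamper-update can switch it back on. The following added example (not the integration's own code) triages that context: it separates endpoints with protection on, off, or unreported, orders the unprotected ones for follow-up, and produces the endpoint_id argument for a tamper-update enabled=true call. It assumes endpoint_id accepts a comma-separated list like alert_id does; the sample endpoints are trimmed from the endpoint-list context example above and the function names are this example's own.

```python
"""Tamper-protection hygiene over sophos-central-endpoint-list context.
Added example, not the Sophos Central integration's code."""

# Constructed input: trimmed from the SophosCentral.Endpoint context example above.
SAMPLE_ENDPOINTS = [
    {"id": "6e9567ea-bb50-40c5-9f12-42eb308e4c9b", "hostname": "Thunderbox",
     "type": "computer", "health": "bad", "osIsServer": False,
     "tamperProtectionEnabled": False},
    {"id": "a24b74a2-68e3-4fa5-8119-95744e0ab421", "hostname": "WIN-CEAESQ7V08E",
     "type": "server", "health": "good", "osIsServer": True,
     "tamperProtectionEnabled": False},
]

# Lower rank = handle first; matches the health_status values documented for endpoint-list.
HEALTH_RANK = {"bad": 0, "suspicious": 1, "unknown": 2, "good": 3}


def tamper_report(endpoints):
    """Split endpoint IDs into tamper protection enabled / disabled / unknown.
    A missing field (e.g. a view that omits it) is reported as unknown rather
    than treated as disabled, so nothing is toggled on incomplete data."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for ep in endpoints:
        flag = ep.get("tamperProtectionEnabled")
        bucket = "unknown" if flag is None else ("enabled" if flag else "disabled")
        report[bucket].append(ep["id"])
    return report


def prioritise_unprotected(endpoints):
    """Hostnames of endpoints with tamper protection off, unhealthy ones first
    and servers before workstations at equal health: an unhealthy endpoint
    whose agent can be tampered with is the one to fix first."""
    unprotected = [ep for ep in endpoints if ep.get("tamperProtectionEnabled") is False]
    ordered = sorted(
        unprotected,
        key=lambda ep: (HEALTH_RANK.get(ep.get("health"), HEALTH_RANK["unknown"]),
                        not ep.get("osIsServer", False)))
    return [ep["hostname"] for ep in ordered]


def tamper_update_args(endpoints, endpoint_type=None):
    """Return the endpoint_id argument (comma-separated IDs, assumed to be
    accepted like alert_id) for re-enabling tamper protection, optionally
    restricted to one endpoint type so servers and workstations can be handled
    in separate change windows. Returns None when nothing needs changing."""
    ids = [ep["id"] for ep in endpoints
           if ep.get("tamperProtectionEnabled") is False
           and (endpoint_type is None or ep.get("type") == endpoint_type)]
    return ",".join(ids) if ids else None


def tamper_update_command(endpoints, endpoint_type=None):
    """Full !sophos-central-endpoint-tamper-update invocation, or None."""
    ids = tamper_update_args(endpoints, endpoint_type)
    if ids is None:
        return None
    return f"!sophos-central-endpoint-tamper-update enabled=true endpoint_id={ids}"


if __name__ == "__main__":
    print(tamper_report(SAMPLE_ENDPOINTS))
    print(prioritise_unprotected(SAMPLE_ENDPOINTS))
    print(tamper_update_command(SAMPLE_ENDPOINTS, "server"))
```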

### sophos-central-allowed-item-list

List all allowed items.

#### Base Command

`sophos-central-allowed-item-list`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | Page number to return. Default is "1". | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

#### Command Example

`!sophos-central-allowed-item-list page=1 page_size=50`

#### Context Example

{
"SophosCentral": {
"AllowedItem": [
{
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-25T10:19:37.608Z",
"fileName": null,
"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",
"path": "/root/helloaworld/1/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:19:37.608Z"
},
{
"certificateSigner": "notme",
"comment": "fordemo",
"createdAt": "2020-11-10T12:10:49.384Z",
"fileName": null,
"id": "718e991d-a99f-4193-b263-4eeebcac46fe",
"path": null,
"sha256": null,
"type": "certificateSigner",
"updatedAt": "2020-11-10T12:10:49.384Z"
},
{
"certificateSigner": null,
"comment": "Test-Noam",
"createdAt": "2020-11-08T14:00:18.574Z",
"fileName": null,
"id": "f047c584-949a-4a59-aebd-9999ce323c1d",
"path": "c:\\test2.exe",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-08T14:00:18.574Z"
},
{
"certificateSigner": null,
"comment": "Test",
"createdAt": "2020-11-08T10:44:39.279Z",
"fileName": null,
"id": "345b4588-b843-45b1-9319-e529ddd741e6",
"path": "c:\\1.txt",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-08T10:58:14.622Z"
},
{
"certificateSigner": "hello",
"comment": "chaaned",
"createdAt": "2020-11-03T10:14:25.914Z",
"fileName": null,
"id": "6a2e26fb-6eb4-42ff-8201-6f7051757595",
"path": null,
"sha256": null,
"type": "certificateSigner",
"updatedAt": "2020-11-03T10:15:32.819Z"
},
{
"certificateSigner": null,
"comment": "chaaned",
"createdAt": "2020-11-03T09:13:04.380Z",
"fileName": null,
"id": "2f804138-9632-4500-a13f-33342868e434",
"path": "root/hello/worldrsaard",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-03T10:15:08.159Z"
},
{
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-01T13:26:03.890Z",
"fileName": null,
"id": "73e555e9-3eee-42e1-879e-65d5ba968236",
"path": "/root/helloaworld/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-01T13:26:03.890Z"
},
{
"certificateSigner": null,
"comment": "hello world",
"createdAt": "2020-11-01T11:50:02.567Z",
"fileName": null,
"id": "595b2e6d-36b3-45bd-b94f-99a98a0a53f7",
"path": "/root/helloaworld",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-01T11:50:02.567Z"
},
{
"certificateSigner": null,
"comment": "helloworld",
"createdAt": "2020-11-01T11:00:47.441Z",
"fileName": null,
"id": "3533f7be-5064-44b6-9579-e4d7fa542444",
"path": "/root/what",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-01T11:00:47.441Z"
},
{
"certificateSigner": null,
"comment": "bad comment",
"createdAt": "2020-11-01T10:48:49.312Z",
"fileName": "zxdfzd",
"id": "85465c57-e598-4c8b-9c08-093c6f5eb239",
"path": "/root/hello/word",
"sha256": "C6F4DB9B3191E6E693CE938BD74FAB37AEE71372C8B034F5040362D8C69E4DE5",
"type": "path",
"updatedAt": "2020-11-01T10:48:49.312Z"
},
{
"certificateSigner": "xcvxcv",
"comment": "bad comment",
"createdAt": "2020-11-01T10:47:24.473Z",
"fileName": "xzcvxz",
"id": "cffaaae7-0b3a-4ec7-84a4-fee88d297abc",
"path": "/root",
"sha256": null,
"type": "certificateSigner",
"updatedAt": "2020-11-01T10:47:24.473Z"
},
{
"certificateSigner": null,
"comment": "changedcomment",
"createdAt": "2020-10-29T13:31:40.963Z",
"fileName": null,
"id": "c598b3b5-c9d9-4ff2-af9b-4d656deaa4f7",
"path": "/root/hello",
"sha256": null,
"type": "path",
"updatedAt": "2020-10-29T13:32:41.421Z"
},
{
"comment": "uh",
"createdAt": "2020-10-28T13:57:53.235Z",
"id": "41a56d0d-5272-4be4-92dc-1c2dd42c218a",
"type": "path",
"updatedAt": "2020-10-28T13:58:07.906Z"
}
]
}
}

#### Human Readable Output

##### Listed Allowed Items:

| id | comment | fileName | sha256 | path | certificateSigner | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | hello world1 | | | /root/helloaworld/1/1 | | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:19:37.608Z |
| 718e991d-a99f-4193-b263-4eeebcac46fe | fordemo | | | | notme | 2020-11-10T12:10:49.384Z | certificateSigner | 2020-11-10T12:10:49.384Z |
| f047c584-949a-4a59-aebd-9999ce323c1d | Test-Noam | | | c:\test2.exe | | 2020-11-08T14:00:18.574Z | path | 2020-11-08T14:00:18.574Z |
| 345b4588-b843-45b1-9319-e529ddd741e6 | Test | | | c:\1.txt | | 2020-11-08T10:44:39.279Z | path | 2020-11-08T10:58:14.622Z |
| 6a2e26fb-6eb4-42ff-8201-6f7051757595 | chaaned | | | | hello | 2020-11-03T10:14:25.914Z | certificateSigner | 2020-11-03T10:15:32.819Z |
| 2f804138-9632-4500-a13f-33342868e434 | chaaned | | | root/hello/worldrsaard | | 2020-11-03T09:13:04.380Z | path | 2020-11-03T10:15:08.159Z |
| 73e555e9-3eee-42e1-879e-65d5ba968236 | hello world1 | | | /root/helloaworld/1 | | 2020-11-01T13:26:03.890Z | path | 2020-11-01T13:26:03.890Z |
| 595b2e6d-36b3-45bd-b94f-99a98a0a53f7 | hello world | | | /root/helloaworld | | 2020-11-01T11:50:02.567Z | path | 2020-11-01T11:50:02.567Z |
| 3533f7be-5064-44b6-9579-e4d7fa542444 | helloworld | | | /root/what | | 2020-11-01T11:00:47.441Z | path | 2020-11-01T11:00:47.441Z |
| 85465c57-e598-4c8b-9c08-093c6f5eb239 | bad comment | zxdfzd | C6F4DB9B3191E6E693CE938BD74FAB37AEE71372C8B034F5040362D8C69E4DE5 | /root/hello/word | | 2020-11-01T10:48:49.312Z | path | 2020-11-01T10:48:49.312Z |
| cffaaae7-0b3a-4ec7-84a4-fee88d297abc | bad comment | xzcvxz | | /root | xcvxcv | 2020-11-01T10:47:24.473Z | certificateSigner | 2020-11-01T10:47:24.473Z |
| c598b3b5-c9d9-4ff2-af9b-4d656deaa4f7 | changedcomment | | | /root/hello | | 2020-10-29T13:31:40.963Z | path | 2020-10-29T13:32:41.421Z |
| 41a56d0d-5272-4be4-92dc-1c2dd42c218a | uh | | | | | 2020-10-28T13:57:53.235Z | path | 2020-10-28T13:58:07.906Z |

Current page: 1. Results on this page: 13. Maximum number of results allowed in a page: 100.

### sophos-central-allowed-item-get

Get a single allowed item by ID.

#### Base Command

`sophos-central-allowed-item-get`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| allowed_item_id | The ID of the allowed item. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

#### Command Example

`!sophos-central-allowed-item-get allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c`

#### Context Example

{
"SophosCentral": {
"AllowedItem": {
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-25T10:19:37.608Z",
"fileName": null,
"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",
"path": "/root/helloaworld/1/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:19:37.608Z"
}
}
}

#### Human Readable Output

##### Found Allowed Item:

| id | comment | path | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- |
| b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | hello world1 | /root/helloaworld/1/1 | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:19:37.608Z |

### sophos-central-allowed-item-add

Add a new allowed item.

#### Base Command

`sophos-central-allowed-item-add`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| comment | Comment indicating why the item should be allowed. | Required |
| certificate_signer | The value saved for the certificateSigner. | Optional |
| file_name | The file name. | Optional |
| path | The path for the application. | Optional |
| sha256 | The SHA256 value for the application. | Optional |
| item_type | The property by which an item is allowed. Note that the specified item type requires the matching argument to be filled. For example, the item type "path" requires the path argument. Possible values are: "path", "sha256", and "certificateSigner". | Required |
| origin_endpoint_id | The endpoint where the item to be allowed was last seen. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

#### Command Example

`!sophos-central-allowed-item-add comment="hello world1" item_type=path path=/root/helloaworld/12`

#### Context Example

{
"SophosCentral": {
"AllowedItem": {
"certificateSigner": null,
"comment": "hello world1",
"createdAt": "2020-11-25T10:47:32.082Z",
"fileName": null,
"id": "c68f1abc-986d-43eb-b050-d9113959207a",
"path": "/root/helloaworld/12",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:47:32.082Z"
}
}
}

#### Human Readable Output

##### Added Allowed Item:

| id | comment | path | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- |
| c68f1abc-986d-43eb-b050-d9113959207a | hello world1 | /root/helloaworld/12 | 2020-11-25T10:47:32.082Z | path | 2020-11-25T10:47:32.082Z |
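As the Input table notes, item_type must be accompanied by its matching argument (path, sha256 or certificate_signer). An allow rule is a permanent exception in the tenant's protection, so it is worth validating the argument set locally before the command runs. The following added example (not the integration's own code) does that check, adds a 64-hex-character format check for sha256, and builds the command string; the function names are this example's own.

```python
"""Validate sophos-central-allowed-item-add arguments before the call.
Added example, not the Sophos Central integration's code."""
import re

# item_type value -> argument that must be supplied with it (from the Input table above).
REQUIRED_ARG_FOR_TYPE = {
    "path": "path",
    "sha256": "sha256",
    "certificateSigner": "certificate_signer",
}
# A SHA-256 digest is 32 bytes, i.e. 64 hexadecimal characters.
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Argument order used when rendering the command; only supplied ones are emitted.
_ARG_ORDER = ("comment", "item_type", "path", "sha256", "certificate_signer",
              "file_name", "origin_endpoint_id")


def validate_allowed_item(args):
    """Return a list of problems with the argument dict; empty means OK.
    Checks the documented requirements (comment, item_type, matching argument)
    and rejects a malformed sha256 locally instead of sending it to the API."""
    problems = []
    if not (args.get("comment") or "").strip():
        problems.append("comment is required")
    item_type = args.get("item_type")
    if item_type not in REQUIRED_ARG_FOR_TYPE:
        problems.append(
            f"item_type must be one of {sorted(REQUIRED_ARG_FOR_TYPE)}, got {item_type!r}")
        return problems
    needed = REQUIRED_ARG_FOR_TYPE[item_type]
    value = args.get(needed)
    if not value:
        problems.append(f"item_type={item_type} requires the {needed} argument")
    elif item_type == "sha256" and not _SHA256_RE.match(value):
        problems.append("sha256 must be a 64-character hexadecimal digest")
    return problems


def allowed_item_add_command(args):
    """Build the !sophos-central-allowed-item-add invocation, or raise listing
    every problem found so a playbook fails before touching the tenant."""
    problems = validate_allowed_item(args)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["!sophos-central-allowed-item-add"]
    for key in _ARG_ORDER:
        if args.get(key):
            parts.append(f'{key}="{args[key]}"')
    return " ".join(parts)


if __name__ == "__main__":
    print(allowed_item_add_command(
        {"comment": "hello world1", "item_type": "path", "path": "/root/helloaworld/12"}))
    print(validate_allowed_item({"comment": "x", "item_type": "sha256", "sha256": "C6F4DB9B"}))
```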

### sophos-central-allowed-item-update

Update an existing allowed item.

#### Base Command

`sophos-central-allowed-item-update`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| allowed_item_id | The allowed item ID. | Required |
| comment | Comment indicating why the item should be allowed. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| SophosCentral.AllowedItem.comment | String | A comment indicating why the item was allowed. |
| SophosCentral.AllowedItem.createdAt | Date | Date and time (UTC) when the allowed application was created. |
| SophosCentral.AllowedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.AllowedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.AllowedItem.id | String | The unique ID for the allowed application. |
| SophosCentral.AllowedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.AllowedItem.fileName | String | The file name. |
| SophosCentral.AllowedItem.path | String | The path for the application. |
| SophosCentral.AllowedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.AllowedItem.type | String | The property by which an item is allowed. |
| SophosCentral.AllowedItem.updatedAt | Date | Date and time (UTC) when the allowed application was updated. |
| SophosCentral.AllowedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.AllowedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.AllowedItem.originPersonName | String | Name of the originating person. |

#### Command Example

`!sophos-central-allowed-item-update allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c comment=changedcomment`

Context Example#

{
"SophosCentral": {
"AllowedItem": {
"certificateSigner": null,
"comment": "changedcomment",
"createdAt": "2020-11-25T10:19:37.608Z",
"fileName": null,
"id": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c",
"path": "/root/helloaworld/1/1",
"sha256": null,
"type": "path",
"updatedAt": "2020-11-25T10:47:39.104Z"
}
}
}

Human Readable Output#

Updated Allowed Item:#

| id | comment | path | createdAt | type | updatedAt |
| --- | --- | --- | --- | --- | --- |
| b2148cc0-6ee8-440e-9c4b-cd5486b36c3c | changedcomment | /root/helloaworld/1/1 | 2020-11-25T10:19:37.608Z | path | 2020-11-25T10:47:39.104Z |

sophos-central-allowed-item-delete#


Delete an existing allowed item.

Base Command#

sophos-central-allowed-item-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| allowed_item_id | The allowed item ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedAllowedItem.deletedItemId | String | The ID of the deleted item. |

Command Example#

!sophos-central-allowed-item-delete allowed_item_id=b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

Context Example#

{
"SophosCentral": {
"DeletedAllowedItem": {
"deletedItemId": "b2148cc0-6ee8-440e-9c4b-cd5486b36c3c"
}
}
}

Human Readable Output#

Success deleting allowed item: b2148cc0-6ee8-440e-9c4b-cd5486b36c3c

sophos-central-blocked-item-list#


Get all blocked items.

Base Command#

sophos-central-blocked-item-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | Page number to return. Default is "1". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.BlockedItem.comment | String | A comment indicating why the item was blocked. |
| SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the blocked application was created. |
| SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.BlockedItem.id | String | The unique ID for the blocked application. |
| SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.BlockedItem.fileName | String | The file name. |
| SophosCentral.BlockedItem.path | String | The path for the application. |
| SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.BlockedItem.type | String | The property by which an item is blocked. |
| SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the blocked application was updated. |
| SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-blocked-item-list page=1 page_size=50

Context Example#

{
"SophosCentral": {
"BlockedItem": [
{
"certificateSigner": null,
"comment": "hello 2world",
"createdAt": "2020-11-25T10:19:54.523Z",
"fileName": null,
"id": "9b44086b-95bd-43e5-b84b-82b91725f02b",
"path": null,
"sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1",
"type": "sha256",
"updatedAt": null
},
{
"certificateSigner": null,
"comment": "hello world",
"createdAt": "2020-11-01T12:55:47.476Z",
"fileName": null,
"id": "fd0f08db-966b-4979-8cbb-876a2bbd29c9",
"path": null,
"sha256": "c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4",
"type": "sha256",
"updatedAt": null
},
{
"certificateSigner": null,
"comment": "It's just a test",
"createdAt": "2020-11-01T10:22:55.556Z",
"fileName": null,
"id": "f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994",
"path": null,
"sha256": "b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af",
"type": "sha256",
"updatedAt": null
}
]
}
}

Human Readable Output#

Listed Blocked Items:#

| id | comment | sha256 | createdAt | type |
| --- | --- | --- | --- | --- |
| 9b44086b-95bd-43e5-b84b-82b91725f02b | hello 2world | c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1 | 2020-11-25T10:19:54.523Z | sha256 |
| fd0f08db-966b-4979-8cbb-876a2bbd29c9 | hello world | c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4 | 2020-11-01T12:55:47.476Z | sha256 |
| f15f7b34-e1c4-4fd2-bbcb-f5c64e6e9994 | It's just a test | b424f1cb9f1c11a4251ebbf28cd032e6267673e899dce7ac6b7deccde49917af | 2020-11-01T10:22:55.556Z | sha256 |

Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.

sophos-central-blocked-item-get#


Get a single blocked item by ID.

Base Command#

sophos-central-blocked-item-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| blocked_item_id | The blocked item ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.BlockedItem.comment | String | A comment indicating why the item was blocked. |
| SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the blocked application was created. |
| SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.BlockedItem.id | String | The unique ID for the blocked application. |
| SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.BlockedItem.fileName | String | The file name. |
| SophosCentral.BlockedItem.path | String | The path for the application. |
| SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.BlockedItem.type | String | The property by which an item is blocked. |
| SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the blocked application was updated. |
| SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-blocked-item-get blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b

Context Example#

{
"SophosCentral": {
"BlockedItem": {
"certificateSigner": null,
"comment": "hello 2world",
"createdAt": "2020-11-25T10:19:54.523Z",
"fileName": null,
"id": "9b44086b-95bd-43e5-b84b-82b91725f02b",
"path": null,
"sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1",
"type": "sha256",
"updatedAt": null
}
}
}

Human Readable Output#

Found Blocked Item:#

| id | comment | sha256 | createdAt | type |
| --- | --- | --- | --- | --- |
| 9b44086b-95bd-43e5-b84b-82b91725f02b | hello 2world | c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1 | 2020-11-25T10:19:54.523Z | sha256 |

sophos-central-blocked-item-add#


Add a new blocked item.

Base Command#

sophos-central-blocked-item-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | Comment indicating why the item should be blocked. | Required |
| certificate_signer | The value saved for the certificateSigner. | Optional |
| file_name | The file name. | Optional |
| path | The path for the application. | Optional |
| sha256 | The SHA256 value for the application. | Required |
| item_type | The property by which an item is blocked. Possible value is sha256. | Required |

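The add command takes a comment, a sha256 and an item_type that must be "sha256"; the command example below passes the hash in upper case and the stored item comes back lower-cased. The following is an added example (not part of the integration's own code) that validates and canonicalises those arguments and checks the hash against an existing blocked-item list before a duplicate entry is created; the sample list is constructed from the values shown on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, shaped like the context output of
# sophos-central-blocked-item-list on this page (not a live response).
SAMPLE_BLOCKED_ITEMS: List[Dict] = [
    {"id": "9b44086b-95bd-43e5-b84b-82b91725f02b", "type": "sha256",
     "comment": "hello 2world",
     "sha256": "c7f4db9b3191e6e693ce938bd74fab37aee71372c8a034f50b0a62d8c69e4de1"},
    {"id": "fd0f08db-966b-4979-8cbb-876a2bbd29c9", "type": "sha256",
     "comment": "hello world",
     "sha256": "c6f4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4"},
]

# SHA256 as hex: exactly 64 hex digits, either case.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def normalize_sha256(value: str) -> str:
    """Validate a sha256 argument and return it lower-cased.

    Sophos Central stores the hash lower-cased (see the Context Example below),
    so comparisons against the list output must use the canonical form.
    """
    value = value.strip()
    if not SHA256_RE.match(value):
        raise ValueError(f"sha256 must be 64 hex characters, got {value!r}")
    return value.lower()


def build_blocked_item_args(comment: str, sha256: str,
                            item_type: str = "sha256") -> Dict[str, str]:
    """Build the argument set for sophos-central-blocked-item-add.

    Enforces the documented constraints: item_type must be "sha256", and both
    comment and sha256 are required. Returned keys match the command arguments.
    """
    if item_type != "sha256":
        raise ValueError('item_type: the only documented value is "sha256"')
    if not comment or not comment.strip():
        raise ValueError("comment is required: record why the hash is blocked")
    return {
        "comment": comment.strip(),
        "item_type": item_type,
        "sha256": normalize_sha256(sha256),
    }


def find_existing_block(items: List[Dict], sha256: str) -> Optional[Dict]:
    """Return the blocked item that already carries this hash, if any.

    Run over the output of sophos-central-blocked-item-list before calling
    the add command so the same hash is not registered twice.
    """
    wanted = normalize_sha256(sha256)
    for item in items:
        if item.get("type") != "sha256":
            continue
        if (item.get("sha256") or "").lower() == wanted:
            return item
    return None
```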
Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.BlockedItem.comment | String | A comment indicating why the item was blocked. |
| SophosCentral.BlockedItem.createdAt | Date | Date and time (UTC) when the blocked application was created. |
| SophosCentral.BlockedItem.createdById | String | The unique ID for the user who created the item. |
| SophosCentral.BlockedItem.createdByName | String | The name for the user who created the item. |
| SophosCentral.BlockedItem.id | String | The unique ID for the blocked application. |
| SophosCentral.BlockedItem.certificateSigner | String | The value saved for the certificateSigner. |
| SophosCentral.BlockedItem.fileName | String | The file name. |
| SophosCentral.BlockedItem.path | String | The path for the application. |
| SophosCentral.BlockedItem.sha256 | String | The SHA256 value for the application. |
| SophosCentral.BlockedItem.type | String | The property by which an item is blocked. |
| SophosCentral.BlockedItem.updatedAt | Date | Date and time (UTC) when the blocked application was updated. |
| SophosCentral.BlockedItem.originEndpointId | String | ID of the originating endpoint. |
| SophosCentral.BlockedItem.originPersonId | String | ID of the originating person. |
| SophosCentral.BlockedItem.originPersonName | String | Name of the originating person. |

Command Example#

!sophos-central-blocked-item-add comment="hello 2world" item_type=sha256 sha256=CAF4DB9B3191E6E693CE938BD74FAB37AEE71372C8A034F5040362D8C69E4DE4

Context Example#

{
"SophosCentral": {
"BlockedItem": {
"certificateSigner": null,
"comment": "hello 2world",
"createdAt": "2020-11-25T10:47:46.428Z",
"fileName": null,
"id": "9535be44-40f3-4704-94df-6afa1e563f9c",
"path": null,
"sha256": "caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4",
"type": "sha256",
"updatedAt": null
}
}
}

Human Readable Output#

Added Blocked Item:#

| id | comment | sha256 | createdAt | type |
| --- | --- | --- | --- | --- |
| 9535be44-40f3-4704-94df-6afa1e563f9c | hello 2world | caf4db9b3191e6e693ce938bd74fab37aee71372c8a034f5040362d8c69e4de4 | 2020-11-25T10:47:46.428Z | sha256 |

sophos-central-blocked-item-delete#


Delete an existing blocked item.

Base Command#

sophos-central-blocked-item-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| blocked_item_id | The blocked item ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedBlockedItem.deletedItemId | String | The ID of the deleted item. |

Command Example#

!sophos-central-blocked-item-delete blocked_item_id=9b44086b-95bd-43e5-b84b-82b91725f02b

Context Example#

{
"SophosCentral": {
"DeletedBlockedItem": {
"deletedItemId": "9b44086b-95bd-43e5-b84b-82b91725f02b"
}
}
}

Human Readable Output#

Success deleting blocked item: 9b44086b-95bd-43e5-b84b-82b91725f02b

sophos-central-scan-exclusion-list#


List all scan exclusions.

Base Command#

sophos-central-scan-exclusion-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_type | Scan exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral". | Optional |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | The page number to fetch. Default is "1". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-list

Context Example#

{
"SophosCentral": {
"ScanExclusion": [
{
"comment": "Sophos temporary exclusion see KBA 133945",
"description": "Sophos temporary exclusion see KBA 133945",
"id": "369b0956-a7b6-44fc-b1cc-bd7b3279c663",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "%programfiles(x86)%\\Sophos\\Sophos Anti-Virus\\"
},
{
"comment": null,
"description": null,
"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "testpathhzh"
},
{
"comment": "changed before demo",
"description": null,
"id": "16bac29f-17a4-4c3a-9370-8c5968c5ac7d",
"scanMode": "onAccess",
"type": "process",
"value": "changedvirus.exe"
}
]
}
}

Human Readable Output#

Listed Scan Exclusions:#

| id | value | type | description | comment | scanMode |
| --- | --- | --- | --- | --- | --- |
| 369b0956-a7b6-44fc-b1cc-bd7b3279c663 | %programfiles(x86)%\Sophos\Sophos Anti-Virus\ | path | Sophos temporary exclusion see KBA 133945 | Sophos temporary exclusion see KBA 133945 | onDemandAndOnAccess |
| 6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | | | onDemandAndOnAccess |
| 16bac29f-17a4-4c3a-9370-8c5968c5ac7d | changedvirus.exe | process | | changed before demo | onAccess |

Current page: 1. Results on this page: 3. Maximum number of results allowed in a page: 100.

sophos-central-scan-exclusion-get#


Get a single scan exclusion by ID.

Base Command#

sophos-central-scan-exclusion-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_id | The exclusion ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-get exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example#

{
"SophosCentral": {
"ScanExclusion": {
"comment": null,
"description": null,
"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "testpathhzh"
}
}
}

Human Readable Output#

Found Scan Exclusion:#

| id | value | type | scanMode |
| --- | --- | --- | --- |
| 6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-add#


Add a new scan exclusion.

Base Command#

sophos-central-scan-exclusion-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | A comment indicating why the exclusion was created. | Optional |
| scan_mode | The scan mode. Possible values are: "onDemand", "onAccess", and "onDemandAndOnAccess". Default is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. | Optional |
| exclusion_type | The scanning exclusion type. Possible values are: "path", "posixPath", "virtualPath", "process", "web", "pua", "exploitMitigation", "amsi", "behavioral". | Required |
| value | The exclusion value. | Required |

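The scan_mode rules above (and the same rules on the update command further down) are easy to get wrong from a playbook: the default depends on exclusion_type, and two types reject a scan mode altogether. The following is an added example, not the integration's own code, that builds the add arguments with those defaults applied and includes a small hygiene check over list output for exclusions that nobody has documented; the sample exclusions are constructed from the values shown on this page.

```python
from typing import Dict, List, Optional

# scan_mode defaults as documented for the scan-exclusion commands on this page.
ON_DEMAND_AND_ON_ACCESS_TYPES = {"path", "posixPath", "virtualPath"}
ON_ACCESS_TYPES = {"process", "web", "pua", "amsi"}
NO_SCAN_MODE_TYPES = {"behavioral", "exploitMitigation"}
VALID_SCAN_MODES = {"onDemand", "onAccess", "onDemandAndOnAccess"}


def default_scan_mode(exclusion_type: str) -> Optional[str]:
    """Return the documented default scan mode for a type, or None when the type
    does not support a scan mode. Unknown types raise."""
    if exclusion_type in ON_DEMAND_AND_ON_ACCESS_TYPES:
        return "onDemandAndOnAccess"
    if exclusion_type in ON_ACCESS_TYPES:
        return "onAccess"
    if exclusion_type in NO_SCAN_MODE_TYPES:
        return None
    raise ValueError(f"unknown exclusion_type {exclusion_type!r}")


def build_scan_exclusion_args(exclusion_type: str, value: str,
                              scan_mode: Optional[str] = None,
                              comment: Optional[str] = None) -> Dict[str, str]:
    """Build the arguments for sophos-central-scan-exclusion-add.

    Applies the documented scan_mode default when none is given and rejects
    a scan_mode for behavioral/exploitMitigation exclusions, which the page
    says do not support one. Returned keys match the command arguments.
    """
    if not value or not value.strip():
        raise ValueError("value is required")
    effective_mode = default_scan_mode(exclusion_type)  # also validates the type
    if scan_mode is not None:
        if exclusion_type in NO_SCAN_MODE_TYPES:
            raise ValueError(f"{exclusion_type} exclusions do not support a scan mode")
        if scan_mode not in VALID_SCAN_MODES:
            raise ValueError(f"scan_mode must be one of {sorted(VALID_SCAN_MODES)}")
        effective_mode = scan_mode
    args = {"exclusion_type": exclusion_type, "value": value.strip()}
    if effective_mode is not None:
        args["scan_mode"] = effective_mode
    if comment and comment.strip():
        args["comment"] = comment.strip()
    return args


def undocumented_exclusions(exclusions: List[Dict]) -> List[str]:
    """IDs of exclusions with neither a comment nor a system description.

    Every exclusion is a gap in scanning coverage, so an entry nobody can
    explain is a review item. This is an added hygiene check over the output
    of sophos-central-scan-exclusion-list, not part of the integration.
    """
    return [e["id"] for e in exclusions
            if not e.get("comment") and not e.get("description")]


# Constructed sample, shaped like the context output of
# sophos-central-scan-exclusion-list on this page (not a live response).
SAMPLE_EXCLUSIONS: List[Dict] = [
    {"id": "369b0956-a7b6-44fc-b1cc-bd7b3279c663", "type": "path",
     "scanMode": "onDemandAndOnAccess",
     "comment": "Sophos temporary exclusion see KBA 133945",
     "description": "Sophos temporary exclusion see KBA 133945",
     "value": "%programfiles(x86)%\\Sophos\\Sophos Anti-Virus\\"},
    {"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2", "type": "path",
     "scanMode": "onDemandAndOnAccess", "comment": None, "description": None,
     "value": "testpathhzh"},
    {"id": "16bac29f-17a4-4c3a-9370-8c5968c5ac7d", "type": "process",
     "scanMode": "onAccess", "comment": "changed before demo",
     "description": None, "value": "changedvirus.exe"},
]
```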
Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-add exclusion_type=path value=avsdfasdfaa

Context Example#

{
"SophosCentral": {
"ScanExclusion": {
"comment": null,
"description": null,
"id": "be7b05bf-368b-4621-8131-0776486e1c7b",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "avsdfasdfaa"
}
}
}

Human Readable Output#

Added Scan Exclusion:#

| id | value | type | scanMode |
| --- | --- | --- | --- |
| be7b05bf-368b-4621-8131-0776486e1c7b | avsdfasdfaa | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-update#


Update an existing scan exclusion.

Base Command#

sophos-central-scan-exclusion-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | A comment indicating why the exclusion was created. | Optional |
| scan_mode | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath and virtualPath, "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. | Optional |
| exclusion_id | The exclusion ID. | Required |
| value | The exclusion value. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ScanExclusion.comment | String | A comment indicating why the exclusion was updated. |
| SophosCentral.ScanExclusion.description | String | The exclusion description added by the system. |
| SophosCentral.ScanExclusion.id | String | The unique ID for the scanning exclusion setting. |
| SophosCentral.ScanExclusion.scanMode | String | The scan mode. Default is "onDemandAndOnAccess" for exclusions of type path, posixPath, and virtualPath and "onAccess" for process, web, pua, amsi. Behavioral and Detected Exploits (exploitMitigation) type exclusions do not support a scan mode. |
| SophosCentral.ScanExclusion.type | String | The scanning exclusion type. |
| SophosCentral.ScanExclusion.value | String | The exclusion value. |

Command Example#

!sophos-central-scan-exclusion-update exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example#

{
"SophosCentral": {
"ScanExclusion": {
"comment": null,
"description": null,
"id": "6868151e-4eac-4d0a-8985-5db9bff9d6f2",
"scanMode": "onDemandAndOnAccess",
"type": "path",
"value": "testpathhzh"
}
}
}

Human Readable Output#

Updated Scan Exclusion:#

| id | value | type | scanMode |
| --- | --- | --- | --- |
| 6868151e-4eac-4d0a-8985-5db9bff9d6f2 | testpathhzh | path | onDemandAndOnAccess |

sophos-central-scan-exclusion-delete#


Delete an existing scan exclusion.

Base Command#

sophos-central-scan-exclusion-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_id | The exclusion ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedScanExclusion.deletedExclusionId | String | The ID of the deleted exclusion. |

Command Example#

!sophos-central-scan-exclusion-delete exclusion_id=6868151e-4eac-4d0a-8985-5db9bff9d6f2

Context Example#

{
"SophosCentral": {
"DeletedScanExclusion": {
"deletedExclusionId": "6868151e-4eac-4d0a-8985-5db9bff9d6f2"
}
}
}

Human Readable Output#

Success deleting scan exclusion: 6868151e-4eac-4d0a-8985-5db9bff9d6f2

sophos-central-exploit-mitigation-list#


List exploit mitigation settings for all protected applications.

Base Command#

sophos-central-exploit-mitigation-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_type | Exploit mitigation type. Possible values are: "detected" and "custom". | Optional |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | The page number to fetch. Default is "1". | Optional |
| modified | Whether the Exploit Mitigation application has been customized. Possible values are: "true" and "false". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-list

Context Example#

{
"SophosCentral": {
"ExploitMitigation": [
{
"category": "other",
"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",
"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",
"paths": [
"newnewnewnewnew"
],
"type": "custom"
},
{
"category": "browsers",
"id": "06aefe81-7f83-4768-9cec-59d86d7ee133",
"name": "Firefox",
"paths": [
"$programfiles\\Mozilla Firefox\\firefox.exe"
],
"type": "detected"
},
{
"category": "browsers",
"id": "b07c6cd2-ee1b-4cf4-8bd2-d3be05e461cf",
"name": "Google Chrome",
"paths": [
"$programfiles\\Google\\Chrome\\Application\\chrome.exe"
],
"type": "detected"
},
{
"category": "browsers",
"id": "df7c2b63-dda4-4dc4-a12d-471cad799dbd",
"name": "Internet Explorer",
"paths": [
"$programfiles\\Internet Explorer\\iexplore.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "f5d5ba2d-d905-4e7b-b3b7-abb0f30f38b3",
"name": "Java(TM) Platform SE binary",
"paths": [
"$programfiles\\java\\jre1.8.0_271\\bin\\java.exe",
"$programfiles\\java\\jre1.8.0_271\\bin\\javaw.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "9ddf4b33-9f65-4422-898e-d5b5b450e8d8",
"name": "Java(TM) Web Launcher",
"paths": [
"$programfiles\\java\\jre1.8.0_271\\bin\\jp2launcher.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "b44f50e0-0332-444a-bdb0-cfec43fc2def",
"name": "Java(TM) Web Start Launcher",
"paths": [
"$programfiles\\java\\jre1.8.0_271\\bin\\javaws.exe"
],
"type": "detected"
},
{
"category": "other",
"id": "a49af552-55e1-4dcd-a909-2310bcb8016f",
"name": "KeePass",
"paths": [
"$programfiles\\KeePass Password Safe 2\\KeePass.exe"
],
"type": "detected"
},
{
"category": "browsers",
"id": "4178130a-0d4e-435d-b4bb-db594810a43a",
"name": "Microsoft Edge",
"paths": [
"$programfiles\\Microsoft\\Edge\\Application\\msedge.exe",
"$windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe"
],
"type": "detected"
},
{
"category": "office",
"id": "ecbcd6a5-73d5-4060-b49f-b9de2e0587fc",
"name": "Microsoft Excel",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\EXCEL.EXE"
],
"type": "detected"
},
{
"category": "office",
"id": "7907eaf2-b4f0-40e3-9dd8-f7e452ffc7cf",
"name": "Microsoft Outlook",
"paths": [
"$programfiles\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
],
"type": "detected"
},
{
"category": "office",
"id": "6cadbe94-8e1c-4648-aa9e-b0b39e1cb1fb",
"name": "Microsoft PowerPoint",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\POWERPNT.EXE"
],
"type": "detected"
},
{
"category": "office",
"id": "417fd1be-fafa-4e3b-9a9b-589f7f20b72c",
"name": "Microsoft Word",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"
],
"type": "detected"
},
{
"category": "browsers",
"id": "68026667-ca17-473d-b797-ccebe2d9da87",
"name": "MicrosoftEdgeCP.exe",
"paths": [
"$windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe"
],
"type": "detected"
},
{
"category": "java",
"id": "01e26718-ddf3-4aad-b465-d7279b755c32",
"name": "OpenJDK Platform binary",
"paths": [
"$programfiles\\JetBrains\\PyCharm Community Edition 2020.1.2\\jbr\\bin\\java.exe"
],
"type": "detected"
},
{
"category": "office",
"id": "9e378d93-4b62-4976-9a7c-5fdbbafa0b79",
"name": "Pick an app",
"paths": [
"$system32\\OpenWith.exe"
],
"type": "detected"
},
{
"category": "plugins",
"id": "a0b96b54-6895-408c-ac68-f84ca81c248a",
"name": "Plugin Container for Firefox",
"paths": [
"$programfiles\\Mozilla Firefox\\plugin-container.exe"
],
"type": "detected"
},
{
"category": "other",
"id": "3ac3fd9b-5b30-4e19-a9a4-303f553a4500",
"name": "Skype for Business",
"paths": [
"$programfiles\\Microsoft Office\\Root\\Office16\\lync.exe"
],
"type": "detected"
},
{
"category": "media",
"id": "dbedc673-218a-4814-99f0-33642a65b1fd",
"name": "Windows Media Player",
"paths": [
"$programfiles\\Windows Media Player\\wmplayer.exe"
],
"type": "detected"
},
{
"category": "office",
"id": "fd4f1dc8-4b4a-429e-ac27-bd757352f52c",
"name": "Windows Wordpad Application",
"paths": [
"$programfiles\\Windows NT\\Accessories\\WORDPAD.EXE"
],
"type": "detected"
},
{
"category": "other",
"id": "563f4022-0a28-47f8-9bb6-7774aa7794e3",
"name": "b2477368-4e58-4868-af90-554f948f4077",
"paths": [
"wooba"
],
"type": "custom"
},
{
"category": "other",
"id": "b19800cf-a98a-43dc-8efc-6de1f2a7321e",
"name": "cde78059-3164-46c6-903f-c27b9103ef37",
"paths": [
"testpathhhh"
],
"type": "custom"
},
{
"category": "other",
"id": "91fff008-3609-46f3-9fc7-44713635b775",
"name": "ce697cb7-06da-4e02-bcde-21f73b81d5ee",
"paths": [
"changed\\path"
],
"type": "custom"
}
]
}
}

Human Readable Output#

Listed Exploit Mitigations:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | newnewnewnewnew |
| 06aefe81-7f83-4768-9cec-59d86d7ee133 | Firefox | detected | browsers | $programfiles\Mozilla Firefox\firefox.exe |
| b07c6cd2-ee1b-4cf4-8bd2-d3be05e461cf | Google Chrome | detected | browsers | $programfiles\Google\Chrome\Application\chrome.exe |
| df7c2b63-dda4-4dc4-a12d-471cad799dbd | Internet Explorer | detected | browsers | $programfiles\Internet Explorer\iexplore.exe |
| f5d5ba2d-d905-4e7b-b3b7-abb0f30f38b3 | Java(TM) Platform SE binary | detected | java | $programfiles\java\jre1.8.0_271\bin\java.exe, $programfiles\java\jre1.8.0_271\bin\javaw.exe |
| 9ddf4b33-9f65-4422-898e-d5b5b450e8d8 | Java(TM) Web Launcher | detected | java | $programfiles\java\jre1.8.0_271\bin\jp2launcher.exe |
| b44f50e0-0332-444a-bdb0-cfec43fc2def | Java(TM) Web Start Launcher | detected | java | $programfiles\java\jre1.8.0_271\bin\javaws.exe |
| a49af552-55e1-4dcd-a909-2310bcb8016f | KeePass | detected | other | $programfiles\KeePass Password Safe 2\KeePass.exe |
| 4178130a-0d4e-435d-b4bb-db594810a43a | Microsoft Edge | detected | browsers | $programfiles\Microsoft\Edge\Application\msedge.exe, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe |
| ecbcd6a5-73d5-4060-b49f-b9de2e0587fc | Microsoft Excel | detected | office | $programfiles\Microsoft Office\Root\Office16\EXCEL.EXE |
| 7907eaf2-b4f0-40e3-9dd8-f7e452ffc7cf | Microsoft Outlook | detected | office | $programfiles\Microsoft Office\root\Office16\OUTLOOK.EXE |
| 6cadbe94-8e1c-4648-aa9e-b0b39e1cb1fb | Microsoft PowerPoint | detected | office | $programfiles\Microsoft Office\Root\Office16\POWERPNT.EXE |
| 417fd1be-fafa-4e3b-9a9b-589f7f20b72c | Microsoft Word | detected | office | $programfiles\Microsoft Office\Root\Office16\WINWORD.EXE |
| 68026667-ca17-473d-b797-ccebe2d9da87 | MicrosoftEdgeCP.exe | detected | browsers | $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe |
| 01e26718-ddf3-4aad-b465-d7279b755c32 | OpenJDK Platform binary | detected | java | $programfiles\JetBrains\PyCharm Community Edition 2020.1.2\jbr\bin\java.exe |
| 9e378d93-4b62-4976-9a7c-5fdbbafa0b79 | Pick an app | detected | office | $system32\OpenWith.exe |
| a0b96b54-6895-408c-ac68-f84ca81c248a | Plugin Container for Firefox | detected | plugins | $programfiles\Mozilla Firefox\plugin-container.exe |
| 3ac3fd9b-5b30-4e19-a9a4-303f553a4500 | Skype for Business | detected | other | $programfiles\Microsoft Office\Root\Office16\lync.exe |
| dbedc673-218a-4814-99f0-33642a65b1fd | Windows Media Player | detected | media | $programfiles\Windows Media Player\wmplayer.exe |
| fd4f1dc8-4b4a-429e-ac27-bd757352f52c | Windows Wordpad Application | detected | office | $programfiles\Windows NT\Accessories\WORDPAD.EXE |
| 563f4022-0a28-47f8-9bb6-7774aa7794e3 | b2477368-4e58-4868-af90-554f948f4077 | custom | other | wooba |
| b19800cf-a98a-43dc-8efc-6de1f2a7321e | cde78059-3164-46c6-903f-c27b9103ef37 | custom | other | testpathhhh |
| 91fff008-3609-46f3-9fc7-44713635b775 | ce697cb7-06da-4e02-bcde-21f73b81d5ee | custom | other | changed\path |

Current page: 1. Results on this page: 23. Maximum number of results allowed in a page: 100.

sophos-central-exploit-mitigation-get#


Get exploit mitigation settings for a single application.

Base Command#

sophos-central-exploit-mitigation-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_id | The Exploit Mitigation application ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-get mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example#

{
"SophosCentral": {
"ExploitMitigation": {
"category": "other",
"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",
"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",
"paths": [
"newnewnewnewnew"
],
"type": "custom"
}
}
}

Human Readable Output#

Found Exploit Mitigation:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | newnewnewnewnew |

sophos-central-exploit-mitigation-add#


Exclude a set of file paths from exploit mitigation.

Base Command#

sophos-central-exploit-mitigation-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| path | An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles). | Required |

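The path argument (here and on the update command below) is documented as an absolute path to an application file, optionally rooted at a HitmanPro.Alert expansion variable, but the API accepts bare strings such as the "testestesteset" and "wooba" values in this page's examples, which exclude no real application and only clutter the custom list. The following is an added example, not the integration's own code, that checks a candidate path against the documented shape before the command runs and audits list output for custom entries that fail it; the set of expansion variables is limited to those that appear on this page (an assumption; HitmanPro.Alert defines more), and the sample list is constructed from the page's values.

```python
import re
from typing import Dict, List, Tuple

# Expansion variables that appear on this page. HitmanPro.Alert defines
# others; extend this set from the vendor documentation (assumption).
KNOWN_EXPANSION_VARIABLES = {"$desktop", "$programfiles", "$windows", "$system32"}

_DRIVE_ABSOLUTE = re.compile(r"^[A-Za-z]:\\")          # C:\...
_UNC_ABSOLUTE = re.compile(r"^\\\\[^\\]+\\[^\\]+")      # \\server\share\...
_VARIABLE_PREFIX = re.compile(r"^(\$[A-Za-z0-9_()]+)(\\|$)")  # $programfiles\...


def check_exploit_mitigation_path(path: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate `path` argument.

    Accepts a drive-letter or UNC absolute path, or a path rooted at a known
    expansion variable, that names a file rather than a directory.
    """
    p = path.strip()
    if not p:
        return False, "empty path"
    m = _VARIABLE_PREFIX.match(p)
    if m:
        if m.group(1).lower() not in KNOWN_EXPANSION_VARIABLES:
            return False, f"unknown expansion variable {m.group(1)}"
    elif not (_DRIVE_ABSOLUTE.match(p) or _UNC_ABSOLUTE.match(p)):
        return False, "not an absolute path or expansion-variable path"
    if "\\" not in p:
        return False, "no file name component"
    if p.endswith("\\"):
        return False, "path names a directory, not an application file"
    return True, "ok"


def audit_custom_mitigations(items: List[Dict]) -> List[Tuple[str, str, str]]:
    """(id, path, reason) for every path of a custom entry that fails the check.

    Intended to run over the output of sophos-central-exploit-mitigation-list;
    detected (system-created) entries are skipped.
    """
    findings = []
    for item in items:
        if item.get("type") != "custom":
            continue
        for path in item.get("paths") or []:
            ok, reason = check_exploit_mitigation_path(path)
            if not ok:
                findings.append((item["id"], path, reason))
    return findings


# Constructed sample, shaped like the context output of
# sophos-central-exploit-mitigation-list on this page (not a live response).
SAMPLE_MITIGATIONS: List[Dict] = [
    {"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded", "type": "custom",
     "category": "other", "paths": ["newnewnewnewnew"]},
    {"id": "06aefe81-7f83-4768-9cec-59d86d7ee133", "type": "detected",
     "category": "browsers", "paths": ["$programfiles\\Mozilla Firefox\\firefox.exe"]},
    {"id": "563f4022-0a28-47f8-9bb6-7774aa7794e3", "type": "custom",
     "category": "other", "paths": ["wooba"]},
]
```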
Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-add path=testestesteset

Context Example#

{
"SophosCentral": {
"ExploitMitigation": {
"category": "other",
"id": "755ec991-c04f-498f-ab8e-20ef1a187b52",
"name": "d082226b-0c17-4959-a3ed-a6957f39c9bc",
"paths": [
"testestesteset"
],
"type": "custom"
}
}
}

Human Readable Output#

Added Exploit Mitigation:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| 755ec991-c04f-498f-ab8e-20ef1a187b52 | d082226b-0c17-4959-a3ed-a6957f39c9bc | custom | other | testestesteset |

sophos-central-exploit-mitigation-update#


Update exploit mitigation settings for an application.

Base Command#

sophos-central-exploit-mitigation-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_id | The Exploit Mitigation application ID. | Required |
| path | An absolute path to an application file to exclude. You may use HitmanPro.Alert expansion variables (e.g., $desktop, $programfiles). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.ExploitMitigation.category | String | The Exploit Mitigation category ID. |
| SophosCentral.ExploitMitigation.name | String | The name given to this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.paths | String | Paths included in this Exploit Mitigation Application. |
| SophosCentral.ExploitMitigation.type | String | Whether the application was detected by the system or created by the user. |

Command Example#

!sophos-central-exploit-mitigation-update mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded path=changed

Context Example#

{
"SophosCentral": {
"ExploitMitigation": {
"category": "other",
"id": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded",
"name": "3bf6f110-48d8-4114-95e3-a286ac50d722",
"paths": [
"changed"
],
"type": "custom"
}
}
}

Human Readable Output#

Updated Exploit Mitigation:#

| id | name | type | category | paths |
| --- | --- | --- | --- | --- |
| ff9d87d0-c944-4ca5-9f76-c5efd1f89ded | 3bf6f110-48d8-4114-95e3-a286ac50d722 | custom | other | changed |

sophos-central-exploit-mitigation-delete#


Delete a custom (user-defined) exploit mitigation application by ID.

Base Command#

sophos-central-exploit-mitigation-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mitigation_id | The Exploit Mitigation application ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DeletedExploitMitigation.deletedMitigationId | String | The ID of the deleted mitigation. |

Command Example#

!sophos-central-exploit-mitigation-delete mitigation_id=ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

Context Example#

{
"SophosCentral": {
"DeletedExploitMitigation": {
"deletedMitigationId": "ff9d87d0-c944-4ca5-9f76-c5efd1f89ded"
}
}
}

Human Readable Output#

Success deleting exploit mitigation: ff9d87d0-c944-4ca5-9f76-c5efd1f89ded

sophos-central-detected-exploit-list#


List all detected exploits.

Base Command#

sophos-central-detected-exploit-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | The maximum size of the page requested. Default is "50". Maximum is "100". | Optional |
| page | The page number to fetch. Default is "1". | Optional |
| thumbprint_not_in | Filter out detected exploits with these thumbprints. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DetectedExploit.count | Number | The number of times the same exploit has been detected, potentially across multiple endpoints. |
| SophosCentral.DetectedExploit.description | String | The English description of the exploit detected event. |
| SophosCentral.DetectedExploit.id | String | The ID of this Exploit Mitigation Application. |
| SophosCentral.DetectedExploit.firstSeenAt | Date | When the exploit was first seen. |
| SophosCentral.DetectedExploit.lastSeenAt | Date | When the exploit was last seen. |
| SophosCentral.DetectedExploit.lastEndpointHostname | String | The endpoint hostname. |
| SophosCentral.DetectedExploit.lastEndpointId | String | The unique endpoint ID. |
| SophosCentral.DetectedExploit.lastUserName | String | Person's name. |
| SophosCentral.DetectedExploit.lastUserId | String | The unique ID for the user. |
| SophosCentral.DetectedExploit.thumbprint | String | Matches [0-9a-zA-Z]{64}. |

Command Example#

!sophos-central-detected-exploit-list

Context Example#

```json
{
    "SophosCentral": {
        "DetectedExploit": null
    }
}
```

Human Readable Output#

Listed Detected Exploits:#

No entries. Current page: 1. Results on this page: 0. Maximum number of results allowed in a page: 100.
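The context example above shows the edge case that trips up playbooks built on this command: when nothing is detected, `SophosCentral.DetectedExploit` is written as `null` rather than an empty list, and a single result is commonly a bare object rather than a one-element list. The following helper, an added example that is not part of the Sophos Central pack, normalises all three shapes, checks each `thumbprint` against the documented `[0-9a-zA-Z]{64}` form, separates already-triaged exploits from new ones, and builds the value for the next `thumbprint_not_in` filter. The sample records are constructed for this example, and it assumes (the page does not say) that `thumbprint_not_in` takes a comma-separated list, the usual XSOAR convention for list-valued arguments.

```python
import re
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Format documented for SophosCentral.DetectedExploit.thumbprint: [0-9a-zA-Z]{64}.
THUMBPRINT_RE = re.compile(r"[0-9a-zA-Z]{64}")


def normalize_detected_exploits(context_value: Any) -> List[Dict[str, Any]]:
    """Return the SophosCentral.DetectedExploit context value as a list.

    The command writes null when nothing was detected, a single object when
    exactly one exploit is returned, and a list otherwise. Code that indexes
    into the raw value breaks on the first two shapes.
    """
    if context_value is None:
        return []
    if isinstance(context_value, dict):
        return [context_value]
    return [item for item in context_value if isinstance(item, dict)]


def valid_thumbprint(thumbprint: Optional[str]) -> bool:
    """True if the thumbprint has the documented 64-character alphanumeric form."""
    return isinstance(thumbprint, str) and THUMBPRINT_RE.fullmatch(thumbprint) is not None


def triage_detected_exploits(
    context_value: Any, already_triaged: Iterable[str]
) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Split detected exploits into (new, malformed).

    Exploits whose thumbprint is in already_triaged are dropped. Records whose
    thumbprint does not match the documented format are returned separately so
    an analyst reviews them instead of a filter silently discarding them.
    """
    triaged = set(already_triaged)
    new: List[Dict[str, Any]] = []
    malformed: List[Dict[str, Any]] = []
    for exploit in normalize_detected_exploits(context_value):
        thumbprint = exploit.get("thumbprint")
        if not valid_thumbprint(thumbprint):
            malformed.append(exploit)
        elif thumbprint not in triaged:
            new.append(exploit)
    return new, malformed


def thumbprint_not_in_arg(thumbprints: Iterable[str]) -> str:
    """Build the thumbprint_not_in argument for the next list call.

    Assumption (not stated on the page): the argument accepts a comma-separated
    list. Only well-formed thumbprints are included; sorting keeps the value
    stable between runs so it can be compared in incident notes.
    """
    return ",".join(sorted({t for t in thumbprints if valid_thumbprint(t)}))


# Constructed sample records shaped like the documented context output; the
# IDs, hostnames, descriptions and thumbprints are invented for this example.
KNOWN_THUMBPRINT = "a" * 64
NEW_THUMBPRINT = "0123456789abcdef" * 4
SAMPLE_CONTEXT = [
    {"id": "exploit-1", "count": 3, "lastEndpointHostname": "ws-01",
     "description": "sample description", "thumbprint": KNOWN_THUMBPRINT},
    {"id": "exploit-2", "count": 1, "lastEndpointHostname": "ws-07",
     "description": "sample description", "thumbprint": NEW_THUMBPRINT},
    {"id": "exploit-3", "count": 1, "lastEndpointHostname": "ws-09",
     "description": "record with a malformed thumbprint", "thumbprint": "not-a-thumbprint"},
]

if __name__ == "__main__":
    new, malformed = triage_detected_exploits(SAMPLE_CONTEXT, [KNOWN_THUMBPRINT])
    print(f"{len(new)} new exploit(s), {len(malformed)} malformed record(s)")
    seen = [KNOWN_THUMBPRINT] + [e["thumbprint"] for e in new]
    print("next filter: thumbprint_not_in=" + thumbprint_not_in_arg(seen))
```

Run as a script it triages the constructed sample; inside XSOAR the same functions would be fed `demisto.context()` values instead of `SAMPLE_CONTEXT`.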

sophos-central-detected-exploit-get#


Get a single detected exploit.

Base Command#

sophos-central-detected-exploit-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detected_exploit_id | The ID of a previously detected exploit. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.DetectedExploit.count | Number | The number of times the same exploit has been detected, potentially across multiple endpoints. |
| SophosCentral.DetectedExploit.description | String | The English description of the exploit detected event. |
| SophosCentral.DetectedExploit.id | String | The ID of this Exploit Mitigation application. |
| SophosCentral.DetectedExploit.firstSeenAt | Date | When the exploit was first seen. |
| SophosCentral.DetectedExploit.lastSeenAt | Date | When the exploit was last seen. |
| SophosCentral.DetectedExploit.lastEndpointHostname | String | The endpoint hostname. |
| SophosCentral.DetectedExploit.lastEndpointId | String | The unique endpoint ID. |
| SophosCentral.DetectedExploit.lastUserName | String | Person's name. |
| SophosCentral.DetectedExploit.lastUserId | String | The unique ID for the user. |
| SophosCentral.DetectedExploit.thumbprint | String | Matches `[0-9a-zA-Z]{64}`. |

Command Example#

Human Readable Output#

sophos-central-isolate-endpoint#


Isolate one or more endpoints.

Base Command#

sophos-central-isolate-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | ID(s) of the endpoint(s) to be isolated. | Required |
| comment | Comment indicating why the endpoint(s) should be isolated. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointIsolation.items.id | String | The unique endpoint ID. |
| SophosCentral.EndpointIsolation.items.isolation.enabled | Boolean | Isolation status. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledAt | String | When isolation was last enabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledBy.id | String | Email of the principal, or client ID, that last enabled isolation. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledAt | String | When isolation was last disabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledBy.id | String | Email of the principal, or client ID, that last disabled isolation. |
| SophosCentral.EndpointIsolation.items.isolation.comment | String | The reason given for isolating or de-isolating the endpoint. |

Command Example#

!sophos-central-isolate-endpoint endpoint_id=25de27bc-b07a-4728-b7b2-a021365xxxxx

Context Example#

```json
{
    "items": [
        {
            "id": "25de27bc-b07a-4728-b7b2-a021365xxxxx",
            "isolation": {
                "enabled": true,
                "lastEnabledAt": "2021-08-13 09.07.03 GMT",
                "lastEnabledBy": {
                    "id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
                },
                "lastDisabledAt": "2021-08-13 09.54.02 GMT",
                "lastDisabledBy": {
                    "id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
                },
                "comment": "testing"
            }
        }
    ]
}
```

Human Readable Output#

Endpoint(s) isolated successfully.

sophos-central-deisolate-endpoint#


De-isolate one or more endpoints.

Base Command#

sophos-central-deisolate-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | ID(s) of the endpoint(s) to be de-isolated. | Required |
| comment | Comment indicating why the endpoint(s) should be de-isolated. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SophosCentral.EndpointIsolation.items.id | String | The unique endpoint ID. |
| SophosCentral.EndpointIsolation.items.isolation.enabled | Boolean | Isolation status. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledAt | String | When isolation was last enabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastEnabledBy.id | String | Email of the principal, or client ID, that last enabled isolation. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledAt | String | When isolation was last disabled for the endpoint. |
| SophosCentral.EndpointIsolation.items.isolation.lastDisabledBy.id | String | Email of the principal, or client ID, that last disabled isolation. |
| SophosCentral.EndpointIsolation.items.isolation.comment | String | The reason given for isolating or de-isolating the endpoint. |

Command Example#

!sophos-central-deisolate-endpoint endpoint_id=25de27bc-b07a-4728-b7b2-a021365xxxxx

Context Example#

```json
{
    "items": [
        {
            "id": "25de27bc-b07a-4728-b7b2-a021365xxxxx",
            "isolation": {
                "enabled": false,
                "lastEnabledAt": "2021-08-13 09.07.03 GMT",
                "lastEnabledBy": {
                    "id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
                },
                "lastDisabledAt": "2021-08-13 09.54.02 GMT",
                "lastDisabledBy": {
                    "id": "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
                },
                "comment": "testing"
            }
        }
    ]
}
```

Human Readable Output#

Endpoint(s) de-isolated successfully.
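The human-readable output of both isolation commands is a fixed success message, so a playbook that contains an endpoint during an incident should confirm the result from the `items[].isolation.enabled` flags rather than from that message. The helper below is an added example, not code from the Sophos Central pack; it works for both `sophos-central-isolate-endpoint` and `sophos-central-deisolate-endpoint`. It parses the `2021-08-13 09.07.03 GMT` timestamp form shown in the context examples above (assumed here to always be UTC with dot-separated time fields), reports which requested endpoints were confirmed in the expected state, which came back in the opposite state, and which were absent from the response, and extracts the most recent isolation change for the incident audit trail. The sample response reuses the placeholder IDs from the page's de-isolate context example.

```python
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Timestamp form seen in the isolation context examples, e.g. "2021-08-13 09.07.03 GMT".
# Assumption for this example: the suffix is always "GMT", i.e. the value is UTC.
ISOLATION_TS_FORMAT = "%Y-%m-%d %H.%M.%S GMT"


def parse_isolation_timestamp(value: Optional[str]) -> Optional[datetime]:
    """Parse lastEnabledAt / lastDisabledAt into an aware UTC datetime (None if absent)."""
    if not value:
        return None
    return datetime.strptime(value, ISOLATION_TS_FORMAT).replace(tzinfo=timezone.utc)


def last_isolation_change(isolation: Dict[str, Any]) -> Optional[Tuple[str, datetime, str]]:
    """Return ("enabled"|"disabled", when, actor_id) for the most recent recorded change.

    Useful for the incident timeline: it records who last changed isolation and
    when, independent of the current enabled flag.
    """
    candidates = []
    for kind, at_key, by_key in (
        ("enabled", "lastEnabledAt", "lastEnabledBy"),
        ("disabled", "lastDisabledAt", "lastDisabledBy"),
    ):
        when = parse_isolation_timestamp(isolation.get(at_key))
        if when is not None:
            actor = (isolation.get(by_key) or {}).get("id", "")
            candidates.append((when, kind, actor))
    if not candidates:
        return None
    when, kind, actor = max(candidates)
    return kind, when, actor


def verify_isolation(
    response: Dict[str, Any], expected_enabled: bool, requested_ids: Iterable[str]
) -> Dict[str, List[str]]:
    """Check an isolate/de-isolate response against what the playbook asked for.

    Returns endpoint IDs grouped as confirmed (enabled flag matches
    expected_enabled), mismatched (flag present but opposite) and missing
    (not in the response at all). Anything other than all-confirmed should
    fail the playbook task rather than pass on the generic success message.
    """
    state: Dict[str, bool] = {}
    for item in response.get("items") or []:
        isolation = item.get("isolation") or {}
        state[item.get("id", "")] = bool(isolation.get("enabled"))

    result: Dict[str, List[str]] = {"confirmed": [], "mismatched": [], "missing": []}
    for endpoint_id in requested_ids:
        if endpoint_id not in state:
            result["missing"].append(endpoint_id)
        elif state[endpoint_id] == expected_enabled:
            result["confirmed"].append(endpoint_id)
        else:
            result["mismatched"].append(endpoint_id)
    return result


# Sample response taken from the de-isolate context example above (placeholder IDs as on the page).
ENDPOINT_ID = "25de27bc-b07a-4728-b7b2-a021365xxxxx"
ACTOR_ID = "e71332ab-c447-45ff-b356-b8b5f39xxxxx"
SAMPLE_DEISOLATE_RESPONSE = {
    "items": [
        {
            "id": ENDPOINT_ID,
            "isolation": {
                "enabled": False,
                "lastEnabledAt": "2021-08-13 09.07.03 GMT",
                "lastEnabledBy": {"id": ACTOR_ID},
                "lastDisabledAt": "2021-08-13 09.54.02 GMT",
                "lastDisabledBy": {"id": ACTOR_ID},
                "comment": "testing",
            },
        }
    ]
}

if __name__ == "__main__":
    # A de-isolate request for two endpoints, one of which is absent from the response.
    print(verify_isolation(SAMPLE_DEISOLATE_RESPONSE, False, [ENDPOINT_ID, "constructed-missing-id"]))
    print(last_isolation_change(SAMPLE_DEISOLATE_RESPONSE["items"][0]["isolation"]))
```

For the isolate command the same call is made with `expected_enabled=True`; in a playbook, a non-empty `mismatched` or `missing` list is the condition to branch on.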