About the connector
Sophos Central is an integrated management platform that simplifies the administration of multiple Sophos products and enables more efficient business management for Sophos partners.
This document provides information about the Sophos Central connector, which facilitates automated interactions, with Sophos Central server using FortiSOAR™ playbooks. Add the Sophos Central connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving a list of all incidents or alerts or specific incidents or alerts from the Sophos Central system, or scanning a specific endpoint on the Sophos Central system.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.0.0-866
Authored By: Fortinet
Certified: Yes
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-sophos-central
Prerequisites to configuring the connector
- You must have the URL of Sophos Central server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the CyOPs™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Sophos Central connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Sophos Central server to which you will connect and perform automated operations. |
Username | Username to access the Sophos Central server to which you will connect and perform automated operations. |
Password | Password to access the Sophos Central to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Events | Retrieves a list of all incidents or specific incidents from the Sophos Central system, based on the filter criteria such as the endpoint ID, event/alert type, or other input parameters that you have specified. | get_events Investigation |
Get Alerts | Retrieves a list of all the alerts or specific alerts from the Sophos Central system, based on the filter criteria such as the limit and/or offset that you have specified. | get_alerts Investigation |
Get Events related to Alert | Retrieves a list of the events that are related to a specific alert ID from the Sophos Central system, based on the filter criteria such as the alert ID, event/alert type, or other input parameters that you have specified. | get_alert_related_events Investigation |
Get Reports | Retrieves reports from the Sophos Central system, based on the report type and other input parameters that you have specified. | get_reports Investigation |
Isolate Endpoint | Isolates a specific endpoint on the Sophos Central system, based on the endpoint ID and comment that you have specified. | isolate_endpoint Investigation |
Unisolate Endpoint | Removes the isolation of a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | unisolate_endpoint Investigation |
Scan Endpoint | Scans a specific endpoint on the Sophos Central system, based on the endpoint ID that you have specified. | scan_endpoint Investigation |
Get Threat Cases | Retrieves all the threat cases, or specific threat cases, from the Sophos Central system, based on the input parameters you have specified. | get_threat_cases Investigation |
Get Details of Threat Case | Retrieves the details of a specific threat case from the Sophos Central system, based on the case ID you have specified. | get_details_of_threat_case Investigation |
Get Artifacts of Threat Case | Retrieves the artifacts of a specific threat case from the Sophos Central system, based on the case ID, filters and other input parameters you have specified. | get_artifacts_of_threat_case Investigation |
operation: Get Events
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | Type of event based on which you want to retrieve events from the Sophos Central system. |
Alert ID | Alert ID based on which you want to retrieve events from the Sophos Central system. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:

```json
{
  "events": [
    {
      "source_info": {
        "ip": ""
      },
      "appCerts": "",
      "threat": "",
      "core_remedy_items": "",
      "user_id": "",
      "when": "",
      "created_at": "",
      "appSha256": "",
      "id": ""
    }
  ],
  "filtered": "",
  "total": "",
  "nextKey": ""
}
```
operation: Get Alerts
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:

```json
{
  "alerts": [
    {
      "threat": "",
      "event_service_event_id": "",
      "when": "",
      "created_at": "",
      "id": "",
      "location": "",
      "customer_id": "",
      "info": "",
      "source": "",
      "type": "",
      "data": {
        "endpoint_java_id": "",
        "inserted_at": "",
        "make_actionable_at": "",
        "endpoint_type": "",
        "event_service_id": "",
        "source_info": {
          "ip": ""
        },
        "endpoint_id": "",
        "endpoint_platform": "",
        "user_match_id": "",
        "created_at": ""
      },
      "description": "",
      "threat_cleanable": "",
      "severity": ""
    }
  ],
  "filtered": "",
  "total": "",
  "nextKey": ""
}
```
operation: Get Events related to Alert
Input parameters
Parameter | Description |
---|---|
Alert ID | ID of the alert whose associated events you want to retrieve from the Sophos Central system. |
Endpoint ID | (Optional) ID of the endpoint based on which you want to retrieve events from the Sophos Central system. |
Event Type | (Optional) Type of event based on which you want to retrieve events from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:

```json
{
  "origin": "",
  "appCerts": "",
  "threat": "",
  "endpoint_type": "",
  "user_id": "",
  "endpoint_id": "",
  "when": "",
  "created_at": "",
  "id": "",
  "location": "",
  "source_info": {
    "ip": ""
  },
  "name": "",
  "customer_id": "",
  "core_remedy_items": "",
  "source": "",
  "type": "",
  "severity": "",
  "appSha256": "",
  "group": ""
}
```
operation: Get Reports
Input parameters
Parameter | Description |
---|---|
Report Type | Type of report based on which you want to retrieve reports from the Sophos Central system. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
Ascending | Select the Ascending checkbox to sort the results in the ascending order. |
Output
When you choose "Users" as the Report Type, the output contains the following populated JSON schema:

```json
{
  "filename": "",
  "filtered": "",
  "reports": [
    {
      "last_activity": "",
      "mobile_devices": [],
      "deployment_instructions_sent": "",
      "health_status": "",
      "logins": "",
      "endpoints": "",
      "groups": "",
      "id": "",
      "email": "",
      "name": ""
    }
  ],
  "total": "",
  "summary": {
    "total": "",
    "active": "",
    "dormant": "",
    "no_devices": "",
    "inactive": ""
  }
}
```
When you choose "Servers" as the Report Type, the output contains the following populated JSON schema:

```json
{
  "filename": "",
  "reports": [
    {
      "last_activity": "",
      "on_access": "",
      "last_scan_time": "",
      "last_login": "",
      "is_adsync": "",
      "last_updated": "",
      "last_scan": "",
      "health_status": "",
      "group_name": "",
      "id": "",
      "name": ""
    }
  ],
  "filtered": "",
  "summary": {
    "total": "",
    "active": "",
    "unprotected": "",
    "inactive": "",
    "domant": ""
  },
  "total": ""
}
```
When you choose "Computers" as the Report Type, the output contains the following populated JSON schema:

```json
{
  "reports": [
    {
      "last_activity": "",
      "last_user_id": "",
      "on_access": "",
      "last_scan_time": ""
    }
  ]
}
```
operation: Isolate Endpoint
Input parameters
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to isolate on the Sophos Central system. |
Comment | Comment that you want to associate with the endpoint that you are isolating on the Sophos Central system. |
Output
The output contains the following populated JSON schema:

```json
{
  "failed": [],
  "succeeded": []
}
```
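The following Python is an added example, not part of the connector or its sample playbooks. It shows how the Limit/Offset paging described in the parameter tables and the Get Alerts output shape above can feed the Isolate Endpoint step: every page is walked (Offset is the 0-based page index), and only endpoints carrying a high-severity alert that Sophos could not clean are selected. `fake_fetch` and the sample alerts are constructed stand-ins for the playbook's Get Alerts call, and lowercase severity values plus a boolean `threat_cleanable` are assumptions about the response.

```python
"""Triage helpers for the Get Alerts output shape documented above.

Added example (not FortiSOAR connector code); `fetch` stands in for a
playbook step that calls the connector's Get Alerts operation.
"""
from typing import Callable, Dict, Iterator, List

Alert = Dict[str, object]


def iter_alert_pages(fetch: Callable[[int, int], Dict[str, object]],
                     limit: int = 50) -> Iterator[Alert]:
    """Walk every page of Get Alerts.

    fetch(limit, offset) stands in for the connector call; Offset is the
    0-based page index and Limit the page size, as the parameter table states.
    Stops on a short page or once 'filtered' alerts have all been seen.
    """
    offset = 0
    seen = 0
    while True:
        page = fetch(limit, offset)
        alerts = page.get("alerts", [])
        for alert in alerts:
            yield alert
        seen += len(alerts)
        filtered = page.get("filtered")
        if not alerts or len(alerts) < limit:
            break
        if isinstance(filtered, int) and seen >= filtered:
            break
        offset += 1


def isolation_candidates(alerts: List[Alert]) -> List[str]:
    """Endpoint IDs with a high-severity alert that could not be cleaned.

    Uses only fields from the documented schema: severity, threat_cleanable
    and data.endpoint_id. Each endpoint is returned once, in first-seen
    order, so the list can feed the Isolate Endpoint operation directly.
    """
    out: List[str] = []
    for alert in alerts:
        if alert.get("severity") != "high" or alert.get("threat_cleanable") is not False:
            continue
        endpoint_id = (alert.get("data") or {}).get("endpoint_id")
        if endpoint_id and endpoint_id not in out:
            out.append(endpoint_id)
    return out


# Constructed sample data shaped like the documented output (not real alerts).
SAMPLE_ALERTS: List[Alert] = [
    {"id": "a1", "severity": "high", "threat_cleanable": False,
     "threat": "Troj/Example-A", "data": {"endpoint_id": "ep-1"}},
    {"id": "a2", "severity": "low", "threat_cleanable": True,
     "threat": "PUA/Example-B", "data": {"endpoint_id": "ep-2"}},
    {"id": "a3", "severity": "high", "threat_cleanable": False,
     "threat": "Troj/Example-C", "data": {"endpoint_id": "ep-1"}},
    {"id": "a4", "severity": "high", "threat_cleanable": True,
     "threat": "Mal/Example-D", "data": {"endpoint_id": "ep-3"}},
    {"id": "a5", "severity": "medium", "threat_cleanable": False,
     "threat": "Mal/Example-E", "data": {"endpoint_id": "ep-4"}},
]


def fake_fetch(limit: int, offset: int) -> Dict[str, object]:
    """Simulated Get Alerts page over SAMPLE_ALERTS (constructed, offline)."""
    start = offset * limit
    chunk = SAMPLE_ALERTS[start:start + limit]
    return {"alerts": chunk, "filtered": len(SAMPLE_ALERTS),
            "total": len(SAMPLE_ALERTS), "nextKey": ""}


if __name__ == "__main__":
    collected = list(iter_alert_pages(fake_fetch, limit=2))
    print(len(collected), isolation_candidates(collected))  # 5 ['ep-1']
```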
operation: Unisolate Endpoint
Input parameters
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to unisolate on the Sophos Central system. |
Output
The output contains the following populated JSON schema:

```json
{
  "failed": [],
  "succeeded": []
}
```
operation: Scan Endpoint
Input parameters
Parameter | Description |
---|---|
Endpoint ID | ID of the endpoint that you want to scan on the Sophos Central system. |
Output
The output contains the following populated JSON schema:

```json
{
  "message": ""
}
```
operation: Get Threat Cases
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Case Type | Type of case whose associated threats you want to retrieve from the Sophos Central system. You can choose between System Generated or Admin Generated. |
Endpoint Type | Type of endpoint whose associated threats you want to retrieve from the Sophos Central system. You can choose between Computer or Server. |
Priority | Priority of case based on which you want to retrieve threats from the Sophos Central system. You can choose between Medium, High, or Low. |
Case Status | Status of case based on which you want to retrieve threats from the Sophos Central system. You can choose between New, In Progress, or Closed. |
Limit | Maximum number of results per page that this operation should return. |
Offset | 0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:

```json
{
  "summary": {
    "inprogress": "",
    "closed": "",
    "total": "",
    "new": ""
  },
  "nextKey": "",
  "total": "",
  "filtered": "",
  "cases": [
    {
      "malwareName": "",
      "endpointName": "",
      "endpointType": "",
      "beaconDT": "",
      "endpointSupportsL3FileAnalysis": "",
      "rootCauseName": "",
      "status": "",
      "supportsDirectPath": "",
      "numberOfBusinessFiles": "",
      "hasProcessBeacon": "",
      "allowedStates": [],
      "isEndpointDeleted": "",
      "suspectProcessCount": "",
      "complexRootCause": {
        "source": {
          "value": "",
          "type": ""
        },
        "interaction": "",
        "provenance": {
          "value": "",
          "type": ""
        },
        "target": {}
      },
      "cloudCreatedAt": "",
      "endpointId": "",
      "rootCauseDT": "",
      "priority": "",
      "id": "",
      "version": "",
      "customerId": "",
      "endpointSupportsForensicSnapshots": "",
      "supportsSortOnDecoration": ""
    }
  ]
}
```
operation: Get Details of Threat Case
Input parameters
Parameter | Description |
---|---|
Case ID | ID of the case whose details you want to retrieve from the Sophos Central system. |
Output
The output contains the following populated JSON schema:

```json
{
  "malwareName": "",
  "endpointName": "",
  "endpointType": "",
  "beaconDT": "",
  "endpointSupportsL3FileAnalysis": "",
  "rootCauseName": "",
  "status": "",
  "supportsDirectPath": "",
  "numberOfBusinessFiles": "",
  "hasProcessBeacon": "",
  "allowedStates": [],
  "isEndpointDeleted": "",
  "suspectProcessCount": "",
  "complexRootCause": {
    "source": {
      "value": "",
      "type": ""
    },
    "interaction": "",
    "provenance": {
      "value": "",
      "type": ""
    },
    "target": {}
  },
  "cloudCreatedAt": "",
  "endpointId": "",
  "rootCauseDT": "",
  "priority": "",
  "id": "",
  "version": "",
  "customerId": "",
  "endpointSupportsForensicSnapshots": "",
  "supportsSortOnDecoration": ""
}
```
operation: Get Artifacts of Threat Case
Input parameters
Parameter | Description |
---|---|
Case ID | ID of the case whose artifacts you want to retrieve from the Sophos Central system. |
Filters | (Optional) Filters based on which you want to retrieve artifacts of the threat case from the Sophos Central system. You can choose from the following options: Processes, Business Files, Registry Keys, Network Connections, Other Files, or Unknown. |
Limit | (Optional) Maximum number of results per page that this operation should return. |
Offset | (Optional) 0-based index of the page that this operation should return. |
Output
The output contains the following populated JSON schema:

```json
{
  "summary": {
    "processes": "",
    "total": "",
    "business_files": "",
    "other_files": "",
    "network_connections": "",
    "registry_keys": ""
  },
  "nextKey": "",
  "total": "",
  "filtered": "",
  "artifacts": []
}
```
Included playbooks
The Sample - Sophos Central - 1.0.0 playbook collection comes bundled with the Sophos Central connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos Central connector.
- Get Alerts
- Get Artifacts of Threat Case
- Get Details of Threat Case
- Get Events
- Get Events related to Alert
- Get Reports
- Get Threat Cases
- Isolate Endpoint
- Scan Endpoint
- Unisolate Endpoint
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
About the connector
Unified Threat Management (UTM) makes security simple and Sophos UTM provides a network security package with everything you need in a single modular appliance. It simplifies your IT security without the complexity of multiple point solutions. The intuitive interface helps you to quickly create policies to control security risks, and clear, detailed reports provide you with the insights you need to improve your network performance and protection.
This document provides information about the Sophos UTM connector, which facilitates automated interactions, with a Sophos UTM server using FortiSOAR™ playbooks. Add the Sophos UTM connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or getting a list of blocked IP addresses, URLs, or applications.
Version information
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Sophos UTM Versions: 9.5 and later
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the Sophos UTM server to which you will connect and perform the automated operations and credentials to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
- To block or unblock IP addresses, URLs, or applications, you need to add the necessary configuration to the Sophos UTM. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section.
Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall
Log on to the Sophos UTM Firewall server with the necessary credentials.
To block or unblock an application, you must create an Application Control Rule Policy in the Sophos UTM Firewall server as shown in the following image:
For example, in the above image, we have created an Application Control Rule Policy named Cybersponse-application-blocker.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your Application Block Policy Name configuration parameter. In our example, use Cybersponse-application-blocker in the Application Block Policy Name field.
To block or unblock a URL, create Web Filter Profiles in the Sophos UTM Firewall server as shown in the following image:
For example, in the above image, we have created a Filter Profile named Cybersponse. Next, create a filter Cybersponse-Filter that contains a URL Group named Cybersponse-blocked-url-list in the Edit Filter Action > Block These Websites section. Add the Cybersponse-Filter to the Cybersponse profile.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your URL Block Policy Name configuration parameter. In our example, use Cybersponse-blocked-url-list in the URL Block Policy Name field.
To block or unblock an IP address, you must create two network firewall rules as shown in the following image:
Next, create one network group, in our example named Cybersponse_block_ip, and add this group to both the rules you have created.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your IP Block Policy Name configuration parameter. In our example, use Cybersponse_block_ip in the IP Block Policy Name field.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Sophos UTM connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Sophos UTM Firewall server to which you will connect and perform automated operations. |
Port | Port number used for connecting to the Sophos UTM Firewall server. |
Username | Username to access the Sophos UTM Firewall server. |
Password | Password to access the Sophos UTM Firewall server. |
Application Block Policy Name | Name of the Application Control Rule Policy or filter that you have specified in Sophos UTM. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
URL Block Policy Name | Name of the URL Group that you have specified in Sophos UTM for blocking or unblocking URLs. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
IP Block Policy Name | List of the IP Hosts that you have specified in Sophos UTM for blocking or unblocking IP addresses. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Block URLs | Blocks URLs using the URL Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. | block_url Containment |
Unblock URLs | Unblocks URLs using the URL Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. | unblock_url Remediation |
Block IP Addresses | Blocks IP addresses using the IP Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. | block_ip Containment |
Unblock IP Addresses | Unblocks IP addresses using the IP Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. | unblock_ip Remediation |
Block Applications | Blocks applications using the Application Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. | block_app Containment |
Unblock Applications | Unblocks applications using the Application Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. | unblock_app Remediation |
Get List of Blocked URLs | Retrieves a list of URLs that are blocked. | list_blocked_url Investigation |
Get List of Blocked IPs | Retrieves a list of IP addresses that are blocked. | list_blocked_ip Investigation |
Get List of Blocked Application Names | Retrieves a list of application names that are blocked. | list_blocked_app Investigation |
Check Policies | Checks whether or not the policies you have mentioned in the Configuration parameters section are valid. | check_policy Investigation |
operation: Block URLs
Input parameters
Parameter | Description |
---|---|
URLs | URLs that you want to block. URLs must be in the list format. For example, ['www.example.com', 'www.example1.com'] |
Output
The JSON output contains a status message of whether or not the URLs are successfully blocked.
Following image displays a sample output:
operation: Unblock URLs
Input parameters
Parameter | Description |
---|---|
URLs | URLs that you want to unblock. URLs must be in the list format. For example, ['www.example.com', 'www.example1.com'] |
Output
The JSON output contains a status message of whether or not the URLs are successfully unblocked.
Following image displays a sample output:
operation: Block IP Addresses
Input parameters
Parameter | Description |
---|---|
IPs | IP addresses that you want to block. IP addresses must be in the list format. For example, ['X.X.X.X', 'Y.Y.Y.Y'] |
Output
The JSON output contains a status message of whether or not the IP addresses are successfully blocked.
Following image displays a sample output:
operation: Unblock IP Addresses
Input parameters
Parameter | Description |
---|---|
IPs | IP addresses that you want to unblock. IP addresses must be in the list format. For example, ['X.X.X.X', 'Y.Y.Y.Y'] |
Output
The JSON output contains a status message of whether or not the IP addresses are successfully unblocked.
Following image displays a sample output:
operation: Block Applications
Input parameters
Parameter | Description |
---|---|
Application Name List | List of application names that you want to block. Application names must be in the list format. For example, ['TeamViewer FileTransfer', 'TeamViewer Conferencing'] |
Output
The JSON output contains a status message of whether or not the applications are successfully blocked.
Following image displays a sample output:
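The Block URLs, Block IP Addresses and Block Applications operations above all require their input "in the list format". The following Python is an added example, not connector code, of the checks a playbook author can run before handing values to those steps: it rejects a bare string (which would otherwise be iterated character by character), accepts only single IPv4/IPv6 addresses so a stray CIDR never becomes a broad firewall rule, and reduces URL entries to the bare hostnames the page's examples use. All sample inputs are constructed.

```python
"""Pre-flight validation for the list parameters of the Sophos UTM block
operations. Added example; not part of the FortiSOAR connector."""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


def require_list(value: object, name: str) -> List[object]:
    """The connector expects these parameters in list format; a bare string
    would be iterated character by character, so refuse it outright."""
    if isinstance(value, (str, bytes)) or not isinstance(value, (list, tuple)):
        raise TypeError(f"{name} must be a list, e.g. ['www.example.com']")
    return list(value)


def normalize_ip_list(values: Iterable[object]) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) for the IPs parameter.

    Only single addresses are accepted; CIDR ranges and junk are rejected so
    one bad value cannot turn into a wide block rule. Duplicates are dropped
    and addresses are canonicalised (e.g. '2001:DB8::1' -> '2001:db8::1').
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for raw in values:
        text = str(raw).strip()
        try:
            canonical = str(ipaddress.ip_address(text))
        except ValueError:
            rejected.append(text)
            continue
        if canonical not in accepted:
            accepted.append(canonical)
    return accepted, rejected


def _valid_hostname(host: str) -> bool:
    """Lowercase dotted labels of letters, digits and hyphens only."""
    labels = host.split(".")
    return all(label and all(c.isalnum() or c == "-" for c in label)
               for label in labels)


def normalize_url_list(values: Iterable[object]) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) for the URLs parameter.

    The page's examples use bare hostnames such as 'www.example.com', so a
    scheme, port or path is stripped and only the lowercase hostname is kept.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for raw in values:
        text = str(raw).strip()
        try:
            host = urlsplit(text if "://" in text else "//" + text).hostname
        except ValueError:
            host = None
        if not host or not _valid_hostname(host):
            rejected.append(text)
            continue
        if host not in accepted:
            accepted.append(host)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed inputs, not real indicators.
    print(normalize_ip_list(require_list(["10.0.0.5", "10.0.0.0/24"], "IPs")))
    print(normalize_url_list(require_list(["https://Www.Example.com/x"], "URLs")))
```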
operation: Unblock Applications
Input parameters
Parameter | Description |
---|---|
Application Name List | List of application names that you want to unblock. Application names must be in the list format. For example, ['TeamViewer FileTransfer', 'TeamViewer Conferencing'] |
Output
The JSON output contains a status message of whether or not the applications are successfully unblocked.
Following image displays a sample output:
operation: Get Blocked URLs
Input parameters
None
Output
The JSON output contains a list of blocked URLs.
Following image displays a sample output:
operation: Get Blocked IPs
Input parameters
None
Output
The JSON output contains a list of blocked IP addresses.
Following image displays a sample output:
operation: Get Blocked Application Names
Input parameters
None
Output
The JSON output contains a list of names of blocked applications.
Following image displays a sample output:
operation: Check Policies
Input parameters
None
Output
The JSON output contains a status message of whether or not the given policies are valid. This operation checks the policies you have mentioned in the Configuration parameters section.
Following image displays a sample output:
Included playbooks
The Sample - Sophos UTM-9 - 1.0.0 playbook collection comes bundled with the Sophos UTM connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos UTM connector.
- Block Applications
- Unblock Applications
- Block URLs
- Unblock URLs
- Block IP Addresses
- Unblock IP Addresses
- Get Blocked Application Names
- Get Blocked IPs
- Get Blocked URLs
- Check Policies
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.