This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

API - Detected Exploits

Hey again!

I'm developing an integration between Sophos Central (Endpoint Protection) and another service, and one of the API endpoints I go to is the detected exploits one.

I am able to access the endpoint for listing and getting a single object, but I don't have any objects to parse. Is there a way to create detected exploits to fetch with the API?

This thread was automatically locked due to age.

Parents

0 RichardP over 3 years ago

Hi Lior Dahan1,

There currently isn't a way to create a dummy entry for parsing of the return data. I will talk to the PM about this and see what we can do. The current only way is to actually generate a detection on the machine.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 RichardP over 3 years ago

Hi Lior Dahan1,

There currently isn't a way to create a dummy entry for parsing of the return data. I will talk to the PM about this and see what we can do. The current only way is to actually generate a detection on the machine.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Lior Dahan1 over 3 years ago in reply to RichardP

Thanks for the answer!

If it is impossible to generate a dummy, can you guide me on how to generate a detection even if it's real?
Cancel
Vote Up 0 Vote Down

Cancel
0 intrusus over 3 years ago in reply to Lior Dahan1
You can use these to have a secure test and trigger an event:

http://sophostest.com/

https://www.eicar.org/?page_id=3950

https://www.knowbe4.com/ransomware-simulator

or you search for common ransomware testfiles like "Locky" or "Wannacry" at your own risk. I'm not allowed to share these files directly here as we have to follow the community guidelines. Please be aware that running malicious files could harm your system. Consider using a virtual machine to run them. Don't forget to enable Sophos products on the testing devices and be aware that you've secured your VM environment like networking isolation and disabling Copy&Paste, etc.

Thanks,
Intrusus
Sophos Certified Engineer | Sophos Certified Technician

_{private lab:
XG firewall with SFOS 18.0.3 MR-3}^{Intercept X Advanced (for Server) with EDR EAP latest}
_{If a post solves your question use the 'Verify Answer' link}
Cancel
Vote Up 0 Vote Down

Cancel
0 Lior Dahan1 over 3 years ago in reply to intrusus

I did run some of the files in the links and they do get picked up as alerts, but whenever I query the detected exploit REST endpoint it is empty.
Cancel
Vote Up 0 Vote Down

Cancel
0 RichardP over 3 years ago in reply to Lior Dahan1

Detected Exploits are specific to the Intercept X elements and can't be triggered easily. I have reached out to the PM to see if we can provide a solution for this - even if it is dummy seed data into the account. I will keep you advised.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel