I am writing an integration with Sophos EDR and I'd like to have a clickable link from our SOAR platform to a detection in Sophos. Is there a was to formulate this link or is it accessible via REST API?
I'm looking for something like "{sophos-console-base-URL}/manage/threat-analysis-center/detections/{id}" but that doesn't seem to work.
Thank you for reaching out to Sophos Community.
For assistance with this integration, please refer to Detections API | Sophos Central APIs documentation. I hope this helps you.
I am able to use the Detections REST API to get detections from Sophos. What I am looking for a way to formulate a URL to click on that will bring me to the detection in Sophos to easily view it in Sophos from our platform. Some platforms REST endpoint to get an alert/detection/case/incident return a URL in json of the object, but I do not see Sophos endpoints return this... so I am looking for a reliable way to form the URL in the code.
Hi AnnMarie Norcross ,
There are plans to add this functionality in the future, but unfortunately the detection URL is not currently available using the Detections API.
Until then, you would need a programmatic way of generating the detection URL using the unique detection ID and time parameters. Here's an example URL and a quick breakdown of the different elements:
https://central.sophos.com/manage/threat-analysis-center/detections/7dfbb1a30f58465fc0bc1ad5730de05f5f9d92af9237c3d6c7c1423ca8c2f412_34e7e6dd9aeab181d8d455b88d01717dcc999797?timeRangeFrom=2024-06-16T18:08:47.246Z&timeRangeTo=2024-07-16T18:08:47.246Z&mode=overview&tab=overview
| ELEMENT | PURPOSE |
https://central.sophos.com/manage/threat-analysis-center/detections/ |
Base URL to TAC Detections Page |
7dfbb1a30f58465fc0bc1ad5730de05f5f9d92af9237c3d6c7c1423ca8c2f412_34e7e6dd9aeab181d8d455b88d01717dcc999797 |
Detection GUID |
? |
Separate query string |
timeRangeFrom=2024-06-16T18:08:47.246Z&timeRangeTo=2024-07-16T18:08:47.246Z |
Detection Time Range |
& |
Separate query elements |
mode=overview |
Detection Details Pane |
tab=overview |
Detection Details Tab |
Hi Brett,
I noticed that the Detection URLs had the time parameters in the browser, but programmatically I'm not sure what time parameters to put in when creating a URL link. The app I am working on searches Sophos detections with "to" and "from" in the query, but the "to" and "from" time are not known when the actually link is created at a later time.
I noticed that defining a link with a URL such as this sometimes works and brings up the detection in Sophos...but sometime it does not.
It is very helpful for users to be able to click back to Sophos to get details that may not be in our platform.
Is there a way to get a detection by specifying just the detection ID in a query ? I don't see detection ID as a query parameter.
Thanks for your help!
Hi AnnMarie Norcross ,
I can definitely appreciate how having the URL readily accessible is very important. Can you walk me through your use case? I'm not clear on how you are able to generate the URL with the detection ID and not also have the corresponding datetime of when the detection occurred. The Detection API should return this information when you perform a query run.
To clarify, when I referenced the Detection GUID in the table above, that's the same parameter you're referring to as detection ID. So, in your example the detection ID is:
726895643316a8ce476f79b56406bca97d04ffa67072a1726e5942371b0a7e91_2477d1aab0d165c398ad9111d47c6e64c241d2fa
In speaking with our engineers—the reason a URL with only the detection ID define works in some cases is that the Detections service still allows the query to proceed, albeit slightly modified. It will append the timeRangeFrom parameter on the end of the URL, defaulting to a date of 30-days ago. Of course, in situations where that particular detection occurred before that time, no detections will match the query. In your case, that would look something like this:
I also found out that the timeRangeTo parameter isn't strictly required, although it is used by the Central UI.
Is that helpful? Please let me know if you have any other questions.
Thanks.
The app I am developing polls Sophos for detections and creates a SOAR case with the detection ID. Once the case is created other SOAR playbooks get kicked off that fill in custom fields (like the URL link to the detection) and data tables with information on the detection. Usually we make a REST API call to the third party endpoint to get information on the detect/alert/cases using the object ID and at this point we don't know the timeframe. These playbooks allows for Sophos cases to be created outside of the app's polling mechanism...maybe a Sophos detection ID pushed from a SIEM (or other platform) to be populated in SOAR. I see the Sophos /alerts endpoint allows querying with the alert ID to get a specific alert...but I don't see the same capability for the detections endpoints...this is actually a bigger issue than the URL link.
Is there a way get a specific detection with the new detections endpoints?
Thanks
We'd also like to have playbooks that write the detection rawData to a note or an attachment...to do this we need a function that gets the detection by some ID...I don't see how to do this with the query options listed in the detections documentation.
Have you evaluated the Detections API that was released recently? You should be able to get everything you need by performing a detection query run.
Here's an example of a response that you would receive:
{
"items": [
{
"id": "c72cc7c791a3a91c7fb930985866b865dfb318544e6f12c14890c0604bcdc73f_251108b7941a2e61ff615ce66d1bda84f28bebf2",
"detectionCreatedAt": "2023-11-22T12:13:18.907Z",
"sensorGeneratedAt": "2023-11-22T12:12:51Z",
"sensor": {
"id": "SophosSensorID",
"category": "endpoint",
"source": "Sophos",
"version": "1.18.1"
},
"device": {
"id": "0569f2b7-756c-4d16-8804-798a6d0030cf",
"type": "server",
"entity": "EC2AMAZ-HKOG4LG"
},
"rawData": {
"meta_eid": "0569f2b7-756c-4d16-8804-798a6d0030cf",
"meta_licence": "MTR",
"meta_public_ip": "52.11.152.156",
"meta_aggressive_activity": "False",
"meta_os_platform": "windows",
"meta_os_version": "10.0.17763",
"meta_domain_controller": "False",
"customer_region": "eu-west-1",
"meta_ip_address": "10.0.1.108",
"meta_query_pack_version": "1.18.1",
"meta_boot_time": 1679513937,
"meta_endpoint_type": "server",
"meta_hostname": "EC2AMAZ-HKOG4LG",
"meta_mac_address": "06:be:26:88:2a:63",
"meta_os_type": "",
"stream_ingest_time": "1700655191544",
"meta_os_name": "Microsoft Windows Server 2019 Datacenter",
"customer_id": "5fa5f0aa-1063-4c97-a739-2fad8700d84b",
"meta_ip_mask": "255.255.255.0",
"meta_username": "",
"osquery_action": "added",
"calendar_time": 1700655171000,
"eventid": 4104,
"keywords": "0x0",
"message_total": "1",
"message_number": "1",
"script_block_id": "64bdfae0-0b79-4eb9-93e1-819a0b8c59b3",
"source": "Microsoft-Windows-PowerShell/Operational",
"script_block_text": "& {Invoke-WebRequest \"https:/raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\" -OutFile \"C:\\AtomicRedTeam\\atomics\\T1059.001\\src\\SharpHound.ps1\"}",
"path": "",
"task": 2,
"task_message": "Run a remote command",
"user_sid": "S-1-5-21-1988622043-2488078317-4207907876-500",
"time": 1700654557,
"provider_name": "Microsoft-Windows-PowerShell",
"counter": 1,
"epoch": 1700621953,
"folded": 0,
"host_identifier": "EC2093A8-DFC1-CF5E-BBA6-595A50BB6629",
"query_name": "windows_powershell_logging_suspicious_keywords",
"numerics": false,
"tag": "DataLake",
"unix_time": 1700655171000
},
"type": "Threat",
"detectionRule": "WIN-EXE-DM-SUS-POWERSHELL-SCRIPT-BLOCK-1",
"ruleDescription": "PowerShell Script Block Logging Suspicious Keywords",
"mitreAttacks": [
{
"tactic": {
"id": "TA0002",
"name": "Execution",
"techniques": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter"
},
{
"id": "T1059.001",
"name": "PowerShell"
}
]
}
}
],
"attackType": "Security Event Service Detections",
"severity": 4,
"detectionSigma": {
"id": "WIN-EXE-DM-SUS-POWERSHELL-SCRIPT-BLOCK-1.star",
"logsource": {
"dedup_fields": [
"machine_data.name"
]
}
},
"detectionAttack": "Execution",
"detectionLicenses": "[\"MTR\"]",
"geolocation": [
{
"fieldName": "raw.meta_public_ip",
"fieldValue": "52.11.152.156",
"city": "Boardman",
"state": "Oregon",
"country": "United States",
"countryCode": "US",
"postal": "97818",
"latitude": 45.8234,
"longitude": -119.7257
}
]
}
],
"pages": {
"current": 1,
"size": 3,
"total": 15,
"items": 45,
"maxSize": 2000
}
}
I hope that helps. Let me know if you have any other questions.
The only query parameters (I see in the detections doc here ) for detections on are:
detectionRule, deviceName, severity, type, category, source, mitreAttackTactics, userName, entityType, location, operatingSystem, operatingSystemName, from, to.
You can not query by specifying a detection ID.
I see 2 detections in my Sophos platform with the same time, severity, detectionRule, deviceName...the only difference is the filePath . How would I search to get each specific detection (there is no filePath search parameter)? The Sophos alerts endpoint allows the for searching by alert ID. My app needs the same capability to get a single detection (preferably with an ID).
In the documentation you just post a link to Detections API Guide:
GET detections/v1/queries/detections/{id}/results?page=1&pageSize=3
looks like what I'd want, but {id} is a runId, not a detection ID.