Formulate URL web link to detection

I am writing an integration with Sophos EDR and I'd like to have a clickable link from our SOAR platform to a detection in Sophos. Is there a way to formulate this link, or is it accessible via the REST API?

I'm looking for something like "{sophos-console-base-URL}/manage/threat-analysis-center/detections/{id}" but that doesn't seem to work.

[edited by: GlennSen at 3:10 PM (GMT -7) on 7 Aug 2024]
Parents
  • Hi  

    Thank you for reaching out to Sophos Community.

    For assistance with this integration, please refer to Detections API | Sophos Central APIs documentation. I hope this helps you.

    Abhimanyu Rawat
    Sophos Digital Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • I am able to use the Detections REST API to get detections from Sophos. What I am looking for is a way to formulate a URL to click on that will bring me to the detection in Sophos, so it can easily be viewed in Sophos from our platform. Some platforms' REST endpoints for getting an alert/detection/case/incident return a URL in the JSON of the object, but I do not see Sophos endpoints return this... so I am looking for a reliable way to form the URL in the code.

  • Hi  ,

    There are plans to add this functionality in the future, but unfortunately the detection URL is not currently available using the Detections API.

    Until then, you would need a programmatic way of generating the detection URL using the unique detection ID and time parameters. Here's an example URL and a quick breakdown of the different elements:

    https://central.sophos.com/manage/threat-analysis-center/detections/7dfbb1a30f58465fc0bc1ad5730de05f5f9d92af9237c3d6c7c1423ca8c2f412_34e7e6dd9aeab181d8d455b88d01717dcc999797?timeRangeFrom=2024-06-16T18:08:47.246Z&timeRangeTo=2024-07-16T18:08:47.246Z&mode=overview&tab=overview

    ELEMENT | PURPOSE
    https://central.sophos.com/manage/threat-analysis-center/detections/ | Base URL to TAC Detections Page
    7dfbb1a30f58465fc0bc1ad5730de05f5f9d92af9237c3d6c7c1423ca8c2f412_34e7e6dd9aeab181d8d455b88d01717dcc999797 | Detection GUID
    ? | Separate query string
    timeRangeFrom=2024-06-16T18:08:47.246Z&timeRangeTo=2024-07-16T18:08:47.246Z | Detection Time Range
    & | Separate query elements
    mode=overview | Detection Details Pane
    tab=overview | Detection Details Tab


    Fixed formatting.
    [edited by: Brett VanWagoner at 8:06 PM (GMT -7) on 16 Jul 2024]
  • Hi Brett,

    I noticed that the Detection URLs had the time parameters in the browser, but programmatically I'm not sure what time parameters to put in when creating a URL link. The app I am working on searches Sophos detections with "to" and "from" in the query, but the "to" and "from" times are not known when the actual link is created at a later time.

    I noticed that defining a link with a URL such as this sometimes works and brings up the detection in Sophos... but sometimes it does not.

    https://cloud.sophos.com/manage/threat-analysis-center/detections/726895643316a8ce476f79b56406bca97d04ffa67072a1726e5942371b0a7e91_2477d1aab0d165c398ad9111d47c6e64c241d2fa

    It is very helpful for users to be able to click back to Sophos to get details that may not be in our platform.

    Is there a way to get a detection by specifying just the detection ID in a query? I don't see detection ID as a query parameter.

    Thanks for your help!

  • Hi  ,

    I can definitely appreciate how having the URL readily accessible is very important. Can you walk me through your use case? I'm not clear on how you are able to generate the URL with the detection ID and not also have the corresponding datetime of when the detection occurred. The Detection API should return this information when you perform a query run.

    To clarify, when I referenced the Detection GUID in the table above, that's the same parameter you're referring to as detection ID. So, in your example the detection ID is:

    726895643316a8ce476f79b56406bca97d04ffa67072a1726e5942371b0a7e91_2477d1aab0d165c398ad9111d47c6e64c241d2fa

    In speaking with our engineers—the reason a URL with only the detection ID defined works in some cases is that the Detections service still allows the query to proceed, albeit slightly modified. It will append the timeRangeFrom parameter on the end of the URL, defaulting to a date of 30 days ago. Of course, in situations where that particular detection occurred before that time, no detections will match the query. In your case, that would look something like this:

    https://cloud.sophos.com/manage/threat-analysis-center/detections/726895643316a8ce476f79b56406bca97d04ffa67072a1726e5942371b0a7e91_2477d1aab0d165c398ad9111d47c6e64c241d2fa?timeRangeFrom=2024-06-17T14:17:52.000Z

    I also found out that the timeRangeTo parameter isn't strictly required, although it is used by the Central UI.

    Is that helpful? Please let me know if you have any other questions.

    Thanks.
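The two replies above describe the URL shape (detection GUID in the path, a time window in the query string) and the failure mode of omitting it (the service substitutes "now minus 30 days", so older detections no longer resolve). The following is an added example, not Sophos code or anything from the thread's author: it builds the link from the detection ID and the detectionCreatedAt value the Detections API returns, centring the window on the detection so the link does not expire, and separately checks whether a bare-ID link would still fall inside the 30-day default. The console host, the ID pattern (every ID in this thread is 64 hex characters, an underscore, then 40 hex characters) and the one-hour padding are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Console host is an assumption: the thread shows both central.sophos.com and cloud.sophos.com.
CONSOLE_BASE = "https://central.sophos.com"
DETECTIONS_PATH = "/manage/threat-analysis-center/detections/"

# Every detection ID in the thread is <64 hex>_<40 hex>. Treating that as the ID shape is an
# assumption drawn from those samples, not a documented contract; relax it if real IDs differ.
DETECTION_ID_RE = re.compile(r"^[0-9a-f]{64}_[0-9a-f]{40}$")


def parse_api_timestamp(value: str) -> datetime:
    """Parse API timestamps such as detectionCreatedAt ('2023-11-22T12:13:18.907Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def format_console_timestamp(dt: datetime) -> str:
    """Render a datetime the way the console query string does: millisecond precision, 'Z' suffix."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"


def build_detection_url(detection_id: str, detection_created_at: str,
                        pad_hours: float = 1.0, base: str = CONSOLE_BASE) -> str:
    """Deep link to one detection: ID in the path, a time window around the detection in the query.

    The window is centred on detectionCreatedAt, so the link keeps resolving long after
    the console's implicit 30-day default window would have moved past the detection.
    """
    if not DETECTION_ID_RE.match(detection_id):
        raise ValueError(f"unexpected detection id format: {detection_id!r}")
    created = parse_api_timestamp(detection_created_at)
    pad = timedelta(hours=pad_hours)
    # safe=":" keeps the timestamps readable, matching the URLs the console itself produces.
    query = urlencode({
        "timeRangeFrom": format_console_timestamp(created - pad),
        "timeRangeTo": format_console_timestamp(created + pad),  # used by the UI, not strictly required
        "mode": "overview",
        "tab": "overview",
    }, safe=":")
    return f"{base}{DETECTIONS_PATH}{detection_id}?{query}"


def covered_by_default_window(detection_created_at: str, now: str, default_days: int = 30) -> bool:
    """Would a link carrying only the ID still resolve?

    Without timeRangeFrom the service appends one set to 'now minus 30 days', so a
    detection older than that returns no match. 'now' is passed explicitly (same
    timestamp format as the API) so the check is deterministic and testable.
    """
    cutoff = parse_api_timestamp(now) - timedelta(days=default_days)
    return parse_api_timestamp(detection_created_at) >= cutoff


if __name__ == "__main__":
    # Sample detection taken from the API response quoted later in this thread.
    sample_id = ("c72cc7c791a3a91c7fb930985866b865dfb318544e6f12c14890c0604bcdc73f"
                 "_251108b7941a2e61ff615ce66d1bda84f28bebf2")
    print(build_detection_url(sample_id, "2023-11-22T12:13:18.907Z"))
    print("bare-ID link still works today?",
          covered_by_default_window("2023-11-22T12:13:18.907Z",
                                    now=format_console_timestamp(datetime.now(timezone.utc))))
```

Persist detectionCreatedAt alongside the detection ID when the SOAR case is created; that is the only extra field the link needs, and it avoids the later problem of not knowing which time window to query.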

  • The app I am developing polls Sophos for detections and creates a SOAR case with the detection ID. Once the case is created, other SOAR playbooks get kicked off that fill in custom fields (like the URL link to the detection) and data tables with information on the detection. Usually we make a REST API call to the third-party endpoint to get information on the detection/alert/case using the object ID, and at this point we don't know the timeframe. These playbooks allow Sophos cases to be created outside of the app's polling mechanism... maybe a Sophos detection ID pushed from a SIEM (or other platform) to be populated in SOAR. I see the Sophos /alerts endpoint allows querying with the alert ID to get a specific alert... but I don't see the same capability for the detections endpoints... this is actually a bigger issue than the URL link.

    Is there a way to get a specific detection with the new detections endpoints?

    Thanks

  • We'd also like to have playbooks that write the detection rawData to a note or an attachment... to do this we need a function that gets the detection by some ID... I don't see how to do this with the query options listed in the detections documentation.

  • Have you evaluated the Detections API that was released recently? You should be able to get everything you need by performing a detection query run. 

    Detections API Guide

    Detections API Reference

    Here's an example of a response that you would receive:

    {
      "items": [
        {
          "id": "c72cc7c791a3a91c7fb930985866b865dfb318544e6f12c14890c0604bcdc73f_251108b7941a2e61ff615ce66d1bda84f28bebf2",
          "detectionCreatedAt": "2023-11-22T12:13:18.907Z",
          "sensorGeneratedAt": "2023-11-22T12:12:51Z",
          "sensor": {
            "id": "SophosSensorID",
            "category": "endpoint",
            "source": "Sophos",
            "version": "1.18.1"
          },
          "device": {
            "id": "0569f2b7-756c-4d16-8804-798a6d0030cf",
            "type": "server",
            "entity": "EC2AMAZ-HKOG4LG"
          },
          "rawData": {
            "meta_eid": "0569f2b7-756c-4d16-8804-798a6d0030cf",
            "meta_licence": "MTR",
            "meta_public_ip": "52.11.152.156",
            "meta_aggressive_activity": "False",
            "meta_os_platform": "windows",
            "meta_os_version": "10.0.17763",
            "meta_domain_controller": "False",
            "customer_region": "eu-west-1",
            "meta_ip_address": "10.0.1.108",
            "meta_query_pack_version": "1.18.1",
            "meta_boot_time": 1679513937,
            "meta_endpoint_type": "server",
            "meta_hostname": "EC2AMAZ-HKOG4LG",
            "meta_mac_address": "06:be:26:88:2a:63",
            "meta_os_type": "",
            "stream_ingest_time": "1700655191544",
            "meta_os_name": "Microsoft Windows Server 2019 Datacenter",
            "customer_id": "5fa5f0aa-1063-4c97-a739-2fad8700d84b",
            "meta_ip_mask": "255.255.255.0",
            "meta_username": "",
            "osquery_action": "added",
            "calendar_time": 1700655171000,
            "eventid": 4104,
            "keywords": "0x0",
            "message_total": "1",
            "message_number": "1",
            "script_block_id": "64bdfae0-0b79-4eb9-93e1-819a0b8c59b3",
            "source": "Microsoft-Windows-PowerShell/Operational",
            "script_block_text": "& {Invoke-WebRequest \"https:/raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\" -OutFile \"C:\\AtomicRedTeam\\atomics\\T1059.001\\src\\SharpHound.ps1\"}",
            "path": "",
            "task": 2,
            "task_message": "Run a remote command",
            "user_sid": "S-1-5-21-1988622043-2488078317-4207907876-500",
            "time": 1700654557,
            "provider_name": "Microsoft-Windows-PowerShell",
            "counter": 1,
            "epoch": 1700621953,
            "folded": 0,
            "host_identifier": "EC2093A8-DFC1-CF5E-BBA6-595A50BB6629",
            "query_name": "windows_powershell_logging_suspicious_keywords",
            "numerics": false,
            "tag": "DataLake",
            "unix_time": 1700655171000
          },
          "type": "Threat",
          "detectionRule": "WIN-EXE-DM-SUS-POWERSHELL-SCRIPT-BLOCK-1",
          "ruleDescription": "PowerShell Script Block Logging Suspicious Keywords",
          "mitreAttacks": [
            {
              "tactic": {
                "id": "TA0002",
                "name": "Execution",
                "techniques": [
                  {
                    "id": "T1059",
                    "name": "Command and Scripting Interpreter"
                  },
                  {
                    "id": "T1059.001",
                    "name": "PowerShell"
                  }
                ]
              }
            }
          ],
          "attackType": "Security Event Service Detections",
          "severity": 4,
          "detectionSigma": {
            "id": "WIN-EXE-DM-SUS-POWERSHELL-SCRIPT-BLOCK-1.star",
            "logsource": {
              "dedup_fields": [
                "machine_data.name"
              ]
            }
          },
          "detectionAttack": "Execution",
          "detectionLicenses": "[\"MTR\"]",
          "geolocation": [
            {
              "fieldName": "raw.meta_public_ip",
              "fieldValue": "52.11.152.156",
              "city": "Boardman",
              "state": "Oregon",
              "country": "United States",
              "countryCode": "US",
              "postal": "97818",
              "latitude": 45.8234,
              "longitude": -119.7257
            }
          ]
        }
      ],
      "pages": {
        "current": 1,
        "size": 3,
        "total": 15,
        "items": 45,
        "maxSize": 2000
      }
    }

    I hope that helps. Let me know if you have any other questions.

  • The only query parameters (I see in the detections doc here) for detections are:

    detectionRule, deviceName, severity, type, category, source, mitreAttackTactics, userName, entityType, location, operatingSystem, operatingSystemName, from, to.

    You cannot query by specifying a detection ID.

    I see 2 detections in my Sophos platform with the same time, severity, detectionRule, deviceName... the only difference is the filePath. How would I search to get each specific detection (there is no filePath search parameter)? The Sophos alerts endpoint allows for searching by alert ID. My app needs the same capability to get a single detection (preferably with an ID).

Children
  • In the documentation you just posted a link to, Detections API Guide:

    GET detections/v1/queries/detections/{id}/results?page=1&pageSize=3

    looks like what I'd want, but {id} is a runId, not a detection ID.
  • Correct. Before you can retrieve detection IDs, you'll need to start a detections query run first. Instructions for that can be found here - Start detections query run.

    Start a detections query run with your query conditions. Here's an example from the guide:

    {
        "severity": [4,8,9],
        "from": "2021-10-02T14:53:22.017Z",
        "to": "2021-11-01T15:53:22.017Z"
    }

    At this point, the Detections API will return the runId in a response:

    {
        "id": "38a372bf-c33c-4803-9427-99a3bd49a760",
        "createdAt": "2021-11-01T16:10:04.574Z",
        "result": "notAvailable",
        "status": "pending"
    }

    After these steps have been completed, you will be able to use the query you're referencing to get the detection query run results.

    Let me know if you have any other questions.

  • I already have the detection queries working and can create cases from each detection found in the query. My issue is that the app needs to then get the detection information again for each case after it is created, and I do not see any way to get that info for each detection... there is no way to get a specific detection... so we will have to put this app development on hold till there is a way to do that.

  • Hi AnnMarie — Apologies for my delayed response.

    If that's the use case—you should be able to leverage the Cases API, which supports retrieving all detections associated with a case after it's created.

    For reference, see the Cases API Guide and Cases API spec.

    I hope that helps. Let me know if you need anything else.

    Get case detections

    To get detections associated with a case, call:

    GET cases/v1/cases/{caseId}/detections

    Response: This returns a paginated list of detections associated with the case.

    {
        "items": [
            {
                "id": "f05201769d90d627a04acca728dfa9f1efa1f91314cbf0eac89c4ac26bed7547_b5955e0613e159f319d4677231d8edde8b246533",
                "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
                "sensorGeneratedAt": "2023-09-26T10:05:36Z",
                "sensor": {
                    "type": "endpoint",
                    "source": "Sophos Endpoint"
                },
                "mitreAttacks": [],
                "severity": 8,
                "type": "Threat"
            },
            {
                "id": "d613562436aca131a1256a5140af0e3f453033f138376f0e666e960b5b43a64d_479268edab187f67554eb81f4e6277dc2a98748a",
                "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
                "sensorGeneratedAt": "2023-09-26T10:05:36Z",
                "sensor": {
                    "type": "endpoint",
                    "source": "Sophos Endpoint"
                },
                "mitreAttacks": [],
                "severity": 8,
                "type": "Threat"
            }
        ],
        "pages": {
            "current": 1,
            "total": 1,
            "size": 10,
            "items": 2,
            "maxSize": 10
        }
    }
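The thread's unresolved point is that neither the query-run results endpoint (GET detections/v1/queries/detections/{id}/results) nor the Cases API detections endpoint (GET cases/v1/cases/{caseId}/detections) accepts a detection ID; both return the paginated "items"/"pages" envelope shown above. The following is an added example, not Sophos code or anything from the thread's participants: it walks that envelope page by page through an injectable fetcher, stops at the first page containing the wanted detection ID, and can alternatively index a whole run by ID for enriching many cases at once. The two sample pages are constructed from the two detection IDs in the Cases API response above; the real HTTP fetcher's header names (Authorization bearer token, X-Tenant-ID) and the api_base value are assumptions to confirm against the API reference.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

PageFetcher = Callable[[int], dict]  # page number (1-based) -> decoded JSON body

ID_A = "f05201769d90d627a04acca728dfa9f1efa1f91314cbf0eac89c4ac26bed7547_b5955e0613e159f319d4677231d8edde8b246533"
ID_B = "d613562436aca131a1256a5140af0e3f453033f138376f0e666e960b5b43a64d_479268edab187f67554eb81f4e6277dc2a98748a"

# Constructed sample: the two case detections from the thread split across two pages of size 1,
# in the same "items"/"pages" envelope the API returns.
SAMPLE_PAGES: Dict[int, dict] = {
    1: {"items": [{"id": ID_A, "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
                   "sensorGeneratedAt": "2023-09-26T10:05:36Z", "severity": 8, "type": "Threat"}],
        "pages": {"current": 1, "total": 2, "size": 1, "items": 2, "maxSize": 10}},
    2: {"items": [{"id": ID_B, "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
                   "sensorGeneratedAt": "2023-09-26T10:05:36Z", "severity": 8, "type": "Threat"}],
        "pages": {"current": 2, "total": 2, "size": 1, "items": 2, "maxSize": 10}},
}


class RecordingFetcher:
    """Stands in for the HTTP call during testing and records which pages were requested."""

    def __init__(self, pages: Dict[int, dict]) -> None:
        self.pages = pages
        self.requested: List[int] = []

    def __call__(self, page: int) -> dict:
        self.requested.append(page)
        return self.pages[page]


def results_page_fetcher(api_base: str, run_id: str, token: str, tenant_id: str,
                         page_size: int = 100) -> PageFetcher:
    """Real fetcher for the results endpoint quoted in the thread.

    Header names are assumptions (Sophos Central APIs are commonly called with a bearer
    token and a tenant header); check them against the Detections API reference.
    """
    def fetch(page: int) -> dict:
        url = (f"{api_base}/detections/v1/queries/detections/{run_id}/results"
               f"?page={page}&pageSize={page_size}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                                   "X-Tenant-ID": tenant_id})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_detections(fetch_page: PageFetcher) -> Iterator[dict]:
    """Yield every detection across all pages, fetching lazily so callers can stop early."""
    page = 1
    while True:
        body = fetch_page(page)
        yield from body.get("items", [])
        pages = body.get("pages", {})
        # Stop when the last page has been reached, or if the envelope lacks paging info.
        if pages.get("current", page) >= pages.get("total", page):
            return
        page = pages["current"] + 1


def find_detection(detection_id: str, fetch_page: PageFetcher) -> Optional[dict]:
    """Client-side substitute for a get-by-ID endpoint: the lookup key is the detection
    ID itself, so two detections differing only in filePath are still told apart."""
    for detection in iter_detections(fetch_page):
        if detection.get("id") == detection_id:
            return detection
    return None


def index_by_id(fetch_page: PageFetcher) -> Dict[str, dict]:
    """Walk all pages once and key the detections by ID, for enriching many cases in one pass."""
    return {d["id"]: d for d in iter_detections(fetch_page) if "id" in d}


if __name__ == "__main__":
    fetcher = RecordingFetcher(SAMPLE_PAGES)
    hit = find_detection(ID_B, fetcher)
    print("found:", hit["detectionRule"] if hit else None, "pages fetched:", fetcher.requested)
```

Because the run-results endpoint needs a runId, the practical pattern for a case-enrichment playbook is to start one query run over the window in which the cases were created (using the "from"/"to" conditions from the reply above), then resolve each case's stored detection ID against that run with index_by_id, rather than issuing one run per case.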