Thread Info
  • State Suggested Answer
  • Replies 13 replies
  • Answers 1 answer
  • Subscribers 15 subscribers
  • Views 2804 views
  • Users 0 members are here
Options
Suggested

Formulate URL web link to detection

AnnMarie Norcross

I am writing an integration with Sophos EDR and I'd like to have a clickable link from our SOAR platform to a detection in Sophos.  Is there a was to formulate this link or is it accessible via REST API?

I'm looking for something like "{sophos-console-base-URL}/manage/threat-analysis-center/detections/{id}" but that doesn't seem to work.



Added Tags
[edited by: GlennSen at 3:10 PM (GMT -7) on 7 Aug 2024]
  • 0 in reply to AnnMarie Norcross

    Correct. Before you can retrieve detection IDs, you'll need to start a detections query run first. Instructions for that can be found here - Start detections query run.

    To start a detections query run with your query conditions. Here's an example from the guide:

    {
    "severity": [4,8,9],
    "from": "2021-10-02T14:53:22.017Z",
    "to": "2021-11-01T15:53:22.017Z"
}

    At this point, the Detections API will return the runId in a response:

    {
    "id": "38a372bf-c33c-4803-9427-99a3bd49a760",
    "createdAt": "2021-11-01T16:10:04.574Z",
    "result": "notAvailable",
    "status": "pending"
}

    After these steps have been completed, you will be able to use the query you're referencing to get the detection query run results.

    Let me know if you have any other questions.

  • 0 in reply to Brett VanWagoner

    I already have the detection queries working and can create cases from each detection found in the query.  My issue is that the app needs to then get the detection information again for each cases after it is created and I do not see anyway to get that info for each detection...there is not way to get a specific detection...so we will have to put this app development on hold till there is a way to do that.

  • 0 in reply to AnnMarie Norcross

    Hi AnnMarie — Apologies for my delayed response. 

    If that's the use case—you should be able to leverage the Cases API, which supports retrieving all detections associated with a case after it's created.

    For reference, see the Cases API Guide and Cases API spec.

    I hope that helps. Let me know if you need anything else.

    Get case detections

    To get detections associated with a case, call:

    GET cases/v1/cases/{caseId}/detections

    Response: This returns a paginated list of detections associated with the case.

    {
    "items": [
        {
            "id": "f05201769d90d627a04acca728dfa9f1efa1f91314cbf0eac89c4ac26bed7547_b5955e0613e159f319d4677231d8edde8b246533",
            "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
            "sensorGeneratedAt": "2023-09-26T10:05:36Z",
            "sensor": {
                "type": "endpoint",
                "source": "Sophos Endpoint"
            },
            "mitreAttacks": [],
            "severity": 8,
            "type": "Threat"
        },
        {
            "id": "d613562436aca131a1256a5140af0e3f453033f138376f0e666e960b5b43a64d_479268edab187f67554eb81f4e6277dc2a98748a",
            "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
            "sensorGeneratedAt": "2023-09-26T10:05:36Z",
            "sensor": {
                "type": "endpoint",
                "source": "Sophos Endpoint"
            },
            "mitreAttacks": [],
            "severity": 8,
            "type": "Threat"
        }
    ],
    "pages": {
        "current": 1,
        "total": 1,
        "size": 10,
        "items": 2,
        "maxSize": 10
    }
}
Unfiltered HTML