This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Formulate URL web link to detection

I am writing an integration with Sophos EDR and I'd like to have a clickable link from our SOAR platform to a detection in Sophos.  Is there a was to formulate this link or is it accessible via REST API?

I'm looking for something like "{sophos-console-base-URL}/manage/threat-analysis-center/detections/{id}" but that doesn't seem to work.



This thread was automatically locked due to age.
  • Correct. Before you can retrieve detection IDs, you'll need to start a detections query run first. Instructions for that can be found here - Start detections query run.

    To start a detections query run with your query conditions. Here's an example from the guide:

    {
        "severity": [4,8,9],
        "from": "2021-10-02T14:53:22.017Z",
        "to": "2021-11-01T15:53:22.017Z"
    }

    At this point, the Detections API will return the runId in a response:

    {
        "id": "38a372bf-c33c-4803-9427-99a3bd49a760",
        "createdAt": "2021-11-01T16:10:04.574Z",
        "result": "notAvailable",
        "status": "pending"
    }

    After these steps have been completed, you will be able to use the query you're referencing to get the detection query run results.

    Let me know if you have any other questions.

  • I already have the detection queries working and can create cases from each detection found in the query.  My issue is that the app needs to then get the detection information again for each cases after it is created and I do not see anyway to get that info for each detection...there is not way to get a specific detection...so we will have to put this app development on hold till there is a way to do that.

  • Hi AnnMarie — Apologies for my delayed response. 

    If that's the use case—you should be able to leverage the Cases API, which supports retrieving all detections associated with a case after it's created.

    For reference, see the Cases API Guide and Cases API spec.

    I hope that helps. Let me know if you need anything else.

    Get case detections

    To get detections associated with a case, call:

    GET cases/v1/cases/{caseId}/detections

    Response: This returns a paginated list of detections associated with the case.

    {
        "items": [
            {
                "id": "f05201769d90d627a04acca728dfa9f1efa1f91314cbf0eac89c4ac26bed7547_b5955e0613e159f319d4677231d8edde8b246533",
                "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
                "sensorGeneratedAt": "2023-09-26T10:05:36Z",
                "sensor": {
                    "type": "endpoint",
                    "source": "Sophos Endpoint"
                },
                "mitreAttacks": [],
                "severity": 8,
                "type": "Threat"
            },
            {
                "id": "d613562436aca131a1256a5140af0e3f453033f138376f0e666e960b5b43a64d_479268edab187f67554eb81f4e6277dc2a98748a",
                "detectionRule": "WIN-PROT-VDL-MALWARE-ATK-ATOMICRED-A",
                "sensorGeneratedAt": "2023-09-26T10:05:36Z",
                "sensor": {
                    "type": "endpoint",
                    "source": "Sophos Endpoint"
                },
                "mitreAttacks": [],
                "severity": 8,
                "type": "Threat"
            }
        ],
        "pages": {
            "current": 1,
            "total": 1,
            "size": 10,
            "items": 2,
            "maxSize": 10
        }
    }