When I query the endpoints API for health status "bad", no results are returned; however, there are many servers in Sophos Central that appear with health status "bad" or "medium". What is the relationship between the API health statuses and the health status in the UI?
In the UI the statuses I see are:
Good (a green check mark)
Bad (a red check mark)
Medium (an orange caution mark)
In the API (https://developer.sophos.com/docs/endpoint-v1/1/routes/endpoints/get) I see the options to query for:
As a side note, I got no results when I queried for "bad" or "suspicious" with the API but "unknown" appeared to return what I saw in the UI as "bad" and "medium" so I created a script to delete them all (they are old devices that no longer exist). My script deleted ALL my devices from Central UI (good, bad, medium). So, apparently, "unknown" in the API = ALL OF MY SERVERS no matter their health status in the Central UI. Tyvm!
To anyone else reading this post: beware the health status query in the Endpoints API! It does not align with what you see in the Sophos Central UI! Test thoroughly!
Thank you for reporting this.
I will look into it.
Program Manager, Support Readiness | CISSP | Sophos Technical Support
Did you ever find out anything about this? I've just noticed the same problem. One of our sub-estates contains 285 systems - the API returns all 285 and shows 2 as bad (which matches Sophos Central), but the API also shows 35 suspicious whereas Sophos Central displays 134 as medium status.
This is a significant issue for us as we have 30+ sub-estates to manage and the lack of central reporting means we need to rely on the API to quickly check sites, and I've now discovered the API doesn't appear to be reliably reporting the status of the systems.
I raised the issue/question with the Product Manager.
At this stage, I don't have a further update.
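A guard for the kind of cleanup script described in this thread, as an added example that is not any poster's code or Sophos's: it re-checks each returned record's health client-side instead of trusting the query filter, refuses to continue when the filter matches most of the estate, and only plans deletions without performing them. The record fields (`id`, `health.overall`, `lastSeenAt`), the 90-day staleness window and the 50% threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

class FilterMismatch(Exception):
    """Raised when a filtered query looks like it was not filtered at all."""

def plan_deletions(filtered, inventory_total, wanted, now,
                   stale_days=90, max_fraction=0.5):
    """Return (to_delete, skipped) without deleting anything.

    filtered        -- records returned by the health-status query
    inventory_total -- count from an unfiltered query of the same tenant
    wanted          -- health values the operator intends to remove, e.g. {"bad"}
    """
    # Guard 1: a filter that matches most of the estate probably did not apply.
    if inventory_total and len(filtered) / inventory_total > max_fraction:
        raise FilterMismatch(
            f"{len(filtered)} of {inventory_total} endpoints matched; refusing to plan")
    cutoff = now - timedelta(days=stale_days)
    to_delete, skipped = [], []
    for ep in filtered:
        # Guard 2: re-check the health value carried on the record itself.
        overall = ep.get("health", {}).get("overall")
        # Guard 3: only devices that have not checked in since the cutoff.
        seen = datetime.fromisoformat(ep["lastSeenAt"].replace("Z", "+00:00"))
        if overall not in wanted:
            skipped.append((ep["id"], f"health is {overall!r}"))
        elif seen > cutoff:
            skipped.append((ep["id"], "seen recently"))
        else:
            to_delete.append(ep["id"])
    return to_delete, skipped

# Constructed sample records (assumed shape, not real API output).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "ep-1", "health": {"overall": "bad"}, "lastSeenAt": "2023-01-10T08:00:00Z"},
    {"id": "ep-2", "health": {"overall": "good"}, "lastSeenAt": "2024-05-31T08:00:00Z"},
    {"id": "ep-3", "health": {"overall": "bad"}, "lastSeenAt": "2024-05-30T08:00:00Z"},
    {"id": "ep-4", "health": {"overall": "suspicious"}, "lastSeenAt": "2022-11-02T08:00:00Z"},
]

if __name__ == "__main__":
    plan, skipped = plan_deletions(SAMPLE, inventory_total=285, wanted={"bad"}, now=NOW)
    print("would delete:", plan)
    for ep_id, reason in skipped:
        print("skipped", ep_id, "-", reason)
```

The returned plan is meant to be reviewed against the Central UI before any delete call is issued.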