Alerts API enquiry

what, specifically are you looking for?

The categories align with the components/products we offer and can have multiple types of alerts in them.

We only have Threat Protection component configured for our customers. We are looking for Alert events such as Alerts for Threat Protection (e.g. Malware, PUA), Updating and Policy compliance. 

From the Category list from the article, I can see some of these, Malware, PUA, Updating. There are others in the list we think we could use but not sure what it alerts for: policy, protection, systemhealth, uav.

Also, our team has tools to set up an API call integration to extract the alerts and process them into tfsnow. We have pulled data via Postman for testing. Looking at the below alert, it has two strings which can be potentially used for its detection -  "category": "pua" and "type": "Event::Endpoint::Threat::PuaDetected". Do you have a list for all the "type" events?

"category": "pua",
"description": "PUA detected: 'PsExec' at 'C:\\Users\\veg1605\\Downloads\\PSTools.zip\\PsExec.exe\\FILE:0000'",
"groupKey": "MixFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6UHVhRGV0ZWN0ZWQsMjQsUHNFeGVj",
"managedAgent": {
"id": "xxxxx",
"type": "server"
},
"product": "server",
"raisedAt": "2022-03-26T13:25:35.654Z",
"severity": "medium",
"tenant": {
"id": "xxxxxx",
"name": "xxxxx"
},
"type": "Event::Endpoint::Threat::PuaDetected"

Hello, any update on this? We would just like to know what are the descriptions for these alert categories. e.g. uav - what is this specifically alerting for?

https://developer.sophos.com/docs/common-v1/1/routes/alerts/%7BalertId%7D/get

Alert categories.

The following values are allowed:
azure, adSync, applicationControl, appReputation, blockListed, connectivity, cwg, denc, downloadReputation, endpointFirewall, fenc, forensicSnapshot, general, iaas, iaasAzure, isolation, malware, mtr, mobiles, policy, protection, pua, runtimeDetections, security, smc, systemHealth, uav, uncategorized, updating, utm, virt, wireless, xgEmail

Hello Sophos,

Can you please assist with this enquiry? 

Hi Johnny, 

I've reached out internally to get feedback on your question. I will update this thread with any additional information I receive. 

Thank you Qoosh. I had also logged a support ticket with Sophos on this and a support engineer provided this link: Sophos Central Admin: Event types and descriptions for Sophos Central API 

This article is useful as it provides a description to the event types alerts from the API extracted from Sophos Central. This falls under the same path for what i am looking for but it gets very granular to each event type alerts within the Alert category. Do you know if there is information available that puts the Event types into which Alert Category? Just trying to determine which is best to create the automation for tfsnow (Service Now) to detect either an Alert Category or specific Event Types.