Thread Info
  • State Not Answered
  • Replies 6 replies
  • Subscribers 8 subscribers
  • Views 1773 views
  • Users 0 members are here
Options
Suggested

Alerts API enquiry

Johnny Tien

Hi,

We are working on implementing API call integration to extract alerts and then process them into with tfsnow (Service Now).

The below article, for the alerts category, do you have more information available on each category?

https://developer.sophos.com/docs/common-v1/1/routes/alerts/%7BalertId%7D/get

category

string

Alert categories.

The following values are allowed:
azure, adSync, applicationControl, appReputation, blockListed, connectivity, cwg, denc, downloadReputation, endpointFirewall, fenc, forensicSnapshot, general, iaas, iaasAzure, isolation, malware, mtr, mobiles, policy, protection, pua, runtimeDetections, security, smc, systemHealth, uav, uncategorized, updating, utm, virt, wireless, xgEmail
Parents
  • 0

    what, specifically are you looking for?

    The categories align with the components/products we offer and can have multiple types of alerts in them.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to RichardP

    We only have Threat Protection component configured for our customers. We are looking for Alert events such as Alerts for Threat Protection (e.g. Malware, PUA), Updating and Policy compliance. 

    From the Category list from the article, I can see some of these, Malware, PUA, Updating. There are others in the list we think we could use but not sure what it alerts for: policy, protection, systemhealth, uav.

    Also, our team has tools to set up an API call integration to extract the alerts and process them into tfsnow. We have pulled data via Postman for testing. Looking at the below alert, it has two strings which can be potentially used for its detection -  "category": "pua" and "type": "Event::Endpoint::Threat::PuaDetected". Do you have a list for all the "type" events?

    "category": "pua",
    "description": "PUA detected: 'PsExec' at 'C:\\Users\\veg1605\\Downloads\\PSTools.zip\\PsExec.exe\\FILE:0000'",
    "groupKey": "MixFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6UHVhRGV0ZWN0ZWQsMjQsUHNFeGVj",
    "managedAgent": {
    "id": "xxxxx",
    "type": "server"
    },
    "product": "server",
    "raisedAt": "2022-03-26T13:25:35.654Z",
    "severity": "medium",
    "tenant": {
    "id": "xxxxxx",
    "name": "xxxxx"
    },
    "type": "Event::Endpoint::Threat::PuaDetected"

Reply
  • 0 in reply to RichardP

    We only have Threat Protection component configured for our customers. We are looking for Alert events such as Alerts for Threat Protection (e.g. Malware, PUA), Updating and Policy compliance. 

    From the Category list from the article, I can see some of these, Malware, PUA, Updating. There are others in the list we think we could use but not sure what it alerts for: policy, protection, systemhealth, uav.

    Also, our team has tools to set up an API call integration to extract the alerts and process them into tfsnow. We have pulled data via Postman for testing. Looking at the below alert, it has two strings which can be potentially used for its detection -  "category": "pua" and "type": "Event::Endpoint::Threat::PuaDetected". Do you have a list for all the "type" events?

    "category": "pua",
    "description": "PUA detected: 'PsExec' at 'C:\\Users\\veg1605\\Downloads\\PSTools.zip\\PsExec.exe\\FILE:0000'",
    "groupKey": "MixFdmVudDo6RW5kcG9pbnQ6OlRocmVhdDo6UHVhRGV0ZWN0ZWQsMjQsUHNFeGVj",
    "managedAgent": {
    "id": "xxxxx",
    "type": "server"
    },
    "product": "server",
    "raisedAt": "2022-03-26T13:25:35.654Z",
    "severity": "medium",
    "tenant": {
    "id": "xxxxxx",
    "name": "xxxxx"
    },
    "type": "Event::Endpoint::Threat::PuaDetected"

Children
No Data
Unfiltered HTML