Hi,
We have extracted alerts via the API from Sophos Central. I noticed that most of the alerts it extracted do not contain the device name in the description; they only contain the "id" of the device. For us to locate this device, we would need to do another API lookup to identify the device name belonging to this device id. This makes it complicated to identify the device name on initial alerting. Do you know if there is a way around this?
There was one alert (Example 1), "Event::Endpoint::OutOfDate", which included the device name in the description. This is what we're after for the other alerts. Examples are shown below.
Example 1 - Contains device name in the description
{
  "id": "xxxxx",
  "allowedActions": [
    "acknowledge"
  ],
  "category": "updating",
  "description": "L10-CCXYMG3 is out of date.",
  "groupKey": "xxxxxx",
  "managedAgent": {
    "id": "1106597d-05fd-407b-a81f-029537",
    "type": "computer"
  },
  "person": {
    "id": "xxxxx"
  },
  "product": "endpoint",
  "raisedAt": "2022-07-02T05:16:43.801Z",
  "severity": "medium",
  "tenant": {
    "id": "xxxxx",
    "name": "xxxxx"
  },
  "type": "Event::Endpoint::OutOfDate"
}
Example 2 - Does not contain the device name in the description, only the device "id". We would need to do another API lookup to identify the device name for this device "id".
{
  "id": "xxxxx",
  "allowedActions": [
    "acknowledge"
  ],
  "category": "policy",
  "description": "Policy non-compliance: Network Threat Protection",
  "groupKey": "xxxxxx",
  "managedAgent": {
    "id": "f96e9e46-d8fb-47d7-83b6-a3eb",
    "type": "computer"
  },
  "person": {
    "id": "8393e51f-2611-"
  },
  "product": "endpoint",
  "raisedAt": "2022-07-03T21:58:48.544Z",
  "severity": "medium",
  "tenant": {
    "id": "xxxxx",
    "name": "xxxxx"
  },
  "type": "Event::Endpoint::NonCompliant"
}
(No device name in the "description" field.)
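The second lookup described in the post can be made cheap by resolving each managedAgent.id once and reusing the answer for every alert that references the same device. The script below is an added example, not Sophos code and not part of the original post. It assumes the Sophos Central Endpoint API's GET /endpoint/v1/endpoints/{endpointId} call, whose response carries a "hostname" field, and it replaces that HTTP call with an offline stand-in (FAKE_ENDPOINTS) so it runs without credentials; the sample alerts and hostnames other than the one in the post are constructed placeholders.

```python
"""Enrich Sophos Central alerts with the device name behind managedAgent.id.

Added example, not Sophos code. The real second call is
GET /endpoint/v1/endpoints/{endpointId} (Endpoint API); it is replaced here
with an offline lookup so the script runs stand-alone.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample alerts mirroring the two shapes in the post
# (ids are placeholders, not real Sophos identifiers).
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {
        "id": "alert-1",
        "description": "L10-CCXYMG3 is out of date.",
        "managedAgent": {"id": "1106597d-05fd-407b-a81f-029537", "type": "computer"},
        "type": "Event::Endpoint::OutOfDate",
    },
    {
        "id": "alert-2",
        "description": "Policy non-compliance: Network Threat Protection",
        "managedAgent": {"id": "f96e9e46-d8fb-47d7-83b6-a3eb", "type": "computer"},
        "type": "Event::Endpoint::NonCompliant",
    },
    {   # same device as alert-2: must be served from the cache, not a new call
        "id": "alert-3",
        "description": "Policy non-compliance: Web Control",
        "managedAgent": {"id": "f96e9e46-d8fb-47d7-83b6-a3eb", "type": "computer"},
        "type": "Event::Endpoint::NonCompliant",
    },
    {   # device that no longer exists in the endpoint inventory (lookup returns nothing)
        "id": "alert-4",
        "description": "Policy non-compliance: Threat Protection",
        "managedAgent": {"id": "00000000-deleted-device", "type": "computer"},
        "type": "Event::Endpoint::NonCompliant",
    },
]

# Constructed endpoint inventory standing in for Endpoint API responses.
FAKE_ENDPOINTS: Dict[str, Dict[str, Any]] = {
    "1106597d-05fd-407b-a81f-029537": {"hostname": "L10-CCXYMG3", "type": "computer"},
    "f96e9e46-d8fb-47d7-83b6-a3eb": {"hostname": "L10-QWERTY7", "type": "computer"},
}


def lookup_endpoint_offline(endpoint_id: str) -> Optional[Dict[str, Any]]:
    """Stand-in for GET /endpoint/v1/endpoints/{endpoint_id}; None mimics a 404."""
    return FAKE_ENDPOINTS.get(endpoint_id)


class AlertEnricher:
    """Adds deviceName to each alert, caching so every device costs at most one call."""

    def __init__(self, lookup: Callable[[str], Optional[Dict[str, Any]]]) -> None:
        self._lookup = lookup
        self._cache: Dict[str, Optional[str]] = {}
        self.api_calls = 0  # lookups actually issued, to show the cache working

    def device_name(self, endpoint_id: str) -> Optional[str]:
        if endpoint_id not in self._cache:
            self.api_calls += 1
            ep = self._lookup(endpoint_id)
            # Cache misses too, so a deleted device is not re-queried for every alert.
            self._cache[endpoint_id] = ep.get("hostname") if ep else None
        return self._cache[endpoint_id]

    def enrich(self, alert: Dict[str, Any]) -> Dict[str, Any]:
        out = dict(alert)
        agent = alert.get("managedAgent") or {}
        name = None
        # Only endpoint-type agents are resolvable through the Endpoint API.
        if agent.get("type") in ("computer", "server") and agent.get("id"):
            name = self.device_name(agent["id"])
        out["deviceName"] = name
        desc = alert.get("description", "")
        # Prefix the name only when the description does not already carry it.
        if name and name.lower() not in desc.lower():
            out["description"] = f"{name}: {desc}"
        return out


def enrich_alerts(alerts: List[Dict[str, Any]],
                  lookup: Callable[[str], Optional[Dict[str, Any]]] = lookup_endpoint_offline
                  ) -> Tuple[List[Dict[str, Any]], int]:
    """Return the enriched alerts and the number of endpoint lookups that were issued."""
    enricher = AlertEnricher(lookup)
    return [enricher.enrich(a) for a in alerts], enricher.api_calls


if __name__ == "__main__":
    enriched, calls = enrich_alerts(SAMPLE_ALERTS)
    for a in enriched:
        print(f"{str(a['deviceName']):14} {a['type']:34} {a['description']}")
    print(f"{len(enriched)} alerts enriched with {calls} endpoint lookups")
```

To use it against the live service, replace lookup_endpoint_offline with a function that performs the authenticated GET and returns the parsed JSON (or None on 404); because the cache keys on the endpoint id, a batch of many alerts from a few noisy devices costs only one lookup per device. Keeping the resolved name in a separate deviceName field, rather than only rewriting the description, means downstream rules can match on a stable field instead of parsing free text.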