Device name displaying in API Alerts

Hi,

We have extracted Alerts via API from Sophos Central. I noticed that most of the alerts it extracted do not contain the device name in the description; they only contain the "id" of the device. For us to locate this device, we would need to do another API look-up to identify the device name belonging to this device id. This makes it complicated to identify the device name on initial alerting. Do you know if there is a way around this?

There was one alert (Example 1) “Event::Endpoint::OutOfDate”, which included the device name in the description. This is what we’re after for other alerts. Examples are shown below.

Example 1 - Contains device name in the description

{
    "id": " xxxxx ",
    "allowedActions": [
        "acknowledge"
    ],
    "category": "updating",
    "description": "L10-CCXYMG3 is out of date.",
    "groupKey": "xxxxxx",
    "managedAgent": {
        "id": "1106597d-05fd-407b-a81f-029537",
        "type": "computer"
    },
    "person": {
        "id": " xxxxx "
    },
    "product": "endpoint",
    "raisedAt": "2022-07-02T05:16:43.801Z",
    "severity": "medium",
    "tenant": {
        "id": " xxxxx ",
        "name": "xxxxx"
    },
    "type": "Event::Endpoint::OutOfDate"
}

Example 2 - Does not contain the device name in the description, only the device "id". We would need to do another API look-up to identify the device name for this device "id".

{
    "id": "xxxxx",
    "allowedActions": [
        "acknowledge"
    ],
    "category": "policy",
    "description": "Policy non-compliance: Network Threat Protection",   - No device name in description
    "groupKey": "xxxxxx",
    "managedAgent": {
        "id": "f96e9e46-d8fb-47d7-83b6-a3eb",
        "type": "computer"
    },
    "person": {
        "id": "8393e51f-2611-"
    },
    "product": "endpoint",
    "raisedAt": "2022-07-03T21:58:48.544Z",
    "severity": "medium",
    "tenant": {
        "id": " xxxxx",
        "name": "xxxxx"
    },
    "type": "Event::Endpoint::NonCompliant"
}

Reply
  • The device ID is the unique key we use to link all entries for a particular machine.

    Since events and items are created by disparate elements, not all of them would have access to the device name, but they all have access to the ID. It's true that if you want to look up the device name to link it that way, you would need to do another call.

    Why are you needing the device name? If you are working in our API, the ID is sufficient in all cases. Is this to find it in another database or system?

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
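The second call the reply refers to, worked through as an added example (it is not code from the original post or from Sophos): collect the distinct managedAgent ids from a page of alerts, look them up in one batched request to the Endpoint API, and attach the hostname to each alert while keeping the id as the join key. The sample alerts and endpoint records are constructed from the two alerts above (ids shortened, tenant and person fields dropped), so the block runs offline; the only assumption about the real API is in fetch_endpoints, which takes the tenant's data-region base URL, a bearer token and the X-Tenant-ID header, and assumes GET /endpoint/v1/endpoints accepts a comma-separated ids query parameter of at most 50 ids per request. Check those details against the current API reference before relying on them.

```python
"""Join Sophos Central alerts to device names via managedAgent.id.

Added example, not Sophos code. The only network call (fetch_endpoints) is not
exercised here; everything else runs on the constructed sample data below.
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, List

# Constructed sample alerts shaped like the two examples in the post (not real data).
SAMPLE_ALERTS: List[dict] = [
    {"id": "alert-1", "category": "updating",
     "description": "L10-CCXYMG3 is out of date.",
     "managedAgent": {"id": "1106597d-05fd-407b-a81f-029537", "type": "computer"},
     "raisedAt": "2022-07-02T05:16:43.801Z", "severity": "medium",
     "type": "Event::Endpoint::OutOfDate"},
    {"id": "alert-2", "category": "policy",
     "description": "Policy non-compliance: Network Threat Protection",
     "managedAgent": {"id": "f96e9e46-d8fb-47d7-83b6-a3eb", "type": "computer"},
     "raisedAt": "2022-07-03T21:58:48.544Z", "severity": "medium",
     "type": "Event::Endpoint::NonCompliant"},
    # Constructed tenant-level alert with no managedAgent: the join must skip it, not crash.
    {"id": "alert-3", "category": "general", "description": "Licence expiring",
     "raisedAt": "2022-07-04T00:00:00.000Z", "severity": "low", "type": "Event::Licensing"},
]

# Constructed stand-in for the "items" array GET /endpoint/v1/endpoints returns.
# The second hostname is the one the NonCompliant description never told us.
SAMPLE_ENDPOINTS: List[dict] = [
    {"id": "1106597d-05fd-407b-a81f-029537", "type": "computer", "hostname": "L10-CCXYMG3"},
    {"id": "f96e9e46-d8fb-47d7-83b6-a3eb", "type": "computer", "hostname": "L10-SRV0042"},
]


def collect_agent_ids(alerts: List[dict]) -> List[str]:
    """Distinct managedAgent ids in first-seen order; alerts without one are skipped."""
    seen: Dict[str, None] = {}
    for alert in alerts:
        agent_id = (alert.get("managedAgent") or {}).get("id")
        if agent_id:
            seen.setdefault(agent_id, None)
    return list(seen)


def hostname_map(endpoint_items: List[dict]) -> Dict[str, str]:
    """id -> hostname from endpoint objects; a record without a hostname maps to ''."""
    return {e["id"]: e.get("hostname", "") for e in endpoint_items if e.get("id")}


def enrich_alerts(alerts: List[dict], names: Dict[str, str]) -> List[dict]:
    """Copy each alert and add deviceName; managedAgent.id stays as the stable join key.

    Hostnames get renamed and duplicated across a fleet, so the id is kept beside
    the name rather than replaced by it. An id with no endpoint record (device
    deleted, or the lookup failed) is surfaced in the name, not silently blanked.
    """
    enriched = []
    for alert in alerts:
        copy = dict(alert)
        agent_id = (alert.get("managedAgent") or {}).get("id")
        if agent_id is None:
            copy["deviceName"] = None  # tenant-level alert, nothing to look up
        elif agent_id in names:
            copy["deviceName"] = names[agent_id]
        else:
            copy["deviceName"] = f"<unknown:{agent_id}>"
        enriched.append(copy)
    return enriched


def format_line(alert: dict) -> str:
    """One line per alert for a SIEM or ticket: time, severity, device, id, type, text."""
    agent_id = (alert.get("managedAgent") or {}).get("id", "-")
    device = alert.get("deviceName") or "-"
    return (f"{alert['raisedAt']} [{alert['severity']}] {device} ({agent_id}) "
            f"{alert['type']}: {alert['description']}")


def fetch_endpoints(base_url: str, token: str, tenant_id: str, ids: List[str],
                    batch: int = 50) -> List[dict]:
    """The second call from the reply: GET /endpoint/v1/endpoints?ids=a,b,c (assumed
    to take at most 50 ids per request; base_url is the tenant's data-region URL)."""
    items: List[dict] = []
    for start in range(0, len(ids), batch):
        query = urllib.parse.urlencode({"ids": ",".join(ids[start:start + batch])})
        req = urllib.request.Request(
            f"{base_url}/endpoint/v1/endpoints?{query}",
            headers={"Authorization": f"Bearer {token}",
                     "X-Tenant-ID": tenant_id,
                     "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            items.extend(json.load(resp).get("items", []))
    return items


if __name__ == "__main__":
    # Offline run; against a real tenant, replace SAMPLE_ENDPOINTS with
    # fetch_endpoints(base_url, token, tenant_id, collect_agent_ids(alerts)).
    names = hostname_map(SAMPLE_ENDPOINTS)
    for line in map(format_line, enrich_alerts(SAMPLE_ALERTS, names)):
        print(line)
```

Two things the block deliberately does not do: it never parses a hostname out of the free-text description (the OutOfDate text happens to start with one, but other alert types do not, and the text format is not a contract), and it never keys anything on the hostname, since two machines can carry the same name and a machine can be renamed between the alert and the lookup. The id is what Sophos keeps stable, so that is what should be stored alongside the name.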

