Detections/Investigations API

Hi there,

Has anyone managed to construct API queries to pull out Detections/Investigations from Sophos XDR at all? 

We want these to be pushed into our ticketing platform as they are generated (or fetch them every 5 mins etc.) but I can't find any part of the API that can be used for this.

Seems like a necessary feature that's not available. 

Can anyone shed any light? 


  • Hi kevin,

    Thanks for reaching out to the Sophos Community Forum. 

    It is not currently possible to query the XDR Detections generated using API Queries. It’s possible to run queries against the information in the data lake, similar to if you used the UI in Sophos Central.

    If you would like to see this functionality added in to Sophos Central, I suggest connecting with your Account Manager so they can share your thoughts with our product teams. In some cases, they can also shed light on features already on the roadmap.

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids