Example use cases & Top Scenarios for Sophos Central APIs

Hi Community,

Below are some examples of what is capable today with our current API set as well as some of the things we are embarking on for integrations with top vendors of software in:

• Remote Monitoring and Management (RMM) 
• Professional Services Automation (PSA) 
• Security Information and Event Management (SIEM) 
• Security Orchestration and Response (SOAR)  

Example use cases 

• Building an alerting dashboard into a monitoring solution 
  • Quickly determine if there is a threat or service issue across your entire customer base via a visual indicator 
• Automated Deployment of endpoints across global company footprint 
• Audit an organizations security posture and remediate issues on the fly

Top Scenarios 

Programmatically manage customers to retrieve specific data around each tenant such as Name, billing types, and GDPR data region or even create a new tenant from within your own management application 

• List all Tenants 
• Get details of a single Tenant
• Create a Tenant

Quickly determine health and service status of endpoints across all customers or individual customers 

• Retrieve a list of all Endpoints per Tenant 
• Retrieve single Endpoint

Manage endpoint tamper protection to determine if it is disabled which poses a security risk, then re-enable if so 

• Retrieve Tamper Protection status for a specific Endpoint 
• Set Tamper Protection status for a specific Endpoint

Perform security related management of Endpoints by executing scans, or update checks across specific endpoints.  Even deletion of an endpoint is possible. 

• Run a scan on a specific Endpoint
• Perform an update check on a specific Endpoint 
• Delete an Endpoint

Populate data into a dashboard to quickly determine and remediate an outbreak within a customer organization by retrieving all alerts across a customer, or specific machine.  Even searching for alerts by type and severity is supported. 

• Retrieve a list of all Alerts for a specific Tenant 
• Retrieve Alerts for a specific Endpoint 
• Search for alerts by type or severity

Mitigate a threat directly from the alert actions and then acknowledge it to ensure other resources aren’t erroneously investigating. 

• Action an Alert

Note: Sophos Central API access is given at the partner level and will automatically propagate to all flex tenants.  Term tenants must be opted into Partner assistance management.

Enabling Partner Assistance >> Navigate to [Your Customer Name] at the top right of Central Admin >> Account Details >> Sophos Support >> Toggle Partner Assistance to the On position.

• 

Note: It is important to determine your partner ID by calling the WHO AM I API in order to execute subsequent calls across tenants. 

Updated links
[edited by: Elias Collins - Sophos Product Management at 3:24 PM (GMT -8) on 16 Feb 2021]