Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Below are the samples used in the Central API Academy webinar series, which took place on the 16th and 17th of September 2024. If you missed the webinar, or if you want to see it again, you can use the links below to access the respective sessions:
English: events.sophos.com/.../35d7d211-5f6d-47b7-96f0-46ee9e7183e2
German: events.sophos.com/.../a8b5a60a-fd65-4c69-9a2a-851e8fd1e0c6
By using or accessing the Software below, you agree to be bound by the terms of the Sophos End User License Agreement.
The first three code samples provide the general authentication against the Central platform:
#01 covers Central Admin = customers
#02 covers Central Organization = customers using Enterprise Dashboard
#03 covers Central Partner = partners using Partner Dashboard
Put the code from the samples starting with #05 (except the ones marked “[standalone]”, which already include the authentication code) into, for example, the Central Admin Authentication code where it says #### INSERT CODE HERE #####.
The API credentials needed to run the samples are created in Central Admin, Enterprise Dashboard or Partner Dashboard respectively.
Sophos Central API Developer Reference https://developer.sophos.com/
XDR Schema docs https://docs.sophos.com/central/References/schemas/index.html?schema=xdr_schema_docs
#01 Central Admin Authentication - Basic sample showing how to authenticate using Central Admin API credentials and how to store these credentials securely on the local machine.
#02 Central Organization Authentication - Basic sample showing how to authenticate using Central Enterprise API credentials and how to store these credentials securely on the local machine. It then uses the Organization API to loop through all Tenants.
#03 Central Partner Authentication - Basic sample showing how to authenticate using Central Partner API credentials and how to store these credentials securely on the local machine. It then uses the Partner API to loop through all Tenants.
#04 Send Email [snippet] - Basic sample for sending emails through PowerShell with Gmail as relay. Can be used to send results via the body of the email instead of screen output.
#05 Endpoint Status [snippet] - Basic sample of retrieving device health information. Uses the Endpoint API.
#06 SophosLabs Intelix [standalone] - Lookup SHA256 values, IP addresses or URLs to see their classification by SophosLabs. This can for example be used to check if a URL is already classified as malicious. Please note that you need SophosLabs Intelix credentials. For more information see “How to register” on https://api.labs.sophos.com/doc/.
#07 Import blocked items [snippet] – Basic sample which shows how to use 3rd Party Threat Intel for blocking PE-files based on their SHA256. Uses the blocked-items function from the Endpoint API.
Sample file for use with this snippet:
#08 Import website tags [snippet] – Basic sample which shows how to use 3rd Party Threat Intel for blocking access to URLs and IP addresses, or how to reclassify specific websites. Uses the local-sites function from the Endpoint API.
Sample file for use with this snippet:
#09 Firewall Inventory [snippet] – Basic sample of listing the status of all Sophos Firewalls managed in Sophos Central. Uses the Firewall API.
#10 Firewall Upgrade Check [snippet] - Basic sample of listing the update status of all Sophos Firewalls managed in Central Admin. Uses the Firewall API and its function firmware-upgrade-check.
#11 Firewall Upgrade Check Partner [standalone] - Basic sample of listing the update status of all customer firewalls – requires Partner Assistance to be active within the customer’s account. Works standalone and does not need the auth code in front. Uses the Firewall API and its function firmware-upgrade-check.
#12 Generate Emails from Events [standalone] – Basic sample showing how to generate emails for specific events/devices. Uses the SIEM Events API.
#13 Email Quarantine Search [snippet] - Basic sample showing how to search the email quarantine for messages with attachments. Uses the quarantine search function of the Email API.
#14 Central Partner MSP Billing Report [standalone] - Basic sample of retrieving monthly usage for Sophos MSP Flex Partners. Uses the billing usage function of the Partner API.
For non-MSP based accounts, you will find a good example of the licensing API in the Sophos Community, see: Sophos Central Licensing API
#15 Account Health Check [snippet] - Basic sample of performing the Central Admin platform health check. Uses the Account Health Check API.
Partners or organizations using the Enterprise Dashboard will find a multi-tenant dashboard in the following community post: Building Multi-Tenant Dashboards with Sophos Central API’s - Part 2: Health Check
#16 XDR Detections [snippet] - Basic sample showing how to pull XDR Detection data from Sophos Central. Uses the Detections API.
Partners or organizations using the Enterprise Dashboard will find a multi-tenant dashboard in the following community post: Building Multi-Tenant Dashboards with Sophos Central API’s - Part 1: Detections
#17 XDR Cases [snippet] - Basic sample showing how to pull XDR Cases data from Sophos Central. Uses the Cases API.
Partners or organizations using the Enterprise Dashboard will find a multi-tenant dashboard in the following community post: Building Multi-Tenant Dashboards with Sophos Central API’s - Part 3: Cases
#18 XDR SHA256 Lookup [snippet] - Basic sample showing how to search the Data Lake for SHA256 values (PE and productivity documents). Uses the XDR API.
NOTE: You must replace the two instances of UN#I#ON with UNION before you use this snippet.
#19 XDR IP Lookup [snippet] - Basic sample showing how to search the Data Lake for IP addresses. Uses the XDR API.
NOTE: You must replace the two instances of UN#I#ON with UNION before you use this snippet.
#20 Admin isolate device [snippet] - Basic sample showing how to isolate devices using the API. Uses the isolation function of the Endpoint API.
#21 Remove devices from isolation [snippet] - Basic sample showing how to remove devices from isolation using the API. Uses the isolation function of the Endpoint API.
#22 Switch & AP6 Threat Response [standalone] - Block devices based on their MAC address on Sophos Switch and AP6 access points. Uses the mac-filtering function of the Switch and WiFi APIs.
Extra scripts that were not covered during the API Academy but are useful as well:
X01 Device Migration Start [standalone] - Basic sample of migrating installed Endpoints from one Central Admin account to another. Uses the migrations function of the Endpoint API.
X02 Device Migration Check [standalone] - Part two of the device migration. You can use this script to check the progress of a previously started migration. Uses the migrations function of the Endpoint API.
X03 Clear Sophos Firewall connection alerts [standalone] - Basic sample of acknowledging Central alerts (in this case Firewall alerts) using the API. Uses the alerts function of the Common API.
X04 Import Users from CSV file [snippet] - Basic sample of importing users into Central Admin with fixed group assignments (group imported users). Uses the directory function of the Common API.
Sample file for use with this snippet:
X05 Assign Admin Role [snippet] - Basic sample of assigning roles to admin accounts. Uses the admins, roles and directory functions of the Common API.
X06 Exclusion Report [snippet] - Basic sample to run a report for global exclusions and exclusions set in policies. Uses the policies and exclusions function of the Endpoint API.
X07 Import exclusions [snippet] - Basic sample to create global exclusions from a CSV-file. Uses the exclusions function of the Endpoint API.
Sample file for use with the above snippet:
X08 Download Installers [snippet] - Basic sample of retrieving the URL to the installer from a given Central Admin account. Uses the downloads function of the Endpoint API.
X09 Update Web Control base policy [snippet] - Basic sample showing how to change the Web Control base policy to include several tags that are used in script #08. Uses the policies function of the Endpoint API.
X10 Update Threat Protection Policy [snippet] – Basic sample showing how to enable SSL/TLS decryption and QUIC blocking in all Endpoint Threat Protection policies. Uses the policies function of the Endpoint API.
X11 XDR ad hoc query template [snippet] - Basic sample of a framework to run any SQL statement against the XDR Data Lake. Pre-canned Data Lake SQL statements can be found in the Threat Analysis Center. Uses the XDR-Query API.
X11a XDR Ad hoc Query Example [snippet] – This example purely shows how to use the X11 XDR ad hoc query template. We have inserted a sample query that uses one variable.
[edited by: Marcel at 7:22 AM (GMT -7) on 8 Oct 2024]