Sophos

With the Sophos Central Endpoint Detection integration, customers have the ability to interact with aspects such as endpoints, alerts, exclusions and blocklist items inside the Sophos Central platform.

The following actions are available:

• List Alerts – Get alerts matching criteria in query parameters.
• Get Alert – Get an alert based on its alert id.
• Get Endpoint – Retrieve an endpoint based on ID.
• List Endpoints – Retrieve all the endpoints for the specified tenant.
• List Allowed Items – Retrieve all allowed items.
• Update Allowed Item – Update an allowed item.
• List Blocked Items – Retrieve all blocked items.
• Delete Blocked Item – Deletes the specified blocked item.
• Get Scan Exclusion – Retrieve a single isolation exclusion by ID.
• List Scan Exclusion – Return all scan exclusions and their details by type.
• List Isolation Exclusions – Return a list of isolation exclusions.
• Update Isolation Status – Updates an Isolation exclusion details by ID.

These apps can be found in the Dataminr App Catalog under the names: Sophos Central Endpoint Detection(Playbook), Sophos Central Endpoint Detection(TriggerService), and Sophos Central Alerting(TriggerService).

The Investigation Insights – Sophos integration allows Investigation Insights to search Sophos to return found domains, urls, IPs, and SHA256 hashes. The integration also allows you to Isolated found endpoints, and add SHA256 hashes to your Block and Allow Lists. Enabling analysts to have quick insights into their Sophos platform and enable them to quickly isolate endpoints or add files to allow or block lists.