Sophos Central

Overview

Sophos Central is a cloud-native security management platform that delivers centralized control over endpoint protection, server security, firewall management, and threat response. It enables organizations to monitor alerts, isolate compromised endpoints, enforce exploit mitigation policies, and manage users and groups across distributed environments from a single console.

The Sophos Central extension for ManageEngine Log360 Cloud integrates detection with enforcement, enabling security teams to trigger automated SOAR actions from correlated incidents, without switching consoles. By combining Log360 Cloud's correlation capabilities with Sophos Central's endpoint control mechanisms, organizations can rapidly contain threats and reduce response time.

Use cases

Isolate compromised endpoints instantly

When Log360 Cloud detects ransomware-like behavior such as abnormal file encryption patterns, exploit detections, or suspicious script execution, it can automatically trigger the Endpoint Isolation action through the Sophos Central extension.

The affected device is immediately isolated from the network while maintaining secure communication with Sophos Central for remediation.

With the Sophos Central extension:

Lateral movement is prevented

Command and control communication is blocked

Incident investigation can proceed safely

Pre-requisites

• Before creating a connection for a pre-defined service, ensure that the corresponding integration/extension is installed in Log360 Cloud.
• Only after installing the extension, the service will appear in the Connections page for connection setup.

Configuring Sophos integration via Connections

To enable communication between Log360 Cloud and Sophos Central, a connection must be configured.

1. Log in to the product console.
2. Navigate to the Settings tab and select Admin.
3. Under Integrations, select Connections.

   

4. From the list of available integrations, select Sophos Central.

   

5. In the window that opens, click Create Connection.

   

6. In the Create Connection - Sophos Central window, provide the following details:
   • Authentication Type: This is preselected based on the integration.
   • Connection Name: Enter a name to identify the connection.
   • Data Region: Specify the data region associated with your Sophos account.
     NOTE The Client ID and Client Secret can be generated from the Sophos Central Admin portal. For detailed steps on creating API credentials, refer to this document.
   • Client ID: Enter the Client ID generated from the Sophos Central Admin portal.
   • Client Secret: Enter the corresponding Client Secret.
   • Tenant ID: Provide the Tenant ID from the Sophos Central portal.

   

7. Under Select Scope(s), choose the required scope. You can also use the search bar to locate the required scope.

   

8. Click Authorize and Save to complete authentication and create the connection.

Supported SOAR functionalities

The Sophos Central extension provides custom functions that enable playbooks to interact with Sophos Central APIs. These functions can be used to retrieve alerts, manage endpoints, and perform automated response actions.

1. sophoscentral_listAlerts

Retrieves a list of security alerts from Sophos Central with pagination support.

2. sophoscentral_getAlert

Fetches detailed information about a specific security alert by ID.

3. sophoscentral_alertAction

Performs actions on security alerts such as acknowledge, clean, or send to Central.

4. sophoscentral_searchAlert

Searches and filters alerts by time range, product type, severity, and category.

{ 
"groupKey": "string", 
"from": "string (datetime)", 
"to": "string (datetime)", 
"product": "array", 
"ids": "array", 
"fields": "array"
}

5. sophoscentral_listEndpoint

Retrieves a list of managed endpoints with filtering options for health status and type.

6. sophoscentral_scanEndpoint

Initiates an on-demand security scan on a specific endpoint.

7. sophoscentral_getTamperProtectionInfo

Retrieves tamper protection status and configuration for an endpoint.

8. sophoscentral_updateTamperProtectionInfo

Updates tamper protection settings for an endpoint.

9. sophoscentral_listWhitelistItems

Retrieves a list of whitelisted items allowed in Sophos Central.

10. sophoscentral_getWhitelistItem

Fetches details of a specific whitelisted item by ID.

11. sophoscentral_addWhitelistItem

Adds a new item to the whitelist in Sophos Central.

12. sophoscentral_updateWhitelistItem

Updates an existing whitelisted item configuration.

13. sophoscentral_deleteWhitelistItem

Removes a whitelisted item from Sophos Central.

14. sophoscentral_getBlockedAddress

Retrieves details of a blocked IP address or domain.

15. sophoscentral_listBlockedItems

Retrieves a list of blocked items in Sophos Central.

16. sophoscentral_getBlockedItem

Fetches details of a specific blocked item by ID.

17. sophoscentral_addBlockedItem

Adds a new item to the blocked list in Sophos Central.

18. sophoscentral_deleteBlockedItem

Removes a blocked item from Sophos Central.

19. sophoscentral_listScanExclusion

Retrieves a list of scan exclusions configured in Sophos Central.

20. sophoscentral_getScanExclusion

Fetches details of a specific scan exclusion by ID.

21. sophoscentral_addScanExclusion

Adds a new scan exclusion in Sophos Central.

22. sophoscentral_updateScanExclusion

Updates an existing scan exclusion configuration.

23. sophoscentral_deleteScanExclusion

Removes a scan exclusion from Sophos Central.

24. sophoscentral_listExploitMitigation

Retrieves a list of exploit mitigation rules configured in Sophos Central.

25. sophoscentral_getExploitMitigation

Fetches details of a specific exploit mitigation rule by ID.

26. sophoscentral_addExploitMitigation

Adds a new exploit mitigation rule in Sophos Central.

27. sophoscentral_updateExploitMitigation

Updates an existing exploit mitigation rule configuration.

28. sophoscentral_deleteExploitMitigation

Removes an exploit mitigation rule from Sophos Central.

29. sophoscentral_getIsolationEndpoint

Retrieves the network isolation status of an endpoint.

30. sophoscentral_addIsolationEndpoint

Isolates an endpoint from the network for security containment.

31. sophoscentral_updateIsolationEndpoint

Updates the network isolation settings for an endpoint.

32. sophoscentral_deleteIsolationEndpoint

Removes network isolation from an endpoint, restoring connectivity.

33. sophoscentral_addUserInUserGroup

Adds a user to a specified user group in Sophos Central.

34. sophoscentral_deleteUserInUserGroup

Remove multiple users from a group.

35. sophoscentral_listUserGroup

Returns a list of all user groups that match the search criteria.

36. sophoscentral_getUserGroup

Get group by ID.

37. sophoscentral_createUserGroup

Add a new group to the directory.

38. sophoscentral_updateUserGroup

Update a user group.

39. sophoscentral_deleteUserGroup

Deletes the specified group.

40. sophoscentral_listUser

Returns a list of all users.

41. sophoscentral_getUser

Fetches details of a specific user by ID.

42. sophoscentral_addUser

Add a new user.

43. sophoscentral_updateUser

Update a user.

44. sophoscentral_deleteUser

Deletes a user.

45. sophoscentral_listEndpointGroup

List endpoint groups.

46. sophoscentral_getEndpointGroup

Get an endpoint group by ID.

47. sophoscentral_createEndpointGroup

Create a new endpoint group.

48. sophoscentral_updateEndpointGroup

Update an endpoint group.

49. sophoscentral_deleteEndpointGroup

Delete an endpoint group by ID.

50. sophoscentral_getEvents

Retrieves threat detection events for specified endpoints within a given time range from Sophos Central SIEM.

Read also

This page explained how to configure the Sophos Central integration and use supported SOAR actions for automated response and endpoint management. For more information on related integration features, refer to:

• Veeam
• Okta