Skip to main content

Sophos Central API Connector

Project description

Sophos Central API Connector

Python library to utilise many of the features in Sophos Central API across multiple or single tenants

Python License: GPL v3 Generic badge


Table of contents:

Features

All features can be run against single or multiple tenants

  • Gather tenant system inventory
    • Output to stdout, json, Splunk
  • Gather alerts
    • Alert polling
    • Output to stdout, json, Splunk
  • Local Sites
    • Clean up Global exclusions
      • Compare exclusions to SophosLabs Intelix
    • Generate report
  • IOC Hunting - Utilising Live Discover or XDR DataLake
    • MISP Attribute hunting (eventId, tags)
    • RAW JSON input
    • Saved search

Quick start

Want to test as quickly as possible? Follow the below quick start steps to begin looking at your Sophos Central data!

  1. Install latest version of Python 3

  2. Create a folder e.g "sophos_test"

  3. Open a command prompt/terminal

  4. Create a Python Virtual Environment:

    python -m venv <folder_name>
    
  5. Activate the Python Virtual Environment:

    <path_to_folder>\Scripts\activate
    
  6. Install the Sophos Central API Connector (this will also install the requirements):

    pip install sophos-central-api-connector
    
  7. Once it has finished installing browse to:

    cd <path_to_folder>\Lib\site-packages\sophos_central_api_connector
    
  8. Run the following command to view help to begin:

    python sophos_central_main.py --help
    
  9. Add your Sophos Central API id and secret to the sophos_config.ini under the folder: \Lib\site-packages\sophos_central_api_connector\config

    Important!

    We would recommend that the static entry is only used for testing purposes and the token is stored and accessed securely. Please reference the authentication section


Prerequisites

In order to use the package you will require a valid API key from your Sophos Central tenant. To obtain a valid API key please reference the documentation here


Install

pip install --user sophos_central_api_connector

Authentication

There are two options for authentication, the setting used here will be used for all areas of authentication. As mentioned under the configuration section we recommend using the AWS Secrets Manager for storing these credentials. Only use the static credentials for testing purposes.

Static Credentials

To specify using the static credentials which are in the *config.ini files you can use the following: python3 sophos_central_main.py --auth static

AWS Secrets Manager

To specify using the AWS settings which are in the *config.ini files to retrieve the secrets and token you can use the following: python3 sophos_central_main.py --auth aws


Basic Examples

Help

To get information on the CLI commands when using the sophos_central_main.py run:

python sophos_central_main.py --help

Tenants List

To get a list of tenants:

python sophos_central_main.py --auth <auth_option> --get tenants

Inventory

To get inventory data:

python sophos_central_main.py --auth <auth_option> --get inventory --output <output_option>

Alerts/Event Information

To get alert data:

python sophos_central_main.py --auth <auth_option> --get alerts --days <integer: 1-90> --output <output_option>

Local Site

To get a list of local site data:

python sophos_central_main.py --auth <auth_option> --get local-sites --output <output_option>

Output Options

There are four output options available for the inventory, simply add one of the following after --output:

  • stdout: Print the information to the console.
  • json: Save the output of the request to a json file
  • splunk: This will send the data to Splunk with no changes made. This will apply the settings made in the transform files.
  • splunk_trans: Using this output will apply the information set in the splunk_config.ini for the host, source and sourcetype. This will overrun the settings in the transform files in Splunk but not the Index that the data should be sent to.

Troubleshooting

All logging is done via the python logging library. Valid logging levels are:

  • INFO
  • DEBUG
  • CRITICAL
  • WARNING
  • ERROR

For basic feedback set the logging level to INFO


Structure

Below is the structure after installing through pip:

sophos_central_api_connector
|   .gitignore
|   LICENSE
|   MANIFEST.in
|   README.md
|   requirements.txt
|   setup.py
|___docs
|       alerts.md
|       intelix.md
|       intelix_configuration.md
|       inventory.md
|       ioc_hunter.md
|       local_sites.md
|       misp_configuration.md
|       sophos_configuration.md
|       splunk_configuration.md
|___queries
|       |___live_discover_queries
|               ld_ioc_hunter.sql
|       |___xdr_queries
|               xdr_ioc_hunter.sql
|___sophos_central_api_connector
|       ioc_hunter.py
|       sophos_central_api_live_discover.py
|       sophos_central_api_auth.py
|       sophos_central_api_awssecrets.py
|       sophos_central_api_connector_utils.py
|       sophos_central_api_delete_data.py
|       sophos_central_api_get_data.py
|       sophos_central_api_intelix.py
|       sophos_central_api_output.py
|       sophos_central_api_polling.py
|       sophos_central_api_tenants.py
|       sophos_central_api_hec_splunk.py
|       sophos_central_main.py
|___config
|       intelix_config.ini
|       misp_config.ini
|       sophos_central_api_config.py
|       sophos_config.ini
|       splunk_config.ini

Below is the structure with all the files that are created through different mechanisms:

sophos_central_api_connector
|   .gitignore
|   LICENSE
|   MANIFEST.in
|   README.md
|   requirements.txt
|   setup.py
|___sophos_central_api_connector
|   |___docs
|   |       alerts.md
|   |       intelix.md
|   |       intelix_configuration.md
|   |       inventory.md
|   |       ioc_hunter.md
|   |       local_sites.md
|   |       misp_configuration.md
|   |       sophos_configuration.md
|   |       splunk_configuration.md
|___queries
|       |___live_discover_queries
|               ld_ioc_hunter.sql
|       |___xdr_queries
|               xdr_ioc_hunter.sql
|       ioc_hunter.py
|       sophos_central_api_live_discover.py
|       sophos_central_api_auth.py
|       sophos_central_api_awssecrets.py
|       sophos_central_api_connector_utils.py
|       sophos_central_api_delete_data.py
|       sophos_central_api_get_data.py
|       sophos_central_api_intelix.py
|       sophos_central_api_output.py
|       sophos_central_api_polling.py
|       sophos_central_api_tenants.py
|       sophos_central_api_hec_splunk.py
|       sophos_central_main.py
|___config
|       intelix_config.ini
|       misp_config.ini
|       sophos_central_api_config.py
|       sophos_config.ini
|       splunk_config.ini
|___logs
|       failed_events.json
|___output
|   |___get_alerts
|   |       <tenant_name>_<tenant_id>.json
|   |       ...
|   |___get_inventory
|           <tenant_name>_<tenant_id>.json
|   |___get_local_sites
|           <tenant_name>_<tenant_id>.json
|           ...
|   |___intelix
|       |___delete_local_sites
|           <date>_<time>_deletion_details.json
|           <date>_<time>_deletion_report.json
|           ...
|       <date>_<time>_intelix_results.json
|       <date>_<time>_results_combined.json
|       <tenant_id>_<date>_<time>_<risk_level>_dry_run_report.json
|       ...
|   |___query_results
|       <xdr_datalake/live-discover>_query_list.json
|       <xdr_datalake/live-discover>_search_data_<timestamp>.json
|       <xdr_datalake/live-discover>_result_data_<timestamp>.json
|       live-discover_endpoint_data_<timestamp>.json
|___polling
|       poll_config.json
|       alert_ids.json
|       temp_alert_ids.json

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sophos_central_api_connector-0.1.6.tar.gz (63.9 kB view details)

Uploaded Source

Built Distribution

sophos_central_api_connector-0.1.6-py3-none-any.whl (73.1 kB view details)

Uploaded Python 3

File details

Details for the file sophos_central_api_connector-0.1.6.tar.gz.

File metadata

  • Download URL: sophos_central_api_connector-0.1.6.tar.gz
  • Upload date:
  • Size: 63.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.9.6

File hashes

Hashes for sophos_central_api_connector-0.1.6.tar.gz
Algorithm Hash digest
SHA256 f2fe6df31e002e72a92dfd8a175d14e92e24f4aabccc1819ec8bf1eda1bcc2ca
MD5 2b62b585c0e1ef48697c35ac0e5666ee
BLAKE2b-256 c63d506c0833e77b028e05fa671b577048effc408b2c075440c69430dcf5f1f5

See more details on using hashes here.

File details

Details for the file sophos_central_api_connector-0.1.6-py3-none-any.whl.

File metadata

  • Download URL: sophos_central_api_connector-0.1.6-py3-none-any.whl
  • Upload date:
  • Size: 73.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.9.6

File hashes

Hashes for sophos_central_api_connector-0.1.6-py3-none-any.whl
Algorithm Hash digest
SHA256 4eb9720fc4aad91440d9dc013add122fbd16209810135452b53ed44d474b392f
MD5 29fae37d30dbd83cd7669729df3b4ed6
BLAKE2b-256 334d7d0ca8baf4bca005090c27fddf3ada38c6583481920b178c8804f5107785

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page