Sophos Central
Overview
Sophos Central is Sophos's multi-tenant SaaS console for endpoint protection, server protection, MDR, XDR, and related security products. The Bumblebee integration uses the Sophos Central public API to surface protection posture, threat alerts, endpoint inventory, and directory users — the data needed to power security workflows and quarterly business reviews without standing up a SIEM ingestion pipeline.
Beyond the curated QBR tools, the integration provides read access to entire Sophos API modules (Endpoint, Common, Partner, Organization, Cases, Licensing, Audit Events) through per-module read tools, threat-hunting queries against the XDR Data Lake / live endpoints / detections, and a set of individually grantable security response actions (endpoint isolation, tamper protection, scans, allow/block lists, endpoint groups, scanning exclusions, and partner tenant management).
The same credential shape works for single-tenant, Partner, and Organization Sophos accounts. Bumblebee detects the credential type automatically via the Sophos whoami/v1 endpoint — you do not pick a tenant when configuring credentials. For Partner and Organization credentials, the agent enumerates accessible tenants at conversation time using the list_tenants tool.
Prerequisites & Setup
Before setting up the Sophos integration, you need:
- An active Sophos Central account
- Super Admin access to create API credentials
- A few minutes — the credential secret is shown only once, so be ready to copy it
Create API Credentials in Sophos Central
- Log in to Sophos Central at central.sophos.com
- From the left sidebar, click Global Settings
- Under System Settings, click API Credentials
- Click Add Credential in the upper-right corner
- Configure the credential:
  - Credential Name: e.g., "Bumblebee"
  - Role: pick the lowest role covering the tools you plan to grant in your workflows:
    - Service Principal Read-Only — all read tools (QBR tools, module read access, licensing, audit)
    - Service Principal Management — additionally the Endpoint response actions (isolation, tamper protection, scans, allow/block, groups, exclusions) and XDR Data Lake / detections queries
    - Service Principal Forensics — Live Discover queries on live endpoints
    - Service Principal Super Admin (Partner/Organization account) — endpoint migration between tenants
- Click Add
- On the confirmation dialog, copy the Client ID and Client Secret immediately — the secret is shown once and cannot be retrieved later
Configure in Bumblebee
- Go to the Integrations page in Bumblebee
- Select Sophos Central
- Enter your Client ID and Client Secret
- Save the configuration
Bumblebee auto-detects whether the credential is single-tenant or scoped to a Sophos Partner / Organization. No additional fields are required.
Available Tools
Tenants
- list_tenants — Enumerate accessible Sophos tenants. Returns one self-tenant entry for single-tenant credentials, or many entries for Partner/Organization credentials. Always call this first when working with Partner or Organization credentials.
Account Health
- get_account_health_check — Get the Sophos account health check: protection, policy, exclusion, and tamper-protection scores (0–100). Used to populate overall posture and configuration drift in QBRs. Optional: tenant_id (str — required for Partner/Organization credentials)
Alerts
- list_alerts — List deduplicated alerts in a time window with optional filtering by severity, category, product, and status. Common API alerts have a 90-day retention window. Optional: tenant_id (str), severity (str — low, medium, high), category (str — e.g. malware, pua, policy, protection, general, security, mobiles, azure, iaas, mtr, wireless, adsync), product (str — e.g. endpoint, server, mobile, firewall, encryption, xdr, ztna, wireless, iaas), status (str — open, closed), from_date (str), to_date (str), max_records (int)
Endpoints
- list_endpoints — List endpoints in the Sophos network inventory split by computer, server, and security VM. Optional: tenant_id (str), max_records (int)
Users
- list_users — List directory users for the tenant. Optional: tenant_id (str), max_records (int — pageSize is capped at 100 by the Sophos API)
QBR Composite
- get_qbr_summary — Composite tool that aggregates account health, alerts, endpoints, and users into one QBR-shaped JSON payload covering all the tiles in the Sophos Central "Overview of your Sophos protection" report. Returns counts only (not raw items) and includes a disclaimer noting that alert counts are deduplicated alerts, not raw events. Optional: tenant_id (str)
Module Read Access (read-only, cannot mutate)
One tool per Sophos API module. The agent supplies a path and query parameters; auth, regional routing, and tenant headers are handled automatically. These tools only perform GET requests — they cannot change anything in Sophos Central.
- sophos_endpoint_get — Endpoint API: device inventory with rich filters, endpoint groups, allow/block lists, exclusions, web control, policies, software packages, installer links. Optional: tenant_id (str), query_params (dict), response_filter (str)
- sophos_common_get — Common API: alerts with full filters, admins and roles (RBAC), directory users and groups. Optional: tenant_id (str), query_params (dict), response_filter (str)
- sophos_cases_get — Cases API: MDR/XDR investigation cases, their detections, impacted entities, MITRE ATT&CK summaries. Optional: tenant_id (str), query_params (dict), response_filter (str)
- sophos_partner_get — Partner API (Partner credentials only): customer tenants, monthly billing usage reports, partner admins, provisioning catalog
- sophos_organization_get — Organization API (Organization credentials only): sub-estate tenants, org admins, roles
- sophos_licensing_get — Licensing API: license inventory with usage and expiry
- sophos_audit_get — Audit Events API: the admin audit trail (who changed what, from where), up to 90 days back
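The automatic credential detection described in the Overview and the "auth, regional routing, and tenant headers are handled automatically" behaviour of the module read tools come down to one whoami/v1 call and a small routing rule. The following is an added example (not Bumblebee's or Sophos's own code) that shows that rule in isolation. It assumes the publicly documented Sophos Central API shape: a client-credentials token from id.sophos.com, a whoami/v1 response carrying idType and apiHosts, the X-Tenant-ID / X-Partner-ID / X-Organization-ID headers, and the /partner/v1/tenants and /organization/v1/tenants listings; the canned responses in fake_transport are constructed for the offline demo.

```python
"""Added example: detect the Sophos credential type with whoami/v1 and derive the
base URL plus ID header for later calls. Not Bumblebee's code.

Assumed API shape (Sophos Central public API, see the Sophos Developer Portal):
  POST https://id.sophos.com/api/v2/oauth2/token   client_credentials grant, scope=token
  GET  https://api.central.sophos.com/whoami/v1    -> {"id", "idType", "apiHosts": {"global", "dataRegion"?}}
  GET  {global}/partner/v1/tenants                 -> {"items": [{"id", "apiHost", ...}]}
  GET  {global}/organization/v1/tenants            same shape for organization credentials
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib import parse, request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

# A transport is any callable (method, url, headers, body) -> parsed JSON dict.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> dict:
    """Real transport for live use; not exercised in the offline demo below."""
    req = request.Request(url, data=body, headers=headers, method=method)
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


@dataclass
class Principal:
    id: str
    id_type: str                 # "tenant" | "partner" | "organization"
    global_host: str
    data_region: Optional[str]   # present only for single-tenant credentials


def get_token(http: Transport, client_id: str, client_secret: str) -> str:
    body = parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                            "client_secret": client_secret, "scope": "token"}).encode()
    resp = http("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    return resp["access_token"]


def whoami(http: Transport, token: str) -> Principal:
    """The one call that tells us which kind of credential we hold; no tenant is picked up front."""
    resp = http("GET", WHOAMI_URL, {"Authorization": f"Bearer {token}"}, None)
    hosts = resp["apiHosts"]
    return Principal(resp["id"], resp["idType"], hosts["global"], hosts.get("dataRegion"))


def scope(p: Principal, token: str, tenant: Optional[dict] = None) -> Tuple[str, Dict[str, str]]:
    """Return (base_url, headers) for a call.

    tenant is a record from the tenant listing ({"id", "apiHost"}) and is required to reach
    tenant-scoped APIs (endpoint, common, ...) with partner or organization credentials.
    """
    headers = {"Authorization": f"Bearer {token}"}
    if p.id_type == "tenant":
        if tenant is not None and tenant["id"] != p.id:
            raise PermissionError("single-tenant credential cannot address another tenant")
        headers["X-Tenant-ID"] = p.id
        return p.data_region, headers          # single-tenant data lives in its own region host
    if p.id_type not in ("partner", "organization"):
        raise ValueError(f"unknown idType {p.id_type!r}")
    if tenant is None:
        # Partner/organization-level APIs are served from the global host.
        headers["X-Partner-ID" if p.id_type == "partner" else "X-Organization-ID"] = p.id
        return p.global_host, headers
    headers["X-Tenant-ID"] = tenant["id"]
    return tenant["apiHost"], headers          # tenant data lives on the tenant's regional host


def list_tenants(http: Transport, p: Principal, token: str) -> List[dict]:
    """Enumerate tenants for partner/organization credentials; single-tenant returns itself."""
    if p.id_type == "tenant":
        return [{"id": p.id, "apiHost": p.data_region}]
    base, headers = scope(p, token)
    path = "/partner/v1/tenants" if p.id_type == "partner" else "/organization/v1/tenants"
    resp = http("GET", base + path, headers, None)   # pagination omitted for brevity
    return resp["items"]


# Constructed offline stand-in for the API: canned responses for a partner credential.
_CANNED = {
    ("POST", TOKEN_URL): {"access_token": "tok-example", "expires_in": 3600},
    ("GET", WHOAMI_URL): {"id": "partner-0001", "idType": "partner",
                          "apiHosts": {"global": "https://api.central.sophos.com"}},
    ("GET", "https://api.central.sophos.com/partner/v1/tenants"): {"items": [
        {"id": "tenant-a", "apiHost": "https://api-eu01.central.sophos.com"},
        {"id": "tenant-b", "apiHost": "https://api-us03.central.sophos.com"}]},
}


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> dict:
    if url != TOKEN_URL and not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return _CANNED[(method, url)]


def demo() -> tuple:
    """Token -> whoami -> list tenants -> route a tenant-scoped call to tenant-a."""
    token = get_token(fake_transport, "client-id-placeholder", "client-secret-placeholder")
    p = whoami(fake_transport, token)
    tenants = list_tenants(fake_transport, p, token)
    base, headers = scope(p, token, tenants[0])
    return p.id_type, [t["id"] for t in tenants], base, headers["X-Tenant-ID"]


if __name__ == "__main__":
    print(demo())
```

Swap fake_transport for urllib_transport to run it against a real account; the point of the routing rule is that a single-tenant credential can never be pointed at another tenant, while a partner or organization credential has to go through the tenant listing first, which is why list_tenants is the first call for those credential types.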
Threat Hunting Queries
Each tool wraps the full Sophos async query lifecycle (submit → poll → results) in a single call.
- run_data_lake_query — Run ad-hoc SQL against the Sophos XDR Data Lake (historical endpoint telemetry, ~30 days). Requires an XDR license and a Management-role credential. Optional: tenant_id (str), from_date / to_date (str), run_id (str — resume a long-running query)
- run_live_discover_query — Run osquery SQL live on online endpoints (current processes, files, registry, installed software). Requires the Forensics role. Targeting is required: all_endpoints (bool), endpoint_ids (list), or hostname_contains (str)
- query_detections — Query XDR/MDR detections by time window and filters (severity, category, MITRE tactic, device, user). Optional: tenant_id (str), from_date / to_date (str), filters (dict)
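The "submit → poll → results" lifecycle that each threat-hunting tool wraps, and the run_id resume option on run_data_lake_query, look like this when written out. This is an added example, not Bumblebee's code. It assumes the XDR Data Lake query endpoints as documented on the Sophos Developer Portal (POST /xdr-query/v1/queries/runs, GET .../runs/{id}, GET .../runs/{id}/results) and the status values "pending", "started", "finished" and the terminal failure states; FakeDataLake and its result row are constructed so the block runs offline.

```python
"""Added example: submit -> poll -> results for a Sophos XDR Data Lake query, with a
wait budget and run_id resume. Not Bumblebee's code.

Assumed endpoint shape (Sophos XDR query API, check the developer portal):
  POST {base}/xdr-query/v1/queries/runs              body {"adHocQuery": {"template": sql}, "from": .., "to": ..}
  GET  {base}/xdr-query/v1/queries/runs/{id}         -> {"id", "status", ...}
  GET  {base}/xdr-query/v1/queries/runs/{id}/results -> {"items": [...]}
"""
import json
import time
from typing import Callable, Dict, Optional

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]
TERMINAL_FAILURES = {"failed", "canceled", "timedOut"}   # assumed terminal states


class QueryStillRunning(Exception):
    """Raised when the wait budget is exhausted; carries the run_id so the caller can resume."""
    def __init__(self, run_id: str):
        super().__init__(f"query {run_id} still running")
        self.run_id = run_id


def run_data_lake_query(http: Transport, base: str, headers: Dict[str, str], sql: str,
                        from_date: str, to_date: str, run_id: Optional[str] = None,
                        max_wait_s: float = 60.0, poll_s: float = 2.0,
                        sleep: Callable[[float], None] = time.sleep) -> dict:
    runs_url = f"{base}/xdr-query/v1/queries/runs"
    if run_id is None:
        # Step 1: submit the query; the API returns a run id immediately.
        body = json.dumps({"adHocQuery": {"template": sql}, "from": from_date, "to": to_date}).encode()
        run_id = http("POST", runs_url, {**headers, "Content-Type": "application/json"}, body)["id"]
    # Step 2: poll until the run reaches a terminal state or the budget runs out.
    deadline = time.monotonic() + max_wait_s
    while True:
        status = http("GET", f"{runs_url}/{run_id}", headers, None)["status"]
        if status == "finished":
            break
        if status in TERMINAL_FAILURES:
            raise RuntimeError(f"query {run_id} ended with status {status}")
        if time.monotonic() >= deadline:
            raise QueryStillRunning(run_id)   # resume later by passing run_id back in
        sleep(poll_s)
    # Step 3: fetch the result rows.
    results = http("GET", f"{runs_url}/{run_id}/results", headers, None)
    return {"run_id": run_id, "status": status, "items": results["items"]}


class FakeDataLake:
    """Constructed offline stand-in for the API: each poll advances a run one step."""
    def __init__(self, steps=("pending", "started", "finished")):
        self.steps = list(steps)
        self.polls: Dict[str, int] = {}

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> dict:
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("missing bearer token")
        parts = url.rstrip("/").split("/")
        if method == "POST":
            run_id = f"run-{len(self.polls) + 1}"
            self.polls[run_id] = 0
            return {"id": run_id, "status": self.steps[0]}
        if parts[-1] == "results":
            return {"items": [{"meta_hostname": "ws-01", "name": "example.exe"}]}   # constructed row
        run_id = parts[-1]
        i = self.polls.get(run_id, 0)
        self.polls[run_id] = i + 1
        return {"id": run_id, "status": self.steps[min(i, len(self.steps) - 1)]}


def demo() -> dict:
    api = FakeDataLake()
    headers = {"Authorization": "Bearer tok-example", "X-Tenant-ID": "tenant-a"}
    sql = "SELECT meta_hostname, name FROM xdr_data LIMIT 10"   # illustrative query text
    return run_data_lake_query(api, "https://api-eu01.central.sophos.com", headers, sql,
                               "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z", sleep=lambda s: None)


if __name__ == "__main__":
    print(demo())
```

The wait budget is what makes run_id worth exposing: an agent that hits the budget gets the id back in the exception and can hand it to the next call instead of resubmitting the same (possibly expensive) query.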
Response Actions (write)
Each mutation is a separate tool so workflows can grant exactly the actions they need. All require at least a Management-role credential.
- update_endpoints_isolation — Isolate or de-isolate endpoints from the network (incident containment). Required: enabled (bool), endpoint_ids (list)
- update_tamper_protection — Enable/disable tamper protection or rotate its password on an endpoint. Required: endpoint_id (str)
- run_endpoint_scan — Trigger a malware scan on an endpoint. Required: endpoint_id (str)
- run_endpoint_update_check — Tell an endpoint to check for Sophos agent updates now. Required: endpoint_id (str)
- create_allowed_item — Allow a detected item tenant-wide (false-positive handling) by path, SHA-256, or certificate signer. Required: item_type (str), comment (str)
- create_blocked_item — Block a file by SHA-256 tenant-wide. Required: sha256 (str), comment (str)
- create_blocked_addresses — Block IPs/domains tenant-wide (auto-expires, default 7 days). Required: addresses (list)
- create_scanning_exclusion / delete_scanning_exclusion — Add or remove a tenant-wide scanning exclusion (path, process, web, PUA, ...). Required: value + exclusion_type / exclusion_id
Endpoint Groups (write)
- create_endpoint_group / update_endpoint_group / delete_endpoint_group — Manage endpoint groups for policy assignment and organization. Required: name + group_type (computer or server) / group_id
- add_endpoints_to_group / remove_endpoints_from_group — Manage group membership. Required: group_id (str), endpoint_ids (list)
Partner Management (write, Partner credentials only)
- update_tenant — Rename a customer tenant's display name. Required: tenant_id (str), show_as (str)
- update_tenant_product_selection — Change a customer tenant's licensed products (affects billing for usage-billed tenants; supports a preview_only dry-run). Required: tenant_id (str), products (list)
Endpoint Migration (write, Partner/Organization Super Admin)
- create_migration_job / get_migration_job / list_migration_endpoints — Move endpoints between tenants via the two-step Sophos migration handshake, and track per-device status.
References: Sophos Developer Portal · Sophos Central API Community · Account Health Check