Automating Sophos Central Agent Policies Integration via Python

Hi everyone,

I'm currently working on automating the deployment of Sophos Central Agent policies using Python. My goal is to create policies and add integrations programmatically. However, I'm facing challenges with the structure of the API request for adding the Sophos Central policies integration.

Issue: The API expects a complex structure of parameters, and despite multiple attempts with various structures, I consistently encounter errors. The primary issue seems to revolve around the inputs parameter and the formatting of the client_id within the config object.

Attempts: I've tried different configurations for the request body, especially changing the format of inputs between an object and an array, and ensuring that client_id is a string. Despite these efforts, I keep running into the following error:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "[request body]: types that failed validation:
        - [request body.0.inputs.0.config.client_id]: could not parse object value from json input
        - [request body.1.inputs]: expected value of type [object] but got [Array]"
}

Request Structure: Here's an outline of my current request structure:

        data = {
            "name": "poc_sophos",
            "policy_id": policy_id,
            "package": {
                "name": "sophos_central",
                "version": "1.13.0"
            },
            "namespace": "sophos_poc",
            "inputs": [{
                "type": "sophos_central-httpjson",
                "enabled": True,
                "config": {
                    "client_id": str(client_id),
                    "client_secret": str(client_secret),
                    "tenant_id": str(tenant_id),
                    "request_url": str(request_url),
                    "token_url": str(token_url),
                    "proxy_url": None,
                    "ssl": None
                },
                "streams": [
                    {
                        "id": "sophos_central.alert",
                        "enabled": True,
                        "data": {
                            "http_client_timeout": "3000",
                            "interval": "60",
                            "initial_interval": "60",
                            "batch_size": 100,
                            "preserve_original_event": True,
                            "preserve_duplicate_custom_fields": True,
                            "tags": ["tag1", "tag2"]
                        }
                    },
                    {
                        "id": "sophos_central.event",
                        "enabled": True,
                        "data": {
                            "http_client_timeout": "3000",
                            "interval": "60",
                            "initial_interval": "60",
                            "batch_size": 100,
                            "preserve_original_event": True,
                            "preserve_duplicate_custom_fields": True,
                            "tags": ["tag1", "tag2"]
                        }
                    }
                ]
            }]
        }

Has anyone successfully automated this process and can share insights on the correct request structure?

Could the issue be due to API version changes or documentation inconsistencies?

Any suggestions for troubleshooting this issue further would be greatly appreciated.

Thank you in advance for your help and suggestions!

Issue Resolved.

For those of you interested in how to achieve this:

  1. Create a Sophos Central integration manually.

  2. Obtain the preview API request.

  3. Submit this request to DevTools.

  4. Extract and use the functional structure.
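The 400 response above names two rejected shapes: an array branch where `config.client_id` must be an object, and a branch where `inputs` must be an object rather than an array. The following is an added example, not code from the original posts or from the project: it reshapes the posted payload into the object-keyed branch and masks the secret before logging. It assumes inputs are keyed by their `type`, streams by their `id`, and settings sit under `vars`; verify these names against the preview request from step 2.

```python
import copy

def drop_none(d):
    """Omit unset settings (the post sends proxy_url/ssl as None)."""
    return {k: copy.deepcopy(v) for k, v in d.items() if v is not None}

def to_object_form(payload):
    """Reshape array-style `inputs` into an object keyed by input type.
    Assumption (not from the page): streams keyed by id, settings in `vars`."""
    out = {k: copy.deepcopy(v) for k, v in payload.items() if k != "inputs"}
    inputs = payload.get("inputs", {})
    if isinstance(inputs, dict):  # already object-shaped, pass through
        out["inputs"] = copy.deepcopy(inputs)
        return out
    out["inputs"] = {}
    for item in inputs:
        streams = {s["id"]: {"enabled": s.get("enabled", True),
                             "vars": drop_none(s.get("data", {}))}
                   for s in item.get("streams", [])}
        out["inputs"][item["type"]] = {
            "enabled": item.get("enabled", True),
            "vars": drop_none(item.get("config", {})),
            "streams": streams,
        }
    return out

def redacted(obj, secret_keys=("client_secret",)):
    """Return a copy that is safe to log: secret values are masked."""
    if isinstance(obj, dict):
        return {k: "***" if k in secret_keys else redacted(v, secret_keys)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redacted(v, secret_keys) for v in obj]
    return obj

# Constructed sample in the shape posted above; all values are placeholders.
SAMPLE = {
    "name": "poc_sophos", "policy_id": "POLICY_ID_PLACEHOLDER",
    "package": {"name": "sophos_central", "version": "1.13.0"},
    "namespace": "sophos_poc",
    "inputs": [{
        "type": "sophos_central-httpjson", "enabled": True,
        "config": {"client_id": "CLIENT_ID_PLACEHOLDER",
                   "client_secret": "SECRET_PLACEHOLDER", "proxy_url": None},
        "streams": [{"id": "sophos_central.alert", "enabled": True,
                     "data": {"interval": "60", "batch_size": 100}}],
    }],
}

if __name__ == "__main__":
    print(redacted(to_object_form(SAMPLE)))
```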
