check_sophos_central
Icinga check plugin for the status of alerts and endpoints over the API of the Sophos Central cloud service
Check the status of alerts and endpoints over the API of the Sophos Central cloud service.
The plugin currently checks the state of all alerts and endpoints within a single tenant; you need to supply API credentials (client ID and client secret) for that tenant.
Usage
Arguments:
--client-id string API Client ID (env:SOPHOS_CLIENT_ID)
--client-secret string API Client Secret (env:SOPHOS_CLIENT_SECRET)
--show-all List all non-ok endpoints
--page-size uint32 Amount of objects to fetch during each API call (default 100)
--exclude-alert stringArray Alerts to ignore. Can be used multiple times and supports regex.
--exclude-endpoint stringArray Endpoints to ignore. Can be used multiple times and supports regex.
--api string API Base URL (default "https://api.central.sophos.com")
-t, --timeout int Abort the check after n seconds (default 30)
-d, --debug Enable debug mode
-v, --verbose Enable verbose mode
-V, --version Print version and exit
Example
$ ./check_sophos_central --client-id efce870a-6c53-4a6b-8c49-864894b9d8ee --client-secret thatwouldbeagoodjoke
CRITICAL - alerts: 2 medium - endpoints: 2 good, 3 bad, 6 suspicious
## Alerts
2020-09-04 07:31 CEST [medium] TEST (server) PUA detected: 'PsExec' at 'E:\UserShares$\Max Mustermann\Desktop\PSTools.zip\PsExec.exe\FILE:0000'
2020-09-04 07:31 CEST [medium] TEST (server) PUA detected: 'PsKill' at 'E:\UserShares$\Max Mustermann\Desktop\PSTools.zip\pskill.exe'
## Endpoints
bad: HOST1, HOST2, HOST6
suspicious: HOST11, HOST12, HOST13, HOST14, HOST15, ...
| 'alerts'=0 'alerts_high'=0 'alerts_medium'=0 'alerts_low'=0 'endpoints_total'=11 'endpoints_good'=2 'endpoints_bad'=3 'endpoints_suspicious'=6 'endpoints_unknown'=0
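As an added illustration (not code from the check_sophos_central project), the following Go snippet models what the --exclude-alert / --exclude-endpoint options and the output line above imply: alert descriptions and endpoint names are matched against regex patterns, whatever survives is counted by severity and health, and an Icinga state plus a summary line with perfdata is produced. The Alert and Endpoint types, the Evaluate function and the state thresholds (bad endpoint or remaining alert is CRITICAL, suspicious or unknown endpoint is WARNING) are assumptions made for this example, since the page does not state the plugin's exact rules.

```go
package main

import (
	"fmt"
	"regexp"
)

// Simplified stand-ins (assumption) for the objects the plugin reads from the Sophos Central API.
type Alert struct{ Severity, Description string }
type Endpoint struct{ Name, Health string } // Health: good, bad, suspicious or unknown
const OK, WARNING, CRITICAL = 0, 1, 2     // Icinga exit codes

// excluded reports whether s matches one of the compiled --exclude-* regex patterns.
func excluded(s string, patterns []*regexp.Regexp) bool {
	for _, p := range patterns {
		if p.MatchString(s) {
			return true
		}
	}
	return false
}

// Evaluate applies the exclusions and derives the Icinga state plus the output line with perfdata.
// Thresholds are an assumption: a bad endpoint or any remaining alert is CRITICAL, suspicious/unknown WARNING.
func Evaluate(alerts []Alert, endpoints []Endpoint, exclAlert, exclEndpoint []*regexp.Regexp) (int, string) {
	sev, health := map[string]int{}, map[string]int{}
	for _, a := range alerts {
		if !excluded(a.Description, exclAlert) {
			sev[a.Severity]++
		}
	}
	for _, e := range endpoints {
		if !excluded(e.Name, exclEndpoint) {
			health[e.Health]++
		}
	}
	nAlerts := sev["high"] + sev["medium"] + sev["low"]
	state, name := OK, "OK"
	if health["suspicious"]+health["unknown"] > 0 {
		state, name = WARNING, "WARNING"
	}
	if health["bad"] > 0 || nAlerts > 0 {
		state, name = CRITICAL, "CRITICAL"
	}
	out := fmt.Sprintf("%s - alerts: %d medium - endpoints: %d good, %d bad, %d suspicious"+
		" | 'alerts'=%d 'alerts_high'=%d 'alerts_medium'=%d 'alerts_low'=%d 'endpoints_bad'=%d",
		name, sev["medium"], health["good"], health["bad"], health["suspicious"],
		nAlerts, sev["high"], sev["medium"], sev["low"], health["bad"])
	return state, out
}
```

Because an exclusion pattern silently removes findings from the check result, keep the patterns as narrow as the ones in the test below (a specific PUA name, an anchored host name) rather than broad wildcards.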
API Documentation
Full API documentation is available at developer.sophos.com.
License
Copyright (c) 2020 NETWAYS GmbH <info@netways.de>
Copyright (c) 2020 Markus Frosch <markus.frosch@netways.de>
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see gnu.org/licenses.