naftiko: 1.0.0-alpha2
info:
  label: Sophos Security Operations
  description: Unified capability for security operations using the Sophos Central SIEM API. Combines alert retrieval and event monitoring to support SOC analysts performing threat detection, incident triage, and security event analysis workflows.
  tags:
    - Sophos
    - Security Operations
    - SIEM
    - Threat Detection
    - Incident Response
    - Cybersecurity
  created: '2026-05-02'
  modified: '2026-05-06'
binds:
  - namespace: env
    keys:
      SOPHOS_API_KEY: SOPHOS_API_KEY
      SOPHOS_BEARER_TOKEN: SOPHOS_BEARER_TOKEN
capability:
  consumes:
    - type: http
      namespace: sophos-siem
      baseUri: https://api1.central.sophos.com/gateway
      description: Sophos Central SIEM API for retrieving security alerts and events
      authentication:
        type: apikey
        key: x-api-key
        value: '{{SOPHOS_API_KEY}}'
        placement: header
      resources:
        - name: alerts
          path: /siem/v1/alerts
          description: Security alerts from Sophos Central
          operations:
            - name: list-alerts
              method: GET
              description: Retrieve security alerts for the customer within the last 24 hours
              inputParameters:
                - name: cursor
                  in: query
                  type: string
                  required: false
                  description: Pagination cursor for next page of results
                - name: from_date
                  in: query
                  type: integer
                  required: false
                  description: Unix timestamp UTC specifying start date (within last 24 hours)
                - name: from_date_offset_minutes
                  in: query
                  type: integer
                  required: false
                  description: Delay data collection by X minutes
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Maximum alerts to return (default 200, max 1000)
                - name: Authorization
                  in: header
                  type: string
                  required: true
                  description: Bearer token for authentication
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: events
          path: /siem/v1/events
          description: Security events from Sophos Central
          operations:
            - name: list-events
              method: GET
              description: Retrieve security events for the customer within the last 24 hours
              inputParameters:
                - name: cursor
                  in: query
                  type: string
                  required: false
                  description: Pagination cursor for next page of results
                - name: from_date
                  in: query
                  type: integer
                  required: false
                  description: Unix timestamp UTC specifying start date
                - name: from_date_offset_minutes
                  in: query
                  type: integer
                  required: false
                  description: Delay data collection by X minutes
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Maximum events to return (default 200, max 1000)
                - name: exclude_types
                  in: query
                  type: string
                  required: false
                  description: Comma-separated event types to exclude
                - name: Authorization
                  in: header
                  type: string
                  required: true
                  description: Bearer token for authentication
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    - type: rest
      port: 8080
      namespace: sophos-security-ops-api
      description: Unified REST API for Sophos security operations including alerts and event monitoring.
      resources:
        - path: /v1/alerts
          name: alerts
          description: Security alerts from Sophos Central
          operations:
            - method: GET
              name: list-alerts
              description: List security alerts from Sophos Central within the last 24 hours
              call: sophos-siem.list-alerts
              with:
                cursor: rest.cursor
                from_date: rest.from_date
                limit: rest.limit
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/events
          name: events
          description: Security events from Sophos Central
          operations:
            - method: GET
              name: list-events
              description: List security events from Sophos Central within the last 24 hours
              call: sophos-siem.list-events
              with:
                cursor: rest.cursor
                from_date: rest.from_date
                exclude_types: rest.exclude_types
                limit: rest.limit
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9090
      namespace: sophos-security-ops-mcp
      transport: http
      description: MCP server for AI-assisted security operations using Sophos Central SIEM.
      tools:
        - name: list-security-alerts
          description: Retrieve security alerts from Sophos Central. Use for threat detection, incident triage, and monitoring active security events. Supports cursor pagination and date filtering.
          hints:
            readOnly: true
            openWorld: true
          call: sophos-siem.list-alerts
          with:
            cursor: tools.cursor
            from_date: tools.from_date
            limit: tools.limit
          outputParameters:
            - type: object
              mapping: $.
        - name: list-security-events
          description: Retrieve security events from Sophos Central. Use for SIEM integration, log analysis, and security monitoring. Supports filtering by event type exclusions and date ranges.
          hints:
            readOnly: true
            openWorld: true
          call: sophos-siem.list-events
          with:
            cursor: tools.cursor
            from_date: tools.from_date
            exclude_types: tools.exclude_types
            limit: tools.limit
          outputParameters:
            - type: object
              mapping: $.