# Sophos Central MCP Server
For MSP/MSSP teams: Manage endpoint security, email threats, and firewall policy across all your Sophos tenants through natural language. Ask Claude to investigate an alert, isolate a host, run Live Discover queries, and correlate with XDR data — without leaving your AI workflow.
## Overview
A Model Context Protocol (MCP) server for the Sophos Central API, enabling AI-powered security operations through Claude and other MCP-compatible clients. Designed for MSP/MSSP environments with Partner Super Admin credentials, it provides multi-tenant management across all customer tenants from a single server instance — covering endpoint protection, threat detection, Live Discover forensics, XDR hunting, email security, firewall management, and more.
Related MCP server: SOAR MCP Server
## Features

- **334 tools across 33 API domains** — comprehensive Sophos Central API coverage
- **Multi-tenant MSSP support** — enumerate and target any customer tenant via Partner Super Admin credentials
- **Endpoint isolation and investigation** — isolate endpoints, check tamper protection, trigger scans
- **Alert triage** — list, filter, acknowledge, and action Sophos alerts across tenants
- **Live Discover SQL queries** — run real-time forensic SQL queries directly on managed endpoints
- **XDR Data Lake hunting** — historical threat hunting with SQL against the Sophos XDR data lake
- **Threat detections** — query, group, and count behavioral detections
- **Case management** — create and manage investigation cases end-to-end
- **Email security** — quarantine management, mailbox listing, post-delivery message clawback
- **Firewall management** — CRUD operations, group management, firmware upgrades
- **DNS protection** — location policies, custom domain allow/block lists
- **SOC playbooks** — built-in `sophos_playbook_*` tools for guided IR and threat hunting workflows
- **Three transport modes** — stdio (Claude Desktop), SSE, and Streamable HTTP (Claude Code)
- **Automatic OAuth2 token management** — token refresh with no manual intervention
- **Regional routing** — requests automatically routed to the correct data region (US, EU, CA, AU, JP, BR)
## Prerequisites

- Node.js v18 or later (native `fetch` support required)
- npm v8 or later
- Sophos Central Partner Super Admin API credentials — see Configuration for how to create these
## Installation

```bash
git clone https://github.com/your-org/sophos-central-mcp.git
cd sophos-central-mcp
npm install
npm run build
```

## Configuration
### 1. Create a .env file

```bash
cp .env.example .env
```

Edit `.env` with your credentials:

```bash
# Required
SOPHOS_CLIENT_ID=your-client-id-here
SOPHOS_CLIENT_SECRET=your-client-secret-here

# Optional — transport mode: stdio | sse | streamable-http (default: stdio)
MCP_TRANSPORT=stdio

# Optional — host for HTTP transports (default: 127.0.0.1)
MCP_HOST=127.0.0.1

# Optional — port for HTTP transports (default: 3001)
MCP_PORT=3001
```

### 2. Create API Credentials in Sophos Central
1. Log in to Sophos Central Partner Dashboard
2. Navigate to Settings & Policies → API Credentials Management
3. Click Add Credential
4. Set the role to Service Principal Super Admin
5. Copy the Client ID and Client Secret — the secret is displayed only once

| Variable | Required | Description |
|---|---|---|
| `SOPHOS_CLIENT_ID` | Yes | Partner Super Admin Client ID from Sophos Central |
| `SOPHOS_CLIENT_SECRET` | Yes | Corresponding client secret |
| `MCP_TRANSPORT` | No | Transport mode: `stdio`, `sse`, or `streamable-http` (default: `stdio`) |
| `MCP_HOST` | No | Bind host for HTTP transports (default: `127.0.0.1`) |
| `MCP_PORT` | No | Port for HTTP transports (default: `3001`) |
## Claude Code Integration (HTTP Mode)
HTTP mode is recommended for Claude Code — it supports concurrent sessions and does not require restarting the server between conversations.
Start the server:

```bash
MCP_TRANSPORT=streamable-http MCP_PORT=3001 node build/index.js
```

Or set `MCP_TRANSPORT=streamable-http` in your `.env` and run:

```bash
node build/index.js
```

Add to your Claude Code MCP configuration (`.claude/settings.json` or global settings):

```json
{
  "mcpServers": {
    "sophos-mcp": {
      "type": "http",
      "url": "http://localhost:3001/mcp"
    }
  }
}
```

A `/health` endpoint is available at `http://localhost:3001/health` for liveness checks.
## Claude Desktop Integration (stdio Mode)
stdio mode is the standard transport for Claude Desktop. The server process is managed by Claude Desktop directly.
Add to your Claude Desktop MCP configuration (`claude_desktop_config.json`):

```json
{
  "mcpServers": {
    "sophos-mcp": {
      "command": "node",
      "args": ["/path/to/sophos-central-mcp/build/index.js"],
      "env": {
        "SOPHOS_CLIENT_ID": "your-client-id",
        "SOPHOS_CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}
```

Replace `/path/to/sophos-central-mcp` with the absolute path to your cloned repository.
## SSE Mode

SSE (Server-Sent Events) mode is available for legacy MCP clients that do not support Streamable HTTP.

```bash
MCP_TRANSPORT=sse MCP_PORT=3001 node build/index.js
```

The SSE endpoint is available at `http://localhost:3001/sse`.
## Tool Domains

| Domain | Tools | Description |
|---|---|---|
| Alerts | 5 | List, get, acknowledge, and action Sophos alerts |
| Endpoint | 26 | Isolation, tamper protection, scans, migrations, bulk operations |
| Detections | 7 | Query-based behavioral detection search, grouping, and counts |
| Live Discover | 11 | Real-time forensic SQL queries on managed endpoints |
| XDR | 10 | Historical SQL hunting against the Sophos XDR Data Lake |
| Cases | 9 | Investigation case create, read, update, close, and evidence management |
| Partner | 23 | Tenant enumeration, admins, roles, billing, permission sets |
| Organization | 2 | Tenant listing for organization-type accounts |
| Policy | 7 | Full CRUD for all Sophos policy types |
| Group | 8 | Endpoint group CRUD and member management |
| SIEM | 2 | Events and alerts export for SIEM integration |
| Firewall | 20 | Firewall CRUD, group management, firmware upgrades |
| DNS Protection | 15 | Locations, policies, custom domain allow/block lists |
| Email | 31 | Quarantine management, mailboxes, post-delivery message clawback |
| Directory | 15 | User and user group full CRUD |
| Settings | 16 | Tamper protection, exclusions, web control, endpoint tags |
| Allowed/Blocked | 12 | SHA256 hash, certificate, and path allow/block lists |
| Exploit Mitigation | 8 | Application-level exploit protection exclusions |
| IPS Exclusion | 10 | Network IPS and isolation exclusion management |
| Tenant Admin | 14 | Tenant admin CRUD, role assignments, custom roles |
| Account Health | 4 | Health check reports, snooze, and historical health scores |
| Account Management | 4 | Account-level settings and license management |
| Audit Events | 2 | Audit log retrieval for compliance and governance |
| Business Automation | 3 | Automation rules and business logic configuration |
| Licensing | 2 | License entitlement and usage queries |
| Mobile | 38 | Mobile device management — enrollment, policies, device actions |
| Cloud Security | 6 | Cloud workload protection posture and findings |
| Software | 9 | Installer downloads, software inventory, packages |
| Switch | 3 | Network switch management |
| WiFi | 3 | Wireless network management |
| User Activity | 2 | User activity reporting and session data |
| Playbooks | 5 | SOC incident response and threat hunting workflow guides |
| Auth | 2 | OAuth2 authentication and WhoAmI identity discovery |
## MSSP Multi-Tenant Support
The server is built around Sophos Partner Super Admin credentials, which have visibility across all managed customer tenants.
How it works:

- On startup, the server authenticates to Sophos Central using your Partner credentials and discovers your organization type (partner or organization).
- Use `sophos_list_tenants` (or `sophos_list_org_tenants` for organization accounts) to enumerate all managed tenants and their IDs.
- Pass the `tenantId` parameter to any tenant-scoped tool to target a specific customer environment.
- All API calls are automatically routed to the correct regional endpoint (US, EU, CA, AU, JP, BR) based on the tenant's data residency.
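
The startup flow just described, written out as an added example (this is not the project's own `auth-manager.ts` or `tenant-router.ts`): an OAuth2 client-credentials token that is renewed shortly before expiry, WhoAmI identity discovery, paged tenant enumeration, and per-tenant regional routing with the `X-Tenant-ID` header. The endpoint paths, headers and JSON field names are my reading of the public Sophos Central API and should be verified against the current documentation; `SophosClient`, `routeTenantRequest`, `constructedFetch` and `demo` are names chosen here, and the two tenants in `constructedFetch` are constructed sample data so the flow runs offline.

```typescript
// Added example (not the project's auth-manager.ts / tenant-router.ts): token refresh,
// WhoAmI discovery, tenant enumeration and regional routing as a minimal client. Paths,
// headers and JSON shapes are my reading of the public Sophos Central API; verify them.
type Json = any;
type FetchLike = (url: string, init?: { method?: string; headers?: Record<string, string>; body?: string })
  => Promise<{ ok: boolean; status: number; json(): Promise<Json> }>;
export interface Token { accessToken: string; expiresAt: number } // expiresAt in epoch ms
export interface Tenant { id: string; name: string; dataRegion: string; apiHost: string }
interface Identity { id: string; idType: "partner" | "organization" | "tenant"; apiHosts: { global: string } }

const TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token";
const GLOBAL_HOST = "https://api.central.sophos.com";
const REFRESH_MARGIN_MS = 60_000; // renew a minute early so a token never expires mid-request

// Pure check: refresh when there is no token yet or expiry is inside the safety margin.
export function tokenNeedsRefresh(token: Token | undefined, nowMs: number): boolean {
  return token === undefined || nowMs + REFRESH_MARGIN_MS >= token.expiresAt;
}

// Pure routing: a tenant-scoped call goes to that tenant's regional host with X-Tenant-ID.
// An unknown id throws instead of silently falling back to the global host.
export function routeTenantRequest(tenants: Map<string, Tenant>, tenantId: string, path: string) {
  const t = tenants.get(tenantId);
  if (!t) throw new Error(`unknown tenantId ${tenantId}; enumerate tenants first`);
  return { url: `${t.apiHost}${path}`, headers: { "X-Tenant-ID": t.id } };
}

export class SophosClient {
  private token?: Token;
  private identity?: Identity;
  readonly tenants = new Map<string, Tenant>();
  private readonly clientId: string;
  private readonly clientSecret: string;
  private readonly fetchFn: FetchLike; // injected so the flow can run offline
  private readonly now: () => number;
  constructor(clientId: string, clientSecret: string, fetchFn: FetchLike, now: () => number = Date.now) {
    this.clientId = clientId; this.clientSecret = clientSecret; this.fetchFn = fetchFn; this.now = now;
  }

  // OAuth2 client-credentials grant, cached until shortly before expiry.
  async accessToken(): Promise<string> {
    if (tokenNeedsRefresh(this.token, this.now())) {
      const body = new URLSearchParams({ grant_type: "client_credentials", client_id: this.clientId,
        client_secret: this.clientSecret, scope: "token" }).toString();
      const res = await this.fetchFn(TOKEN_URL, { method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" }, body });
      if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
      const j = await res.json();
      this.token = { accessToken: j.access_token, expiresAt: this.now() + j.expires_in * 1000 };
    }
    return this.token!.accessToken;
  }

  private async get(url: string, extra: Record<string, string> = {}): Promise<Json> {
    const headers = { Authorization: `Bearer ${await this.accessToken()}`, ...extra };
    const res = await this.fetchFn(url, { headers });
    if (!res.ok) throw new Error(`GET ${url} failed: HTTP ${res.status}`);
    return res.json();
  }

  // Step 1: what kind of credential is this (partner / organization / tenant)?
  async whoAmI(): Promise<Identity> {
    this.identity ??= await this.get(`${GLOBAL_HOST}/whoami/v1`);
    return this.identity!;
  }

  // Step 2: enumerate managed tenants, walking every page of the listing.
  async listTenants(): Promise<Tenant[]> {
    const me = await this.whoAmI();
    const [path, header] = me.idType === "partner"
      ? ["/partner/v1/tenants", "X-Partner-ID"] : ["/organization/v1/tenants", "X-Organization-ID"];
    for (let page = 1, total = 1; page <= total; page++) {
      const j = await this.get(`${GLOBAL_HOST}${path}?page=${page}&pageTotal=true`, { [header]: me.id });
      total = j.pages?.total ?? 1;
      for (const t of j.items) this.tenants.set(t.id, { id: t.id, name: t.name, dataRegion: t.dataRegion, apiHost: t.apiHost });
    }
    return Array.from(this.tenants.values());
  }

  // Step 3: a tenant-scoped read such as "/common/v1/alerts", routed to the right region.
  async tenantGet(tenantId: string, path: string): Promise<Json> {
    const r = routeTenantRequest(this.tenants, tenantId, path);
    return this.get(r.url, r.headers);
  }
}

// Constructed offline stand-in for fetch: one partner credential managing two tenants in two
// regions. Only the fields the client reads are modelled; real responses carry more.
export function constructedFetch(): FetchLike {
  return async (url, init) => {
    const reply = (body: Json) => ({ ok: true, status: 200, json: async () => body });
    if (url === TOKEN_URL) return reply({ access_token: "tok-1", expires_in: 3600, token_type: "bearer" });
    if (url.endsWith("/whoami/v1")) return reply({ id: "partner-1", idType: "partner", apiHosts: { global: GLOBAL_HOST } });
    if (url.includes("/partner/v1/tenants")) return reply({ items: [
      { id: "t-us", name: "Acme US", dataRegion: "us01", apiHost: "https://api-us01.central.sophos.com" },
      { id: "t-eu", name: "Acme EU", dataRegion: "eu01", apiHost: "https://api-eu01.central.sophos.com" },
    ], pages: { current: 1, total: 1 } });
    return reply({ routedTo: url, tenantHeader: init?.headers?.["X-Tenant-ID"] ?? null, items: [] }); // echo routing
  };
}

// Stand-alone demo: one routed call per discovered tenant; returns tenantId -> URL that was used.
export async function demo(): Promise<Record<string, string>> {
  const client = new SophosClient("client-id", "client-secret", constructedFetch());
  const routed: Record<string, string> = {};
  for (const t of await client.listTenants()) routed[t.id] = (await client.tenantGet(t.id, "/common/v1/alerts")).routedTo;
  return routed;
}
```

The two pure functions carry the decisions that matter operationally: `tokenNeedsRefresh` renews inside a 60-second margin so a request never goes out with a token that expires in flight, and `routeTenantRequest` refuses an unknown tenant id rather than sending a partner-scoped request to the global host, which is the failure mode that quietly returns data from the wrong place.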
Example workflow:

1. `sophos_list_tenants` → get all tenant IDs and names
2. `sophos_list_alerts` → pass `tenantId` for a specific customer
3. `sophos_isolate_endpoint` → isolate an endpoint in that tenant
4. `sophos_live_discover_run_query` → run forensic SQL on the isolated host

## SOC Playbooks
The server ships with five built-in playbook tools that provide structured, step-by-step guidance for common SOC workflows. These are designed to be invoked at the start of an investigation to orient the response.
The five playbooks cover:

- End-to-end IR playbook: triage → scope → contain → remediate
- Hypothesis-driven and IOC-based threat hunting workflows
- MITRE ATT&CK technique-to-Sophos-tool mapping
- Reference guide for all 334 tools organized by SOC use case
- EDR-specific investigation playbook for endpoint detections
## SOC Quick Start
Once the server is connected to Claude, you can use natural language to drive security operations. Example prompts:
**Alert triage:**

"List all critical and high severity open alerts for tenant `<tenant-id>` from the last 24 hours, grouped by type."

**Endpoint investigation:**

"Isolate endpoint `<hostname>` in tenant `<tenant-id>`, then run a Live Discover SQL query to list all running processes and active network connections."

**XDR threat hunting:**

"Run an XDR Data Lake query against tenant `<tenant-id>` to find any PowerShell executions with encoded commands in the last 7 days."

**MSSP overview:**

"Enumerate all my managed tenants, then show me any tenants with open critical alerts."

**Email security:**

"Show me all quarantined messages for tenant `<tenant-id>` in the last 48 hours and release any flagged as false positives."
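
What the endpoint-investigation prompt above turns into on the API side, as an added example (not the project's `live-discover-tools.ts`): a Live Discover query is scheduled against chosen endpoints, polled with a capped exponential backoff until it reaches a terminal state or a deadline, and only then are the rows collected. The request paths, JSON shapes and status values are my reading of the Sophos Live Discover API and need checking against the current documentation; the SQL uses osquery's `processes` and `process_open_sockets` tables, which Live Discover exposes. `request` is an injected function assumed to be already authenticated and routed to the tenant's regional host, and `constructedRequest` returns constructed sample responses so the cycle runs offline.

```typescript
// Added example (not the project's live-discover-tools.ts): the run / poll / collect cycle
// of a Live Discover query. Paths, JSON shapes and status values are my reading of the
// Sophos API; `request` is an injected, already-authenticated, tenant-routed HTTP function.
export type HttpRequest = (method: "GET" | "POST", path: string, body?: unknown) => Promise<any>;

// Constructed query in osquery's schema: running processes joined to their open sockets,
// which is what "running processes and active network connections" asks for.
export const PROCESS_CONNECTIONS_SQL = `
SELECT p.pid, p.name, p.path, p.cmdline, s.remote_address, s.remote_port
FROM processes p JOIN process_open_sockets s USING (pid)
WHERE s.remote_address NOT IN ('', '0.0.0.0', '::')`.trim();

// Assumed terminal run states; anything else means "keep polling".
const TERMINAL = new Set(["finished", "failed", "canceled", "timedOut"]);
export const isTerminal = (status: string): boolean => TERMINAL.has(status);

// Wait before the n-th poll: 500 ms doubling, capped at 5 s, so a slow query does not
// hammer the API while a fast one is still collected promptly.
export const backoffMs = (attempt: number): number => Math.min(500 * 2 ** attempt, 5000);

export interface RunOptions { maxWaitMs: number; sleep: (ms: number) => Promise<void>; now: () => number }
const defaults: RunOptions = {
  maxWaitMs: 120_000,
  sleep: ms => new Promise<void>(resolve => setTimeout(resolve, ms)),
  now: Date.now,
};

export async function runLiveDiscover(request: HttpRequest, endpointIds: string[], sql: string,
                                      opts: Partial<RunOptions> = {}) {
  const o = { ...defaults, ...opts };
  // 1. Schedule an ad hoc query against the selected endpoints.
  const run = await request("POST", "/live-discover/v1/queries/runs", {
    adHocQuery: { name: "mcp-example-query", template: sql },
    matchEndpoints: { filters: [{ ids: endpointIds }] },
  });
  // 2. Poll the run until it reaches a terminal state or the deadline passes.
  const deadline = o.now() + o.maxWaitMs;
  let status: string = run.status;
  for (let attempt = 0; !isTerminal(status); attempt++) {
    if (o.now() > deadline) throw new Error(`run ${run.id} still "${status}" after ${o.maxWaitMs} ms`);
    await o.sleep(backoffMs(attempt));
    status = (await request("GET", `/live-discover/v1/queries/runs/${run.id}`)).status;
  }
  if (status !== "finished") throw new Error(`run ${run.id} ended with status "${status}"`);
  // 3. Collect the rows; a real caller would walk `pages` when there are many results.
  const results = await request("GET", `/live-discover/v1/queries/runs/${run.id}/results`);
  return { runId: run.id as string, status, rows: (results.items ?? []) as Record<string, unknown>[] };
}

// Constructed offline stand-in for the request function: the run is "pending" on creation,
// "started" on the first poll and "finished" on the second, with one constructed result row.
export function constructedRequest(): HttpRequest {
  let polls = 0;
  return async (method, path) => {
    if (method === "POST") return { id: "run-1", status: "pending" };
    if (path.endsWith("/results")) return { items: [
      { endpointId: "ep-1", pid: 4242, name: "updater.exe", path: "C:\\Temp\\updater.exe",
        cmdline: "updater.exe -q", remote_address: "203.0.113.5", remote_port: 443 } ] };
    return { id: "run-1", status: ++polls < 2 ? "started" : "finished" };
  };
}

// Stand-alone demo with no real waiting: the sleep is replaced by a no-op.
export async function demo() {
  return runLiveDiscover(constructedRequest(), ["ep-1"], PROCESS_CONNECTIONS_SQL, { sleep: async () => {} });
}
```

The deadline and the explicit check for `"finished"` are the two pieces an AI-driven tool most needs: without them a query that never completes on an offline endpoint either blocks the conversation indefinitely or returns an empty result set that reads as "nothing found".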
## Development

```bash
# Run with hot-reload (no build step required)
npm run dev

# Build TypeScript to JavaScript
npm run build

# Run the built server
npm start

# Inspect tools interactively with MCP Inspector
npx @modelcontextprotocol/inspector node build/index.js
```

## Project Structure
```text
src/
├── index.ts                  # Entry point — transport setup, registers all 33 modules
├── config.ts                 # Environment variable validation
├── auth/
│   └── auth-manager.ts       # OAuth2 token management with auto-refresh
├── client/
│   ├── sophos-client.ts      # HTTP client (retry, rate limiting, backoff)
│   └── tenant-router.ts      # Tenant → regional API host mapping
├── tools/                    # 33 tool files, 334 tools total
│   ├── auth-tools.ts                 # 2 tools
│   ├── partner-tools.ts              # 23 tools
│   ├── organization-tools.ts         # 2 tools
│   ├── endpoint-tools.ts             # 26 tools
│   ├── group-tools.ts                # 8 tools
│   ├── policy-tools.ts               # 7 tools
│   ├── alert-tools.ts                # 5 tools
│   ├── detections-tools.ts           # 7 tools
│   ├── siem-tools.ts                 # 2 tools
│   ├── xdr-tools.ts                  # 10 tools
│   ├── live-discover-tools.ts        # 11 tools
│   ├── firewall-tools.ts             # 20 tools
│   ├── dns-protection-tools.ts       # 15 tools
│   ├── email-tools.ts                # 31 tools
│   ├── directory-tools.ts            # 15 tools
│   ├── settings-tools.ts             # 16 tools
│   ├── allowed-blocked-tools.ts      # 12 tools
│   ├── exploit-mitigation-tools.ts   # 8 tools
│   ├── ips-exclusion-tools.ts        # 10 tools
│   ├── tenant-admin-tools.ts         # 14 tools
│   ├── account-health-tools.ts       # 4 tools
│   ├── cases-tools.ts                # 9 tools
│   ├── software-tools.ts             # 9 tools
│   ├── audit-events-tools.ts         # 2 tools
│   ├── business-automation-tools.ts  # 3 tools
│   ├── licensing-tools.ts            # 2 tools
│   ├── mobile-tools.ts               # 38 tools
│   ├── switch-tools.ts               # 3 tools
│   ├── wifi-tools.ts                 # 3 tools
│   ├── cloud-security-tools.ts       # 6 tools
│   ├── user-activity-tools.ts        # 2 tools
│   ├── account-management-tools.ts   # 4 tools
│   └── playbook-tools.ts             # 5 tools
└── types/
    └── sophos-types.ts       # TypeScript interfaces for all Sophos API types
```

## Security Considerations
- **Credential handling** — API credentials are read from environment variables at startup and are never logged or transmitted except to the Sophos authentication endpoint. Do not commit `.env` files to source control; `.env` is listed in `.gitignore`.
- **Partner Super Admin scope** — these credentials have read/write access across all managed tenants. Treat them with the same care as privileged service account credentials. Rotate them immediately if compromised.
- **Read-only operations where possible** — where your use case only requires visibility (alert triage, threat hunting, reporting), consider creating a separate credential with a more restricted role. Partner Super Admin is required only for write operations (isolation, policy changes, user management).
- **Network binding** — HTTP transports default to `127.0.0.1`. Do not expose the MCP server port publicly. If you need remote access, put it behind an authenticated reverse proxy or use a VPN.
- **Audit trail** — all Sophos API calls made through this server are logged in Sophos Central's audit events, attributable to the API credential used.
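
The credential-handling and network-binding points above, enforced at startup, as an added example (this is not the project's `config.ts`): required variables are checked, the transport must be one of the documented values, an HTTP transport refuses to bind to a non-loopback address unless the operator opts in, and the secret is masked in anything that gets logged. `loadConfig`, `redactConfig` and `scrubSecrets` are names chosen here, and `MCP_ALLOW_REMOTE_BIND` is an assumed opt-in flag, not a setting the project documents.

```typescript
// Added example (not the project's config.ts): a startup loader that enforces the
// documented defaults and binding advice. MCP_ALLOW_REMOTE_BIND is an assumed flag.
export type Transport = "stdio" | "sse" | "streamable-http";
export interface Config { clientId: string; clientSecret: string; transport: Transport; host: string; port: number }

const TRANSPORTS: readonly string[] = ["stdio", "sse", "streamable-http"];
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

export function loadConfig(env: Record<string, string | undefined>): Config {
  const clientId = env.SOPHOS_CLIENT_ID?.trim();
  const clientSecret = env.SOPHOS_CLIENT_SECRET?.trim();
  if (!clientId || !clientSecret) throw new Error("SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET are required");

  const transport = env.MCP_TRANSPORT ?? "stdio";
  if (TRANSPORTS.indexOf(transport) === -1) throw new Error(`MCP_TRANSPORT must be one of ${TRANSPORTS.join(" | ")}`);

  const host = env.MCP_HOST ?? "127.0.0.1";
  const port = Number(env.MCP_PORT ?? "3001");
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error("MCP_PORT must be an integer in 1-65535");

  // The server has no authentication of its own, so an HTTP transport on a non-loopback
  // address is refused unless explicitly requested (and then belongs behind an authenticated proxy).
  if (transport !== "stdio" && !LOOPBACK.has(host) && env.MCP_ALLOW_REMOTE_BIND !== "true") {
    throw new Error(`refusing to bind ${transport} transport to ${host}; keep it on 127.0.0.1, ` +
      "or set MCP_ALLOW_REMOTE_BIND=true only behind an authenticated reverse proxy or VPN");
  }
  return { clientId, clientSecret, transport: transport as Transport, host, port };
}

// A copy of the config that is safe to log: the secret is masked, everything else is kept.
export function redactConfig(cfg: Config): Record<string, unknown> {
  return { ...cfg, clientSecret: "***" };
}

// Defensive scrub for error text: if an upstream error echoed a secret or a bearer token,
// mask it before the message reaches a log line or an MCP tool result.
export function scrubSecrets(text: string, secrets: string[]): string {
  return secrets.filter(s => s.length > 0).reduce((acc, s) => acc.split(s).join("[REDACTED]"), text);
}

// Usage at startup (not run here): const cfg = loadConfig(process.env); console.error(redactConfig(cfg));
```

Note that stdio mode is exempt from the binding check because the process is spawned and owned by the MCP client (Claude Desktop) and never opens a listening socket.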
## Related MCP Servers
These three servers cover complementary layers of a security stack — network/log (AlertLogic), endpoint protection (Sophos), and EDR/threat intel (CrowdStrike). Use them together for full-stack AI-powered SOC operations.
- **CrowdStrike Falcon** — EDR telemetry, RTR, threat intel, MSSP Flight Control, 1,296 tools
- **Sophos Central** — Endpoint isolation, Live Discover SQL, XDR, email/firewall/DNS, 334 tools
- **Alert Logic MDR** — Incident response, SQL log search, SOAR, vulnerability management, 473 tools
## License
MIT