sophos_start_detections_query
Start an asynchronous detection query to retrieve security events from a Sophos tenant. Specify time range, severity, or detection rule; then poll status to obtain results.
Instructions
Start an async detections query run. Returns a run ID. Poll sophos_get_detections_query_status until status is 'finished', then retrieve results with sophos_get_detections_query_results.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| sort | No | Sort order for results. E.g. [{field: 'severity', direction: 'desc'}] | |
| to_date | No | End of the time range in ISO 8601 format | |
| severity | No | Array of integer severity scores to filter on (1–10). E.g. [7,8,9,10] for high severity. | |
| from_date | No | Start of the time range in ISO 8601 format (e.g. '2024-01-01T00:00:00.000Z') | |
| tenant_id | Yes | Tenant UUID | |
| detection_rule | No | Filter by a specific detection rule ID (e.g. 'WIN-PROT-BEHAVIORAL-MALWARE-EXEC-12B-T1059-001') | |