Sophos Central MCP Server

Sophos Central MCP Server

Enables AI-powered security operations through natural language, managing endpoint security, email threats, firewall policy, and more across multiple Sophos tenants with 334 tools, designed for MSP/MSSP teams.

Category
Visit Server

README

Sophos Central MCP Server

Node.js License MCP Protocol Tools GitHub Stars

For MSP/MSSP teams: Manage endpoint security, email threats, and firewall policy across all your Sophos tenants through natural language. Ask Claude to investigate an alert, isolate a host, run Live Discover queries, and correlate with XDR data — without leaving your AI workflow.

Overview

A Model Context Protocol (MCP) server for the Sophos Central API, enabling AI-powered security operations through Claude and other MCP-compatible clients. Designed for MSP/MSSP environments with Partner Super Admin credentials, it provides multi-tenant management across all customer tenants from a single server instance — covering endpoint protection, threat detection, Live Discover forensics, XDR hunting, email security, firewall management, and more.

Features

  • 334 tools across 33 API domains — comprehensive Sophos Central API coverage
  • Multi-tenant MSSP support — enumerate and target any customer tenant via Partner Super Admin credentials
  • Endpoint isolation and investigation — isolate endpoints, check tamper protection, trigger scans
  • Alert triage — list, filter, acknowledge, and action Sophos alerts across tenants
  • Live Discover SQL queries — run real-time forensic SQL queries directly on managed endpoints
  • XDR Data Lake hunting — historical threat hunting with SQL against the Sophos XDR data lake
  • Threat detections — query, group, and count behavioral detections
  • Case management — create and manage investigation cases end-to-end
  • Email security — quarantine management, mailbox listing, post-delivery message clawback
  • Firewall management — CRUD operations, group management, firmware upgrades
  • DNS protection — location policies, custom domain allow/block lists
  • SOC playbooks — built-in sophos_playbook_* tools for guided IR and threat hunting workflows
  • Three transport modes — stdio (Claude Desktop), SSE, and Streamable HTTP (Claude Code)
  • Automatic OAuth2 token management — token refresh with no manual intervention
  • Regional routing — requests automatically routed to the correct data region (US, EU, CA, AU, JP, BR)

Prerequisites

  • Node.js v18 or later (native fetch support required)
  • npm v8 or later
  • Sophos Central Partner Super Admin API credentials — see Configuration for how to create these

Installation

git clone https://github.com/your-org/sophos-central-mcp.git
cd sophos-central-mcp
npm install
npm run build

Configuration

1. Create a .env file

cp .env.example .env

Edit .env with your credentials:

# Required
SOPHOS_CLIENT_ID=your-client-id-here
SOPHOS_CLIENT_SECRET=your-client-secret-here

# Optional — transport mode: stdio | sse | streamable-http (default: stdio)
MCP_TRANSPORT=stdio

# Optional — host for HTTP transports (default: 127.0.0.1)
MCP_HOST=127.0.0.1

# Optional — port for HTTP transports (default: 3001)
MCP_PORT=3001

2. Create API Credentials in Sophos Central

  1. Log in to Sophos Central Partner Dashboard
  2. Navigate to Settings & PoliciesAPI Credentials Management
  3. Click Add Credential
  4. Set the role to Service Principal Super Admin
  5. Copy the Client ID and Client Secret — the secret is displayed only once
Variable Required Description
SOPHOS_CLIENT_ID Yes Partner Super Admin Client ID from Sophos Central
SOPHOS_CLIENT_SECRET Yes Corresponding client secret
MCP_TRANSPORT No Transport mode: stdio, sse, or streamable-http (default: stdio)
MCP_HOST No Bind host for HTTP transports (default: 127.0.0.1)
MCP_PORT No Port for HTTP transports (default: 3001)

Claude Code Integration (HTTP Mode)

HTTP mode is recommended for Claude Code — it supports concurrent sessions and does not require restarting the server between conversations.

Start the server:

MCP_TRANSPORT=streamable-http MCP_PORT=3001 node build/index.js

Or set MCP_TRANSPORT=streamable-http in your .env and run:

node build/index.js

Add to your Claude Code MCP configuration (.claude/settings.json or global settings):

{
  "mcpServers": {
    "sophos-mcp": {
      "type": "http",
      "url": "http://localhost:3001/mcp"
    }
  }
}

A /health endpoint is available at http://localhost:3001/health for liveness checks.

Claude Desktop Integration (stdio Mode)

stdio mode is the standard transport for Claude Desktop. The server process is managed by Claude Desktop directly.

Add to your Claude Desktop MCP configuration (claude_desktop_config.json):

{
  "mcpServers": {
    "sophos-mcp": {
      "command": "node",
      "args": ["/path/to/sophos-central-mcp/build/index.js"],
      "env": {
        "SOPHOS_CLIENT_ID": "your-client-id",
        "SOPHOS_CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}

Replace /path/to/sophos-central-mcp with the absolute path to your cloned repository.

SSE Mode

SSE (Server-Sent Events) mode is available for legacy MCP clients that do not support Streamable HTTP.

MCP_TRANSPORT=sse MCP_PORT=3001 node build/index.js

The SSE endpoint is available at http://localhost:3001/sse.

Tool Domains

Domain Tools Description
Alerts 5 List, get, acknowledge, and action Sophos alerts
Endpoint 26 Isolation, tamper protection, scans, migrations, bulk operations
Detections 7 Query-based behavioral detection search, grouping, and counts
Live Discover 11 Real-time forensic SQL queries on managed endpoints
XDR 10 Historical SQL hunting against the Sophos XDR Data Lake
Cases 9 Investigation case create, read, update, close, and evidence management
Partner 23 Tenant enumeration, admins, roles, billing, permission sets
Organization 2 Tenant listing for organization-type accounts
Policy 7 Full CRUD for all Sophos policy types
Group 8 Endpoint group CRUD and member management
SIEM 2 Events and alerts export for SIEM integration
Firewall 20 Firewall CRUD, group management, firmware upgrades
DNS Protection 15 Locations, policies, custom domain allow/block lists
Email 31 Quarantine management, mailboxes, post-delivery message clawback
Directory 15 User and user group full CRUD
Settings 16 Tamper protection, exclusions, web control, endpoint tags
Allowed/Blocked 12 SHA256 hash, certificate, and path allow/block lists
Exploit Mitigation 8 Application-level exploit protection exclusions
IPS Exclusion 10 Network IPS and isolation exclusion management
Tenant Admin 14 Tenant admin CRUD, role assignments, custom roles
Account Health 4 Health check reports, snooze, and historical health scores
Account Management 4 Account-level settings and license management
Audit Events 2 Audit log retrieval for compliance and governance
Business Automation 3 Automation rules and business logic configuration
Licensing 2 License entitlement and usage queries
Mobile 38 Mobile device management — enrollment, policies, device actions
Cloud Security 6 Cloud workload protection posture and findings
Software 9 Installer downloads, software inventory, packages
Switch 3 Network switch management
WiFi 3 Wireless network management
User Activity 2 User activity reporting and session data
Playbooks 5 SOC incident response and threat hunting workflow guides
Auth 2 OAuth2 authentication and WhoAmI identity discovery

MSSP Multi-Tenant Support

The server is built around Sophos Partner Super Admin credentials, which have visibility across all managed customer tenants.

How it works:

  1. On startup, the server authenticates to Sophos Central using your Partner credentials and discovers your organization type (partner or organization).
  2. Use sophos_list_tenants (or sophos_list_org_tenants for organization accounts) to enumerate all managed tenants and their IDs.
  3. Pass the tenantId parameter to any tenant-scoped tool to target a specific customer environment.
  4. All API calls are automatically routed to the correct regional endpoint (US, EU, CA, AU, JP, BR) based on the tenant's data residency.

Example workflow:

1. sophos_list_tenants          → get all tenant IDs and names
2. sophos_list_alerts           → pass tenantId for a specific customer
3. sophos_isolate_endpoint      → isolate an endpoint in that tenant
4. sophos_live_discover_run_query → run forensic SQL on the isolated host

SOC Playbooks

The server ships with five built-in playbook tools that provide structured, step-by-step guidance for common SOC workflows. These are designed to be invoked at the start of an investigation to orient the response.

Tool Purpose
sophos_playbook_incident_response End-to-end IR playbook: triage → scope → contain → remediate
sophos_playbook_threat_hunt Hypothesis-driven and IOC-based threat hunting workflows
sophos_mitre_attack_guide MITRE ATT&CK technique-to-Sophos-tool mapping
sophos_soc_tool_guide Reference guide for all 334 tools organized by SOC use case
sophos_playbook_edr_investigation EDR-specific investigation playbook for endpoint detections

SOC Quick Start

Once the server is connected to Claude, you can use natural language to drive security operations. Example prompts:

Alert triage:

"List all critical and high severity open alerts for tenant <tenant-id> from the last 24 hours, grouped by type."

Endpoint investigation:

"Isolate endpoint <hostname> in tenant <tenant-id>, then run a Live Discover SQL query to list all running processes and active network connections."

XDR threat hunting:

"Run an XDR Data Lake query against tenant <tenant-id> to find any PowerShell executions with encoded commands in the last 7 days."

MSSP overview:

"Enumerate all my managed tenants, then show me any tenants with open critical alerts."

Email security:

"Show me all quarantined messages for tenant <tenant-id> in the last 48 hours and release any flagged as false positives."

Development

# Run with hot-reload (no build step required)
npm run dev

# Build TypeScript to JavaScript
npm run build

# Run the built server
npm start

# Inspect tools interactively with MCP Inspector
npx @modelcontextprotocol/inspector node build/index.js

Project Structure

src/
├── index.ts                          # Entry point — transport setup, registers all 33 modules
├── config.ts                         # Environment variable validation
├── auth/
│   └── auth-manager.ts               # OAuth2 token management with auto-refresh
├── client/
│   ├── sophos-client.ts              # HTTP client (retry, rate limiting, backoff)
│   └── tenant-router.ts             # Tenant → regional API host mapping
├── tools/                            # 33 tool files, 334 tools total
│   ├── auth-tools.ts                 # 2 tools
│   ├── partner-tools.ts              # 23 tools
│   ├── organization-tools.ts         # 2 tools
│   ├── endpoint-tools.ts             # 26 tools
│   ├── group-tools.ts                # 8 tools
│   ├── policy-tools.ts               # 7 tools
│   ├── alert-tools.ts                # 5 tools
│   ├── detections-tools.ts           # 7 tools
│   ├── siem-tools.ts                 # 2 tools
│   ├── xdr-tools.ts                  # 10 tools
│   ├── live-discover-tools.ts        # 11 tools
│   ├── firewall-tools.ts             # 20 tools
│   ├── dns-protection-tools.ts       # 15 tools
│   ├── email-tools.ts                # 31 tools
│   ├── directory-tools.ts            # 15 tools
│   ├── settings-tools.ts             # 16 tools
│   ├── allowed-blocked-tools.ts      # 12 tools
│   ├── exploit-mitigation-tools.ts   # 8 tools
│   ├── ips-exclusion-tools.ts        # 10 tools
│   ├── tenant-admin-tools.ts         # 14 tools
│   ├── account-health-tools.ts       # 4 tools
│   ├── cases-tools.ts                # 9 tools
│   ├── software-tools.ts             # 9 tools
│   ├── audit-events-tools.ts         # 2 tools
│   ├── business-automation-tools.ts  # 3 tools
│   ├── licensing-tools.ts            # 2 tools
│   ├── mobile-tools.ts               # 38 tools
│   ├── switch-tools.ts               # 3 tools
│   ├── wifi-tools.ts                 # 3 tools
│   ├── cloud-security-tools.ts       # 6 tools
│   ├── user-activity-tools.ts        # 2 tools
│   ├── account-management-tools.ts   # 4 tools
│   └── playbook-tools.ts             # 5 tools
└── types/
    └── sophos-types.ts               # TypeScript interfaces for all Sophos API types

Security Considerations

  • Credential handling — API credentials are read from environment variables at startup and are never logged or transmitted except to the Sophos authentication endpoint. Do not commit .env files to source control — .env is listed in .gitignore.
  • Partner Super Admin scope — these credentials have read/write access across all managed tenants. Treat them with the same care as privileged service account credentials. Rotate them immediately if compromised.
  • Read-only operations where possible — where your use case only requires visibility (alert triage, threat hunting, reporting), consider creating a separate credential with a more restricted role. Partner Super Admin is required only for write operations (isolation, policy changes, user management).
  • Network binding — HTTP transports default to 127.0.0.1. Do not expose the MCP server port publicly. If you need remote access, put it behind an authenticated reverse proxy or use a VPN.
  • Audit trail — all Sophos API calls made through this server are logged in Sophos Central's audit events, attributable to the API credential used.

Related MCP Servers

These three servers cover complementary layers of a security stack — network/log (AlertLogic), endpoint protection (Sophos), and EDR/threat intel (CrowdStrike). Use them together for full-stack AI-powered SOC operations.

Server Platform Highlights
falcon-mcp CrowdStrike Falcon EDR telemetry, RTR, threat intel, MSSP Flight Control, 1,296 tools
sophos-central-mcp Sophos Central Endpoint isolation, Live Discover SQL, XDR, email/firewall/DNS, 334 tools
alertlogic-mcp Alert Logic MDR Incident response, SQL log search, SOAR, vulnerability management, 473 tools

License

MIT

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured