weave
module · Endpoints & MDM

Sophos

Sophos Central — endpoints, alerts, isolation, scans. Auths via OAuth client credentials + whoami tenant/data-region discovery; set SOPHOS_TOKEN + SOPHOS_TENANT_ID + SOPHOS_DATA_REGION to skip the mint.

Namespace: weave sophos Env: SOPHOS_CLIENT_ID
6
Commands
1
State kinds
Endpoints & MDM
Category
1
API docs

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable Description Status
SOPHOS_CLIENT_IDRequired for authentication.required
SOPHOS_CLIENT_SECRETRequired for authentication.required

Sanity-check the wiring:

weave secrets check
weave sophos --help
weave doctor   # reports SOPHOS_CLIENT_ID status

Capabilities

What this module can do, by entity and verb. means a working CLI surface; · means not (yet) wired.

Entity findlistshowdosnapshotdiffapply
alert······
endpoint··

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (1)

find endpoint

read

Find an endpoint by its Sophos endpoint ID (UUID).

weave sophos find endpoint <endpoint-id>

list (2)

list alerts

read

List alerts (Common API).

weave sophos list alerts <arg>

list endpoints

read

List endpoints.

weave sophos list endpoints <arg>

do (3)

do deisolate

write

Lift isolation from an endpoint.

weave sophos do deisolate <endpoint-id>

do isolate

write

Isolate an endpoint from the network.

weave sophos do isolate <endpoint-id>

do scan

write

Trigger a malware scan on an endpoint.

weave sophos do scan <endpoint-id>
snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diffapply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/sophos/.

This module is on the thinner integration path — use snapshot / diff for audit; confirm apply per kind below before relying on writes.

endpoints

snapshot diff apply

Sophos Central endpoints — snapshot + diff only (inventory is read-only).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: sophos
kind: endpoints
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Endpoints audit

Snapshot and diff endpoints (read-only; apply is intentionally not implemented).

weave sophos snapshot endpoints
$EDITOR .weave-state/sophos/endpoints.yaml
weave sophos diff endpoints

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource weave equivalent
sophos_endpointsweave sophos snapshot/diff endpoints
Snapshot/diff only; the vendor API does not support generic writes for this kind.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including SOPHOS_CLIENT_ID) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave sophos diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.

Open the source

The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/sophos. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.