Load Sophos Firewall data in Python using dltHub

In this guide, we'll set up a complete Sophos data pipeline from API credentials to your first data load in just 10 minutes. You'll end up with a fully declarative Python pipeline based on dlt's REST API connector, like in the partial example code below:

Example code
@dlt.source
def sophos_firewall_source(access_token=dlt.secrets.value):
    config: RESTAPIConfig = {
        "client": {
            "base_url": "https://central.sophos.com/v1/",
            {'auth': {'type': 'bearer', 'token': 'access_token'}},
        },
        "resources": [
            "Web", "AD", "vpn"
            ],
    }
    [...]
    yield from rest_api_resources(config)


def get_data() -> None:
    # Connect to destination
    pipeline = dlt.pipeline(
        pipeline_name='sophos_firewall_pipeline',
        destination='duckdb',
        dataset_name='sophos_firewall_data', 
    )
    # Load the data
    load_info = pipeline.run(sophos_firewall_source())
    print(load_info) 

Why use dlt to generate Python pipelines?

• Accelerate pipeline development with AI-native context
• Debug pipelines, validate schemas and data with the integrated Pipeline Dashboard
• Build Python notebooks for end users of your data
• Low maintenance thanks to schema evolution with type inference, resilience and self-documenting REST API connectors. A shallow learning curve makes the pipeline easy to extend by any team member
• dlt is the tool of choice for Pythonic Iceberg Lakehouses, bringing mature data loading to Iceberg with or without catalogs

What you’ll do

We’ll show you how to generate a readable and easily maintainable Python script that fetches data from Sophos Firewall's API and loads it into Iceberg, DataFrames, files, or a database of your choice. Here are some of the endpoints you can load:

• Web: Access to web-related resources and configurations.
• AD: Interaction with Active Directory settings and data.
• VPN: Management of VPN connections and settings.
• Logs: Retrieval of log data from the firewall.
• MDR: Management of Managed Detection and Response services.
• NDR: Network Detection and Response functionalities.
• Email: Email-related configurations and monitoring.
• LDAP: LDAP directory services interactions.

You will then debug the Sophos pipeline using our Pipeline Dashboard tool to ensure it is copying the data correctly, before building a Notebook to explore your data and build reports.

Setup & steps to follow

💡
Before getting started, set up a virtual environment (instructions) and install the dlt workspace:
uv venv && source .venv/bin/activate
uv pip install "dlt[workspace]"

Now you're ready to get started!

1. Install the dlt AI Workbench

   Configure the workbench for your coding assistant:

   Copy
   dlt ai init --agent <your-agent> # <agent>: claude | cursor | codex

   This installs project rules, a secrets management skill, appropriate ignore files, and configures the dlt MCP server for your agent.

   Learn more about the dltHub AI Workbench and setup details for each assistant →

2. Install the rest-api-pipeline toolkit

   The AI Workbench provides different toolkits for each phase of the data engineering lifecycle. To start you need to install the rest-api-pipeline toolkit:

   Copy
   dlt ai toolkit rest-api-pipeline install

   This loads different skills and contexts about dlt the agent uses to build the pipeline iteratively, efficiently, and safely. Importantly, it does not need to ask you for credentials directly. In dlt, API credentials are provided via a secrets.toml file (learn more about secrets management →), and the agent should use the MCP tools to see their shape and detect misconfigurations. It never needs to access the file directly.

   Learn more about the rest-api-pipeline toolkit →

3. Start LLM-assisted coding

   Here's a prompt to get you started:

   Prompt
   Copy
   Use /find-source to load data from the Sophos Firewall API into DuckDB.

   The AI Workbench rest-api-pipeline toolkit takes over from here — it reads relevant API documentation, presents you with options for which endpoints to load, and then follows a structured workflow to scaffold, debug, and validate the pipeline step by step.

4. View the result

   After the rest-api-pipeline workflow has finished, you will end up with a working REST API source with validated endpoints and a pipeline that writes data into a local dataset you have inspected and verified.

   Copy
   > python sophos_firewall_pipeline.py
   Pipeline sophos_firewall load step completed in 0.26 seconds
   1 load package(s) were loaded to destination duckdb and into dataset sophos_firewall_data
   The duckdb destination used duckdb:/sophos_firewall.duckdb location to store data
   Load package 1749667187.541553 is LOADED and contains no failed jobs

   By launching the Pipeline Dashboard, you can see various information about the pipeline and the loaded data

   • Pipeline overview: State, load metrics
   • Data's schema: tables, columns, types, hints
   • You can query the data itself

   Copy
   dlt pipeline sophos_firewall_pipeline show

Running into errors?

Users should ensure that multi-factor authentication (MFA) is disabled for API access. Additionally, the API token is no longer recommended for new customers, and care should be taken with token expiration management. Some endpoints may have rate limits or require specific permissions, and users must be aware of potential null values in deeply nested fields in some API responses.

Next steps

You can go to the next phases of your data engineering journey by handing over to other toolkits of the dltHub AI Workbench:

• data-exploration — Build custom notebooks, charts, and dashboards for deeper analysis with marimo notebooks.
• dlthub-runtime — Deploy, schedule, and monitor your pipeline in production

Copy
dlt ai toolkit data-exploration install
dlt ai toolkit dlthub-runtime install

Or explore the following resources for more information:

• How to deploy a pipeline
• How to explore your data in marimo Notebooks
• How to query your data in Python with dataset