Sophos
Visualize Sophos endpoint agents and protected devices, map agents to devices and their respective owners, and monitor changes through queries and alerts.
- Installation guide
- Sophos data model
- Entity properties
Installation
To use this integration, JupiterOne requires client credentials for a Sophos Central tenant. Creating them is described in Sophos' official docs under the 'Create Service Principal' section. At the end of that procedure you will have a Client ID and a Client Secret to use when configuring the JupiterOne integration. Treat the Client Secret as a credential: it is only needed in the integration configuration and should not be pasted anywhere else.
Configuration in JupiterOne
To install the Sophos integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Sophos. Click New Instance to begin configuring your integration, providing the following:
Account Name used to identify the Sophos tenant account in JupiterOne.
Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Data Model
Entities
The following entities are created:
Resources | Entity _type | Entity _class |
---|---|---|
Account | sophos_account | Account |
Alert | sophos_alert | Alert |
Device | sophos_device | Device |
Endpoint | sophos_endpoint | HostAgent |
Endpoint Group | sophos_endpoint_group | Group |
Policy | sophos_policy | AccessPolicy |
Role | sophos_role | AccessRole |
Sophos Common | sophos_common | Service |
Sophos Endpoint Protection | sophos_endpoint_protection | Service |
User | sophos_user | User |
User Group | sophos_user_group | UserGroup |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
---|---|---|
sophos_account | HAS | sophos_common |
sophos_account | HAS | sophos_endpoint_protection |
sophos_alert | ASSIGNED | sophos_endpoint |
sophos_alert | ASSIGNED | sophos_endpoint_group |
sophos_alert | ASSIGNED | sophos_user |
sophos_alert | ASSIGNED | sophos_user_group |
sophos_common | HAS | sophos_role |
sophos_common | HAS | sophos_user_group |
sophos_endpoint | HAS | sophos_alert |
sophos_endpoint | PROTECTS | sophos_device |
sophos_endpoint_group | HAS | sophos_endpoint |
sophos_endpoint_protection | HAS | sophos_endpoint |
sophos_user | HAS | sophos_endpoint |
sophos_user_group | HAS | sophos_user |
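The value of the graph above is that you can walk it. The J1QL queries below are added examples (not part of the JupiterOne Sophos integration or its documentation) that use only the entity types, relationship classes and property names listed on this page. Assumptions: the queries follow J1QL syntax as documented by JupiterOne (the `<<` operator selects the inbound direction of a relationship, `date.now - 30days` is a relative timestamp, and `lastSeenOn` is epoch milliseconds as stated under SophosEndpoint properties); the severity value `'high'` is a Sophos alert severity level and is assumed, since this page only types `severity` as a string. Each statement is one query; run them one at a time.

```j1ql
FIND sophos_endpoint WITH tamperProtectionEnabled != true AS e
  THAT PROTECTS sophos_device AS d
  RETURN d.hostname, d.platform, d.osVersion, e.type, e.online, e.lastSeenOn

FIND sophos_user AS u
  THAT HAS sophos_endpoint WITH lastSeenOn < date.now - 30days AS e
  RETURN u.email, e.hostname, e.type, e.lastSeenOn

FIND sophos_alert WITH severity = 'high' AS a
  THAT ASSIGNED sophos_endpoint AS e
  THAT HAS << sophos_user AS u
  RETURN a.category, a.description, a.raisedAt, e.hostname, u.email

FIND sophos_role WITH principalType = 'service' AND type = 'custom' AS r
  RETURN r.name, r.permissionSets, r.updatedAt
```

The first query lists devices whose agent does not report Tamper Protection as on; `!= true` deliberately also matches agents that never reported the property, which is the conservative reading for a control you expect to be enforced everywhere. The second maps stale agents back to their owner through the `sophos_user HAS sophos_endpoint` relationship so the person can be contacted. The third follows an alert to the endpoint it is assigned to and then, against the direction of the edge, to the user that owns that endpoint. The fourth reviews custom roles usable by service principals, which is where API credentials such as the one created during installation get their permissions. Any of these can be saved as a JupiterOne alert rule to turn a one-off query into continuous monitoring.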
SophosAccount properties
• _class: ["Account"]
• _type: "sophos_account"
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• id: string
  The TenantID
• idType: "tenant"
  Fixed value of 'tenant' for now.
• name: string
  Name of this entity
• resourceName: "Account"
SophosAlert properties
• _class: ["Alert"]
• _type: "sophos_alert"
• allowedActions: string[]
• category: AlertCategoryEnum
• createdAt: undefined | number
• description: string
• displayName: string
• groupKey: string
• id: string
• managedAgent (optional): Object
• name: string
• person (optional): Object
• product (optional): "mobile" | "other" | "firewall" | "server" | "ztna" | "encryption" | "wireless" | "endpoint" | "emailGateway" | "webGateway" | "phishThreat"
• raisedAt: undefined | string
• resourceName: "Alert"
• severity: undefined | string
• type: undefined | string
SophosDevice properties
• _class: ["Device"]
• _type: "sophos_device"
• category: null | string
• deviceId: null | string
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• hostname: string
• ipv4Addresses: undefined | string[]
• ipv6Addresses: undefined | string[]
• lastSeenOn: null | number
• macAddresses: undefined | string[]
• make: null | string
• model: null | string
• name: string
  Name of this entity
• online: undefined | boolean
• osDetails: string
• osName: string
• osVersion: string
• platform (optional): "other" | "darwin" | "linux" | "unix" | "windows" | "android" | "ios" | "embedded"
  Operating System Platform
• resourceName: "Device"
• serial: null | string
• tamperProtectionEnabled: undefined | boolean
• type: string
SophosEndpoint properties
• _class: ["HostAgent"]
• _type: "sophos_endpoint"
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• function: ("other" | "endpoint-protection" | "container-security" | "DLP" | "HIDS" | "endpoint-compliance" | "endpoint-configuration" | "anti-malware" | "FIM" | "host-firewall" | "log-monitor" | "activity-monitor" | "vulnerability-detection")[]
  The function of the sensor/agent
• hostname: string
  Hostname of the endpoint.
• id: string
  Unique ID for the endpoint.
• ipv4Addresses: undefined | string[]
  List of IPv4 addresses.
• ipv6Addresses: undefined | string[]
  List of IPv6 addresses.
• lastSeenAt (optional): string
  Date and time (UTC) when the endpoint last communicated with Sophos Central.
• lastSeenOn: undefined | number
  The timestamp (in milliseconds since epoch) when the device either last checked in or was scanned.
• macAddresses: undefined | string[]
  List of MAC addresses.
• name: string
  Name of this entity
• online: undefined | boolean
  Whether the endpoint is currently online.
• resourceName: "Endpoint"
• tamperProtectionEnabled: undefined | boolean
  Whether Tamper Protection is turned on.
• type: "computer" | "server" | "securityVm"
  Endpoint type.
SophosEndpointGroup properties
• _class: ["Group"]
• _type: string = 'sophos_endpoint_group'
• createdAt (optional): number
  When the group was created.
• description (optional): string
  Group description.
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• id: string
  Group ID.
• name: string
  Group name.
• resourceName: string = 'Endpoint Group'
• type: "computer" | "server"
  Endpoint group type.
• updatedAt (optional): number
  When the group was last updated.
SophosPolicy properties
• _class: ["ControlPolicy"]
• _type: "sophos_policy"
• createdAt (optional): number
  Time the policy was created.
• disableAt (optional): string
  When the policy should be turned off.
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• enabled: boolean
  Whether the policy is turned on.
• id: string
  Policy ID.
• lockedByManagingAccount: boolean
  Whether the policy is managed by a partner or organization; 'true' means it is.
• name: string
  Policy name.
• priority: number
  Policy priority.
• resourceName: "Account"
• type: "threat-protection" | "peripheral-control" | "application-control" | "data-loss-prevention" | "web-control" | "agent-updating" | "windows-firewall" | "device-encryption" | "server-threat-protection" | "server-peripheral-control" | "server-application-control" | "server-web-control" | "server-lockdown" | "server-data-loss-prevention" | "server-agent-updating" | "server-windows-firewall" | "server-file-integrity-monitoring" | "server-linux-runtime-detection"
  Policy type.
• updatedAt (optional): number
  Time the policy was last updated.
SophosRole properties
• _class: ["AccessRole"]
• _type: "sophos_role"
• createdAt: undefined | number
  Date and time the tenant role was created.
• description: undefined | string
  Role description.
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• id: string
  Role UUID.
• name: string
  Role name.
• permissionSets: string[]
  List of permission sets.
• principalType: "user" | "service"
  Principal type of the role.
• resourceName: "Role"
• systemRole: boolean
  Indicates that this role is a system role, not a custom user-defined role. True if type == 'predefined'.
• type: "custom" | "predefined"
  Role type.
• updatedAt: undefined | number
  Date and time the tenant role was last updated.
SophosServiceCommon properties
• _class: ["Service"]
• _type: "sophos_common"
• accountId: string
  Account ID
• category: string[]
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• function: string[]
• name: string
  Name of this entity
• principal: string
• resourceName: "Sophos Common"
SophosServiceEndpointProtection properties
• _class: ["Service"]
• _type: "sophos_endpoint_protection"
• accountId: string
  Account ID
• category: string[]
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• function: string[]
• name: string
  Name of this entity
• principal: string
• resourceName: "Sophos Endpoint Protection"
SophosUser properties
• _class: ["User"]
• _type: "sophos_user"
• createdAt (optional): number
  When the user was created.
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• domain (optional): string
  Domain name.
• email (optional): string
  User's email address.
• exchangeLogin (optional): string
  User's Exchange login.
• firstName (optional): string
  User's first name or given name.
• id: string
  User ID.
• lastName (optional): string
  User's last name or surname.
• name: string
  User's name.
• resourceName: "User"
• updatedAt (optional): number
  When the user was last updated.
• username: string
SophosUserGroup properties
• _class: ["UserGroup"]
• _type: "sophos_user_group"
• createdAt: undefined | number
  When the group was created.
• description: undefined | string
  Group description.
• displayName: string
  Display name, e.g. a person's preferred name or an AWS account alias
• domain: undefined | string
  Domain name.
• id: string
  Group ID.
• name: string
  Group name.
• resourceName: "User Group"
• updatedAt: undefined | number
  When the group was last updated.