Sophos

Visualize Sophos endpoint agents and protected devices, map agents to devices and their respective owners, and monitor changes through queries and alerts.

Installation guide

Installation

To use this integration, JupiterOne requires Client Credentials to a Sophos Tenant account. Obtaining those credentials is described in Sophos' official docs under the 'Create Service Principal' section. At the very end, you'll have a Client ID and a Client Secret that you can use to integrate with JupiterOne.

Configuration in JupiterOne

To install the Sophos integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Sophos. Click New Instance to begin configuring your integration, providing the following:

• Account Name used to identify the Sophos tenant account in JupiterOne.

• Description to assist in identifying the integration instance, if desired.

• Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Sophos data model

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
Account	sophos_account	Account
Alert	sophos_alert	Alert
Device	sophos_device	Device
Endpoint	sophos_endpoint	HostAgent
Endpoint Group	sophos_endpoint_group	Group
Policy	sophos_policy	AccessPolicy
Role	sophos_role	AccessRole
Sophos Common	sophos_common	Service
Sophos Endpoint Protection	sophos_endpoint_protection	Service
User	sophos_user	User
User Group	sophos_user_group	UserGroup

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
sophos_account	HAS	sophos_common
sophos_account	HAS	sophos_endpoint_protection
sophos_alert	ASSIGNED	sophos_endpoint
sophos_alert	ASSIGNED	sophos_endpoint_group
sophos_alert	ASSIGNED	sophos_user
sophos_alert	ASSIGNED	sophos_user_group
sophos_common	HAS	sophos_role
sophos_common	HAS	sophos_user_group
sophos_endpoint	HAS	sophos_alert
sophos_endpoint	PROTECTS	sophos_device
sophos_endpoint_group	HAS	sophos_endpoint
sophos_endpoint_protection	HAS	sophos_endpoint
sophos_user	HAS	sophos_endpoint
sophos_user_group	HAS	sophos_user

Entity properties

SophosAccount properties

_class

• _class: ["Account"]

---

_type

• _type: "sophos_account"

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

id

• id: string

The TenantID

---

idType

• idType: "tenant"

Fixed value of 'tenant' for now.

---

name

• name: string

Name of this entity

---

resourceName

• resourceName: "Account"

SophosAlert properties

_class

• _class: ["Alert"]

---

_type

• _type: "sophos_alert"

---

allowedActions

• allowedActions: string[]

---

category

• category: AlertCategoryEnum

---

createdAt

• createdAt: undefined | number

---

description

• description: string

---

displayName

• displayName: string

---

groupKey

• groupKey: string

---

id

• id: string

---

managedAgent

• Optional managedAgent: Object

---

name

• name: string

---

person

• Optional person: Object

---

product

• Optional product: "mobile" | "other" | "firewall" | "server" | "ztna" | "encryption" | "wireless" | "endpoint" | "emailGateway" | "webGateway" | "phishThreat"

---

raisedAt

• raisedAt: undefined | string

---

resourceName

• resourceName: "Alert"

---

severity

• severity: undefined | string

---

type

• type: undefined | string

SophosDevice properties

_class

• _class: ["Device"]

---

_type

• _type: "sophos_device"

---

category

• category: null | string

---

deviceId

• deviceId: null | string

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

hostname

• hostname: string

---

ipv4Addresses

• ipv4Addresses: undefined | string[]

---

ipv6Addresses

• ipv6Addresses: undefined | string[]

---

lastSeenOn

• lastSeenOn: null | number

---

macAddresses

• macAddresses: undefined | string[]

---

make

• make: null | string

---

model

• model: null | string

---

name

• name: string

Name of this entity

---

online

• online: undefined | boolean

---

osDetails

• osDetails: string

---

osName

• osName: string

---

osVersion

• osVersion: string

---

platform

• Optional platform: "other" | "darwin" | "linux" | "unix" | "windows" | "android" | "ios" | "embedded"

Operating System Platform

---

resourceName

• resourceName: "Device"

---

serial

• serial: null | string

---

tamperProtectionEnabled

• tamperProtectionEnabled: undefined | boolean

---

type

• type: string

SophosEndpoint properties

_class

• _class: ["HostAgent"]

---

_type

• _type: "sophos_endpoint"

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

function

• function: ("other" | "endpoint-protection" | "container-security" | "DLP" | "HIDS" | "endpoint-compliance" | "endpoint-configuration" | "anti-malware" | "FIM" | "host-firewall" | "log-monitor" | "activity-monitor" | "vulnerability-detection")[]

The function of sensor/agent

---

hostname

• hostname: string

Hostname of the endpoint.

---

id

• id: string

Unique ID for the endpoint.

---

ipv4Addresses

• ipv4Addresses: undefined | string[]

List of IPv4 addresses.

---

ipv6Addresses

• ipv6Addresses: undefined | string[]

List of IPv6 addresses.

---

lastSeenAt

• Optional lastSeenAt: string

Date and time (UTC) when the endpoint last communicated with Sophos Central.

---

lastSeenOn

• lastSeenOn: undefined | number

The timestamp (in milliseconds since epoch) when the device either last checked in or was scanned.

---

macAddresses

• macAddresses: undefined | string[]

List of MAC addresses.

---

name

• name: string

Name of this entity

---

online

• online: undefined | boolean

Whether endpoint is currently online.

---

resourceName

• resourceName: "Endpoint"

---

tamperProtectionEnabled

• tamperProtectionEnabled: undefined | boolean

Whether Tamper Protection is turned on.

---

type

• type: "computer" | "server" | "securityVm"

Endpoint type.

SophosEndpointGroup properties

_class

• _class: ["Group"]

---

_type

• _type: string = 'sophos_endpoint_group'

---

createdAt

• Optional createdAt: number

When the group was created.

---

description

• Optional description: string

Group description.

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

id

• id: string

Group ID.

---

name

• name: string

Group name.

---

resourceName

• resourceName: string = 'Endpoint Group'

---

type

• type: "computer" | "server"

Endpoint group types.

---

updatedAt

• Optional updatedAt: number

When the group was last updated.

SophosPolicy properties

_class

• _class: ["ControlPolicy"]

---

_type

• _type: "sophos_policy"

---

createdAt

• Optional createdAt: number

Time the policy was created.

---

disableAt

• Optional disableAt: string

When the policy should be turned off.

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

enabled

• enabled: boolean

Whether the policy is turned on.

---

id

• id: string

Policy ID.

---

lockedByManagingAccount

• lockedByManagingAccount: boolean

Whether the policy is managed by a partner or organization, 'true' mean yes.

---

name

• name: string

Policy name.

---

priority

• priority: number

Policy priority.

---

resourceName

• resourceName: "Account"

---

type

• type: "threat-protection" | "peripheral-control" | "application-control" | "data-loss-prevention" | "web-control" | "agent-updating" | "windows-firewall" | "device-encryption" | "server-threat-protection" | "server-peripheral-control" | "server-application-control" | "server-web-control" | "server-lockdown" | "server-data-loss-prevention" | "server-agent-updating" | "server-windows-firewall" | "server-file-integrity-monitoring" | "server-linux-runtime-detection"

Policy type.

---

updatedAt

• Optional updatedAt: number

Time the policy was last updated.

SophosRole properties

_class

• _class: ["AccessRole"]

---

_type

• _type: "sophos_role"

---

createdAt

• createdAt: undefined | number

Date and time tenant role was created.

---

description

• description: undefined | string

Role Description.

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

id

• id: string

Role UUID.

---

name

• name: string

Role name.

---

permissionSets

• permissionSets: string[]

List of permission sets.

---

principalType

• principalType: "user" | "service"

Principal type of role.

---

resourceName

• resourceName: "Role"

---

systemRole

• systemRole: boolean

Indicates that this role is a system role, not a custom user-defined role.

True if type == 'predefined'

---

type

• type: "custom" | "predefined"

Role type.

---

updatedAt

• updatedAt: undefined | number

Date and time tenant role was last updated.

SophosServiceCommon properties

_class

• _class: ["Service"]

---

_type

• _type: "sophos_common"

---

accountId

• accountId: string

Account ID

---

category

• category: string[]

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

function

• function: string[]

---

name

• name: string

Name of this entity

---

principal

• principal: string

---

resourceName

• resourceName: "Sophos Common"

SophosServiceEndpointProtection properties

_class

• _class: ["Service"]

---

_type

• _type: "sophos_endpoint_protection"

---

accountId

• accountId: string

Account ID

---

category

• category: string[]

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

function

• function: string[]

---

name

• name: string

Name of this entity

---

principal

• principal: string

---

resourceName

• resourceName: "Sophos Endpoint Protection"

SophosUser properties

_class

• _class: ["User"]

---

_type

• _type: "sophos_user"

---

createdAt

• Optional createdAt: number

When the user was created.

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

domain

• Optional domain: string

Domain name.

---

email

• Optional email: string

User's email address.

---

exchangeLogin

• Optional exchangeLogin: string

User's Exchange login.

---

firstName

• Optional firstName: string

User's first name or given name.

---

id

• id: string

User ID.

---

lastName

• Optional lastName: string

User's last name or surname.

---

name

• name: string

User's name.

---

resourceName

• resourceName: "User"

---

updatedAt

• Optional updatedAt: number

When the user was last updated.

---

username

• username: string

SophosUserGroup properties

_class

• _class: ["UserGroup"]

---

_type

• _type: "sophos_user_group"

---

createdAt

• createdAt: undefined | number

When the group was created.

---

description

• description: undefined | string

Group description.

---

displayName

• displayName: string

Display name, e.g. a person's preferred name or an AWS account alias

---

domain

• domain: undefined | string

Domain name.

---

id

• id: string

Group ID.

---

name

• name: string

Group name.

---

resourceName

• resourceName: "User Group"

---

updatedAt

• updatedAt: undefined | number

When the group was last updated.