Sophos

Visualize Sophos endpoint agents and protected devices, map agents to devices and their respective owners, and monitor changes through queries and alerts.

Installation guide
Sophos data model
Sophos types

Installation

To use this integration, JupiterOne requires Client Credentials to a Sophos Tenant account. Obtaining those credentials is described in Sophos' official docs under the 'Create Service Principal' section. At the very end, you'll have a Client ID and a Client Secret that you can use to integrate with JupiterOne.

Configuration in JupiterOne

To install the Sophos integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Sophos. Click New Instance to begin configuring your integration, providing the following:

Account Name used to identify the Sophos tenant account in JupiterOne.
Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Data Model

Entities

The following entities are created:

Resources	Entity `_type`	Entity `_class`
Alert	`sophos_alert`	Alert
Device	`sophos_device`	Device
Endpoint	`sophos_endpoint`	HostAgent
Endpoint Group	`sophos_endpoint_group`	Group
Policy	`sophos_policy`	ControlPolicy
Role	`sophos_role`	AccessRole
Sophos Account	`sophos_account`	Account
Sophos Common	`sophos_common`	Service
Sophos Endpoint Protection	`sophos_endpoint_protection`	Service
Sophos User	`sophos_user`	User
User Group	`sophos_user_group`	UserGroup

Relationships

The following relationships are created:

Source Entity `_type`	Relationship `_class`	Target Entity `_type`
`sophos_account`	HAS	`sophos_common`
`sophos_account`	HAS	`sophos_endpoint_protection`
`sophos_alert`	ASSIGNED	`sophos_endpoint`
`sophos_alert`	ASSIGNED	`sophos_endpoint_group`
`sophos_alert`	ASSIGNED	`sophos_user`
`sophos_alert`	ASSIGNED	`sophos_user_group`
`sophos_common`	HAS	`sophos_role`
`sophos_common`	HAS	`sophos_user_group`
`sophos_endpoint`	IDENTIFIED	`sophos_alert`
`sophos_endpoint`	PROTECTS	`sophos_device`
`sophos_endpoint_group`	HAS	`sophos_endpoint`
`sophos_endpoint_protection`	HAS	`sophos_endpoint`
`sophos_user`	HAS	`sophos_endpoint`
`sophos_user_group`	HAS	`sophos_user`

Sophos Account

sophos_account inherits from Account

Property	Type	Description	Specifications
`id` *	`string`
`idType` *	`string`		const: tenant

Sophos Common

sophos_common inherits from Service

Property	Type	Description	Specifications
`accountId` *	`string`
`principal` *	`string`

Sophos Endpoint Protection

sophos_endpoint_protection inherits from Service

Property	Type	Description	Specifications
`accountId` *	`string`
`principal` *	`string`

Sophos Endpoint

sophos_endpoint inherits from HostAgent

Property	Type	Description	Specifications
`id` *	`string`
`type` *	`string`		Any of: `computer` `server` `securityVm`
`name` *	`string`	Uses the endpoint's hostname if available. Uses associated person's name or "viaLogin" property as a fall back
`displayName` *	`string`	Uses the endpoint's hostname if available. Uses associated person's name or "viaLogin" property as a fall back
`hostname` *	`string`
`ipv4Addresses`	`array` of `string`s		Format: `ipv4`
`ipv6Addresses`	`array` of `string`s		Format: `ipv6`
`macAddresses`	`array` of `string`s
`online`	`boolean`
`tamperProtectionEnabled`	`boolean`
`lastSeenOn` *	`number`

Sophos Device

sophos_device inherits from Device

Property	Type	Description	Specifications
`name` *	`string`	Uses the endpoint's hostname if available. Uses associated person's name or "viaLogin" property as a fall back
`category` *	`string`	If the device is a computer, category is "endpoint"
`make` *	`null`
`model` *	`null`
`serial` *	`null`
`deviceId` *	`string`
`displayName` *	`string`	Uses the endpoint's hostname if available. Uses associated person's name or "viaLogin" property as a fall back
`lastSeenOn`	`number`
`osName` *	`string`
`osVersion` *	`string`
`platform` *	`string`
`osDetails` *	`string`
`hostname` *	`string`
`type` *	`string`
`ipv4Addresses`	`array` of `string`s		Format: `ipv4`
`ipv6Addresses`	`array` of `string`s		Format: `ipv6`
`macAddresses`	`array` of `string`s
`online`	`boolean`
`tamperProtectionEnabled`	`boolean`

Sophos Endpoint Group

sophos_endpoint_group inherits from Group

Property	Type	Specifications
`id` *	`string`
`name` *	`string`
`description`	`string`
`type` *	`string`	Any of: `computer` `server`
`createdAt`	`number`
`updatedAt`	`number`

Sophos Policy

sophos_policy inherits from ControlPolicy

Property	Type	Description	Specifications
`id` *	`string`
`name` *	`string`
`type` *	`string`		Any of: `threat-protection` `peripheral-control` `application-control` `data-loss-prevention` `web-control` `agent-updating` `windows-firewall` `device-encryption` `server-threat-protection` `server-peripheral-control` `server-application-control` `server-web-control` `server-lockdown` `server-data-loss-prevention` `server-agent-updating` `server-windows-firewall` `server-file-integrity-monitoring` `server-linux-runtime-detection`
`lockedByManagingAccount` *	`boolean`	Whether the policy is managed by a partner or organization, 'true' mean yes.
`priority` *	`number`
`enabled` *	`boolean`
`disableAt`	`number`	When the policy should be turned off.
`createdAt`	`number`
`updatedAt`	`number`

Sophos Role

sophos_role inherits from AccessRole

Property	Type	Description	Specifications
`systemRole` *	`boolean`	Indicates that this role is a system role, not a custom user-defined role. True if `type == 'predefined'`
`id` *	`string`
`name` *	`string`
`description`	`string`
`type` *	`string`		Any of: `predefined` `custom`
`principalType` *	`string`		Any of: `user` `service`
`permissionSets` *	`array` of `string`s
`createdAt`	`number`
`updatedAt`	`number`

Sophos User

sophos_user inherits from User

Property	Type	Specifications
`id` *	`string`
`name` *	`string`
`username` *	`string`
`firstName`	`string`
`lastName`	`string`
`email`	`string`	Format: `email`
`domain`	`string`
`exchangeLogin`	`string`
`createdAt`	`number`
`updatedAt`	`number`

Sophos User Group

sophos_user_group inherits from UserGroup

Property	Type	Specifications
`id` *	`string`
`name` *	`string`
`description`	`string`
`domain`	`string`
`createdAt`	`number`
`updatedAt`	`number`
`source`	`string`	Any of: `custom` `activeDirectory` `azureActiveDirectory`

Sophos Alert

sophos_alert inherits from Alert

Property	Type	Specifications
`id` *	`string`
`allowedActions` *	`array` of `string`s
`category` *	`string`	Any of: `azure` `adSync` `applicationControl` `appReputation` `blockListed` `connectivity` `cwg` `denc` `downloadReputation` `endpointFirewall` `fenc` `forensicSnapshot` `general` `isolation` `malware` `mtr` `mobiles` `policy` `protection` `pua` `runtimeDetections` `security` `smc` `systemHealth` `uav` `uncategorized` `updating` `utm` `virt` `wireless` `xgEmail` `ztnaAuthentication` `ztnaGateway` `ztnaResource`
`product`	`string`	Any of: `other` `endpoint` `server` `mobile` `encryption` `emailGateway` `webGateway` `phishThreat` `wireless` `firewall` `ztna`
`description` *	`string`
`groupKey` *	`string`
`raisedAt`	`string`	Format: `date-time`
`createdAt`	`number`
`severity`	`string`	Any of: `high` `medium` `low`
`type`	`string`

Sophos

Installation​

Configuration in JupiterOne​

Next steps​

Data Model​

Entities​

Relationships​

Sophos Account​

Sophos Common​

Sophos Endpoint Protection​

Sophos Endpoint​

Sophos Device​

Sophos Endpoint Group​

Sophos Policy​

Sophos Role​

Sophos User​

Sophos User Group​

Sophos Alert​