Sophos

Visualize Sophos endpoint agents and protected devices, map agents to devices and their respective owners, and monitor changes through queries and alerts.

Installation
Data Model
Types

Installation

To use this integration, JupiterOne requires Client Credentials to a Sophos Tenant account. Obtaining those credentials is described in Sophos' official docs under the 'Create Service Principal' section. At the very end, you'll have a Client ID and a Client Secret that you can use to integrate with JupiterOne.

Configuration in JupiterOne

To install the Sophos integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Sophos. Click New Instance to begin configuring your integration, providing the following:

Account Name used to identify the Sophos tenant account in JupiterOne.
Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Entities

The following entities are created:

Resources	Entity `_type`	Entity `_class`
Alert	`sophos_alert`	Alert
Device	`sophos_device`	Device
Endpoint	`sophos_endpoint`	HostAgent
Endpoint Group	`sophos_endpoint_group`	Group
Policy	`sophos_policy`	ControlPolicy
Role	`sophos_role`	AccessRole
Sophos Account	`sophos_account`	Account
Sophos Common	`sophos_common`	Service
Sophos Endpoint Protection	`sophos_endpoint_protection`	Service
Sophos User	`sophos_user`	User
User Group	`sophos_user_group`	UserGroup

Relationships

The following relationships are created:

Source Entity `_type`	Relationship `_class`	Target Entity `_type`
`sophos_account`	HAS	`sophos_common`
`sophos_account`	HAS	`sophos_endpoint_protection`
`sophos_alert`	ASSIGNED	`sophos_user`
`sophos_alert`	ASSIGNED	`sophos_user_group`
`sophos_alert`	ASSIGNED	`sophos_endpoint`
`sophos_alert`	ASSIGNED	`sophos_endpoint_group`
`sophos_common`	HAS	`sophos_role`
`sophos_common`	HAS	`sophos_user_group`
`sophos_endpoint`	PROTECTS	`sophos_device`
`sophos_endpoint`	IDENTIFIED	`sophos_alert`
`sophos_endpoint_group`	HAS	`sophos_endpoint`
`sophos_endpoint_protection`	HAS	`sophos_endpoint`
`sophos_user`	HAS	`sophos_endpoint`
`sophos_user_group`	HAS	`sophos_user`

Sophos Account

sophos_account inherits from Account

Property	Type	Description	Specifications
`id` *	`string`
`idType` *	`string`		const: tenant

Sophos Alert

sophos_alert inherits from Alert

Property	Type	Specifications
`allowedActions` *	`array` of `string`s
`category` *	`string`	Any of: `azure` `adSync` `applicationControl` `appReputation` `blockListed` `connectivity` `cwg` `denc` `downloadReputation` `endpointFirewall` `fenc` `forensicSnapshot` `general` `isolation` `malware` `mtr` `mobiles` `policy` `protection` `pua` `runtimeDetections` `security` `smc` `systemHealth` `uav` `uncategorized` `updating` `utm` `virt` `wireless` `xgEmail` `ztnaAuthentication` `ztnaGateway` `ztnaResource`
`createdAt`	`number`
`description` *	`string`
`groupKey` *	`string`
`id` *	`string`
`product`	`string`	Any of: `other` `endpoint` `server` `mobile` `encryption` `emailGateway` `webGateway` `phishThreat` `wireless` `firewall` `ztna`
`raisedAt`	`string`	Format: `date-time`
`severity`	`string`	Any of: `high` `medium` `low`
`type`	`string`

Sophos Common

sophos_common inherits from Service

Property	Type	Description	Specifications
`accountId` *	`string`
`principal` *	`string`

Sophos Device

sophos_device inherits from Device

Property	Type	Description	Specifications
`online`	`boolean`
`platform`	`string`
`tamperProtectionEnabled`	`boolean`
`type`	`string`

Sophos Endpoint

sophos_endpoint inherits from HostAgent

Property	Type	Description	Specifications
`displayName` *	`string`	Uses the endpoint's hostname if available. Uses associated person's name or "viaLogin" property as a fall back
`hostname` *	`string`
`id` *	`string`
`ipv4Addresses`	`array` of `string`s		Format: `ipv4`
`ipv6Addresses`	`array` of `string`s		Format: `ipv6`
`lastSeenOn` *	`number`
`macAddresses`	`array` of `string`s
`name` *	`string`	Uses the endpoint's hostname if available. Uses associated person's name or "viaLogin" property as a fall back
`online`	`boolean`
`tamperProtectionEnabled`	`boolean`
`type` *	`string`		Any of: `computer` `server` `securityVm`

Sophos Endpoint Group

sophos_endpoint_group inherits from Group

Property	Type	Specifications
`createdAt`	`number`
`description`	`string`
`id` *	`string`
`name` *	`string`
`type` *	`string`	Any of: `computer` `server`
`updatedAt`	`number`

Sophos Endpoint Protection

sophos_endpoint_protection inherits from Service

Property	Type	Description	Specifications
`accountId` *	`string`
`principal` *	`string`

Sophos Policy

sophos_policy inherits from ControlPolicy

Property	Type	Description	Specifications
`createdAt`	`number`
`disableAt`	`number`	When the policy should be turned off.
`enabled` *	`boolean`
`id` *	`string`
`lockedByManagingAccount` *	`boolean`	Whether the policy is managed by a partner or organization, 'true' mean yes.
`name` *	`string`
`priority` *	`number`
`type` *	`string`		Any of: `threat-protection` `peripheral-control` `application-control` `data-loss-prevention` `web-control` `agent-updating` `windows-firewall` `device-encryption` `server-threat-protection` `server-peripheral-control` `server-application-control` `server-web-control` `server-lockdown` `server-data-loss-prevention` `server-agent-updating` `server-windows-firewall` `server-file-integrity-monitoring` `server-linux-runtime-detection`
`updatedAt`	`number`

Sophos Role

sophos_role inherits from AccessRole

Property	Type	Description	Specifications
`createdAt`	`number`
`description`	`string`
`id` *	`string`
`name` *	`string`
`permissionSets` *	`array` of `string`s
`principalType` *	`string`		Any of: `user` `service`
`systemRole` *	`boolean`	Indicates that this role is a system role, not a custom user-defined role. True if `type == 'predefined'`
`type` *	`string`		Any of: `predefined` `custom`
`updatedAt`	`number`

Sophos User

sophos_user inherits from User

Property	Type	Description	Specifications
`createdAt`	`number`
`domain`	`string`
`exchangeLogin`	`string`
`updatedAt`	`number`

Sophos User Group

sophos_user_group inherits from UserGroup

Property	Type	Specifications
`createdAt`	`number`
`description`	`string`
`domain`	`string`
`id` *	`string`
`name` *	`string`
`source`	`string`	Any of: `custom` `activeDirectory` `azureActiveDirectory`
`updatedAt`	`number`

Installation​

Configuration in JupiterOne​

Next steps​

Entities​

Relationships​

Sophos Account​

Sophos Alert​

Sophos Common​

Sophos Device​

Sophos Endpoint​

Sophos Endpoint Group​

Sophos Endpoint Protection​

Sophos Policy​

Sophos Role​

Sophos User​

Sophos User Group​