Skip to content

Sophos EDR

Overview

Sophos EDR monitors, detects and mitigates threats on endpoints. This EDR reduces the attack surface and prevents attacks by using anti-exploit, anti-ransomware, and advanced control technologies.

This setup guide shows how to forward user assets from Sophos EDR to Sekoia.io.

  • Vendor: Sophos
  • Product: Sophos EDR
  • Supported environment: Cloud

Configure

Create Sophos EDR credentials

Warning

If you have a "Partner" or "Organization" entity, you need to do the following procedure on every tenant attached to it. Please find more information in the official documentation.

In the Sophos Central Admin console:

  1. On the left panel, go to Global Settings and select API Credentials Management.
  2. Click on Add Credential to create a credential dedicated to Sekoia.io.
  3. Give it a name, select the role Service Principal ReadOnly and click on Add.
  4. In the API credential Summary, copy the Client ID and the Client Secret. It will be used later in Sekoia.io to retrieve the assets.

Create your asset connector

To start getting your Sophos assets into Sekoia.io, you need to create an asset connector on the Assets page. To do so, follow these steps:

  1. Click the Asset connectors button to create a new connector.

    Asset connectors button highlighted

  2. Click the + New connector button.

    create_asset_step_2.png

  3. Choose Sophos EDR users, give it a name, and fill the required fields in the account field:

    • Account name: The name of the Sophos EDR account you want to connect to.
    • Client ID: The client ID of the API credential you created in the Sophos Central Admin console.
    • Client Secret: The client secret of the API credential you created in the Sophos Central Admin console.
    • API Host: The API host URL of your Sophos EDR instance (default: https://api.central.sophos.com).
    • OAuth2 authorization URL: The Sophos OAuth2 token endpoint (default: https://id.sophos.com/api/v2/oauth2/token).

    Sophos EDR connector configuration form

  4. Test the connection by clicking the Test connector button.

    Connector test result and Create asset connector button highlighted

  5. Click the Create asset connector button.

OCSF Mapping for Sophos EDR Users

OCSF Class: User Inventory Info

Class UID: 5003

OCSF Version: 1.6.0

Information Collected

The Sophos EDR Users fetch comprehensive information and transform it into the OCSF (Open Cybersecurity Schema Framework) format for standardized security monitoring and asset management.

API Response Examples

Named user with email

A Sophos directory user with full name and email address

{
  "id": "00000000-0000-0000-0000-000000000001",
  "name": "Jane Doe",
  "firstName": "Jane",
  "lastName": "Doe",
  "email": "jane.doe@example.com",
  "exchangeLogin": "",
  "groups": { "total": 0, "itemsCount": 0, "items": [] },
  "tenant": { "id": "00000000-0000-0000-0000-000000000010" },
  "source": { "type": "custom" },
  "createdAt": "2023-06-16T15:00:56.473Z",
  "updatedAt": "2023-06-16T15:00:56.870Z"
}

Windows local account

A Sophos directory user representing a Windows local account (DOMAIN\username)

{
  "id": "00000000-0000-0000-0000-000000000002",
  "name": "DESKTOP-ABC1234\\jdoe",
  "groups": { "total": 0, "itemsCount": 0, "items": [] },
  "tenant": { "id": "00000000-0000-0000-0000-000000000010" },
  "source": { "type": "custom" },
  "createdAt": "2025-12-10T12:49:12.371Z",
  "updatedAt": "2025-12-11T12:22:37.223Z"
}

User with groups

A Sophos directory user that belongs to one or more groups

{
  "id": "00000000-0000-0000-0000-000000000003",
  "name": "John Smith",
  "email": "john.smith@example.onmicrosoft.com",
  "groups": {
    "total": 1,
    "itemsCount": 1,
    "items": [
      {
        "id": "00000000-0000-0000-0000-000000000020",
        "name": "example.onmicrosoft.com",
        "displayName": "example.onmicrosoft.com"
      }
    ]
  },
  "tenant": { "id": "00000000-0000-0000-0000-000000000010" },
  "source": { "type": "custom" },
  "createdAt": "2023-11-20T09:46:38.886Z"
}

Data Mapping Table

The following table shows how source data is mapped to OCSF model fields:

Source Field OCSF Field Path Description Data Type Logic
static: 2 activity_id OCSF activity ID – always 2 for Collect integer -
static: Collect activity_name OCSF activity name string -
static: Discovery category_name OCSF category name string -
static: 5 category_uid OCSF category UID integer -
static: User Inventory Info class_name OCSF class name string -
static: 5003 class_uid OCSF class UID integer -
static: 500302 type_uid OCSF type UID integer -
static: User Inventory Info: Collect type_name OCSF type name string -
static: Informational severity Event severity string -
static: 1 severity_id OCSF severity ID integer -
static: Sophos EDR metadata.product.name Source product name string -
static: N/A metadata.product.version Product version string -
static: 1.6.0 metadata.version OCSF schema version string -
updatedAt (fallback: createdAt, then now) time OCSF event timestamp timestamp Parse ISO-8601 timestamp; convert to Unix epoch float
id user.uid Unique Sophos user identifier → OCSF user.uid string Direct mapping
name user.name Display name of the user string Direct mapping
firstName + lastName user.full_name Full name constructed from first and last name fields string Concatenate firstName and lastName with a space when either is present
email user.email_addr Primary email address of the user string Direct mapping; omitted when null or empty
static: User user.type_id / user.type OCSF user type classification integer / string All Sophos directory users are classified as UserTypeId.USER (1)
name (presence of backslash and absence of email) user.account.type_id / user.account.type Account type inferred from the name format integer / string If name contains '\' and email is absent → AccountTypeId.WINDOWS_ACCOUNT (2) Otherwise → AccountTypeId.UNKNOWN (0)
groups.items[].id + groups.items[].name user.groups[] Groups the user belongs to array Map each group item to an OCSF Group object (uid=id, name=name)
tenant.id user.org.uid / user.org.name Sophos tenant → OCSF organization string Tenant ID is used for both uid and name of the Organization object
updatedAt (or createdAt) per user context.known_users[id] Incremental collection checkpoint for change detection string A full id→timestamp snapshot is persisted at the end of each run. On the next run, users whose timestamp matches the cache are skipped (change-detection).

OCSF Model Structure

Named user with email – OCSF output

Transformed OCSF UserOCSFModel for a user with firstName/lastName/email

{
  "activity_id": 2,
  "activity_name": "Collect",
  "category_name": "Discovery",
  "category_uid": 5,
  "class_name": "User Inventory Info",
  "class_uid": 5003,
  "type_name": "User Inventory Info: Collect",
  "type_uid": 500302,
  "severity": "Informational",
  "severity_id": 1,
  "time": 1686927656.87,
  "metadata": {
    "product": { "name": "Sophos EDR", "version": "N/A" },
    "version": "1.6.0"
  },
  "user": {
    "uid": "00000000-0000-0000-0000-000000000001",
    "name": "Jane Doe",
    "full_name": "Jane Doe",
    "email_addr": "jane.doe@example.com",
    "type_id": 1,
    "type": "User",
    "account": {
      "name": "Jane Doe",
      "type_id": 0,
      "type": "Unknown",
      "uid": "00000000-0000-0000-0000-000000000001"
    },
    "groups": null,
    "org": {
      "uid": "00000000-0000-0000-0000-000000000010",
      "name": "00000000-0000-0000-0000-000000000010"
    }
  }
}