Integrations for multiple sub-estates
Read this if you have multiple sub-estates and use Sophos Central Enterprise.
Integrations let Sophos gather data from third-party products and use it in threat investigations.
If you have multiple sub-estates and use Sophos Central Enterprise, you should use a single sub-estate for all your third-party integrations.
Why use a dedicated sub-estate?
If you use a single, dedicated sub-estate, all your integrations send data to the same place. This lets us correlate detections from different sources into a single case, giving you better results.
Setting up each integration only once, for a single sub-estate, also prevents duplicate data being sent to the Sophos Data Lake. And it prevents admins seeing data they don’t usually have access to.
What happens if you have the same integration for multiple sub-estates?
If you set up the same integration for multiple sub-estates, the detections that it gathers go to the Sophos Data Lake multiple times. That means we'll create duplicate cases in each sub-estate.
Also, admins in each sub-estate might see alerts associated with users and devices that their role doesn't usually let them see.
To fix these issues, delete the integration from all your sub-estates except one.