Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=appomni-overview

AppOmni integration

API Public Cloud

You can integrate AppOmni with Sophos Central so that it sends data to Sophos for analysis.

This page gives you an overview of the integration.

AppOmni product overview

AppOmni is a SaaS security platform that provides visibility, risk detection, and access control for cloud applications. It helps organizations prevent data exposure, enforce security policies, and monitor threats across their SaaS environments.

Sophos documents

Integrate AppOmni

What we ingest

Sample alerts seen by Sophos:

  • Mass Download Actions
  • Group Policy Object deletion by USERNAME
  • Suspicious Location Detected
  • Mail Transport Rule Deleted or Disabled
  • Suspicious Session Activity Detected

We also ingest many other standard alert types.

Alerts ingested in full

We target the internal detection alerts endpoint provided to us by AppOmni and not featured in their external docs.

Filtering

We filter only to confirm data returned is in the correct format. We do not drop any alerts.

Sample threat mappings

{"alertType": "Mass Download Actions", "threatId": "T1213", "threatName": "Data from Information Repositories"}
{"alertType": "Group Policy Object deletion by USERNAME", "threatId": "T1485", "threatName": "Data Destruction"}
{"alertType": "User Added To High Privileged Role", "threatId": "TA0003", "threatName": "Persistence"}
{"alertType": "Suspicious Location Detected", "threatId": "T1078", "threatName": "Valid Accounts"}
{"alertType": "Mail Transport Rule Created or Updated", "threatId": "T1098.002", "threatName": "Exchange Email Delegate Permissions"}

Vendor documentation

AppOmni API