AppOmni integration
You can integrate AppOmni with Sophos Central so that it sends data to Sophos for analysis.
This page gives you an overview of the integration.
AppOmni product overview
AppOmni is a SaaS security platform that provides visibility, risk detection, and access control for cloud applications. It helps organizations prevent data exposure, enforce security policies, and monitor threats across their SaaS environments.
What we ingest
Sample alerts seen by Sophos:
- Mass Download Actions
- Group Policy Object deletion by USERNAME
- Suspicious Location Detected
- Mail Transport Rule Deleted or Disabled
- Suspicious Session Activity Detected
We also ingest many other standard alert types.
Alerts ingested in full
We query the internal detection alerts endpoint that AppOmni provides to us. This endpoint is not documented in AppOmni's public API documentation.
Filtering
We filter only to confirm that the returned data is in the expected format. We do not drop any alerts.
Sample threat mappings
{"alertType": "Mass Download Actions", "threatId": "T1213", "threatName": "Data from Information Repositories"}
{"alertType": "Group Policy Object deletion by USERNAME", "threatId": "T1485", "threatName": "Data Destruction"}
{"alertType": "User Added To High Privileged Role", "threatId": "TA0003", "threatName": "Persistence"}
{"alertType": "Suspicious Location Detected", "threatId": "T1078", "threatName": "Valid Accounts"}
{"alertType": "Mail Transport Rule Created or Updated", "threatId": "T1098.002", "threatName": "Exchange Email Delegate Permissions"}
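As an added example (not Sophos's or AppOmni's own code), the following Python applies the two rules described above to ingested alerts: a format check that flags malformed records without dropping them, and a MITRE ATT&CK lookup against the sample mappings. The alert fields timestamp and severity, and the treatment of USERNAME in an alert type as a placeholder for the acting user, are assumptions.

```python
import json
import re

# Sample threat mappings from this page, as newline-delimited JSON (copied here so the example runs offline).
MAPPINGS_NDJSON = """\
{"alertType": "Mass Download Actions", "threatId": "T1213", "threatName": "Data from Information Repositories"}
{"alertType": "Group Policy Object deletion by USERNAME", "threatId": "T1485", "threatName": "Data Destruction"}
{"alertType": "User Added To High Privileged Role", "threatId": "TA0003", "threatName": "Persistence"}
{"alertType": "Suspicious Location Detected", "threatId": "T1078", "threatName": "Valid Accounts"}
{"alertType": "Mail Transport Rule Created or Updated", "threatId": "T1098.002", "threatName": "Exchange Email Delegate Permissions"}
"""

# Fields an ingested alert is expected to carry (assumed schema; AppOmni's real field names are not on the page).
REQUIRED_FIELDS = {"alertType": str, "timestamp": str, "severity": str}


def load_mappings(ndjson):
    """Compile each alertType into a regex. USERNAME is assumed to be a placeholder
    that matches the actual user named in the live alert."""
    compiled = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        m = json.loads(line)
        pattern = re.escape(m["alertType"]).replace("USERNAME", r"(?P<user>\S+)")
        compiled.append((re.compile(rf"^{pattern}$"), m["threatId"], m["threatName"]))
    return compiled


def check_format(alert):
    """Return a list of format problems; an empty list means the record is well-formed."""
    problems = []
    for field, typ in REQUIRED_FIELDS.items():
        if field not in alert:
            problems.append(f"missing {field}")
        elif not isinstance(alert[field], typ):
            problems.append(f"{field} is not {typ.__name__}")
    return problems


def enrich(alert, mappings):
    """Annotate an alert with its format status and ATT&CK mapping. The alert is never
    dropped: unknown alert types pass through with threatId and threatName set to None."""
    out = dict(alert)
    out["formatProblems"] = check_format(alert)
    out["threatId"] = out["threatName"] = None
    name = alert.get("alertType")
    if isinstance(name, str):
        for rx, tid, tname in mappings:
            match = rx.match(name)
            if match:
                out["threatId"], out["threatName"] = tid, tname
                if "user" in match.groupdict():
                    out["actor"] = match.group("user")  # the user from the USERNAME slot
                break
    return out
```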