# Sophos Central Setup
Sophos Central provides endpoint detection and response capabilities. Once connected, Junto can monitor endpoint health, review security alerts, trigger scans, isolate compromised devices, and run Live Discover or XDR queries.
## Prerequisites
- A Sophos Central account with Partner or Organization level access
- OAuth 2.0 credentials (Junto connects via managed OAuth)
## Step 1: Connect via OAuth
- In Junto, go to Settings > Integrations > Sophos Central.
- Click Connect to start the OAuth flow.
- Sign in with your Sophos partner or organization account and grant the requested permissions.
- After authorization, you are redirected back to Junto with an active connection.
## Step 2: Map Companies to Tenants
Sophos Central uses a hierarchical model: Partner > Organization > Tenant. Each MSP client is typically a separate tenant.
- After connecting, Junto lists available tenants from your Sophos account.
- Use the company mapping interface to link each Junto company to its Sophos tenant.
- Save the mappings.
## What the AI Agent Can Do
### Endpoint Management
| Tool | Description | Risk Level |
|---|---|---|
| List Endpoints | Search endpoints by hostname, IP, serial number, or health status | Low |
| Get Endpoint Details | Get full endpoint info including health, OS, user, and isolation status | Low |
| Scan Endpoint | Trigger an on-demand malware scan | Medium |
| Isolate/Unisolate Endpoint | Enable or disable network isolation to contain threats | High |
| Get Isolation Status | Check whether an endpoint is currently isolated | Low |
### Security Alerts
| Tool | Description | Risk Level |
|---|---|---|
| List Alerts | List active security alerts with filtering by category or severity | Low |
| Get Alert Details | Get detailed information about a specific alert | Low |
### Live Discover
| Tool | Description | Risk Level |
|---|---|---|
| Search Queries | Search Live Discover query templates by name or description | Low |
| Run Query | Execute a Live Discover query against endpoints | Medium |
| Get Query Run Status | Check the progress of a running query | Low |
| Get Query Results | Retrieve results from a completed query | Low |
### XDR (Extended Detection and Response)
| Tool | Description | Risk Level |
|---|---|---|
| Run XDR Query | Execute SQL against the Sophos XDR data lake for threat hunting | High |
| Get XDR Run Status | Check the status of an XDR query | Low |
| Get XDR Results | Retrieve results from a completed XDR query | Low |
## Approval Policies
- Low-risk (read-only) tools run automatically without approval.
- Medium-risk tools (scans, Live Discover queries) require approval once per session.
- High-risk tools (endpoint isolation, XDR queries) always require approval.
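The three tiers above can be enforced as a small gate in front of every agent tool call. The following is an added illustration, not Junto's own code; the risk tiers come from the tool tables on this page, while the snake_case tool identifiers and the per-session approval tracking are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Risk(Enum):
    LOW = "low"        # read-only: runs without approval
    MEDIUM = "medium"  # approval once per session
    HIGH = "high"      # approval on every call

# Risk tiers as listed in the tool tables on this page. The snake_case tool
# identifiers are assumed; the page names tools in prose only.
TOOL_RISK = {
    "list_endpoints": Risk.LOW,
    "get_endpoint_details": Risk.LOW,
    "scan_endpoint": Risk.MEDIUM,
    "isolate_endpoint": Risk.HIGH,
    "unisolate_endpoint": Risk.HIGH,
    "get_isolation_status": Risk.LOW,
    "list_alerts": Risk.LOW,
    "get_alert_details": Risk.LOW,
    "search_queries": Risk.LOW,
    "run_query": Risk.MEDIUM,
    "get_query_run_status": Risk.LOW,
    "get_query_results": Risk.LOW,
    "run_xdr_query": Risk.HIGH,
    "get_xdr_run_status": Risk.LOW,
    "get_xdr_results": Risk.LOW,
}

@dataclass
class Session:
    """Per-session approval memory: medium-risk tools already approved."""
    approved_medium: set = field(default_factory=set)

def needs_approval(tool: str, session: Session) -> bool:
    """True if an operator must approve this call before it runs.
    Unknown tools fail closed and are treated as high risk."""
    risk = TOOL_RISK.get(tool, Risk.HIGH)
    if risk is Risk.LOW:
        return False
    if risk is Risk.MEDIUM:
        return tool not in session.approved_medium
    return True  # HIGH: approval is required on every call

def record_approval(tool: str, session: Session) -> None:
    """Remember a granted approval. Only medium-risk approvals persist for
    the session; a high-risk approval never carries over to the next call."""
    if TOOL_RISK.get(tool) is Risk.MEDIUM:
        session.approved_medium.add(tool)
```

Because the default for an unrecognised tool name is `Risk.HIGH`, adding a new tool without classifying it cannot silently make it run unattended.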
## Troubleshooting
- OAuth connection fails -- Ensure your Sophos Central account has Partner or Organization level API access.
- No tenants listed -- Verify your account type. Partner accounts see all customer tenants; Organization accounts see only their own.
- Endpoint not found -- Confirm the company mapping is correct.
- Live Discover queries returning no results -- Ensure target endpoints are online with the Sophos agent running.