Sophos Data Extraction Guide (for SIM Template)

Sophos Endpoint collects device and application information through its endpoint agent and reports it to Sophos Central.
The relevant data sources for SIM import are:

• Endpoints (Computers / Servers) – Device name, operating system, and status.

• Installed Applications – Software name, version, and publisher detected on endpoints.

• Sophos Central REST API – Programmatic access to endpoint and application inventory data.

Note: Visibility of installed applications requires Endpoint Inventory to be enabled in Sophos Central.

Prerequisites

For Console (UI) Method

• Access to Sophos Central Admin.

• Role with permission to view Endpoints and Inventory data.

• Endpoint agents actively reporting and in a healthy state.

• Permission to export inventory data (CSV).

For API Method

• Sophos Central API credentials (Client ID and Client Secret).

• Access to the Sophos Central API endpoint (https://api.central.sophos.com).

• A PowerShell, curl, or Postman environment to execute REST API calls.

• (Recommended) Understanding of pagination and rate limits for large estates.

Recommended Query or Method

Two supported extraction methods are available.

Option 1: Sophos Central Console Export (UI)

This method is suitable for manual or ad-hoc exports.

Steps

1. Log in to Sophos Central Admin.

2. Navigate to Devices → Computers.

3. Select one or more devices, then open View details → Software / Applications.

4. Use the Export option (where available) or switch to Reports → Inventory.

5. Ensure the following fields are included:

   • Device Name

   • Application Name

   • Version

   • Publisher

6. Export the report as CSV.

7. Save the file as Sophos_SIM_Export.csv.

Tip: For recurring exports, create a custom Inventory Report under Reports.

Option 2: Sophos Central REST API (Recommended for Automation)

For automated or large-scale environments, use the Sophos Central APIs.

Step 1: Authenticate to Sophos Central

# Sophos Endpoint SIM Template Export Script
# Requires Sophos Central API credentials

$ClientId = "YOUR_CLIENT_ID"
$ClientSecret = "YOUR_CLIENT_SECRET"
$TenantId = "YOUR_TENANT_ID"
$ExportPath = "C:\Exports\Sophos_SIM_Export.csv"

# Get OAuth token
$TokenResponse = Invoke-RestMethod -Method Post `
  -Uri "https://id.sophos.com/api/v2/oauth2/token" `
  -Headers @{ "Content-Type" = "application/x-www-form-urlencoded" } `
  -Body "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret"

$AccessToken = $TokenResponse.access_token

Step 2: Retrieve Endpoint and Application Data

$Headers = @{
    "Authorization" = "Bearer $AccessToken"
    "X-Tenant-ID"   = $TenantId
    "Accept"        = "application/json"
}

# Get endpoints
$Endpoints = Invoke-RestMethod -Uri "https://api.central.sophos.com/endpoint/v1/endpoints?pageSize=100" `
    -Headers $Headers -Method Get

$ExportData = @()

foreach ($Endpoint in $Endpoints.items) {
    # Get installed applications per endpoint
    $Apps = Invoke-RestMethod -Uri "https://api.central.sophos.com/endpoint/v1/endpoints/$($Endpoint.id)/applications" `
        -Headers $Headers -Method Get

    foreach ($App in $Apps.items) {
        $ExportData += [PSCustomObject]@{
            "Device Name"        = $Endpoint.hostname
            "Software Name"      = $App.name
            "Software Version"   = $App.version
            "Software Publisher" = $App.publisher
        }
    }
}

# Export to CSV
$ExportData | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8
Write-Host "Export complete: $ExportPath"

For large environments, loop through paginated results using the pageFromKey parameter returned by the API.

Exporting to CSV

• Console Method:
  Export directly from Reports → Inventory or the device inventory view as CSV.

• API Method:
  The PowerShell script automatically generates Sophos_SIM_Export.csv.

Ensure the CSV includes the following headers: