We are excited to announce that Intercept X for Server Advanced with EDR has been enhanced with powerful cloud visibility features from Cloud Optix.
In addition to even more detail on AWS, Azure and GCP cloud workloads, this integration gives Sophos partners and customers critical insight into their wider cloud environment including security groups, hosts, shared storage, databases, serverless, containers and more.
Hi everyone,
Sophos Central Migration Tool v2.1.0 has been released! This tool helps administrators to move management of protected computers from Sophos Enterprise Console 5.0 and later to Sophos Central. Please see the following articles for more information:
Sophos continues to enhance our new EDRv3 capabilities and over the past week numerous improvements have been introduced:
Role Based Access Controls for the Live Response Beta:
One of the top requests received during the Live Response Beta during the Early Access Program was to provide Administrators better control around defining Central admins who can use Live Response and who can manage the Live Response settings.
The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries:
Deleted security groups -
Variable to specify the number of days to checkWindows
/* Deleted Security Groups */SELECT source, eventid, CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made', JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS…
Last week SophosLabs published a report about the Glupteba malware. According to Sophos Labs this malware family has been growing in numbers. "This malware, with its hard-to-pronounce name, has been getting regular updates and feature enhancements that seem to be focused on its ability to conceal itself from detection on infected computers....The core malware is, in essence, a dropper with extensive backdoor functionality, but…
We are thrilled to announce that the latest version of Sophos EDR (endpoint detection and response) is now available to all Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR customers. This release brings powerful new capabilities that enable both IT admins and security analysts to ask detailed IT operations and threat hunting questions across their entire estate. It also provides new functionality …
There have been posts about our exciting new Linux EDR release elsewhere on the forum, but in case you missed them; here they are!We have had our Live Discover feature available for Linux Servers in our Early Access Program for a couple of months; this will be launching next week. Live Discover allows admins to search their data to answer almost any question they can think of by searching across their servers using SQL…
In the next two weeks we will be fully launching the EDR Live Discover for LINUX.
The capabilities on Linux are simply astounding, we have been busy creating the prebuilt queries and finishing the last bit of work before this is fully available.
In the video, Ethan Vince-Urwin, one of the core linux developers who has been building the features we all love takes the product for a test drive and shows off some of the power…
See the story from SophosLabs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/
The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks is that many of the indicators of compromise are non-deterministic. The domain names and URLs they use are all auto generated. I read through the article and crafted a query to check if you have experienced…
We are thrilled to announce that the latest version of Sophos EDR (endpoint detection and response) is now available in Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR. This release brings powerful new capabilities that enable both IT admins and security analysts to ask detailed IT operations and threat hunting questions across their entire estate. It also provides new functionality to remotely respond…
We have added a new table to the sophos forensics journals. The sophos_process_activity table.
Often as part of an investigation you need to to get a quick view of what a process did in the past and this table provides a quick lookup location for that information.
This table contains a subject for each of the other Sophos 'journals' and collects some of the more useful information like Registry Key/Values for the registry…
Posting a query to the Live Discover Queries board will now include a review process. This will allow us to review any question and proposed answer prior to it being visible by others. We are adding this to ensure that the content of the queries do not contain anything inappropriate and that the query has been reviewed and tested and is not believed to cause harm. as for how well it does what it says. we advise administrators…
While we have the schema posted on the EAP community pages, I have had a number of request for how to find it and how to use it.
First how to find the schema(s):
From the Sophos Community: We provide a link to definition of the sophos windows schema on the community form in the documents section. You can downlaod the file with this link: https://community.sophos.com/products/intercept/early-access-program/m/files/9491/…
We're pleased to announce that a new version of the Sophos Endpoint user interface is being rolled out to customers. Windows clients will begin updating this week, with Windows servers following in June.
The key goal of the update is to better represent our different endpoint components (Intercept X, Central Device Encryption, and the upcoming Unified Endpoint Management agent), and to bring a consistent look across…
Starting on the week of may 18 we will be adding variable support to queries.
You can create queries that now include support for up to 6 variables. A variable will be given a $$ prefix and postfix and can be either a TEXT or DATE value. You will write your query and specify the variable information in the query. Then when you run it you will be able to simply drop in the information for the variable and we will automatically…
The week of May 18 we will be turning on two powerful new capabilities in the EAP, Edit Query and Query Variables.
CREATE, SAVE queries - With this new capability you can now create and save your own queries, This will allow you to start from scratch or modify an existing query. You will need to give your query a name, description, identify one or more categories it will be a part of and specify what operating systems…
Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.
We are excited to announce that Live Response is now available in early access.
Live Response allows admins to remotely connect to devices and get access to a command line interface so that detailed investigations can be performed, or to take prompt action to contain or remediate a…