With the launch of EDR 4.0 in May, Sophos has introduced significant enhancements to the Endpoint Detection and Response (EDR) offering. A key new EDR component is the Sophos Data Lake, which stores critical data from EDR-enabled devices and allows Live Discover to query that data even when devices are offline. For example, you can look back for unusual activity on a device that has been destroyed or taken without authorization. It’s an important part of cybersecurity visibility, giving organizations the ability to see their entire environment and quickly drill down to granular areas of interest. Data Lake retention periods are 7 days (EDR) and 30 days (with our new XDR offering). This is in addition to the up to 90 days of on-disk data stored on each device that could already be queried by Live Discover.
Please note that to query data in the Data Lake you need to enable the uploading of data to the Data Lake. In your Sophos Central console select ‘Global Settings’, then under Endpoint or Server Protection (or both) select the ‘Data Lake uploads’ setting and turn on the ‘Upload to the Data Lake’ toggle. Once enabled, we will perform scheduled hydration queries on your devices which capture interesting threat-hunting-related data and send it to the Data Lake. From the settings page you can also exclude specific devices from sending data to the Sophos Data Lake if you wish.
As Sophos continues to enhance Live Discover and its query capabilities, with an ever-expanding set of Sophos-provided queries for threat hunting and IT operations and new pivoting functionality to help simplify the investigation process from Live Discover results, a decision has been made to retire the EDRv1 Data Feed which powers the existing Threat Search and Threat Indicators functionality. From July 1st, 2021 these features will be removed from Sophos Central. Below are details on some new Data Lake queries which provide similar results to those available via the Central Threat Search and Threat Indicators functionality.
The Live Discover Query forum on the Sophos Intercept X Community is also a rich source of information and queries created by both Sophos Staff and EDR/XDR customers.
This Data Lake query will show network activity for a Sophos process ID that you specify and are looking to investigate. The query can be found on the query forum here.
Another benefit of using new Data Lake queries is that you can have critical information ready and waiting for you. Queries can be scheduled to run overnight so key data is ready for assessment the next day.
To set up a scheduled query you first need to choose a query by going to the ‘Threat Analysis Center’ and then ‘Live Discover’. When you have selected the Data Lake query you want to run, you will see a new option to schedule the query instead of running it immediately. Scheduled queries are currently only available for Sophos Data Lake queries.
When the query has been successfully scheduled it will appear in your ‘Scheduled Queries’ list.