With the launch of EDR 4.0 in May, Sophos has introduced significant enhancements to the Endpoint Detection and Response (EDR) offering. A key new EDR component is the Sophos Data Lake, which stores critical data from EDR-enabled devices and allows Live Discover to query that data even when devices are offline. For example, you can look back for unusual activity on a device that has been destroyed or taken without authorization. It’s an important part of cybersecurity visibility, giving organizations the ability to see their entire environment and quickly drill down to granular areas of interest. Data Lake retention periods are 7 days (EDR) and 30 days (with our new XDR offering). This is in addition to the up to 90 days of on-disk device data that could already be queried by Live Discover.

Please note that to query data in the Data Lake you need to enable the uploading of data to the Data Lake. In your Sophos Central console select ‘Global Settings’, then under Endpoint or Server Protection (or both) select the ‘Data Lake uploads’ setting and turn on the 'Upload to the Data Lake' toggle. Once enabled, we will perform scheduled hydration queries on your devices, which capture interesting threat-hunting-related data and send it to the Data Lake. From the settings page you can also exclude specific devices from sending data to the Sophos Data Lake if you wish.

Sophos continues to enhance Live Discover and its query capabilities with an ever-expanding set of Sophos-provided queries for threat hunting and IT operations, and with new pivoting functionality that helps simplify the investigation process from Live Discover results. As a result, a decision has been made to retire the EDRv1 Data Feed, which powers the existing Threat Search and Threat Indicators functionality. From July 1st, 2021 these features will be removed from Sophos Central. Below are details on some new Data Lake queries which provide similar results to those available via the Central Threat Search and Threat Indicators functionality.

The Live Discover Query forum on the Sophos Intercept X Community is also a rich source of information and queries created by both Sophos Staff and EDR/XDR customers. 

Query: Description

Decode PowerShell commands: The 'Decode PowerShell commands' built-in Data Lake query decodes and lists PowerShell commands that are encoded with -encodedcommand.

Events involving a SHA-256: The 'Events involving a SHA-256' built-in Data Lake query lists information about events that involve a specified SHA-256 hash.

Network activity for Sophos Process ID: This Data Lake query will show network activity for a Sophos process ID that you define and are looking to investigate. The query can be found on the query forum here.

Threat Indicators: Similar to the Threat Indicators report in Central, this Data Lake query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment, with the added benefit that customers can fine-tune the query to help expand or reduce the resulting list. The query can be found on the query forum here.
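
The decoding that the 'Decode PowerShell commands' description refers to, shown as an added example that is not Sophos's query or code from this page: -encodedcommand takes Base64 of the UTF-16LE script text, and PowerShell accepts abbreviated forms of the switch. The function names and the command lines in SAMPLES are constructed for illustration.

```python
import base64
import binascii
import re

# A switch token followed by a Base64-looking argument (optionally quoted).
_SWITCH_ARG = re.compile(
    r"(?:^|\s)[-/]([A-Za-z]+)\s+[\"']?([A-Za-z0-9+/]+={0,2})[\"']?(?=\s|$)"
)


def is_encoded_switch(name):
    """PowerShell accepts any prefix of EncodedCommand (-e, -enc, ...) and the alias -ec."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(cmdline):
    """Return the decoded script text, or None if nothing decodable is present."""
    for match in _SWITCH_ARG.finditer(cmdline):
        switch, blob = match.groups()
        if not is_encoded_switch(switch):
            continue
        try:
            # -EncodedCommand takes Base64 of the UTF-16LE script text.
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            return raw.decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # the switch matched, but its argument does not decode
    return None


def _sample(script):
    """Build a constructed Base64 argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    "powershell.exe -NoProfile -EncodedCommand " + _sample("Get-Process"),
    "powershell.exe -ExecutionPolicy Bypass -enc " + _sample("Get-Date"),
    "powershell.exe -w hidden -e dwBoAG8AYQBtAGkA",
    "powershell.exe -ExecutionPolicy Bypass -File report.ps1",
    "powershell.exe -ec not_base64!",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(decode_encoded_command(line)), "<-", line)
```

Matching on the full switch name alone misses the short forms, which is why the check accepts every prefix of the switch as well as -ec.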

Scheduling Queries:

Another benefit of using new Data Lake queries is that you can have critical information ready and waiting for you. Queries can be scheduled to run overnight so key data is ready for assessment the next day.

To set up a scheduled query you first need to choose a query by going to the ‘Threat Analysis Center’ and then ‘Live Discover’. When you have selected the Data Lake query you want to run you will see a new option to schedule the query instead of running it immediately. Scheduled queries are currently only available for Sophos Data Lake queries. 

When the query has been successfully scheduled it will appear in your ‘Scheduled Queries’ list.