Sophos XDR

We are excited to announce that on December 11, 2023 we will be launching a Respond tab that enables Response Actions in the new Case Management (Cases) User Experience (UX).

Response Actions will start with Okta for the Identity (IAM) category and are powered by Sophos Factory.

Integration Setup in Threat Activity Center (TAC)

Setting up the Okta integration in the marketplace is required before response actions can be used and enabled in the Respond tab. The Okta integration uses the new Integration Credential Manager feature in Central Global Settings, which launches together with Response Actions. All new response actions will use Credential Manager, and in the long term we will expand the use of Credential Manager across Central.

Add Configuration 

Okta Response Actions can be set up by clicking the Add Configuration button. A wizard guides you through setting up the credential to use in XDR cases.

XDR Cases Respond Tab

The new Respond tab shows a list of all response actions available to users of the new case management feature in XDR.

Respond Tab Overview

Users can run four Okta response actions, located in the Identity category of the All Actions section at the top of the page.
The four response actions coming with Okta are:
  • Suspend User
  • Unsuspend User
  • Reset Password
  • Reset User Sessions
Additional categories are coming, including cloud, email, endpoint, firewall, network, and threat intel.
At the bottom of the page there is a table of response actions that have been run by the user. The table's columns are name, status, started, completed, action by, and results.

Response Action Run Dialog 

When a response action is selected, the user chooses an existing integration (or sets up a new one from the TAC integrations page), fills in the applicable input fields such as the username and the reason for running the response action, and clicks Run.

Once the response action run has started, it appears in the list on the Respond tab. A completed run shows its status and the other data applicable to the run, e.g. inputs and outputs.

Thank you to everyone who put in the hard work to make Response Actions a reality, including SecOps Engineering, SecOps PM, and the Sophos Factory Engineering team!

Please share feedback and enhancement requests for Response Actions in the comments, or reach out to the SecOps PM team.