Sophos continues to enhance our new EDRv3 capabilities, and over the past week numerous improvements have been introduced:
Role Based Access Controls for the Live Response Beta:
One of the top requests received for the Live Response Beta during the Early Access Program was to give Administrators better control over which Central admins can use Live Response and which can manage the Live Response settings. We are pleased to announce that we have now introduced role-based access controls that help achieve this.
Nothing changes for Administrators with Super Admin permissions: they will continue to have the ability to start Live Response sessions on all supported devices and to manage Live Response endpoint and server settings. Also, any admin looking to start Live Response sessions will still be required to have signed in to Central using multi-factor authentication.
To give permissions to other types of admin accounts, create new Custom Roles using our Role Management capabilities on the Global Settings page. When creating a new role, if you choose Endpoint Protection -> Full, at the bottom of the page you will see the option to select and enable the ability to 'Start Live Response sessions on computers' and/or 'Manage Live Response settings for computers'.
Similarly, if you choose Server Protection -> Full, you will see the option to select and enable the ability to 'Start Live Response sessions on servers' and/or 'Manage Live Response sessions for servers'.
If 'Start Live Response sessions on computers' (or servers) is enabled, admins with this custom role will be able to initiate Live Response sessions on computers or servers.
If 'Manage Live Response settings for computers' (or servers) is enabled, admins with this custom role will be able to manage the Endpoint and/or Server Live Response Global Settings pages.
Note: If you choose Endpoint Protection -> Helpdesk or Server Protection -> Helpdesk, you will see the option to 'Start Live Response sessions on computers/servers'; however, you won't be offered the ability to 'Manage Live Response settings for computers or servers'.
Check out a video walking through the new functionality here.
Live Discover Canned Queries:
Last week we also introduced approximately 40 new Live Discover queries, bringing the total number of built-in queries up to 83, so please check them out and have a play. Also, to see custom queries others have written or to get a hand writing your own Live Discover query, please check out the Live Discover query forum here.
Live Response now available to Linux in early access program:
A new version of our Linux EDR agent is now available to customers in our New Server Protection and EDR Features early access program. This version of the agent now supports Live Response; you can see a demo of the Live Response functionality on Linux here.