We are pleased to announce that today, May 19, we have released some exciting updates for all customers using Sophos EDR (Endpoint Detection and Response) with Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR.
Introducing the Sophos Data Lake
The Sophos Data Lake stores critical information from your EDR-enabled endpoints and servers, which means you get access to that data even if those devices are currently offline.
In addition to giving you key data from devices even when they are not online (for example, a device knocked offline during an attack, or a misplaced laptop), the Sophos Data Lake also enables event correlation on a much broader scale. For instance, you can quickly identify that a suspicious account has logged in across multiple devices.
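The cross-device correlation described above, worked through as an added example (not Sophos code, and not the real Data Lake schema): it loads a constructed set of logon events into an in-memory SQLite table named logon_events with assumed columns meta_hostname, username, logon_time and logon_type, then runs a single grouped query that returns every account seen on at least a chosen number of distinct hosts inside a time window. The query shape is what carries over to a Data Lake query; the table and column names would be replaced with the ones shown in the Sophos Central query editor.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample logon events (hostname, username, ISO-8601 UTC time, logon type).
# The schema is an assumption for this example, not the Sophos Data Lake schema.
# svc-backup touches four hosts in a ten-minute span; alice and bob stay on one host each.
SAMPLE_LOGON_EVENTS = [
    ("WS-0412",    "CORP\\svc-backup", "2021-05-18T22:03:11Z", "network"),
    ("WS-0517",    "CORP\\svc-backup", "2021-05-18T22:07:45Z", "network"),
    ("SRV-FILE01", "CORP\\svc-backup", "2021-05-18T22:09:02Z", "network"),
    ("SRV-SQL02",  "CORP\\svc-backup", "2021-05-18T22:12:30Z", "network"),
    ("WS-0412",    "CORP\\alice",      "2021-05-18T08:01:00Z", "interactive"),
    ("WS-0412",    "CORP\\alice",      "2021-05-18T13:15:00Z", "interactive"),
    ("WS-0988",    "CORP\\bob",        "2021-05-18T09:30:00Z", "interactive"),
    # Older event that falls outside a 7-day window and must not be counted.
    ("SRV-FILE01", "CORP\\svc-backup", "2021-05-10T22:00:00Z", "network"),
]

# One grouped query: per account, how many distinct hosts it logged on to in the window.
# Timestamps are fixed-width ISO-8601 strings, so string comparison orders them correctly.
CORRELATION_SQL = """
SELECT username,
       COUNT(DISTINCT meta_hostname)       AS host_count,
       MIN(logon_time)                     AS first_seen,
       MAX(logon_time)                     AS last_seen,
       GROUP_CONCAT(DISTINCT meta_hostname) AS hosts
FROM logon_events
WHERE logon_time >= :window_start
GROUP BY username
HAVING host_count >= :min_hosts
ORDER BY host_count DESC, username
"""


def load_events(rows):
    """Create the assumed logon_events table in memory and insert the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logon_events ("
        "meta_hostname TEXT, username TEXT, logon_time TEXT, logon_type TEXT)"
    )
    conn.executemany("INSERT INTO logon_events VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def window_start(reference_iso, days):
    """Return the ISO-8601 timestamp `days` before `reference_iso` (both UTC, 'Z' suffix)."""
    ref = datetime.strptime(reference_iso, "%Y-%m-%dT%H:%M:%SZ")
    return (ref - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def accounts_on_multiple_hosts(conn, window_start_iso, min_hosts=3):
    """Run the correlation query and return one dict per account meeting the threshold.

    GROUP_CONCAT order is not guaranteed by SQLite, so the host list is sorted here
    to give a stable result for reporting and for assertions.
    """
    cur = conn.execute(
        CORRELATION_SQL, {"window_start": window_start_iso, "min_hosts": min_hosts}
    )
    hits = []
    for username, host_count, first_seen, last_seen, hosts in cur:
        hits.append({
            "username": username,
            "host_count": host_count,
            "first_seen": first_seen,
            "last_seen": last_seen,
            "hosts": sorted(hosts.split(",")),
        })
    return hits


if __name__ == "__main__":
    conn = load_events(SAMPLE_LOGON_EVENTS)
    since = window_start("2021-05-19T00:00:00Z", days=7)
    for hit in accounts_on_multiple_hosts(conn, since, min_hosts=3):
        print(f"{hit['username']}: {hit['host_count']} hosts {hit['hosts']} "
              f"between {hit['first_seen']} and {hit['last_seen']}")
```

The threshold and window are parameters rather than literals so the same query can be scheduled with different sensitivities; lowering min_hosts to 1 turns it into a plain per-account host inventory, which is a useful baseline to compare a suspicious result against.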
Once you have identified an area of interest you can use Live Discover to query a device directly to get incredibly rich, live data and remotely access the device via Live Response to take appropriate action. It’s the best of both worlds.
Please note that you need to enable the Sophos Data Lake. In your Sophos Central console select 'Global Settings', then under Endpoint or Server Protection (or both) select the 'Data Lake uploads' setting and turn on the 'Upload to the Data Lake' toggle. Once enabled, we will perform scheduled hydration queries on your devices, which capture threat-hunting-related data and send it to the Data Lake. From the settings page you can also exclude specific devices from sending data to the Sophos Data Lake if you wish.
The Sophos Data Lake is available now for Windows and Linux devices. Mac support will come later this year.
Scheduled queries
One of the top requested features, this release introduces scheduled queries, which means critical information can be ready and waiting for you. Queries can be scheduled to run overnight so key data is ready for assessment the next day.
To set up a scheduled query, first choose a query by going to 'Threat Analysis Center' and then 'Live Discover'. When you have selected the query you want to run, you will see a new option to schedule it instead of running it immediately. Scheduled queries are currently only available for Sophos Data Lake queries.
When the query has been successfully scheduled, it will appear in your 'Scheduled Queries' list.
Enhanced usability
We've introduced new pivoting functionality to help simplify the investigation process from Live Discover results. You can pivot from one query directly to other suggested queries. You can initiate actions like starting a Live Response session or generating a Threat Case directly from query results, and you can also easily jump from results to some third-party sites which can help enrich the result data.
Sophos XDR
Today we are also releasing Sophos XDR (Extended Detection and Response). Sophos XDR goes beyond endpoints and servers, pulling in rich Sophos Firewall and Sophos Email data, with more XDR-enabled products coming soon.
Here are just a few Sophos XDR use cases:
How can I get Firewall and Email data into the Data Lake?
Sophos Central Email Advanced:
For customers who have enabled the Office 365 integration and the Search and Destroy feature, data will automatically be sent to and be queryable in the Data Lake.
Sophos Firewall (XG/XGS) with Xstream Protection:
Customers need to enable their 'Send reports and logs to Sophos Central' setting on the Central synchronization settings page.
Love the pivoting feature! Is Sophos continuously working on new Data Lake queries, and are all Data Lake queries accessible via the API?
Working on it :)
hold shift, then go to the bottom of the list: that's true
we only list in batches of 50 though so still not ideal: that's also true
Thanks for confirming. Can you push someone internally so that the team improves this table?
So a bit of help for you: it looks like you can select the first device, hold shift, then go to the bottom of the list and select the last device, and that will select all devices. I think we only list in batches of 50 though, so still not ideal.
That's exactly right, Kyle. These are the queries Sophos is running behind the scenes to capture all the interesting data that ends up queryable in the Data Lake. In Live Discover, if you select the Data Lake queries you can see there are over 100 built-in queries that can be run on the Data Lake data, and the great thing is you'll be able to quickly query that data and get results from devices that may be offline at that point in time.