We are pleased to announce that today, May 19, we have released some exciting updates for all customers using Sophos EDR (Endpoint Detection and Response) with Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR.

What’s new?

Introducing the Sophos Data Lake
The Sophos Data Lake stores critical information from your EDR-enabled endpoints and servers, which means you get access to that data even if those devices are currently offline.

In addition to being able to get key data from devices even when they are not online (for example if knocked offline during an attack, or a misplaced laptop) the Sophos Data Lake also enables event correlation on a much broader scale. For instance, being able to quickly identify that a suspicious account has logged in across multiple devices.

Once you have identified an area of interest you can use Live Discover to query a device directly to get incredibly rich, live data and remotely access the device via Live Response to take appropriate action. It’s the best of both worlds.

You get 7 days of retention in the data lake as standard (30 days with Sophos XDR) which is in addition to the existing up to 90 days of data stored directly on devices.

Please note that you need to enable the Sophos Data Lake. In your Sophos Central console select ‘Global Settings’ then under Endpoint or Server Protection (or both) select the ‘Data Lake uploads’ setting and turn on the 'Upload to the Data Lake' toggle. Once enabled we will perform scheduled hydration queries on for your devices which capture interesting threat hunting related data and send it to the Data Lake.  From the settings page you can also exclude specific devices from sending data to the Sophos Data Lake if you wish.  

The Sophos Data Lake is available now for Windows and Linux devices. Mac support will come later this year.

Scheduled queries
One of the top requested features, this release introduces scheduled queries. Meaning that you can have critical information ready and waiting for you. Queries can be scheduled to run overnight so key data is ready for assessment the next day.

To set up a scheduled query you first need to choose a query by going to the ‘Threat Analysis Center’ and then ‘Live Discover’. When you have selected the query you want to run you will see a new option to schedule the query instead of running it immediately. Scheduled queries are currently only available for Sophos Data Lake queries. 

When the query has been successfully scheduled it will appear in your ‘Scheduled Queries’ list.

Enhanced usability  
We've introduced new pivoting functionality to help simplify the investigation process from Live Discover results. You can pivot from one query directly to some other suggested new queries. You can initiate actions like starting a Live Response session or generating a Threat Case directly from query results, and you can also easily jump from results to some third party sites which can help enrich the result data.

Sophos XDR
Today we are also releasing Sophos XDR (Extended Detection and Response). Sophos XDR goes beyond endpoints and servers, pulling in rich Sophos Firewall and Sophos Email data with more XDR-enabled products coming soon.

Here are just a few Sophos XDR use cases:

IT Operations Threat Hunting
Identify unmanaged, guest, and IoT devices Extend investigations to 30 days without bringing a device back online
Why is the office network connection slow? Which application is causing it? Use ATP and IPS detections from the firewall to investigate suspect hosts
Look back 30 days for unusual activity on a missing or destroyed device Compare email header information, SHAs, and other IoCs to identify malicious traffic to a domain

How can I get Firewall and Email data in to the Data Lake (requires the XDR license)?

Sophos Central Email Advanced:

For customers who have enabled the Office 365 integration and the Search and Destroy feature data will automatically be sent and be queryable in the Data Lake.

Sophos Firewall (XG/XGS) with Xstream Protection:

Customers need to enable their 'Send reports and logs to Sophos Central' setting on the Central synchronization settings page.

How can I try out these new capabilities?

In product trials are started by clicking the 'Free Trials' link in the bottom of the Left Hand navigation menu in Sophos Central:

  • Central customers looking to try out EDR can start an Intercept X Advanced with EDR Endpoint and/or Server trial.
  • EDR customers looking to test out XDR capabilities can start an XDR trial.

Customers new to Sophos Central can initiate a new Central trial by clicking here.

Anonymous