Note: With special thanks to AK, mward19, Maxim-Sophos, and JoeLevy
This post provides information about Sophos XDR. It has three main sections:
The Sophos Data Lake includes information from Sophos and non-Sophos data sources. While performing a threat hunt, security analysts are not limited to the Sophos Data Lake. Various data enrichment and pivoting options are available to them, including pivoting to an endpoint or server to see real-time state and up to 90 days of historical data, a level of detail that a data lake alone cannot offer.
Sophos Data Sources

Data from the sources below lands in the Sophos Data Lake; for Endpoint and Server it is also available on the device itself (real-time state and up to 90 days of rich historical data, queried through Sophos Extensions and osquery). Example use cases are given per source where available; some are still to be published.

Intercept X Advanced with XDR enables access to detailed Windows and macOS information in on-premises, cloud and virtual environments for endpoint devices.

Intercept X Advanced for Server with XDR enables access to detailed Windows and Linux information in on-premises, cloud and virtual environments for servers and cloud workloads (AWS, Azure, GCP and Oracle).

Sophos Firewall enables access to rich network data in on-premises, cloud and virtual deployments.

Sophos Email Advanced delivers rich email data from Office 365 deployments.

Sophos Mobile Advanced delivers rich mobile configuration and usage data across Android, iOS and Chromebooks.

Cloud Optix Advanced provides access to key data from cloud deployments including workloads, security groups, containers, serverless functions and more across AWS, Azure, GCP and Oracle deployments.

Non-Sophos Data Sources
Security analysts can use telemetry and data from various resources to further understand a detection.
In Sophos XDR there is a concept of a Pivot. A pivot lets you select a significant piece of data (for example: a hash, IP address, device name, path, etc.) in a detection and use it as the basis for further investigation.
Pivots can be accessed by clicking on the ellipsis next to a particular item. Depending on the data type, a set of possible options will be displayed.
For example, clicking the icon beside an IP address lets you run queries based on that IP address or look up third-party information about risks associated with it.
Sophos provides a number of default pivots and data enrichments for various data types. Security analysts can create their own pivots and enrichments, whether they search the Sophos Data Lake or an external resource. Sophos XDR learns from the analyst's behaviour and presents the most frequently used pivots and enrichments as the first options.
Enrichments are user programmable. Any web service is potentially an enrichment, and security analysts can access internet-based repositories for additional data such as YARA rule repositories, compliance rules and threat actor information.
Direct enrichment as part of a detection or investigation can add context from any online resource accessible with curl.
A curl request can fetch internet-hosted documents, rules or other data. The YARA scanning example referred to above connects out to the YARA project site at https://virustotal.github.io/yara/ to index the list of available YARA rules and to pull the selected rule down to the endpoint for execution. Because the endpoint then executes whatever the request returns, restrict such enrichments to HTTPS sources you trust and validate the fetched content before using it.
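The two mechanisms described above, the pivot menu keyed on an indicator's type and a curl-style enrichment that indexes a remote YARA listing and pulls one rule down for execution, are shown together in the following added example. It is illustration written for this page, not Sophos code: the detection record, its field names, the pivot option names, the rule listing and the URL are all constructed here, and the fetch function is injected so the block runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed detection record in the spirit of an XDR detection. The field
# names are assumptions for this example, not Sophos Data Lake schema.
DETECTION = {
    "device": "WS-FINANCE-07",
    "process_path": r"C:\Users\alice\AppData\Local\Temp\update.exe",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "remote_ip": "198.51.100.23",
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")


def classify(value: str) -> str:
    """Map a raw field value to the indicator type a pivot menu is keyed on."""
    if SHA256_RE.match(value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if WIN_PATH_RE.match(value) or value.startswith("/"):
        return "path"
    if HOST_RE.match(value):
        return "device"
    return "unknown"


# Default pivot menu per indicator type (option names are made up for the
# example), mirroring the three kinds of option the text describes: a Data
# Lake query, an on-device query, and a third-party lookup.
DEFAULT_PIVOTS: Dict[str, List[str]] = {
    "ip": ["datalake:connections_to_ip", "device:live_netstat", "thirdparty:ip_reputation"],
    "sha256": ["datalake:executions_of_hash", "device:find_file_by_hash", "thirdparty:file_reputation"],
    "path": ["datalake:events_for_path", "device:read_file_metadata"],
    "device": ["datalake:detections_for_device", "device:live_query"],
}


def pivot_menu(value: str, usage: Dict[str, int]) -> List[str]:
    """Pivot options for one value, most-used first (the 'learns from the
    analyst' behaviour). sorted() is stable, so an unused menu keeps the
    default order."""
    options = DEFAULT_PIVOTS.get(classify(value), [])
    return sorted(options, key=lambda o: -usage.get(o, 0))


def pivotable(detection: Dict[str, str]) -> Dict[str, str]:
    """Fields of a detection worth offering as pivots, with their indicator type."""
    return {k: classify(v) for k, v in detection.items() if classify(v) != "unknown"}


# Constructed YARA listing standing in for a file fetched from a rule repository.
SAMPLE_LISTING = """
rule SuspiciousTempExe
{
    meta:
        description = "constructed sample rule for this example"
    strings:
        $a = "update.exe"
    condition:
        $a
}

rule AnotherRule
{
    strings:
        $b = { 4D 5A }
    condition:
        $b at 0
}
"""

RULE_NAME_RE = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z_]\w*)", re.M)


def index_yara_rules(listing: str) -> Dict[str, str]:
    """Split a fetched YARA file into {rule_name: rule_text}. This is the
    'index the list of available rules' step; cutting at the next 'rule'
    keyword at line start is enough for well-formed files."""
    matches = list(RULE_NAME_RE.finditer(listing))
    index: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(listing)
        index[m.group(1)] = listing[m.start():end].strip()
    return index


def fetch_rule(url: str, name: str, fetch: Callable[[str], str]) -> str:
    """Pull one rule for on-endpoint execution. 'fetch' is injected so the
    example runs offline; in production it would be a curl or urllib GET.
    Plaintext HTTP is refused and the rule must parse with a condition,
    because the endpoint is about to execute whatever comes back."""
    if not url.startswith("https://"):
        raise ValueError("enrichment sources must be HTTPS")
    rule = index_yara_rules(fetch(url)).get(name)
    if rule is None or "condition:" not in rule:
        raise ValueError(f"rule {name!r} not found or malformed")
    return rule


if __name__ == "__main__":
    import json
    usage = {"thirdparty:ip_reputation": 3}  # constructed analyst history
    print(json.dumps(pivotable(DETECTION), indent=2))
    print(pivot_menu(DETECTION["remote_ip"], usage))
    # Hypothetical repository URL; the lambda stands in for the network fetch.
    print(fetch_rule("https://example.invalid/rules/index.yar", "SuspiciousTempExe",
                     fetch=lambda u: SAMPLE_LISTING))
```

The design point is in fetch_rule: an enrichment that pulls rules from the internet hands control of what runs on the endpoint to whoever controls that host, so the source is pinned to HTTPS and the rule is validated before it is returned.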
The following data enrichments and pivots are provided by Sophos:
Sophos Central is an open platform with an ever-expanding set of integration and API Partners. For the latest list, please refer to Sophos.com.
Sophos Central exposes APIs to automate security and management workflows. Information on getting started, how the APIs work, and the API documentation can be found on the Sophos Developer website.
The Sophos Community is a location where Sophos, Sophos Partners and Customers share valuable information.
Customers can use SIEM and data management solutions to ingest data via the SIEM Integration API.
SophosLabs Intelix allows anyone to leverage the technology behind SophosLabs through a suite of RESTful APIs.