After the launch of Intercept X Advanced with EDR in late 2018, we introduced the EDRv1 Data Feed (also known as the Trickle Feed) functionality to enable Administrators to easily view Threat Indicators and perform Threat Searches. Now there is a better way! The Live Discover functionality is the recommended approach to perform these tasks, and provides significantly richer results. Live Discover gives your Threat Hunters and IT Operations staff the ability to ask any question and get an extremely fast result.
Live Discover comes built in with an ever-expanding set of Sophos-provided queries for threat hunting and IT operations. The Live Discover Query forum on the Sophos Intercept X Community is also a rich source of information and queries created by both Sophos Staff and EDR customers. Below are links and details on some queries which provide similar results to those available via the Central Threat Search and Threat Indicators functionality. Run the queries to see the results, or customize them to suit your environment.
The built-in 'Connection and data transfer information' Live Discover query can take an IP address and date range as inputs and provide details on the data sent/received and the process involved.
Live Discover can query data stored on your endpoints from the past 90 days, compared to the 30 days of information stored with the EDRv1 Data Feed. With the introduction of the XDR and Data Lake capabilities later this year, Live Discover can query both the data stored on the endpoint and the data in the Data Lake. XDR also allows Threat Hunters to pivot from endpoint data and execute cross-product queries to see the bigger picture with information from their XG Firewall, Email, or Mobile devices.
The XDR and the Data Lake functionality are currently available in the Early Access Program (EAP). For more details and instructions on how to join the EAP, please read this article on the Sophos Community.
Your Sophos Team
Hi Ryan, I think we really just want to get to the position where we are investing in and providing the best tools to aid you in doing your work. I know you've been kindly testing some of our EAP Data Lake capabilities; if you don't mind, I'd love to catch up to get some feedback, and we can walk you through our upcoming plans and you can walk us through what's important to you. I'll drop you a message to set something up if you are up for it.
I'm kind of getting the feeling that there's a way Sophos wants analysts to work instead of listening to how analysts work.
I perform bulk indicator searches from third parties in Threat Search, then perform specific searches in Live Discover based on the results from Threat Search. It seems Threat Search is being kneecapped in favor of Live Discover when Threat Search is a valuable tool.