We're pleased to announce that the XDR & EDR Data Lake Early Access Program is now publicly available to our Intercept X Endpoint and Server customers.

For customers who join and enroll devices into these endpoint and/or server early access programs, the version of the endpoint/server that will get installed to enrolled devices will run scheduled Sophos managed threat hunting focused queries (similar to those run by the Sophos Managed Threat Response team).  The results of queries will be stored in the new Sophos Data Lake which is queryable via APIs and also via our Live Discover functionality in Sophos Central.  The Sophos Data lake will include XG Firewall data if Central Firewall reporting is enabled.   This new functionality means that customers will be able to threat hunt using this offline data regardless of the actual state of the device.  Admins will have the ability to:

  • Query device information even when it is offline or destroyed
  • Correlate information between devices and XG Firewall data
  • Track lateral movement between devices
  • Use data lake queries to search for Indicators of compromise across all devices without generating CPU load on the devices

To get started now check out this blog post 

Customer interested in the topics below will be great candidates for this early access program: 

  • Customers using Live Discover and who would like to be able to query data from offline devices.
  • Admins who have a role where they are tasked with threat hunting or incident remediation
  • Customers looking to correlate XG Firewall data with their endpoint and server data
  • Customers who want to run queries via APIs

Over the coming months then we plan to introduce some exciting new functionality in to Central to allow customers to:

  • Introduce pivot capabilities to start a new query from an existing query
  • Enrich the data provided in query results
  • Provide One-Click actions from query results

Check out this blog post which tells you everything you need to know about joining the EAP and please visit our XDR EAP community here where you'll find all related blog posts, a query and file repository, and a discussion forum where you can ask your EAP related questions.  

Anonymous