The XDR Sensor is a new deployment option specifically designed for prospects/customers who are unwilling or unable to replace their existing, non-Sophos endpoint protection platform with the full Sophos Intercept X Advanced with XDR agent but are interested in benefiting from our endpoint detection, investigation, and response capabilities. Primary use cases include:
What Capabilities Does the Sophos XDR Sensor Enable?
The Sophos XDR Sensor operates in a detection and response-only mode, which means it does not provide automated protection/prevention actions. The customer or prospect will continue relying on their existing third-party endpoint protection tool and will benefit from the following capabilities enabled by the Sophos XDR Sensor.
Threat Detection Capabilities:
Threat Investigation Capabilities:
Scheduled / rule-based data lake queries
Threat Response Capabilities:
Supported Platforms:
How to deploy:
The easiest method to deploy the Sensor is from the Protect Devices page in Central. Customers with an Intercept X Advanced with XDR Endpoint and/or Server entitlement will now have access to the XDR Sensor installers (these installers are pre-configured to only install the XDR sensor):
When downloading the installer or managing endpoint software to deploy the XDR Sensor, or to downgrade to the XDR Sensor, a warning will appear to caution that you must ensure you are running third-party protection if deploying in this mode:
To ensure you can run Live Discover Data Lake queries, you should also ensure that you have enabled Data Lake uploads for your endpoints/servers:
XDR customers expecting full protection and detection capabilities should ensure they are running the full Intercept X Advanced with XDR agent and not the XDR Sensor.
Thanks,
Kevin
Hi Rodmy, the XDR Sensor is a new deployment option available to our Intercept X Advanced with XDR customers and requires that license. A new customer always has the option to trial the XDR Sensor: when starting a new Central trial, a customer will get a trial of Intercept X Advanced with XDR and therefore could choose to deploy in this mode during the trial.
Hi Kevin, does the XDR Sensor come with a fee or license, or is it free?
Hi Sinan,
The XDR Sensor will raise Detections based on activity it sees on the device. It is completely independent of any third-party AV being run and doesn't take data from third-party AV into account.
What you are looking for is exactly what we expect to achieve using Integrations (formerly referred to as 'Third Party Connectors') in Sophos Central. The 'Microsoft Graph Security - API' Integration should currently be available to XDR and MDR customers, and there are also some additional third-party AV Integrations available to customers of our MDR Services.
The Graph Security API Integration will send MS Defender data into the Sophos Data Lake. I don't think you should expect that every MS detection event will show up as a detection in the XDR Detections dashboard, but the data should be queryable and I'd expect over time Sophos will look to tune to create Detections based on the most useful events we are seeing where possible. You can find some details on setting up the Integration here: https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/Integrations/Microsoft/MSgraphSecurity/index.html
There was also some useful information shared when this feature was in early access that you might find useful:
Sophskills June 2 2022 - Microsoft Graph Security connector - Early Access Program
How to view ALL my Microsoft Graph Security Detections
Hi Kevin, thanks for this post. Can I ask if there would be any communication between a third-party AV agent and an XDR sensor on an endpoint regarding the detections triggered on the third-party AV? I tested this with Defender and downloaded the EICAR file, which was stopped by Defender, but I didn't see this detection in Central. Is this by design, please? Any other information around third-party AV to XDR sensor communications would be greatly appreciated. I am sure "integrated" security products will forward their logs to MDR, but I am focusing on the antivirus aspect in isolation.
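The EICAR test described in the post above, reproduced as an added example that is not part of the original thread and is not Sophos code. It assumes a Windows host running Microsoft Defender Antivirus with the Defender PowerShell module (`Get-MpThreatDetection`) available, and shows where Defender itself records the detection locally, which is the data that never reaches the XDR Sensor.

```powershell
# Added example (not from the original thread): reproduce the EICAR test from the post
# above and show where Defender records the detection on the device. Assumes Windows with
# Microsoft Defender Antivirus and its PowerShell module. The EICAR string is split in two
# so the script file itself is not quarantined when saved to disk.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar-test.com'

# Write the test file. With real-time protection on, Defender normally quarantines it within seconds.
[System.IO.File]::WriteAllText($path, $eicar)
Start-Sleep -Seconds 10

# 1. Defender's own record of the detection (this is local to Defender; the XDR Sensor does not read it).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'eicar' } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-List

# 2. The matching events in the Defender operational log
#    (1116 = malware detected, 1117 = action taken on the detection).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddMinutes(-5)
} | Select-Object TimeCreated, Id, Message | Format-List

# 3. Confirm the file was removed from disk (expect False once Defender has quarantined it).
Test-Path $path
```

Seeing the detection in steps 1 and 2 but nothing in the Central Detections dashboard is the behaviour Kevin describes: the sensor raises detections only from its own telemetry, and Defender's records reach the Sophos Data Lake through the Microsoft Graph Security API Integration, not through the sensor.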