XDR Sensor deployment mode now available to Endpoint and Server XDR customers

7 Nov 2022

The XDR Sensor is a new deployment option specifically designed for prospects/customers who are unwilling or unable to replace their existing, non-Sophos endpoint protection platform with the full Sophos Intercept X Advanced with XDR agent but are interested in benefiting from our endpoint detection, investigation, and response capabilities. Primary use cases include:

For customers interested in our upcoming MDR service who want want/need to continue running third party endpoint protection. Those customers will run the XDR Sensor in combination with their existing endpoint protection technology while getting access to Sophos MDR, our fully managed 24/7 service.
Prospects who are currently using a non-Sophos endpoint protection tool but are interested in trialing Sophos as part of a proof-of-concept (POC) without it interfering with their existing endpoint protection platform.
Existing customers who are using Sophos endpoint protection (Intercept X Essentials or Intercept X Advanced) in one segment of their environment while using one or more non-Sophos endpoint protection tools in other segments. These customers may be looking to move their entire organization to Sophos over time but need to use the Sophos XDR Sensor to bridge the gap during the consolidation process.
Prospects who want to complement a non-Sophos endpoint protection tool with the detection, investigation, and response capabilities enabled through Sophos XDR. In many cases, these will be prospects who only have endpoint protection today but are looking for an immediate path to EDR and XDR capabilities.

What Capabilities Does the Sophos XDR Sensor Enable?

The Sophos XDR Sensor operates in a detection and response-only mode, which means it does not provide automated protection/prevention actions. The customer or prospect will continue relying on their existing third-party endpoint protection tool and will benefit from the following capabilities enabled by the Sophos XDR Sensor.

Threat Detection Capabilities:

On-device behavior and cloud-based detections

Threat Investigation Capabilities:

Live Discover (direct device and data lake queries)
Scheduled / rule-based data lake queries

Threat Response Capabilities:

Live Response (manual response)
Isolation (on Windows platforms only)

Supported Platforms:

Windows 10 x64 and later
Windows Server 2016 and later
MacOS Big Sur and later
All current supported Linux platforms

How to deploy:

The easiest method to deploy the Sensor is from the Protect Devices page in Central. Customers with an Intercept X Advanced with XDR Endpoint and/or Server entitlement will now have access to the XDR Sensor installers (these installers are pre-configured to only install the XDR sensor):

When downloading the installer or managing endpoint software to deploy the XDR Sensor or to downgrade to the XDR Sensor a warning will appear to caution that you must ensure you are running third party protection if deploying in this mode:

To ensure you can run Live Discover Data Lake queries you should also ensure that you have enabled Data Lake uploads for your endpoints/servers:

XDR customers expecting full protection and detection capabilities should ensure they are running the full Intercept X Advanced with XDR agent and not the XDR Sensor.

Thanks,

Kevin

Kevin Kingston 2 months ago in reply to Andrew Fox

Hi Andrew, I'll drop you a DM to try to give some help.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Andrew Fox 2 months ago

Is this feature available to customers with CMDR already deployed? We are looking to run a trial with a customer who is wanting to use MS Defender for a very specific piece of their estate, and this XDR Sensor option doesn't appear in the Protect Devices Tab, only the Complete Windows Installer.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Kevin Kingston 4 months ago in reply to Rodmy Rojas

Hi Rodmy, The XDR Sensor is new deployment option available to our Intercept X Advanced with XDR customers and requires that license. A new customer always has the option to trial the XDR Sensor, when starting a new Central trial a customer will get a trial of Intercept X Advanced with XDR and therefore could choose to deploy in this mode during the trial.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Rodmy Rojas 5 months ago

Hi Kevin, does XDR Sensor come with a fee? or license? or is it free?
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Kevin Kingston 5 months ago in reply to Sinan Taskin1

Hi Sinan,

The XDR Sensor will raise Detections based on activity it sees on device and is completely independent of third party AV being run and doesn't take data from third party AV into account.

What you are looking for is exactly what we expect to achieve using Integrations (formerly referred to as 'Third Party Connectors') in Sophos Central. The 'Microsoft Graph Security - API' Integration should currently be available to XDR and MDR customers and there are also some additional third party AV Integrations available to customers of our MDR Services.

The Graph Security API Integration will send MS Defender data into the Sophos Data Lake. I don't think you should expect that every MS detection event will show up as a detection in the XDR Detections dashboard, but the data should be queryable and I'd expect over time Sophos will look to tune to create Detections based on the most useful events we are seeing where possible. You can find some details on setting up the Integration here: https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/Integrations/Microsoft/MSgraphSecurity/index.html

There was also some useful information shared when this feature was in early access that you might find useful:

Sophskills June 2 2022 - Microsoft Graph Security connector - Early Access Program

How to view ALL my Microsoft Graph Security Detections

Thanks,

Kevin
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel