Announcements

Now with the XDR Detections EAP open folks can see all activity that has been classified to MITRE ATT&CK. The new page is in the Threat Analysis Center and has lots of really great information on what has been observed in your environment. &...

As previously communicated, from the beginning of June, no new customers are able to enroll into the XDR & EDR Data Lake Endpoint and Server early access programs (EAPs).  For customers who were already enrolled, they are no longer able to a...

As previously communicated, from the beginning of June, no new customers are able to enroll into the XDR & EDR Data Lake Endpoint and Server early access programs (EAPs).  For customers who were already enrolled, they are no longer able to a...

Hello All, With EDRv4 and our new XDR offering having become generally available in mid-May, Sophos will now begin the wind down of the XDR & EDR Data Lake Early Access Programs.  At this point we will not be introducing any new functionalit...

With the release of the product we will be adding scheduled query reports.    This feature is NOT YET available in the EAP but is coming with the general release in mid May.  For those eager to see it before it is complete I have recor...

BRIEF Video on EMAIL and the Data Lake. In this video we show the EMAIL Attachment and URL table that is available in the data lake, we also pivot from a URL seen an an email to ask if any endpoint have ever communicated to that URL and if so what pr...

A 30 min tour of some of the capabilities of Sophos Intercept X with EDR XDR.  In this 30 min video I touch on some of the core concepts in the product and explain a bit about how queries work and show some of the features. It by no means covers...

Often administrators would prefer to see the graphical view of the attack instead of the tables.   With a graphical view it is often MUCH easier to understand what was happening and come to a decision is something is malicious or not. To he...

Lots of new features are going to be enabled on Wed April 21.  We are still on track for GA in mid May. Video:

We continue to make excellent progress to the intended May release of the Data Lake version of the product. This week I wanted to demonstrate some of the capabilities we have just added around Pivots and the Depth of information available for admins ...

Welcome to the EDR Data Lake EAP (Early Access Program). How do I learn more In this forum you will find a number of documents, videos, queries and posts explaining the program and if you have any questions you can post them to the discussions area ...

Watch the video from the technical demo where we cover how to use Live Discover datalake queries. Video: https://vimeo.com/519661823 Queries used during SophSkills Demo DATA LAKE - List all EP and FW tables in the data lake This query will need ...

For those enrolled in the XDR & EDR Data Lake early access program (EAP), this week we will be launching new pivoting capabilities which allow administrators to rapidly navigate from the result of one query to an available Action, Query, or Enric...

With the data lake we can do some interesting IOC hunts that perform counts across all devices for similar IOC's and with some use of variables we allow for the administrator to rapidly focus on things of interest. Watch the Video: https://vimeo.com/...

For anyone who's joined the XDR & EDR Data Lake Early Access Program, we've been providing instructions on the different steps to join and enroll devices but I thought it would be useful to have one full blog post covering those steps and also de...

(NEW) Video on Schemas for EDR and Data Lake (15 Min) With the addition of the data lake a significant amount of new information is available.  In this document we will discuss each of the core database schemas. For those that simply want the ...

In this 7min video we show the features that were enabled on Feb 22nd for the Early Access Program for the XDR Data lake. Welcome to the EAP and stay tuned more features are coming in March and April as we add Context aware pivoting to another query...

One of the most frequently used queries by our threat hunting team is a flexible generic search query against the data lake. Often you know exactly what you are looking for but sometimes you want to start from a high level view and work your way deep...

Below is a query that will list all installed applications, the publisher, application name, and version number. It performs some nice counting so you don't have to deal with a long list of duplicates.  You can quickly search for rare applic...

Check out this webinar where the Sophos Engineering and PM team give an introduction on coding against the EDR Data Lake API and walk through using and modifying the Sophos Data Lake Test tool. vimeo.com/.../ad569fd23d

I am adding a set of queries to explore information in the data lake from the XG Firewall. For the data lake to have information from the XG Firewall you will need to have an XG FW License with Cloud Firewall reporting enabled. Once the firewall is c...

You can find the getting started guide for the EDR Data Lake APIs available here on the apigee.io site we use. Overview This guide takes you through a few simple steps to start using the new EDR Data Lake APIs in Sophos Central. All our APIs are off...

Hi all I have started populating the queries section of the forum.  I Expect to put about 50 queries into the forum to perform the basic navigation and exploration of the data.  Once I get those loaded in we will start adding more interesti...