Frequently asked questions

Welcome to the EDR Data Lake EAP (Early Access Program).

How do I learn more?

  • In this forum you will find a number of documents, videos, queries and posts explaining the program. If you have any questions, you can post them to the discussions area of the community, comment on a post, or email us directly. We will be providing regular updates as the EAP progresses.

How do I join the EAP?

  • Anyone with access to Sophos Central can join the early access program. If you are new to Sophos, you can start a Sophos Central trial to get access to Central and then enroll in the endpoint or server early access programs. See this blog post, which has all the details on joining the EAP and getting up and running.

What is included in the Early Access Program?

  • For customers who join and enroll devices in the endpoint and/or server early access programs, the endpoint/server version installed on enrolled devices will run scheduled, Sophos-managed queries focused on threat hunting (similar to those run by the Sophos Managed Threat Response team). The query results will be stored in the new Sophos Data Lake, which is queryable via APIs and via our Live Discover functionality in Sophos Central. The Sophos Data Lake will include XG Firewall data if Central Firewall Reporting is enabled. This new functionality means that customers will be able to threat hunt using this offline data regardless of the actual state of the device. Admins will have the ability to:

    • Query device information even when it is offline or destroyed
    • Correlate information between devices and XG Firewall data
    • Track lateral movement between devices
    • Use data lake queries to search for indicators of compromise across all devices without generating CPU load on the devices
  • Over the coming months we will introduce additional capabilities in Central that allow customers to:
    • Pivot from an existing query to start a new query (now available in the EAP)
    • Enrich the data provided in query results
    • Take One-Click actions from query results
  • We will be providing videos, webcasts and forum posts as those new features enter the EAP and will collect feedback before making them generally available.

What information is included in the data lake?

  • The data lake consists of information collected from Intercept X EDR endpoints and servers as well as the Sophos XG Firewall.
  • The endpoint fills the data lake using Sophos-managed queries that run at intervals.
    • The queries do not extract ALL the available data from the endpoint, only what is necessary for threat hunting and investigations. A full schema is available in the documents section.
  • If you have deployed the XG Firewall with Central Firewall Reporting enabled, then all the information used for the firewall reports is included in the data lake.

How much information does each endpoint send to the data lake?

  • This depends very much on the activity on the endpoint and the queries we are running to collect the information. A typical Windows endpoint will send about 10 MB of data per day and a Windows server will send about 20 MB per day, but depending on what is running on those devices the amount of data can vary significantly.

Will all my devices be filling the Data Lake with information?  Can I select what devices will participate?

  • As with other EAPs, as the admin you can select which devices are enrolled in both the endpoint and server EAPs, and only data from enrolled devices will fill the Data Lake. This is initially configured when joining the early access program and can be adjusted by selecting the 'Manage' button for a specific EAP on the Early Access Programs page in Central (click the drop-down on your user name in the top right-hand corner of Central to access it).

Can I test the Data Lake if I do not know how to use APIs? Will Sophos supply any test tools?

  • Yes, you can now query the Data Lake directly by using the Live Discover Data Lake queries in Sophos Central. 
  • If you want to try out our APIs, we are posting a Git project with a test tool that allows you to connect to the data lake and run queries. It is intended to demonstrate how to use the APIs, but you can also use it simply to write, save and run queries against information in the data lake. The Test Tool can be downloaded from GitHub here (click the Code drop-down and choose 'Download ZIP') or from the files section of the community forum.

Will Sophos provide sample queries for me to use?

  • We have published a query pack of about 80 queries here that you can run in Central or use with the test tool/APIs to explore information in the Data Lake. You can also access our Data Lake EAP Query forum here, where you can find other example queries provided by Sophos and members of the community, request queries you'd like to see, and provide feedback on posted queries.

Are there any known issues to be aware of?

  • You can find a list of known issues in our Known Issues Document available here.