Sophos Central Operations Guide: Intercept X Advanced with XDR


Introduction

This guide is intended to help Sophos customers running Intercept X Advanced with XDR carry out the regular tasks in Sophos Central needed to ensure smooth operations and prevent threats. It's broken into two parts, the first focuses on proactive threat related activities which should be carried out each day. Triaging Threat Cases (telemetry from an automated detection) and actively hunting for as yet undetected threats are critical to protect organizations from cybercriminals. In part two, the guide focuses on operational tasks which help customers manage their deployment of Intercept X Advanced with XDR.


Threat Detection and Response - Daily tasks

Task
Process

Review Threat Cases

The Threat Cases view contains a list of infection types that occurred in the past 90 days. The information provided in this view does not necessarily require an action, but helps you to investigate the chain of events surrounding a malware infection and pinpoint areas where you can improve your security.

The purpose of a threat case is to help admins understand what happened on the affected computer before the detection occurred. Using this information can help you understand ongoing infections, as well as how to further improve your security against similar attacks in the future.

NOTE: Sophos recommends urgently investigating certain detection types as their presence can be an indicator of threat actor activity in the environment, these detections are:

  1. From the "Overview", click “Threat Analysis Center”
  2. Click “Threat Cases” under “Detection and Remediation"
  3. Review the new Threat Cases since your last review
  4. Review the links below for more information about how to triage a threat case, detection types which should be investigated urgently and detail on the various different detection types.
  5. As you triage Threat Cases we recommend identifying trends and considering the factors which could reduce the malicious activities shown, for example:
    1. If a lot of your Threat Cases have a "Root cause" of an email application, you may need to consider enhancing email security by adding an attachment sandboxing capability, or proactively training your users to identify suspicious emails
    2. If you have a lot of Threat Cases for the same user(s) you may need to consider enhanced training or mentoring for these users

Working with Threat Cases

Details on detection types

Threat Hunting

Behind every cyberthreat is a cybercriminal, and today’s advanced attacks often combine the latest technology with hands-on live hacking. Protecting against these human-led attacks requires human-led threat hunting.

  1. Review the links below for practical information on Threat Detection and Response practices and specific resources to be an effective threat hunter using Sophos XDR

Console Hygiene - Daily tasks

Task
Process

Check machines showing as unprotected in Computers and Servers reports

This identifies machines which have not had a successful installation of the agent and are therefore unprotected. Unprotected machines are an easy entry point for attackers to pivot to other areas of your network.

  1. From the "Overview", click “Logs & Reports”
  2. Click “Computers” under “Reports" > "Endpoint Protection”
  3. Change to the “Not protected” tab
  4. Attempt to reinstall the Sophos Central agent on the identified machines, check the documentation link below for detail on troubleshooting the installer logs
  5. Once remediated go to the "Status" page for the endpoint or server
  6. Scroll down to the "Alerts" section
  7. Mark as Acknowledged / Resolved any outstanding alerts for the services status of the machine(s)
  8. Repeat steps 1 to 7 for “Servers” under “Reports”

Check high severity alerts

High severity (Red) alerts are the highest priority warnings in Sophos Central. These typically indicate the need for admin intervention and should be addressed as soon as possible to ensure good security posture. This can include detections that will require manual intervention or further investigation, API tokens expiring, and, real-time protection being disabled on an endpoint.

High events will remain in the list until they are remediated or acknowledged by an administrator. By checking these daily, you ensure no high severity incidents are overlooked.

  1. From the "Overview", click "Alerts"
  2. Click the "High Alerts" tab
  3. Follow the instructions in the links below to triage High alerts

If you believe the detection to be a false positive, we recommend carrying out an investigation using the detected Threat Case (see Threat Case section). Legitimate applications can be made to carry out malicious tasks, especially scripting or command interfaces like PowerShell. If you have carried out an investigation and are comfortable that the detection is a false positive, we recommend following these steps:

  1. Create the appropriate exclusion for the file or behavior detection to mitigate the detection and cause no further impact to the end user
  2. Contact Sophos Support via a support case to make them aware of the false positive and share the details of the detection with Sophos Labs - this will help the Labs team refine the detection capabilities and reduce future unwanted detections

Check machines with a bad / red health state

Similar to High Severity alerts, machines in a bad/red health state indicate action needs to be taken by an admin. Machines will have a bad / red health state for one of the following reasons:

  • Active malware is detected
  • Running malware is detected
  • Malicious network traffic is detected. This traffic might lead to a command-and-control server involved in a botnet or other malware attack
  • Communications sent to a known bad host is detected
  • Malware was not removed
  • Sophos security software is not working correctly
  • Check alerts related to malware / PUA cleanup

(See steps below to create the custom query for its first execution)

  1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
  2. Expand the Query selection area and search for your custom query name
  3. Check the devices you want to query and click "Update selected devices list"
  4. Select the query and click "Run query"
  5. Follow the instructions in the links below to triage the machine

You can also view the overall health status from the machine list:

  1. From the "Overview", click “Devices” (the default view Is Computers)
  2. Change the “All Health Status” filter to “Computers with a bad status”
  3. Click on the machine name then click on the “Status” tab to see the detailed reasons for the bad health state and follow the Instructions in the links below to triage the machine - the Sophos Endpoint Self Help tool, available on each device, can run rules to identify problems with the device
  4. Once triaged, clear any outstanding alerts for the device
  5. Repeat for Servers by clicking "Dashboard", "Devices", Change to the "Servers" tab, change the “All Health Status” filter to “Servers with a bad status”

Follow these steps to prepare the query for its first execution:

  1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
  2. Check the devices you want to query and click "Update selected devices list"
  3. Expand the Query selection area and click "Create new query"
  4. Enter a name and category for the query and select the operating systems (Windows & Windows Server)
  5. In the "SQL" section paste the query from the URL below
  6. Click "Save" and "Run query" then follow steps 5-9 from above to triage the results

Check alerts related to malware / PUA cleanup

You should investigate cleanup failures because they can indicate more serious issues. For example, many threats have multiple components, if one is active and undetected, it can lock other items. This prevents them from being removed if they're detected causing a cleanup failure on the other component.

  1. From the "Overview", click "Alerts"
  2. Change the "All categories" filter to "Malware"
  3. Check for any new Threat Cases for the device as this could indicate the clean up failure is a symptom of a wider problem
  4. Follow the instructions in the links below to triage any alerts with the following descriptions
    1. "Manual malware cleanup required"
    2. "Manual PUA cleanup required"
    3. "Malware not cleaned up"
    4. "Computer scan required to complete cleanup"

Console Hygiene - Weekly tasks

Task
Process

Check machines have all appropriate modules deployed

This is especially important if you have recently upgraded your license to include Intercept X or Managed Threat Response functionality. Machines (servers and endpoints) not assigned the desired modules will not have the appropriate functionality and additional layers of security for which you are licensed.

  1. From the "Overview", click “Devices”
  2. Change the "All Products" filter to "Computers without all protection"
  3. Click the "+" button to deploy all protection capabilities to individual machines or select multiple machines and click the "Manage Endpoint Software" to modify the installed Protection capabilities
  4. Repeat steps 2 and 3 for Device Encryption by changing the "All Products" filter to "Computers without Device Encryption"
  5. Repeat steps 2 and 3 for Servers by clicking on the "Servers" tab and changing the "All products" filter to "Servers without all protection"

If many endpoints are regularly missing desired components, consider updating the installation script to be sure that the correct components are configured. Details are in the links below.

Check global Tamper Protection status Is set to enabled

Keeping Tamper Protection enabled across your entire estate is vital to ensure an unauthorized administrator or adversary cannot perform any of the following actions on a device:

  • Change settings for on-access scanning, suspicious behavior detection (HIPS), web protection, or Sophos Live Protection
  • Uninstall the Sophos agent software
  1. From the "Overview" click "Global Settings"
  2. Click “Tamper Protection” under “General"
  3. Ensure "Tamper Protection" is enabled

Customers using the Sophos Central Enterprise Dashboard should check the Global Tamper Protection status in all subestates.

Check audit logs for any of the following:

  • Changes to Policy or Global Settings, confirm if changes are desired or should be reverted
  • Unexpected logins from Sophos Central administrators, Audit Logs also include the IP address of the connection

Review and examination of administrator activities is essential to assessing the adequacy of system controls, to ensure compliance with established policies and operational procedures.

  1. From the "Overview", click “Logs & Reports”
  2. Click “Audit Logs” under “Logs" > "General Logs”
  3. Click "Export" then "CSV of current view" to export the default view of 7 days of audit logs
  4. Open the CSV file in a spreadsheet application and filter "Item Type" to include the following types
    1. Policies
    2. Global Settings
    3. Global exclusions
  5. Review each of the Policy, Global Settings and Global Exclusions changes to ensure they are wanted in the environment and revert any changes if unwanted

If many unwanted changes are being made, consider changing the role of the administrator(s) responsible to limit unauthorized policy or global changes. Details are in the documentation site below.

Check medium severity alerts

Medium severity events are reported where actions are required, such as for computers out of compliance with policy, or that require a reboot. Malware detections that can automatically be remediated are also reported as medium, but they will only be displayed until they have been cleaned up.

  1. From the "Overview", click "Alerts"
  2. Click the "Medium Alerts" tab
  3. Follow the instructions in the links below to triage Medium alerts

Check machines with medium / orange health state

Machines will have a medium / orange health state for one of the following reasons:

  • Inactive malware is detected
  • A Potentially Unwanted Application is detected
  1. From the "Overview", click “Devices” (the default view Is Computers)
  2. Change the “All Health Status” filter to “Computers with a medium or bad status”
  3. Click on the machine name then click on the “Status” tab to see the detailed reasons for the bad health state and follow the Instructions in the link below to triage the machine
  4. Clear any outstanding alerts for the device
  5. Repeat for Servers by clicking "Dashboard", "Devices", Change to the "Servers" tab, change the “All Health Status” filter to “Servers with a medium or bad status”

Identify unprotected machines in the environment

You can’t secure what you can’t see. It is imperative to identify and manage all assets that have the potential to access corporate information. Unprotected machines increase your overall attack surface and are a typical entry point for attackers.

If synchronizing Active Directory with Sophos Central

Sophos Central Active Directory synchronization can import machine objects from your AD and consolidate machines which are present in the AD but not protected by Sophos Central, follow the process below to see a list of these machines. You might need to update your AD sync settings to include machine objects.

  1. From the "Overview", click "Devices"
  2. Click the "Unmanaged devices" tab
  3. You will see a list of computer objects from AD which are not protected
  4. You can export a list of the machines for ingestion into a script or 3rd party software deployment application by clicking the "Export to CSV" link at the top right of the list

If using a Sophos Firewall managed in Sophos Central with Cloud Reporting Enabled

The Sophos Firewall can upload connection data to the Sophos XDR data lake and a Live Discover query can extract data for devices which are not managed in Sophos Central.

  1. From the "Overview" click "Threat Analysis Center"
  2. Then click "Live Discover" and search for a Data Lake query called "Firewall: Devices without Sophos Endpoint installed"
  3. Click the "Run Query" button to generate the report from the Sophos Data Lake
  4. The results will display the MAC address and IP address of any devices which have been seen to send traffic through the Firewall, but are not known to be protected by Sophos Central
  5. You can export the results by clicking on the "Export" link at the top right of the results section

If using neither of the technologies above

You can export a list of computers and servers to compare to your 3rd party asset management system.

  1. From the "Overview", click "Devices"
  2. On the "Computers" tab, click the "Export to CSV" link at the top right of the list
  3. Repeat step 2 for Servers by clicking on the "Servers" tab

Console Hygiene - Monthly tasks

Task
Process

Check the Controlled Updates status for new endpoint or server agent updates

Checking that updates are not paused or controlled when not required ensures your endpoints and servers are receiving the latest feature updates as they are released by Sophos automatically.

  1. From the "Overview", click “Global Settings”
  2. Click “Controlled Updates” under “Endpoint Protection"
    1. If updates have been paused for 90 days
      1. Ensure the pause is still required, and if not, click "Resume Automatic Updating" (see note below about 90 day limit)
    2. If updates have been paused to a specific date
      1. The "Pause" and "Restart" dates can be edited (see note below about 90 day limit)
      2. If the pause is no longer required click "Resume Automatic Updating" (see note below about 90 day limit)
    3. If updates are being controlled manually
      1. Ensure test computers are defined, use the "Manage Computers" link to add or remove machines
      2. When ready you can click "Update test computers to newest version" to update specified test machines to the latest version
      3. When ready you can click "Update to match test computers" for non-test computers to update all remaining machines to the same version as test machines
  3. Repeat for Servers by clicking “Global Settings” then “Controlled Updates” under “Server Protection"

Full details of the Controlled Updates options are in the documentation site below.

NOTE: Paused versions expire after 90 days and will be automatically upgraded if no action is taken.

Check Directory service sync status

Checking the status of your Active Directory synchronization to Sophos Central ensures you have a clean list of users and groups without stale/deleted accounts filling up your console and with newly created users populated automatically. This makes setting up user/group-based policies more efficient, as only relevant data is available for assignment.

  1. From the "Overview", click “Global Settings”
  2. Click “Directory service” under “Administration"
  3. Ensure the AD sync completed successfully according to the schedule
  4. If the synchronization has not occurred as expected review the links below for troubleshooting information

Check low severity alerts

  1. From the "Overview", click "Alerts"
  2. Click the "Low Alerts" tab
  3. Review the details of the alert and take any action required
  4. Click "Mark As Acknowledged" to clear the alert from the Sophos Central Dashboard

Check Windows machines with a pending reboot, a long uptime or a long time since the last installation of a Microsoft update

Outside of the obvious benefits of regular reboots (e.g. flushing memory, halting memory leaks, installing security updates, etc.), there are instances in which the Sophos Endpoint Protection also requires a reboot to ensure the latest feature updates can be successfully applied.

(See steps below to create the custom query for its first execution)

  1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
  2. Expand the Query selection area and search for your custom query name
  3. Check the devices you want to query and click "Update selected devices list"
  4. Select the query and click "Run query"
  5. From the query results area click "Export" (a CSV file will be downloaded)
  6. Open the CSV file in a spreadsheet application and filter devices reporting results in "Reboot pending evidence" column
  7. Then sort by "Uptime (decimal days)", descending.
  8. Reboot the longest running machines first.
  9. Then sort by "Latest MS patch install data", ascending and check for updates on the machines which have not had an update applied for the longest time.

Follow these steps to prepare the query for its first execution:

  1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
  2. Check the devices you want to query and click "Update selected devices list"
  3. Expand the Query selection area and click "Create new query"
  4. Enter a name and category for the query and select the operating systems (Windows & Windows Server)
  5. In the "SQL" section paste the query from the URL below
  6. Click "Save" and "Run query" then follow steps 5-9 from above to triage the results

Review "What's new" change notes

Sophos regularly updates Sophos Central with improvements or new features. Reviewing the “What’s new” change notes is a great way to stay on top of UI changes and feature updates that will benefit administration and overall security.

  1. From the "Overview", click “Help” Then "What's New?" or click the link below
  2. Review the latest announcements from Sophos
  3. For more information about any new features or products reach out to your Sophos account team

Console Hygiene - Quarterly tasks

Task
Process

Identify & delete old machines from Sophos Central

Similar to the benefits of keeping your AD Sync up to date, deleting machines no longer in use from Sophos Central aids in easier navigation and administration of accurate and relevant device information.

  1. From the "Overview", click “Devices” (the default view Is Computers)
  2. Sort the "Last active" column to see the machines which are oldest at the top
  3. Check the box next to computers to be deleted and click the "Delete" button
  4. Repeat for Servers by clicking "Dashboard", "Devices", Change to the "Servers" tab, sort the "Last active" column to see the machines which are oldest at the top
  5. Check the box next to servers to be deleted and click the "Delete" button

Tamper Protection passwords remain recoverable for a short time by following these steps:

  1. From the "Overview", click “Logs & Reports”
  2. Click “Recover Tamper Protection passwords” under “Reports" > "Endpoint & Server Protection"
  3. Expand "View password details" to see the Tamper Protection password history

Sophos Central Device Encryption recovery keys remain recoverable permanently by following these steps:

  1. From the "Overview", click “Devices” (the default view Is Computers)
  2. Click "More " then click "Retrieve Recovery Key"
  3. Enter at least the first 5 characters of the Recovery Key Identifier or Volume Identifier (shown at the pre-boot login screen)
  4. The Recovery Key Identifier or Volume Identifier field will suggest the complete identifier and display Machine details
  5. Click "Show Key" to see the Recovery Key for use on the endpoint

Review admin users and roles

Following the Principle of Least Privilege, periodic assessment of administration roles ensures that only those who need access to certain responsibilities (e.g. access sensitive logs, edit configurations, etc.) have those rights.

"Least Privilege" at US-CERT

  1. From the "Overview", click “People”
  2. Change the “All users” filter to “Admins only"
  3. Review each admin account and role

To delete an admin account that is no longer a user at your organization follow these steps:

  1. Click on the user name
  2. Click "Delete User"
  3. Click "Delete" to confirm

To edit an admin account's role follow these steps:

  1. Click on the user name
  2. Click "Edit"
  3. From the "Role" drop down box choose the new desired role

Full details of the built in and custom roles are in the documentation site below.

Review MFA requirement for admin users

Requiring Multi-factor Authentication for all administrators allows authentication into Sophos Central upon presenting a second form of identification. If admin credentials are harvested by an unapproved individual, that third party will be unable to log in to the admin console without a second factor, preventing unauthorized access and changes.

  1. From the "Overview", click “Global Settings”
  2. Click “Multi-factor Authentication (MFA)” under “General"
  3. Ensure this is set to "All admins need MFA."

Review email alert settings

Make sure the frequency and types of email alerts align with your organization’s expectations. Ensure that events your organization wants to be notified on immediately are set appropriated – and also that seemingly unimportant alerts do not flood inboxes and delay response to those that are higher priority.

  1. From the "Overview", click “Global Settings”
  2. Click “Configure email alerts” under “General"
  3. Ensure the email alerts settings are correct

Full details of the granular email alerts settings are in the documentation site below.


Console Hygiene - Annual tasks

Task
Process

Full heath check via Sophos PS / TAM

Sophos recommends a full health check each year by Professional Services or your Technical Account Manager. Please reach out to your TAM or account team to schedule your health check.


Fixed a couple of typos
[edited by: AndrewMundell at 3:16 PM (GMT -7) on 2 Sep 2021]