Getting Started with Sophos XDR & Data Lake Hydration

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This post covers setting up the XDR agent and enabling the Data Lake Hydration features inside your Sophos Central dashboard.

This guide is for you if you are a new Sophos Central user, or if you have recently purchased the licensing to enhance your Intercept-X agents and want to learn how to deploy the software. Neither? If you're new to Sophos entirely, you can start a FREE 30-day trial using this sign-up link.

What is XDR?

Here at Sophos, XDR stands for eXtended Detection and Response; some vendors refer to the technology as "cross-layered" detection and response. The technology collects data from various sources (endpoint, firewall, etc.) like a SIEM does, but then consolidates the view to provide correlated event data. XDR is key in any incident response or security plan, and many insurance providers require it. It also serves to create a response action, automated with other tools or manual, using the same technology.

See this Sophos TechVid by  for the full technical demonstration and potential.


Prerequisites

What operating systems support XDR?

XDR is available on Windows, Mac, and Linux. You can find the system requirements for each respective platform below:

What Central permissions do I need to use XDR?

Sophos Central Admins or Super Admins have access by default to both Live Discover and Live Response. If you are using a custom role, ensure it has the proper access levels from the Sophos Central Dashboard:

  1. Click Global Settings
  2. Click Role Management
  3. Click your "roleName"
  4. Click Edit Role
  5. Scroll to "Additional settings for Sophos Central Admin" and ensure the following are checked:


Install XDR Components

This section will review how to install Sophos Intercept-X with XDR on a new Sophos Central dashboard and an existing Sophos Central dashboard that has only Sophos Intercept-X installed. 

New Sophos Central Dashboard

In this section, we are going to assume that you are installing your agents onto a Windows 10 desktop. To be able to use Live Discover and Live Response, you need to ensure the XDR software is fully installed on your endpoint and server devices. If you are new to Sophos and purchased the Intercept X with XDR license, simply run the complete installer on your devices. The installer will verify that XDR is included in your license and download the required installer files. Here are the steps:

Perform the following in the dashboard landing page:

  1. Click Protect Devices
  2. Under Endpoint Protection, select Choose Components from under Download Complete Windows Installer
    1. NOTE: if you are not licensed for Sophos Central Encryption, this option will not appear
  3. Verify you see "Sophos Intercept-X Advanced with XDR"
  4. Click Download Installer
  5. Run the installer 

If you are installing on a Mac:

  1. Click Protect Devices
  2. Under Endpoint Protection, select Choose Components from under Download Complete MacOS Installer
    1. NOTE: if you are not licensed for Sophos Central Encryption, this option will not appear
  3. Verify you see "Sophos Intercept-X Advanced with XDR"
  4. Click Download Installer
  5. Run the installer

If you are installing on a Windows Server:

  1. Click Protect Devices
  2. Under Server Protection, click Download Windows Server Installer
  3. On the new dialog box, save the installer.
  4. Run the installer

If you are installing on a Linux Server:

  1. Click Protect Devices
  2. Under Server Protection, click Download Linux Server Installer
  3. On the new dialog box, save the installer.
  4. Run the installer

Existing Sophos Central Dashboard

If you're an existing Intercept X customer just adding XDR to your devices, you'll need to add XDR to your devices software list, so they'll install the file on the next update. Here are the steps:

For applying the new software to your existing Endpoint agents (Windows 7, 8/8.1, 10 or MacOS)

  1. Click Endpoint Protection
  2. Click Computers
  3. Either select ALL of your computers OR selectively choose where you want to deploy the agent
  4. Click Manage Endpoint Software
  5. From here, change the first drop down menu under PROTECTION to "Intercept-X Advanced with MTR"
  6. Click Save

For applying the new software to your existing Server agents (Windows Server 2008 R2 & UP or Linux)

  1. Click Server Protection
  2. Click Servers
  3. Either select ALL of your computers OR selectively choose where you want to deploy the agent
  4. Click Manage Endpoint Software
  5. From here, change the first drop down menu under PROTECTION to "Intercept-X Advanced with MTR"
  6. Click Save

Enable Data Lake Hydration

Sophos Central will not hydrate the Data Lake automatically by default, so you will need to enable hydration for both Endpoints and Servers. This applies to both new customers and existing customers.

To enable hydrating the data lake for endpoint:

  1. Click Endpoint Protection
  2. Click Settings
  3. Scroll down and click Data Lake uploads
  4. Toggle the switch to enable Upload to the Data Lake
  5. (OPTIONAL) - if you want to exclude any devices, select them from the available list and move them to the excluded list

To enable hydrating the data lake for server:

  1. Click Server Protection
  2. Click Settings
  3. Scroll down and click Data Lake uploads
  4. Toggle the switch to enable Upload to the Data Lake
  5. (OPTIONAL) - if you want to exclude any devices, select them from the available list and move them to the excluded list

Enable Live Response

Just like Data Lake Hydration, Sophos does not enable Live Response by default, so you'll need to enable Live Response for both endpoint and server. This applies to both new customers and existing customers.

To enable live response for endpoint:

  1. Click Endpoint Protection
  2. Click Settings
  3. Scroll down and click Live Response
  4. Toggle the switch to enable Allow live response connections to computers
  5. (OPTIONAL) - if you want to exclude any devices, select them from the available list and move them to the excluded list

To enable live response for server:

  1. Click Server Protection
  2. Click Settings
  3. Scroll down and click Live Response
  4. Toggle the switch to enable Allow live response connections to servers
  5. (OPTIONAL) - if you want to exclude any devices, select them from the available list and move them to the excluded list

Testing Your Features

Let's verify your settings are working. Keep in mind that an in-place upgrade of the software can take several minutes to complete, depending on bandwidth, whether the machine is online, whether a reboot is required, etc.

Live Discover

To test your live discover ability, perform the following:

  1. Click Threat Analysis Center
  2. Click Live Discover
  3. Scroll down to Device Selector and see if your devices appear

To test your live response settings (continued from above):

  1. Click on ANY of the listed devices
  2. You should see a Live Response button appear now
  3. Click it and test your connection to the agent

Closing

You are now successfully set up to use XDR to its fullest. Follow along as we create content on building out your Live Discover queries, how to schedule Data Lake queries, and more.

Cheers

-jk



Added Disclaimer
[edited by: GlennSen at 3:25 PM (GMT -7) on 5 Apr 2023]