To get the full benefit of new Intercept X Advanced with EDR licenses, customers need to ensure that the setting "Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central" is enabled in their Threat Protection policies.
Applies to the following Sophos products and versions: Central Intercept X 11.5.11; Central Server Core Agent 2.2.1; Central Server Intercept X 2.0.8
One of the key new features in the Sophos EDR offerings is the ability to search across EDR-enabled devices in the estate for details on portable executable files that have an uncertain or bad reputation, the network destinations those files have connected to, and the admin tool executions that EDR-enabled devices capture. The search covers all the data that has been sent back to Sophos Central, but only from EDR-enabled devices where the Threat Protection policy setting "Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central" has been enabled.
For existing customers who added the EDR license, this setting was turned off in existing policies. Moving forward, Sophos plans to turn this setting on by default in existing policies.
To use the search capability, you need to allow devices to continuously send this data on suspicious files, the network destinations they connect to, and admin tool executions. Open your Threat Protection policies, click the Settings tab, and in the Remediation section of the policy ensure that the setting "Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central" is enabled.