This week, we are starting the phased deployment of Sophos NDR V 1.7, which will be completed for all existing NDR customers by August 9th. This release includes several important updates, including the new NDR Investigation Console. This tool provides a graphical interface for in-depth analysis and monitoring of network activity. Additionally, we have updated the NDR product pages and added support for new certified hardware to enhance your network protection.
NDR Investigation Console
The NDR Investigation Console provides a rich graphical interface for viewing, monitoring, and analyzing network activity. It’s an essential addition to any Sophos NDR deployment and is offered at no extra charge for all licensed Sophos NDR customers.
The new NDR Investigation Console provides a wealth of information on the dashboard
The NDR Investigation Console is designed to install on a virtual appliance on the local network and augments Sophos Central by providing deeper analysis tools on your local network, minimizing data uploads to the cloud.
While Sophos Central is still your first stop for identifying detections and handling cases, this new NDR Investigation console provides deeper analysis and forensic investigation tools for the last 30 days of network activity.
Once you deploy the Investigation Console you will need to Assign one or more NDR Appliances to it so they send data to the Investigation Console.
Here’s just a few examples of how you can use the NDR Investigation Console:
- Gain comprehensive visibility into all network activity over the past 30 days
- Analyze application activity, flow risks like expired certificates, and communication on non-standard ports and more
- Investigate potential threats or anomalies that may have gone undetected
- Monitor network activity over time to identify suspicious patterns and behaviors
- Leverage advanced data analysis tools to quickly pinpoint issues
- View the geo-location for all communications to the internet
The new NDR Investigation Console provides a wealth of information on the dashboard
Here is a 10 min video showing the Investigation Console overview
NDR Product pages
With this release of NDR we have also changed the central pages for NDR. Information on NDR is now available under 'My Products'
The new NDR product pages
NDR Product page
- Dashboard - View the Central NDR Dashboard for information on Devices, Detections and Application usage
- Appliances - Manage your NDR Appliances
- Investigation Console - Manage the NDR Investigation Console
All NDR cases remain available in the Threat Analysis Center, as well as all detections and the data lake canned queries through live discover queries
NDR Certified Hardware update
We have updated the list of Certified hardware for NDR and added support for a device from OnLogic as a replacement for the discontinued Intel/Ausus NUC v13.
Spec Sheet: NDR HW Specs (4).xlsx
If you are interested in ordering an OnLogic device please contact Jeremy Berube jeremy.berube@onlogic.com at OnLogic and specify that you are a Sophos Customer looking to order the SKU: MC510-55-SOPHOS. Jeremy will ensure you get the correctly configured NUC
OnLogic MC510-55 Configuration requirements.
https://www.onlogic.com/store/mc510-55/
Changes from default configuration:
Processor, Memory, Primary Storage and Auto Power on. Select AC Adaptor, Mounting brackets and Warranty to suite your needs
OnLogic MC510-55 Intel® 13th Gen Edge Computer MC510-55
- Processor 1 x Intel Core i5-13500TE (Raptor Lake) 1.3~4.5 GHz 14-Core Processor, 20 Threads - 35 W TDP
- Memory (RAM) 2 x Transcend SO-DIMM DDR4 3200 Memory - 16GB
- Primary Storage 1 x Transcend M.2 2280-D2-M NVMe PCIe Gen4 x4 SSD - 2TB
- Hardware Setting 1 x Set System to Auto Power On via BIOS
- AC Adapter 1 x Power Adapter DC 20 V, 6A, 120 W (US Power Cord Included)
- Mounting Brackets 1 x Wall Mounting Kit Assembly and Validation 1 x Standard Build (ships in 3-5 business days from parts availability)
- Warranty 1 x 2 Year Standard Warranty
Known Issues NDR 1.7 (Aug 12)
1. AWS - Investigation Console not available
2. Investigation Console Details - The details at the bottom of the investigation console showing specific flow records are not always updated when a filter is changes. Target fix is September 9th.
FAQ: Sophos NDR V 1.7 Release
1. What is the Sophos NDR V 1.7 release? The Sophos NDR V 1.7 release is the latest update to our Network Detection and Response solution. It includes significant enhancements, such as the new NDR Investigation Console, updated product pages, and an expanded list of certified hardware.
2. What is the NDR Investigation Console? The NDR Investigation Console is a new graphical interface designed for viewing, monitoring, and analyzing network activity. It is installed on a virtual appliance on the local network, providing deeper analysis tools and minimizing data uploads to the cloud.
3. My NDR sensor is not sending data to the Investigation Console, Why?
You will need to assign the NDR appliance to the Investigation Console from Central.
4. What are the main features of the NDR Investigation Console?
- Comprehensive visibility into all network activity over the past 30 days.
- Analysis of application activity, flow risks, and communication on non-standard ports.
- Investigation of potential threats or anomalies.
- Monitoring network activity to identify suspicious patterns.
- Advanced data analysis tools for pinpointing issues.
- Geo-location views for all communications to the internet.
5. How can I access the NDR Investigation Console? The NDR Investigation Console is offered at no extra charge for all licensed Sophos NDR customers. It is designed to be installed on a virtual appliance on your local network.
6. Where can I find more information on the NDR Investigation Console? You can view a 10-minute video overview of the Investigation Console here: Vimeo Video.
7. What changes have been made to the NDR product pages? With this release, information on NDR is now available under 'My Products'. The new product pages include:
- Central NDR Dashboard for information on devices, detections, and application usage.
- Management of NDR Appliances.
- Management of the NDR Investigation Console.
8. What is the new certified hardware for NDR? We have updated the list of certified hardware for NDR, adding support for the OnLogic MC510-55 as a replacement for the discontinued Intel/Ausus NUC v13.
9. What is the configuration of the OnLogic MC510-55?
- Processor: Intel Core i5-13500TE (Raptor Lake) 1.3~4.5 GHz 14-Core Processor, 20 Threads - 35 W TDP
- Memory (RAM): 2 x Transcend SO-DIMM DDR4 3200 Memory - 16GB
- Primary Storage: 1 x Transcend M.2 2280-D2-M NVMe PCIe Gen4 x4 SSD - 2TB
- Hardware Setting: Auto Power On via BIOS
- AC Adapter: Power Adapter DC 20 V, 6A, 120 W (US Power Cord Included)
- Mounting Brackets: Wall Mounting Kit
- Warranty: 2 Year Standard Warranty
10. How can I order the OnLogic MC510-55 device? To order the OnLogic MC510-55, contact Jeremy Berube at OnLogic via email at jeremy.berube@onlogic.com. Specify that you are a Sophos customer looking to order the SKU: MC510-55-SOPHOS. Jeremy will ensure you get the correctly configured NUC.
11. Why is the Investigation Console not part of Central?
The NDR Investigation Console is a dedicated appliance due to the volume of data generated by NDR on each network flow. Detection and summary statistics are still sent to Central for case creation, detections, and Live Discover.
The NDR Investigation Console deploys in the customer network as a dedicated appliance and should not be accessible from the internet. Direct sign-in via a proxy similar to how the Sophos FW works is planned for Q1.
13. How do I create and deploy an Investigation Console?
From Central, you can create the OVA(Vmware) / ZIP(Hyper-V) for an Investigation Console and deploy it similarly to how you deploy the NDR Sensor on VMWare or Hyper-V. Support on certified hardware is not yet available.
14. Can a customer start an NDR trial from the Free Trials page?
Yes, this release adds the ability for any Central or Central Trial customer to initiate a free 30-day in-product trial.
15. Does this work across all regions?
Yes, this update supports all legacy and FSC regions.
16. Does this work with MSPs and the Partner Dashboard?
Yes, NDR is available for MSP monthly billing and the license can be managed from the Partner Dashboard.
17. Can the customer deploy multiple Investigation Consoles?
Yes, multiple Investigation Consoles can be deployed. Each console can receive data from one or more NDR sensors.
18. Is a new license required?
No, all accounts with an NDR product license can deploy as many Investigation Consoles as desired. No license upgrade or migration is required.
19. How much disk space should the Investigation Console appliance have?
The default minimum is 512GB. This will support 30d of data from 10Gbps of network traffic from one or more sensors. If you have 40Gbps of sensor data then we would need 2TB of disk allocated for the Investigation console appliance.
We do not have a Registered Service port. You can set it to a registered port, but are probably better off setting it to one of the high range ports like 50550 or something in the range below.
Service Ports: 49152–65535 are considered Dynamic, Private or Ephemeral