Another round of updates has been released as part of the Endpoint Detection and Response early access program. The latest enhancements include:
Threat Search to now support Network Events:
The endpoint is being enhanced so that, on top of tracking and sending metadata to Sophos Central on detected or suspicious portable executable files, it also tracks network connections made by those files to IP addresses and domains with a bad or uncertain reputation. This means admins can now search for an IP address or domain to see which endpoints have made connections to that network address and tie each connection back to the initiating process.
Admin Generated Threat Cases:
A new action available from Threat Search results allows admins to generate a Threat Case when they want to understand the history surrounding a file returned by a search. An admin-generated Threat Case looks much the same as a system-generated one, except that the item searched for serves as the beacon, rather than a file that was detected.
On Demand Forensic Snapshots:
At the launch of the EDR Early Access Program, Sophos released the SDR Exporter utility, which can be used to convert the Sophos Data Recorder snapshots on an endpoint into formats against which advanced queries can be run. At the time, snapshots were only available for conversion if a detection on the endpoint had caused the snapshot to be created. This new ability allows admins to create a forensic snapshot on an endpoint on demand, so there is no longer a dependency on a detection happening to get access to a snapshot. Admins can request that a forensic snapshot be created from the Endpoint Protection > Computers page in Sophos Central, or from within an existing Threat Case for an associated endpoint. Once the snapshot is created, the same process is followed to use the SDR Exporter utility to convert it into a format that can be used for further investigation. See this KBA for more detail. Also see this previous blog post and video on using the SDR Exporter.
New Threat Case enhancements:
Admins will also notice some additional enhancements inside Threat Cases. A new option is now available to choose between showing the full Threat Case graph or simplifying the graph to show only the direct path between what has been determined to be the root cause and the detected item or beacon event.
When viewing aggregated nodes inside Threat Cases, we now show the full list of items contained in the node, and we also give the file path for both files and registry keys.
Finally, when analysing processes in a Threat Case, the command line arguments passed (where available) and the user who executed the process are now shown when viewing the details of a process.
This update includes a refresh of the Sophos Endpoint and therefore requires a reboot of EAP endpoints. The new functionality won't be available until that reboot happens.
Enjoy testing out these new features, and please help us improve by providing feedback and asking any questions in the Endpoint Detection and Response forum.