Adjustment of the SOPHOS threat analysis

Hi Daniel,

Thanks for reaching out to the Sophos Community Forum. 

Regarding your questions:
It is not possible to keep firewall data displayed persistently in the Threat Analysis Center. The data returned from the queries will only be displayed after each query is run. The Sophos XDR Query API may allow you more freedom to display this data as you wish.

Could you elaborate on this question? Do you mean in the Investigations tab, or Threat Graphs?: 

Daniel Kleine-Moellhoff said:

Where can I see in the Threat Analysis Center whether the data from the firewall logs was included in the detections?

The data returned from each query can only be displayed one at a time. Depending on the data you're trying to extract, it may be possible to join/merge the data returned from two different queries, however, this requires you to make changes to the query syntax.

Hi Kushal,

We have more of a problem that we have integrated our firewalls into the Threat Analysis Centre, but we don't recognise whether or what data is flowing in and being taken into account there. Yes, we can see on the general dashboard, under recent alerts, if something should have happened, although this is also rather meaningless, but we don't see which analyses happen in the Threat Analysis Centre. Only the clients and servers are shown there, but the firewalls are not really taken into account, or at least not explicitly recognisable. What is the purpose of integrating the firewall into the Threat Analysis Centre? Especially as it is not the case that nothing happens on the firewall, IPS and ATP report something every day. When I look at the latest detections in the Threat Analysis Centre, I miss the entries of the firewalls, especially if I integrate them specifically for this purpose. I had only used the queries as an idea to see data there at all, although this has no effect on the threat analysis and is more an evaluation of the logs. 

Kind Regards

Daniel

Hi Kushal,

We have more of a problem that we have integrated our firewalls into the Threat Analysis Centre, but we don't recognise whether or what data is flowing in and being taken into account there. Yes, we can see on the general dashboard, under recent alerts, if something should have happened, although this is also rather meaningless, but we don't see which analyses happen in the Threat Analysis Centre. Only the clients and servers are shown there, but the firewalls are not really taken into account, or at least not explicitly recognisable. What is the purpose of integrating the firewall into the Threat Analysis Centre? Especially as it is not the case that nothing happens on the firewall, IPS and ATP report something every day. When I look at the latest detections in the Threat Analysis Centre, I miss the entries of the firewalls, especially if I integrate them specifically for this purpose. I had only used the queries as an idea to see data there at all, although this has no effect on the threat analysis and is more an evaluation of the logs. 

Kind Regards

Daniel

Thank you for the additional context. I'll try to provide some additional insights below, I have also inquired internally to learn more about this topic and will follow up with you here.

The Threat Analysis Center was originally built around the Sophos Endpoint product. Many of the processes and services on the endpoint contribute points of data that are then analyzed in Sophos Central. This is where Threat Graphs are typically sourced from.

The Sophos Firewall Integration has been added primarily to allow better visibility into the operations occurring on the environment. If you are a Sophos MDR customer, this will also allow the MDR team to run regular queries against the XDR data to check for known/malicious attack patterns. 
Pivots from the Detection Dashboard can also allow you to query data generated from the Firewalls. 

For detections or firewall events where traffic originates externally but is blocked directly on the firewall, I would not expect to see much information in the Detections Dashboard as there would be limited information to present/look further into. If an event began on an endpoint device and progressively resulted in the firewall generating an ATP or IPS detection, you may see some additional data.