How is the location of a sensor/endpoint determined?

Hi Sophos,

On the Sensor Location pane of the dashboard I have an Endpoint showing as being in a country I wouldn't expect it to be.

I'm not immediately concerned with the above fact, but I'm interested in knowing how Sophos calculates the location of the device - or could this be an end-user sat behind a VPN, or perhaps even a bug in the interface?

Many Thanks



Added tags
[edited by: GlennSen at 3:22 PM (GMT -7) on 3 Oct 2024]
Parents Reply Children
  • Hi,

    On the Sophos Central Dashboard, a widget can be deployed called 'Sensor location of detection'. This widget shows a map of the globe with icons to determine sensor location. This shows your Endpoint locations and any detections they have generated.

    As we are a UK based company, 99% of all of the sensor locations (Endpoints) are listed as being in the UK. However, there is one in a Country I would not expect to be in.

    I would like to know what information is used to determine the location of the Endpoint. If I click on the sensor location icon for the affected device I'm taken to the Detections pane in the TAC. I then have to Filter the results by location, by entering the location of the item as it was shown on the 'Sensor location of detection' widget. This then shows the detection information, but I see nothing in the Overview or Raw Data pane that defines the location.

    My concern is that there is something occurring on the endpoint that is telling Central that it is in a place that it is physically not. If so, there may be unwarranted software present, i.e. an unapproved VPN, etc.

    Many Thanls

  • I wonder the same thing, devices popping up in M.E or East Asia region based on what, public IP exposure? If that is the case, why isn't the meta data retrievable as RAW file in Sophos "detections".

    Edit: I just made a filtered search by clicking on the worldmap dot for the country of interest, or otherwise click Sophos Central > Threat Analysis Center > Detections > Show filters > location: South Korea > APPLY and I found the relevant metadata in RAW. It is due to public IP exposure as I thought.

    Make a VirusTotal or public IP search online to find out that the network autonomous system (AS) relates to that country detected in the Sophos Central worldmap widget.



  • Hey, thank you for this. I got as far as filtering Location but didn't sift through the RAW data for the Public IP. Perhaps an oversight not to include this in the alert Overview. I'll work through the few alerts we do have for these and determine whether the IP address is cause for concern. Thanks again.