Thread Info
  • State Not Answered
  • +2 person also asked this people also asked this
  • Replies 9 replies
  • Subscribers 12 subscribers
  • Views 1114 views
  • Users 0 members are here
Options
Suggested

Sophos Central Threat Detection Dashboard \Detection view

Alexander Bartmann

Hello together,
are you aware of any problems with Sophos Central?

I am asking because there are no more entries in the XDR under Threat Protection\Dashboard\ Detection since today.
Datalake and Live Response are unchanged and still set to active.
Queries via Live Discovery are also successful and up-to-date, and Live Response is functional.

Licences are also in the green zone.

In the past few days, there has been a malfunction in the Scheduled Reports from Central. However, the last report was created last night without any adjustments being made.

Nothing is listed under Sophos Status and on the Sophos Community website either.

I am really appriciate any helpful information, because XDR is quite important for us.
Thank you very much.

  • 0

    We have the same problem. Our last visible data lake detection is from Nov 6, 2024, 8:24:39 PM.

    I also created a support ticket this morning.

  • 0

    I am still seeing detections in my account as usual (am using Germany as Datacenter). Have several entries for both today and yesterday.

    Please open a support case so that this issue can be analyzed.

  • 0 in reply to Jonas Stadler

    This is really helpful. Thank you very much. Hopefully Sophos will fix this soon.

  • 0 in reply to Marcel

    Yes, good point. Should help raise awareness. Our Datacenter is also located in Germany. Thank you.

  • 0

    Hello Alexander/Jonas,

    Thank you for reaching out to the community forum. I have sent you a direct message to inquire further about the issue. 
    As of now, we are not receiving complaints about this.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to GlennSen

    We are experiencing this as well. Windows Event detections are no longer showing up on Threat Analysis Center > Detections. Live queries for same info are also not returning results. This outage started for us also on Nov 6, around noon CST and has yet to be resolved. I opened up a support case on 11/7/24, and was informed by our TAC yesterday that there were similar reports being described by other customers and that this is being investigated. Out case is apparently being raised to tier 2. Please confirm that the sophos team is taking these reports seriously as this is a high level concern in terms of threat monitoring visibility.

  • 0

    A brief summary from my side:

    Sophos support informed me, that the following detections (in the detecion-view) were deprecated on November 6:

    • WIN-EVENT-4625: Failed login attempt
    • WIN-EVENT-4698: Scheduled task created
    • WIN-EVENT-4738: User account changed
    • WIN-EVENT-4780: ACL set on admin account
    • WIN-EVENT-4720: User account created
    • WIN-EVENT-4726: User account deleted
    • WIN-EVENT-4740: User account locked out
    • WIN-EVENT-4737: Security enabled group change
    • WIN-EVENT-4735: Security enabled group change
    • WIN-EVENT-4765: SID history failed to be added to the account

     Can you confirm this? )

    I don´t understand the point of irreversible removing Detections from the "Detection" view for all customers, if each customer has the option to suppress "noisy" detections independently.
    Furthermore, I don't agree with the decision that customers were not informed about this change. I hope that Sophos will change this process in the future.
  • 0 in reply to Jonas Stadler

    I was also informed today that this it is not a bug it’s a feature thing. Despite this, the missing information in the dashboard should be available in the Datalake according to the support email.

    I also don’t really understand the decision, because like you already wrote, the option to suppress the noisy detection was already given with the filter settings.

    Here is what the support sends me via email:

    This email is to inform you that we had checked internally and could see that on November 6, we released an update to reduce the number of detections for certain Windows events for which a high volume of benign activity was being recorded. By removing detection for these events, we improve the signal-to-noise ratio provided by the XDR platform without reducing the overall visibility, as all the original events are still available in the data lake.
    Labs have updated the detections and that's why you are receiving lesser detections in TAC.

  • 0 in reply to Jonas Stadler

    I have created a Live Discover query based on the list that Jonas posted above. This query uses the Data Lake as source so it would generate a list similar to what you would see previously in the detections view. 

    To use the query go into Live Discover then toggle the Designer Mode and then click Create new query. In the screen that is shown next give the query a name, select Data Lake as the source and then copy the contents of the query below in the SQL box. After doing so you can run the query and it should show the events.

     

    WITH events (DateTime, Who, Event, Device) AS (

   SELECT
      calendar_time,
      target_domain || '\' || target_username,
      CAST(eventid AS VARCHAR(8)) || ' - Invalid logon.',
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_invalid_logon'
     AND target_username <> '-'
   
   UNION ALL
   
   SELECT
      calendar_time,
      target_domain || '\' || target_username,
      CAST(eventid AS VARCHAR(8)) || ' - Account locked out.',
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_user_account_locked_out'
      
   UNION ALL
   
   SELECT
      calendar_time,
      subject_domain || '\' || subject_username,
      CAST(eventid AS VARCHAR(8)) || ' - Created user: ' || target_domain || '\' || target_username,
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_user_account_created'
   
   UNION ALL

   SELECT
      calendar_time,
      subject_domain || '\' || subject_username,
      CAST(eventid AS VARCHAR(8)) || ' - Modified user: ' || target_domain || '\' || target_username,
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_user_account_changed'
   
   UNION ALL
   
   SELECT
      calendar_time,
      subject_domain || '\' || subject_username,
      CAST(eventid AS VARCHAR(8)) || ' - Deleted user: ' || target_domain || '\' || target_username,
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_user_account_deleted'

   UNION ALL
   
   SELECT
      calendar_time,
      subject_domain || '\' || subject_username,
      CAST(eventid AS VARCHAR(8)) || ' - Modified security group: '  || target_domain || '\' || target_username,
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_security_enabled_grp_change_dc'
   
   UNION ALL

   SELECT
      calendar_time,
      subject_domain || '\' || subject_username,
      CAST(eventid AS VARCHAR(8)) || ' - Created Task: ' || task_name,
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_scheduled_task_created'
   
   UNION ALL
   
   SELECT
      calendar_time,
      subject_domain || '\' || subject_username,
      CAST(eventid AS VARCHAR(8)) || ' - Modified Admin ACL: ' || target_domain || '\' || target_username,
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_acl_set_on_admin_accounts_dc'

   UNION ALL
   
   SELECT
      calendar_time,
      subject_domain || '\' || subject_username,
      CAST(eventid AS VARCHAR(8)) || ' - SID history failed: ' || target_domain || '\' || target_username,
      meta_hostname
   FROM xdr_data
   WHERE query_name = 'windows_event_sid_history_failed_adding_to_account_dc'
   
)

SELECT * FROM events ORDER BY DateTime DESC



Unfiltered HTML