Sophos Central Threat Detection Dashboard \Detection view

Hello everyone,
are you aware of any problems with Sophos Central?

I am asking because there are no more entries in the XDR under Threat Protection\Dashboard\Detection since today.
Datalake and Live Response are unchanged and still set to active.
Queries via Live Discovery are also successful and up-to-date, and Live Response is functional.

Licences are also in the green zone.

In the past few days, there has been a malfunction in the Scheduled Reports from Central. However, the last report was created last night without any adjustments being made.

Nothing is listed under Sophos Status and on the Sophos Community website either.

I would really appreciate any helpful information, because XDR is quite important for us.
Thank you very much.



Added tags
[edited by: GlennSen at 8:48 AM (GMT -8) on 11 Dec 2024]
  • We have the same problem. Our last visible data lake detection is from Nov 6, 2024, 8:24:39 PM.

    I also created a support ticket this morning.

  • I am still seeing detections in my account as usual (am using Germany as Datacenter). Have several entries for both today and yesterday.

    Please open a support case so that this issue can be analyzed.

  • This is really helpful. Thank you very much. Hopefully Sophos will fix this soon.

  • Yes, good point. Should help raise awareness. Our Datacenter is also located in Germany. Thank you.

  • Hello Alexander/Jonas,

    Thank you for reaching out to the community forum. I have sent you a direct message to inquire further about the issue. 
    As of now, we are not receiving complaints about this.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos! Visit Sophos Techvids
  • A brief summary from my side:

    Sophos support informed me that the following detections (in the detection view) were deprecated on November 6:

    • WIN-EVENT-4625: Failed login attempt
    • WIN-EVENT-4698: Scheduled task created
    • WIN-EVENT-4738: User account changed
    • WIN-EVENT-4780: ACL set on admin account
    • WIN-EVENT-4720: User account created
    • WIN-EVENT-4726: User account deleted
    • WIN-EVENT-4740: User account locked out
    • WIN-EVENT-4737: Security enabled group change
    • WIN-EVENT-4735: Security enabled group change
    • WIN-EVENT-4765: SID history failed to be added to the account

    Can you confirm this?

    I don't understand the point of irreversibly removing detections from the "Detection" view for all customers, if each customer has the option to suppress "noisy" detections independently.
    Furthermore, I don't agree with the decision that customers were not informed about this change. I hope that Sophos will change this process in the future.
  • I was also informed today that this is a "not a bug, it's a feature" thing. Despite this, the missing information in the dashboard should be available in the Datalake according to the support email.

    I also don’t really understand the decision, because like you already wrote, the option to suppress the noisy detection was already given with the filter settings.

    Here is what support sent me via email:

    This email is to inform you that we had checked internally and could see that on November 6, we released an update to reduce the number of detections for certain Windows events for which a high volume of benign activity was being recorded. By removing detection for these events, we improve the signal-to-noise ratio provided by the XDR platform without reducing the overall visibility, as all the original events are still available in the data lake.
    Labs have updated the detections and that's why you are receiving fewer detections in TAC.

  • I have created a Live Discover query based on the list that Jonas posted above. This query uses the Data Lake as source so it would generate a list similar to what you would see previously in the detections view. 

    To use the query go into Live Discover then toggle the Designer Mode and then click Create new query. In the screen that is shown next give the query a name, select Data Lake as the source and then copy the contents of the query below in the SQL box. After doing so you can run the query and it should show the events.

    -- Rebuilds the deprecated Windows-event detections from the Data Lake.
    -- Each branch selects one of the removed detections by its query_name and
    -- maps it onto the same four columns so the branches can be unioned.
    WITH events (DateTime, Who, Event, Device) AS (

       -- WIN-EVENT-4625: failed logon attempt (the target account is the one that failed)
       SELECT
          calendar_time,
          target_domain || '\' || target_username,
          CAST(eventid AS VARCHAR(8)) || ' - Invalid logon.',
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_invalid_logon'
         AND target_username <> '-'   -- skip events with no resolved account name

       UNION ALL

       -- WIN-EVENT-4740: user account locked out
       SELECT
          calendar_time,
          target_domain || '\' || target_username,
          CAST(eventid AS VARCHAR(8)) || ' - Account locked out.',
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_locked_out'

       UNION ALL

       -- WIN-EVENT-4720: user account created (subject = who did it, target = new account)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Created user: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_created'

       UNION ALL

       -- WIN-EVENT-4738: user account changed
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Modified user: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_changed'

       UNION ALL

       -- WIN-EVENT-4726: user account deleted
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Deleted user: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_deleted'

       UNION ALL

       -- WIN-EVENT-4735 / 4737: security-enabled group changed (domain controller events)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Modified security group: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_security_enabled_grp_change_dc'

       UNION ALL

       -- WIN-EVENT-4698: scheduled task created
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Created Task: ' || task_name,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_scheduled_task_created'

       UNION ALL

       -- WIN-EVENT-4780: ACL set on an admin account (domain controller events)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Modified Admin ACL: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_acl_set_on_admin_accounts_dc'

       UNION ALL

       -- WIN-EVENT-4765: SID history failed to be added to the account (domain controller events)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - SID history failed: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_sid_history_failed_adding_to_account_dc'

    )

    -- Newest events first, as the Detection view used to show them
    SELECT * FROM events ORDER BY DateTime DESC
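The query above lists every removed event one row at a time, which reproduces the volume that made these detections noisy in the first place. The following query is an added example, not from this thread and not Sophos' own query, showing how the same two Data Lake sources (failed logons and lockouts) can be aggregated into hourly buckets so that only bursts surface for review. It assumes that the Data Lake SQL dialect is Presto/Athena-compatible (date_trunc, date_add, now()), that calendar_time is a TIMESTAMP column, and that the xdr_data columns used are the same ones the thread's query relies on; the 7-day window and the threshold of 10 failures per account, device and hour are arbitrary values to tune to your environment.

```sql
-- Added example (not from the thread): surface failed-logon bursts and lockouts
-- from the Data Lake instead of listing every deprecated event row.
-- Assumptions: Presto/Athena-compatible SQL, calendar_time is a TIMESTAMP,
-- and the xdr_data columns used here exist as in the thread's query.
WITH failed_logons AS (
   -- WIN-EVENT-4625 rolled up per hour, device and target account
   SELECT
      date_trunc('hour', calendar_time)              AS hour_bucket,
      meta_hostname                                  AS device,
      target_domain || '\' || target_username        AS account,
      COUNT(*)                                       AS failures
   FROM xdr_data
   WHERE query_name = 'windows_event_invalid_logon'
     AND target_username <> '-'                      -- skip unresolved account names
     AND calendar_time >= date_add('day', -7, now()) -- assumption: 7-day lookback
   GROUP BY 1, 2, 3
),
lockouts AS (
   -- WIN-EVENT-4740 rolled up the same way so it can be joined onto failures
   SELECT
      date_trunc('hour', calendar_time)              AS hour_bucket,
      meta_hostname                                  AS device,
      target_domain || '\' || target_username        AS account,
      COUNT(*)                                       AS lockouts
   FROM xdr_data
   WHERE query_name = 'windows_event_user_account_locked_out'
     AND calendar_time >= date_add('day', -7, now())
   GROUP BY 1, 2, 3
),
spray AS (
   -- how many distinct accounts failed on the same device in the same hour:
   -- a high number with few failures per account points at password spraying
   SELECT hour_bucket, device, COUNT(DISTINCT account) AS accounts_targeted
   FROM failed_logons
   GROUP BY 1, 2
)
SELECT
   f.hour_bucket,
   f.device,
   f.account,
   f.failures,
   COALESCE(l.lockouts, 0) AS lockouts,
   s.accounts_targeted
FROM failed_logons f
LEFT JOIN lockouts l
       ON l.hour_bucket = f.hour_bucket
      AND l.device      = f.device
      AND l.account     = f.account
JOIN spray s
       ON s.hour_bucket = f.hour_bucket
      AND s.device      = f.device
WHERE f.failures >= 10                               -- assumption: tune per environment
   OR COALESCE(l.lockouts, 0) > 0                    -- always show hours with a lockout
ORDER BY f.failures DESC, f.hour_bucket DESC
```

Create it the same way as the query above (Designer Mode, Data Lake as source) and schedule it; a row with many failures against one account is a brute-force candidate, a row with few failures but a high accounts_targeted value on the same device is a spraying candidate, and a non-zero lockouts column confirms the attempts reached the lockout policy.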



  • Huh, and the support desk seemed surprised when I complained about this in a ticket - now I look here and I see I'm not the only one...

    Unilateral, unpublished changes are confusing.

    Hopefully they'll at least notify in future, but it doesn't sound like they're rolling it back.

  • And thank you very much for that query - it works great, and I've scheduled a regular run for me to review.