Sophos Central Threat Detection Dashboard \ Detection view

Hello everyone,
are you aware of any problems with Sophos Central?

I am asking because there are no more entries in XDR under Threat Protection\Dashboard\Detection since today.
Data Lake and Live Response are unchanged and still set to active.
Queries via Live Discovery are also successful and up to date, and Live Response is functional.

Licences are also in the green zone.

In the past few days, there has been a malfunction in the Scheduled Reports from Central. However, the last report was created last night without any adjustments being made.

Nothing is listed under Sophos Status and on the Sophos Community website either.

I would really appreciate any helpful information, because XDR is quite important for us.
Thank you very much.



[edited by: GlennSen at 8:48 AM (GMT -8) on 11 Dec 2024]
  • A brief summary from my side:

    Sophos support informed me that the following detections (in the detection view) were deprecated on November 6:

    • WIN-EVENT-4625: Failed login attempt
    • WIN-EVENT-4698: Scheduled task created
    • WIN-EVENT-4738: User account changed
    • WIN-EVENT-4780: ACL set on admin account
    • WIN-EVENT-4720: User account created
    • WIN-EVENT-4726: User account deleted
    • WIN-EVENT-4740: User account locked out
    • WIN-EVENT-4737: Security enabled group change
    • WIN-EVENT-4735: Security enabled group change
    • WIN-EVENT-4765: SID history failed to be added to the account

    Can you confirm this?

    I don't understand the point of irreversibly removing detections from the "Detection" view for all customers, if each customer has the option to suppress "noisy" detections independently.
    Furthermore, I don't agree with the decision that customers were not informed about this change. I hope that Sophos will change this process in the future.
  • I was also informed today that this is a "not a bug, it's a feature" thing. Despite this, the missing information from the dashboard should be available in the Data Lake, according to the support email.

    I also don’t really understand the decision, because like you already wrote, the option to suppress the noisy detection was already given with the filter settings.

    Here is what support sent me via email:

    This email is to inform you that we had checked internally and could see that on November 6, we released an update to reduce the number of detections for certain Windows events for which a high volume of benign activity was being recorded. By removing detection for these events, we improve the signal-to-noise ratio provided by the XDR platform without reducing the overall visibility, as all the original events are still available in the data lake.
    Labs have updated the detections and that's why you are receiving fewer detections in TAC.
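Since support states that the raw events for the retired detections are still in the Data Lake, a defender can re-create those detections downstream from the Data Lake export. The following is an added example, not code from the thread or from Sophos: it maps the ten event IDs listed above to detection names and raises "Failed login attempt" only when one source exceeds a threshold within a time window, which is the kind of noise reduction the thread says could have been left to the customer. The event record fields (`time`, `event_id`, `host`, `source_ip`, `target`), the threshold and the window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs and names as listed in the thread (the detections retired from the dashboard view).
RETIRED_DETECTIONS = {
    4625: "Failed login attempt",
    4698: "Scheduled task created",
    4738: "User account changed",
    4780: "ACL set on admin account",
    4720: "User account created",
    4726: "User account deleted",
    4740: "User account locked out",
    4737: "Security enabled group change",
    4735: "Security enabled group change",
    4765: "SID history failed to be added to the account",
}

# Assumed noise-reduction rule for 4625: alert once when a source reaches N failures in the window.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)


def detect(events):
    """Return a list of (time, detection name, detail) tuples for the retired detections.

    Events for retired IDs are emitted one-to-one, except 4625, which is aggregated per
    (host, source_ip) and raised exactly once when the threshold is reached in the window.
    """
    alerts = []
    failures = defaultdict(list)  # (host, source_ip) -> timestamps of recent 4625 events
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["event_id"]
        if eid not in RETIRED_DETECTIONS:
            continue
        if eid == 4625:
            key = (ev["host"], ev.get("source_ip", "?"))
            recent = [t for t in failures[key] if ev["time"] - t <= FAILED_LOGON_WINDOW]
            recent.append(ev["time"])
            failures[key] = recent
            if len(recent) == FAILED_LOGON_THRESHOLD:  # == so a burst alerts only once
                alerts.append((ev["time"], RETIRED_DETECTIONS[eid],
                               f"{key[1]} -> {key[0]}: {FAILED_LOGON_THRESHOLD} failures in {FAILED_LOGON_WINDOW}"))
            continue
        alerts.append((ev["time"], RETIRED_DETECTIONS[eid], f"{ev['host']}: {ev.get('target', '')}"))
    return alerts


# Constructed sample telemetry (not real data): one brute-force burst, one stray failure,
# two account/task events from the retired list, and one 4624 that is not in the list.
T0 = datetime(2024, 11, 7, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0 + timedelta(seconds=30 * i), "event_id": 4625, "host": "DC01", "source_ip": "10.0.0.23", "target": "jdoe"}
    for i in range(6)
] + [
    {"time": T0 + timedelta(minutes=1), "event_id": 4625, "host": "DC01", "source_ip": "10.0.0.50", "target": "asmith"},
    {"time": T0 + timedelta(minutes=2), "event_id": 4720, "host": "DC01", "target": "svc_backup2"},
    {"time": T0 + timedelta(minutes=3), "event_id": 4698, "host": "WS42", "target": "\\Updater"},
    {"time": T0 + timedelta(minutes=4), "event_id": 4624, "host": "WS42", "target": "jdoe"},
]

if __name__ == "__main__":
    for when, name, detail in detect(SAMPLE_EVENTS):
        print(when.isoformat(), name, detail)
```

Running the block prints three alerts: one aggregated failed-login alert for 10.0.0.23, the account creation and the scheduled task; the single failure from 10.0.0.50 and the 4624 event produce nothing.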

