Sophos Central Threat Detection Dashboard \Detection view

Hello everyone,
are you aware of any problems with Sophos Central?

I am asking because, since today, there have been no more entries in XDR under Threat Protection\Dashboard\Detection.
Data Lake and Live Response are unchanged and still set to active.
Queries via Live Discover are also successful and up-to-date, and Live Response is functional.

Licences are also in the green zone.

In the past few days, there has been a malfunction in the Scheduled Reports from Central. However, the last report was created last night without any adjustments being made.

Nothing is listed under Sophos Status or on the Sophos Community website either.

I would really appreciate any helpful information, because XDR is quite important for us.
Thank you very much.



Added tags
[edited by: GlennSen at 8:48 AM (GMT -8) on 11 Dec 2024]
  • A brief summary from my side:

    Sophos support informed me that the following detections (in the detection view) were deprecated on November 6:

    • WIN-EVENT-4625: Failed login attempt
    • WIN-EVENT-4698: Scheduled task created
    • WIN-EVENT-4738: User account changed
    • WIN-EVENT-4780: ACL set on admin account
    • WIN-EVENT-4720: User account created
    • WIN-EVENT-4726: User account deleted
    • WIN-EVENT-4740: User account locked out
    • WIN-EVENT-4737: Security enabled group change
    • WIN-EVENT-4735: Security enabled group change
    • WIN-EVENT-4765: SID history failed to be added to the account

    Can you confirm this?

    I don't understand the point of irreversibly removing detections from the "Detection" view for all customers, if each customer has the option to suppress "noisy" detections independently.
    Furthermore, I don't agree with the decision that customers were not informed about this change. I hope that Sophos will change this process in the future.
  • I have created a Live Discover query based on the list that Jonas posted above. This query uses the Data Lake as its source, so it generates a list similar to what you would previously have seen in the detections view.

    To use the query, go into Live Discover, toggle Designer Mode and then click Create new query. In the screen that appears, give the query a name, select Data Lake as the source and copy the query below into the SQL box. You can then run the query and it should show the events.

    -- Each UNION ALL branch below rebuilds one of the deprecated WIN-EVENT detections
    -- from the raw Data Lake events; the Windows event ID is noted on each branch.
    WITH events (DateTime, Who, Event, Device) AS (

       -- 4625: failed logon (target_username '-' rows carry no account and are dropped)
       SELECT
          calendar_time,
          target_domain || '\' || target_username,
          CAST(eventid AS VARCHAR(8)) || ' - Invalid logon.',
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_invalid_logon'
         AND target_username <> '-'

       UNION ALL

       -- 4740: account locked out
       SELECT
          calendar_time,
          target_domain || '\' || target_username,
          CAST(eventid AS VARCHAR(8)) || ' - Account locked out.',
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_locked_out'

       UNION ALL

       -- 4720: user account created (Who = the account that performed the change)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Created user: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_created'

       UNION ALL

       -- 4738: user account changed
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Modified user: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_changed'

       UNION ALL

       -- 4726: user account deleted
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Deleted user: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_user_account_deleted'

       UNION ALL

       -- 4735 / 4737: security-enabled group changed (domain controllers)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Modified security group: '  || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_security_enabled_grp_change_dc'

       UNION ALL

       -- 4698: scheduled task created
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Created Task: ' || task_name,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_scheduled_task_created'

       UNION ALL

       -- 4780: ACL set on an admin account (domain controllers)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - Modified Admin ACL: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_acl_set_on_admin_accounts_dc'

       UNION ALL

       -- 4765: SID history failed to be added to the account (domain controllers)
       SELECT
          calendar_time,
          subject_domain || '\' || subject_username,
          CAST(eventid AS VARCHAR(8)) || ' - SID history failed: ' || target_domain || '\' || target_username,
          meta_hostname
       FROM xdr_data
       WHERE query_name = 'windows_event_sid_history_failed_adding_to_account_dc'

    )

    SELECT * FROM events ORDER BY DateTime DESC
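The query above restores the flat event list that the deprecated detections used to show. What a detection actually added was a trigger condition, so the added example below (editor's example, not part of the thread or of Sophos' own detection content) turns the 4625 stream into two threshold rules over the same `xdr_data` columns: many failures against one account on one host (brute force) and failures spread across many accounts on one host (password spray). It assumes the Data Lake accepts a Presto-style `date_trunc('hour', ...)` on `calendar_time`; the thresholds of 20 failures and 10 distinct accounts per hour are illustrative and should be tuned to your environment.

```sql
-- Added example: threshold detections over the deprecated WIN-EVENT-4625 events.
-- Assumes date_trunc() is available and calendar_time is a timestamp;
-- the thresholds (20 failures, 10 accounts per hour) are illustrative.
WITH failed_logons AS (
   SELECT
      date_trunc('hour', calendar_time)        AS hour_bucket,
      meta_hostname                            AS device,
      target_domain || '\' || target_username  AS account
   FROM xdr_data
   WHERE query_name = 'windows_event_invalid_logon'
     AND target_username <> '-'
),
per_account AS (
   -- brute force: repeated failures against a single account on one host
   SELECT hour_bucket, device, account, COUNT(*) AS failures
   FROM failed_logons
   GROUP BY hour_bucket, device, account
),
per_device AS (
   -- password spray: one host sees failures across many distinct accounts
   SELECT hour_bucket, device,
          COUNT(DISTINCT account) AS accounts_hit,
          COUNT(*)                AS failures
   FROM failed_logons
   GROUP BY hour_bucket, device
)
SELECT hour_bucket, device, account, failures, 'brute-force' AS pattern
FROM per_account
WHERE failures >= 20

UNION ALL

SELECT hour_bucket, device,
       CAST(accounts_hit AS VARCHAR(8)) || ' distinct accounts',
       failures, 'password-spray'
FROM per_device
WHERE accounts_hit >= 10

ORDER BY hour_bucket DESC, failures DESC
```

Run it the same way as the list query (Designer Mode, Data Lake source) and schedule it; a row only appears when a threshold is crossed, which is closer to the behaviour of the removed detection than a full event listing.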



  • Huh, and the support desk seemed surprised when I complained about this in a ticket - now I look here and I see I'm not the only one...

    Unilateral, unpublished changes are confusing.

    Hopefully they'll at least notify in future, but it doesn't sound like they're rolling it back.

  • And thank you very much for that query - works great, and I've scheduled a regular run for me to review.
