Clarification Needed on Sophos Peripheral Control Parameters: enabled and monitor Behavior

Hi Community,

We’re reviewing a client’s SOPHOS policy configuration and noticed the following parameter is set:

1) My first question is on "endpoint.peripheral-control.enabled": true

From what we understand, this parameter determines whether the Peripheral Control feature is active. If it is set to false, then any other related settings — for example:

"endpoint.peripheral-control.actions.usb-storage": "blocked"

— would have no effect, and USB storage devices would still remain accessible.

Could someone please confirm whether this understanding is correct? Specifically, does setting enabled to false override all other peripheral control actions, regardless of their individual values?

2) My second question is related to the monitor parameter within the same Peripheral Control policy:

"endpoint.peripheral-control.monitor": false

From what I understand, when this is set to false, the configured actions like block, allow, or read-only for devices are actively enforced.

However, when it is set to true, I’d like to confirm the exact behavior. Does enabling monitor mode mean:

  • The policy operates in a monitor-only state, where device activity is logged but not restricted, allowing users to connect and use USBs or other peripherals without enforcement?

Or

  • Do restrictions like block or read-only still apply, but the system just additionally logs the activity?

In short, when monitor is set to true, do all peripherals behave as if no restrictions exist, or is it more of a dual-mode — monitor plus enforcement?

Would appreciate some clarity on this. Thanks again!

Thanks in advance!

  • Hello,  

    Thank you for reaching out to the Sophos Community Forum.

    I appreciate your questions about the Sophos Peripheral Control policy settings. Here’s a clear explanation of how these parameters work if that helps you:

    1. endpoint.peripheral-control.enabled
    When set to false:

    • The entire Peripheral Control feature is disabled.
    • No related settings (such as blocking or allowing USB storage devices) are enforced.
    • All peripherals, including USB storage, remain accessible to users, regardless of other policy configurations.

    When set to true:

    • Peripheral Control is active.
    • All configured actions (block, allow, read-only) for device types are enforced according to the policy.

    2. endpoint.peripheral-control.monitor
    When set to false:

    • The policy enforces the actions you have configured for each device type.
    • For example, if USB storage is set to "blocked," access to those devices will be prevented.

    When set to true:

    • The policy operates in monitor-only mode.
    • No restrictions are enforced; users can connect and use all peripherals, regardless of any block or allow settings.
    • All device activity is logged for auditing and review purposes.

    Key Points:

    • Setting enabled to false turns off all peripheral control, overriding any other settings.

    • Setting monitor to true activates a log-only mode: no restrictions are enforced, but device usage is recorded.

    Please refer to this article for reference:

    Peripheral Control policy

    Let me know if you need any further help. 

    Regards, 
    Rutvik Chavda
    Global Digital Endpoint Security Engineer
    If a post solves your question, please use the "Verify Answer" button.

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
    • Thanks for the above. My client has set endpoint.peripheral-control.enabled: True and endpoint.peripheral-control.monitor: False on all custom and base policies under the Peripheral Control feature. So I feel that with .enabled: True, if we are already enforcing actions as per the configured rules (e.g. block or allow, etc.), then with .monitor: False we are asking for the same thing, aren't we? Because there is no logging or auditing happening at all?

      • Can we safely recommend setting .monitor to true alongside .enabled: true to log all peripheral device activity without affecting the current enforcement behavior?

      • Or would setting .monitor: true override enforcement and allow unrestricted access, defeating the purpose of .enabled?

      • Hello  

        Thank you for your follow-up and for providing details on your client’s configuration.

        Please refer to this information if that helps you. 

        Current Configuration
        endpoint.peripheral-control.enabled: true

        endpoint.peripheral-control.monitor: false

        With this setup:

        Peripheral Control is fully enabled, and all configured actions (block, allow, or read-only) are actively enforced.

        Only enforcement actions (for example, a device being blocked) are logged. General device usage isn’t comprehensively audited.

        About the .monitor Parameter:
        Setting .monitor: false means enforcement is active and only enforcement-related events are logged.

        Setting .monitor: true switches the policy to monitor-only mode. In this mode, no restrictions are enforced and all peripherals are allowed, regardless of any block or allow settings. However, all device activity is logged for auditing purposes.

        Key Points:
        Monitor mode (.monitor: true) disables enforcement and only logs activity.

        You can't have both enforcement and full activity logging simultaneously.

        For active enforcement, keep .monitor: false. For comprehensive logging without enforcement, set .monitor: true.

        Recommendation:
        If your goal is to enforce device restrictions, don’t enable monitor mode (.monitor: true), as this will override enforcement and allow unrestricted access to all peripherals. At this time, Sophos Peripheral Control does not offer a mode that simultaneously provides both full enforcement and comprehensive logging.

        There is currently no built-in feature in Sophos Peripheral Control that allows strict enforcement and full device activity logging simultaneously. If this capability is important for your organization, you can contact your Sophos account manager or partner to request that a feature enhancement be submitted on your behalf.

        Please let us know if you have any further questions or need additional assistance.

        Regards, 
        Rutvik Chavda
        Global Digital Endpoint Security Engineer
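As an added illustration of the two switches explained in this reply (not code from Sophos or the original poster), the following Python model encodes the stated semantics and audits a flat policy dict for restrictions that are configured but not actually enforced. The `optical-drives` device type and all policy values are constructed samples; only `usb-storage`, `enabled` and `monitor` are taken from the thread.

```python
"""Model of the two Peripheral Control switches discussed in this thread.
Semantics follow the support reply above: enabled=false disables the feature
entirely; monitor=true is log-only with no enforcement; monitor=false enforces
the configured actions and logs only enforcement events. The policy dicts are
constructed samples in the flat key style quoted in the thread, not exports."""

PREFIX = "endpoint.peripheral-control."
ACTIONS = PREFIX + "actions."


def effective_behaviour(policy):
    """Return {device_type: (effective_action, what_gets_logged)} for a flat policy dict."""
    enabled = policy.get(PREFIX + "enabled", False)
    monitor = policy.get(PREFIX + "monitor", False)
    result = {}
    for key, configured in policy.items():
        if not key.startswith(ACTIONS):
            continue
        device = key[len(ACTIONS):]
        if not enabled:
            result[device] = ("allowed", "nothing")       # feature switched off
        elif monitor:
            result[device] = ("allowed", "all activity")  # monitor-only mode
        else:
            result[device] = (configured, "enforcement events only")
    return result


def audit(policy):
    """List every device type whose configured restriction is not actually enforced."""
    findings = []
    for device, (effective, _) in effective_behaviour(policy).items():
        configured = policy[ACTIONS + device]
        if configured in ("blocked", "read-only") and effective != configured:
            why = ("Peripheral Control is disabled" if not policy.get(PREFIX + "enabled")
                   else "monitor mode is on")
            findings.append(f"{device}: configured '{configured}' but effectively "
                            f"'{effective}' because {why}")
    return findings


# Constructed samples: the client's current setup and the two variants asked about.
CLIENT_POLICY = {
    PREFIX + "enabled": True,
    PREFIX + "monitor": False,
    ACTIONS + "usb-storage": "blocked",
    ACTIONS + "optical-drives": "read-only",  # illustrative device type, not from the thread
}
MONITOR_VARIANT = dict(CLIENT_POLICY, **{PREFIX + "monitor": True})
DISABLED_VARIANT = dict(CLIENT_POLICY, **{PREFIX + "enabled": False})
```

Running `audit(MONITOR_VARIANT)` reports both restricted device types as effectively allowed, which is the behaviour the reply warns about when .monitor is set to true.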
        • Thanks for the explanation!

          For capturing the “general device usage” and gaining broader visibility into all peripheral activities, would it be advisable to complement SOPHOS peripheral control logs with additional monitoring solutions such as:

          1. Sophos Live Query (XDR) for real-time endpoint insights

          2. Native Windows Event Logging focused on USB device events

          3. Sysmon configured with SIEM integration to enable detailed and granular endpoint activity tracking

          • Hello  

            Thank you for your question regarding peripheral activity monitoring and Sophos Live Query (XDR) use.

            Peripheral Activity Monitoring with Sophos:

            • Sophos Peripheral Control is designed primarily for policy enforcement (block, allow, or read-only) and does not provide comprehensive logging of all device activity when enforcement is enabled. For broader visibility into general device usage, it’s advisable to supplement Sophos Peripheral Control with additional monitoring tools.

            About Sophos Live Query (XDR):

            • Sophos Live Query offers powerful, real-time endpoint insights through custom SQL-based queries.
            • At this time, Sophos does not provide a pre-built or default Live Query specifically for comprehensive USB or peripheral activity monitoring.
            • Most detailed USB or device tracking queries must be custom-built to meet your organisation’s needs.

            Recommendations:

            • Custom Queries: If you require specific queries for USB or device activity, you’ll generally need to write them manually. The Sophos documentation and community forums may offer sample queries, but there’s no official, comprehensive, pre-built query for all peripheral activity.
            • Please refer to these articles for reference:
              • Getting Started with XDR Query
              • XDR Query API

            Contact Your Account Manager or Partner:

            • If you need help building a custom query or want more information on what’s possible with Sophos Live Query, please get in touch with your account manager or partner.

            Additional Monitoring Options:

            • You may also consider complementing your setup with:
              • Native Windows Event Logging: Configure Windows to log USB device events for auditing and correlation with user activity.
              • Sysmon with SIEM Integration: Deploy Sysmon for granular device event tracking and integrate with a SIEM for centralised analysis and alerting.
            • Please refer to these articles for reference:
              • Sophos Central APIs: Send alert and event data to your SIEM
              • Sophos Central Admin: SIEM frequently asked questions

            Let us know if you have any further questions or need additional assistance.

            Regards, 
            Rutvik Chavda
            Global Digital Endpoint Security Engineer