We are pleased to announce that today May 19, 2021 we have released some exciting updates for all customers using Sophos EDR (Endpoint Detection and Response) with Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR.
Introducing the Sophos Data Lake
The Sophos Data Lake stores critical information from your EDR-enabled endpoints and servers, which means you get access to that data even if those devices are currently offline.
In addition to being able to get key data from devices even when they are not online (for example if knocked offline during an attack, or a misplaced laptop) the Sophos Data Lake also enables event correlation on a much broader scale. For instance, being able to quickly identify that a suspicious account is logged in across multiple devices.
Then when you have identified an area of interest you can query the device with Live Discover and get incredibly rich, live data and remotely access the device via Live Response to take appropriate action. It’s the best of both worlds.
You get 7 days of retention in the data lake as standard (30 days with Sophos XDR) which is in addition to the existing up to 90 days of data stored directly on devices.
Please note that you need to enable the Sophos Data Lake. In your Sophos Central console select ‘Global Settings’ then under Endpoint or Server Protection (or both) select the ‘Data Lake uploads’ setting and turn on the ‘Upload to the Data Lake’ toggle. From the same window you can also select which devices send data to the Sophos Data Lake.
The Sophos Data Lake is available now for Windows and Linux devices. Mac support will come later this year.
One of the top requested features, this release introduces scheduled queries so you can have critical information ready and waiting for you. Queries can be scheduled to run overnight so key data is ready for assessment the next day.
To set up a scheduled query you first need to choose a query by going to the ‘Threat Analysis Center’ and then ‘Live Discover’. When you have selected the query you want to run you will see a new option to schedule the query instead of running it immediately.
When the query has been successfully scheduled it will appear in your ‘Scheduled Queries’ list.
Scheduled queries are available now for Sophos Data Lake queries. Windows and Linux devices can use scheduled queries now with Mac support coming later this year. Scheduled queries for on-disk queries are coming later this year.
Work even faster with enhancements to workflows and pivoting. You’ll get to key information faster and be able to take actions and respond even more quickly.
Today we are also releasing Sophos XDR (Extended Detection and Response). Sophos XDR goes beyond endpoints and servers, pulling in rich Sophos Firewall and Sophos Email data with more XDR-enabled products coming soon.
Here are just a few Sophos XDR use cases:
|IT Operations||Threat Hunting|
|Identify unmanaged, guest, and IoT devices||Extend investigations to 30 days without bringing a device back online|
|Why is the office network connection slow? Which application is causing it?||Use ATP and IPS detections from the firewall to investigate suspect hosts|
|Look back 30 days for unusual activity on a missing or destroyed device||Compare email header information, SHAs, and other IoCs to identify malicious traffic to a domain|