Sophos Community

XDR - Detection and Investigation EAP Known Issues

Kevin Kingston — Mon, 11 Oct 2021 13:09:18 GMT

This document lists known issues for the XDR - Detection and Investigation Early Access Program

SS Polyfilms Private Limited

Sophos User1819 — Sat, 20 Jun 2020 07:07:11 GMT

Dear Sir,

We are facing some erros from your sophos software. problems detail Attached .

Live Session Beta it is not responding

Alex Paredes — Wed, 27 May 2020 16:27:16 GMT

Im trying to connect a device through Live Session Beta and i had a following error The session has expired. I trying several times since yesterday but i had the same error. My central sophos it is working well and fine just this issue with Live Session Beta

Regards

Alex Paredes S

Live Discover Schema

Karl_Ackerman — Wed, 08 Apr 2020 18:11:47 GMT

UPDATED May 26 2020

The schema for Live Discover will vary by operating systems.

See the online osquery schema https://osquery.io/schema/4.2.0 for more information on the default schema.

On Windows and Windows Server Sophos has extended the base OSQuery schema to provide access to the 90 days of information in the Sophos Data Recorder. This document covers the detailed Sophos Extension schema.

4min video on query building

Karl_Ackerman — Mon, 06 Apr 2020 10:27:45 GMT

Accelerated video on the Iranian IOC Threat Hunt query creatioin

Building an advanced query 20 min

Karl_Ackerman — Mon, 06 Apr 2020 10:25:58 GMT

In this video we build a threat hunting query to search for Indicators of Compromise for Iranian threat actors. The query creates a table then search across IP, Name, Domain, Port and Hash tables to find the threats.

Live Response

Karl_Ackerman — Tue, 31 Mar 2020 13:29:38 GMT

Using Live Response and Live Discover to identify devices with RDP ports open and perform remediation them directly from Sophos Central

Live Discover Tested with Caldera

Karl_Ackerman — Tue, 31 Mar 2020 13:28:42 GMT

Using Caldera to determine if Live Discover can successfully observer activity and be used to craft a detection query to detect this type of activity and map it to the MITRE ATT&CK framework.

Forensics Investigation with Live Discover

Karl_Ackerman — Tue, 31 Mar 2020 13:27:25 GMT

How to investigate the activity observed for deeper forensics using Live Discover

Threat Hunting with Live Discover

Karl_Ackerman — Tue, 31 Mar 2020 13:26:44 GMT

How to perform hunting operations with Live Discover

Live Discover IT operations

Karl_Ackerman — Tue, 31 Mar 2020 13:26:02 GMT

Watch a brief video on how to use Live Discover for IT Operations

Device Selection for Live Discover

Karl_Ackerman — Tue, 31 Mar 2020 13:25:10 GMT

See a brief demo on device selection and filtering for Live Discover

Joining the Early Access Program

Karl_Ackerman — Tue, 31 Mar 2020 13:24:14 GMT

Instructions on how to Join the Early Access Program for EDR 3.0 with Live Discover and Live Response

Overview of Live Discover and Live Response

Karl_Ackerman — Tue, 31 Mar 2020 13:23:14 GMT

Watch a 5 min presentation on the new Live Discover and Live Response features

Enhanced Protection - Known Issues List 20 January 2020

Vincent Vanbiervliet — Mon, 20 Jan 2020 10:15:13 GMT

Known Issues List for AMSI and IPS EAP - 2019-12-03.pdf

Vincent Vanbiervliet — Tue, 03 Dec 2019 15:01:55 GMT

How to Join the Early Access Program

Vincent Vanbiervliet — Wed, 09 Oct 2019 10:28:39 GMT

This slide deck provides details on the 'New Endpoint/Server Protection and EDR Features' early access programs and describes how to enroll into the early access programs.