XDR for All

Detection and response for security experts and IT administrators.

Designed for both security analysts working in dedicated SOC teams and IT administrators covering security and other IT responsibilities, Sophos XDR enables organizations to quickly answer business critical questions and respond remotely.

Reduce Time to Detect and Investigate

Immediately get to the information that matters to you by choosing from a library of pre-written, customizable templates covering many different threat hunting and IT operations scenarios – or write your own. You have access to live device data, up to 90 days of on-disk data, 30 days of data stored in the Sophos Data Lake cloud repository, and an automatically generated list of suspicious items so you know exactly where to start.

Examples include:

• Why is a machine running slowly? Is it pending a reboot?

• Which devices have known vulnerabilities, unknown services, or unauthorized browser extensions?

• Are there programs running on the machine that should be removed?

• See unmanaged and unprotected devices such as laptops, mobiles, and IoT devices

• Are processes trying to make a network connection on non-standard ports?

• Have any processes had files or registry keys modified recently?

• Which programs are causing office network issues?

• Analyze cloud security groups to identify resources exposed to the public internet

Know Where to Focus

Starting with protection Sophos saves your analysts valuable time. Machine learning and threat intelligence provide an AI-prioritized risk score for each detection, so it’s easy to identify items that need immediate attention and quickly resolve them. Detections are ranked on a 0-10 scale and include crucial information such as time and description of detection, process name, and hash. With a few clicks you can add detections to an investigation, isolate a device, or pivot to additional information in the Sophos Data Lake. Enrich data by looking up a hash on VirusTotal, the reputation of an IP address on SANS, or by creating your own enrichments with any web service. Collaboration is straightforward with multiple analysts able to assign information and detections to the same investigation offering full context of an incident.

Speed Up Your Incident Response

When you have the information you need, it’s easy to respond quickly, even if the device in question isn’t physically present. From the same cloud management console, you’re able to remotely access devices in order to perform further investigation, install and uninstall software, or remediate any additional issues.

Using a command line tool you can:

• Terminate active processes

• Run scripts or programs

• Edit configuration files

• Install/uninstall software

• Reboot devices

• Run third-party forensic tools