Video: Delta Technical Certifications - Sophos Central | Duration: 7016s | Summary: Delta Technical Certifications - Sophos Central | Chapters: Software Central Introduction (4.4s), API Credential Management (219.345s), Directory Synchronization Options (404.935s), Linux Installation Methods (953.32495s), Software Management and Updates (1232.795s), Updating and Health Checks (1916.12s), XDR and Data Lake (2572.2202s), XDR Data Integrations (3413.47s), Network Detection Response (3863.01s), Deployment Best Practices (4028.165s), NDR Deployment Design (4157.79s), NDR Data Engines (4308.7646s), NDR Sensor Deployment (4423.1553s), NDR Sensor Deployment (4588.385s), NDR Appliance Management (4952.54s), Query Creation and Editing (5431.2803s), Scheduling Data Lake Queries (6134.625s), API Usage Process (6458.59s), Linux Threat Remediation (6558.725s), Troubleshooting and Diagnostics (6700.16s), Course Conclusion and Exam (6875.83s)
Transcript for "Delta Technical Certifications - Sophos Central": Good morning, and welcome to the Sophos Central version 3 to version 5 engineer and architect delta. Today, I'll be taking you through quite a few slides over the next two hours, so hopefully we get a lot out of this in terms of training and preparation for the exam. You'll need to pass the exam at the end of this, and to pass it, you will need to score more than 80% on the 20 questions, so that's getting 16 right. There will be links at the end of this as well, with a QR code that will take you to the exam page, and the duration of this training should be over two hours. So as we go through this, feel free to ask questions in the Q&A chat box on the right-hand side, and we'll do our very best to answer those. Those that we can't answer, we'll definitely be following up with a reply at the end.

The agenda today is broken down into modules. As we'll see here, we have the Sophos Central dashboard, through to Linux, controlled updates, detection and response, troubleshooting, updating management, etcetera. These are largely around the deltas themselves. The exams that you've passed previously would have contained a lot of the background information, so this will be very much focused on what's new and the changes subsequent to your previous exams.

As we roll through this, we'll start with the Sophos Central dashboard, as those modules indicated. The Sophos Central user interface has been redesigned, so we can see new features: controls are now available at the top of the screen, with drop-downs for each section, where previously the navigation bar used to be on the left-hand side. The account health check enables you to look at the best protection that can be applied to your devices and your environment.
It can be accessed through the quick menu icon at the top of the screen, for quick navigation, and also from the icon in the top right-hand corner. Equally, Global Settings has been renamed to General Settings; the settings themselves are accessed via the cog icon in the top right-hand corner or via the My Products drop-down menu. The general settings are used to specify security settings that apply to all of our users and devices. The pages displayed will depend on the features included in your license. As we go through this, we'll see the account preferences have some new additions as well, to do with controlling what data is sent to Sophos for the purpose of improving your protection. You can set, as highlighted here, different regions for submission to the Intelix dynamic sandbox for analyzing code, and the default in this particular location is "let us decide".

As a hint, as we go through this training today, you will see, for example, the box indicated on the screen there, and these could be exam questions as we go through, so definitely pay note to those. Equally, you'll see in the top right-hand corner there's a docs page during this session, so feel free to download some of the content as well so you can refer to it after this training session.

Moving on to user management. To use the Sophos Central APIs and the Windows directory sync tool, you'll need to create a set of credentials. These are separate from users in Sophos Central. An API credential will have a credential ID and a client secret that work like your username and password, as well as a role to manage the permissions, and an expiry date. You'll need to be a super admin to manage API credentials in Sophos Central, and at the time of writing, API credentials are not available for trial accounts.
You can have up to, as the blue banner suggests, 10 API credentials inside Sophos Central. Creating API credentials is easy: you just need to give it a name and, optionally, a description. You must select a role, which determines the permissions the credentials are given. In this example, the API credential being created will be used with the Windows Active Directory synchronization tool. The role selected in this case is Service Principal Directory Sync User, which will give the API credential the correct permissions needed to perform that role. Moving on to the Roles tab, we will see the descriptions for each of the roles. By clicking on a role on the left-hand side, you'll see which permissions are granted to that individual role. Once you've created a set of API credentials, they'll be displayed. It's important to note here, highlighted in the blue banner, that the client secret will only be displayed once, should you choose to display it when you're ready to use it. If you've lost the API credential secret and you want to recover it, you'll need to create a new API credential.

You can use directory services to synchronize your users and groups from multiple sources, as well as synchronize devices, device groups, public folders, and mailboxes from either a Windows Active Directory or Azure Active Directory. You can synchronize multiple Azure AD domains to Sophos Central, as well as synchronize devices and device groups from a Windows Active Directory and users and user groups from Azure AD for the same domain. Equally, you can synchronize a Windows Active Directory for a different domain in the same forest, selecting multiple child domains in a single forest, as examples. Directory synchronization: there are a few restrictions around directory synchronization.
So whilst you're currently able to synchronize users or email addresses to multiple Sophos admin accounts, users and email addresses must be unique in each Sophos account. When synchronizing multiple Active Directory sources for the same domain, the same domain name can't appear in two separate domains being pulled into a single Central console. With Azure Active Directory for the same domain, you can synchronize up to 25 sources, which is quite nice.

You can configure federated authentication for Sophos Central administrators, which allows you to use an existing identity provider for single sign-on to manage administrator access. When the administrator goes to Sophos Central to sign in, they enter their email address, and Sophos Central will redirect to your configured identity provider. The administrator enters their password, the identity provider authenticates them and redirects them to Sophos Central, and Sophos Central completes the authentication and logs the administrator into the console, as highlighted in the slides there. One key note is also highlighted in the blue banner again; I was just making a subtle hint there. Configuration takes place in three stages. First, you need to verify the domain for use with single sign-on. Next, you add the identity provider, and then finally you choose the sign-in settings. You must be a super admin to configure federated authentication inside Sophos Central. To verify the domain: if you want to use federated sign-in as your sign-in option, you must ensure that all administrator users are assigned to a domain that has an identity provider. To verify the domain, navigate to Global Settings at the top of the screen, Verify Domains, click Add Domain, then enter the domain and click Save. The documentation is also available in the top right-hand corner underneath the help icon.
On the next page or screen, you'll see instructions on how to verify domain ownership. You will need to add a DNS TXT record with the given name and value, then click Verify. Please note that, depending on your DNS provider, it may take up to twenty-four hours for this to synchronize through. The key point here, which probably should have a blue banner, is that it's in the format of a TXT record. Continuing with verifying the federated domain, you can see what we have added here in terms of the TXT record. The name of the record is the domain name; here we've used an @ symbol to denote the domain. The value of the record has been copied from Sophos Central. Once the domain is verified, you'll see it reflected in the verification status, which you'll then be able to click on and re-verify. As I say, these slides are running at a good rate of knots, so if there are questions, feel free to drop them into the chat panel and I'll do my best to answer those.

Continuing on the identity provider thread: once you've validated the domain and you add the identity provider, it will appear, for example, under Global Settings, Federated Identity Providers. Select the type of identity provider you want to add; for supported vendors, a link to the instructions for configuring the selected identity provider will be displayed on that page as well. Complete the fields as required. Select the domains that will need to be authenticated by this identity provider. Finally, select whether the identity provider will be enforcing MFA or not. Where the identity provider is not enforcing MFA, Sophos Central will continue to prompt for MFA. That's another key point, just to make a note of. Once you've added the identity provider, you must turn it on before you start using it, in the top right-hand corner as denoted in that image.
With the identity provider configured and turned on, the final step is to choose how administrators authenticate. This is done in two parts. First, you need to select the global sign-in method at the top of the screen. This will apply to all administrators. This can be either Sophos Central credentials, federated credentials only, or Sophos Central or federated credentials. You can define exceptions in the box further below, but you may want to keep the sign-in options method, reducing any single points of failure if there are issues with MFA or the federated provider. Once federated credentials have been selected in the settings and the administrator logs into Sophos Central, they'll enter their email address as usual, but they'll be redirected to enter their password for Sophos Central credentials, and the administrator can choose either single sign-on or to enter their Sophos Central credential password. So look at the example above: for the email address, in this case, we're using Okta to verify, and then we're signing in with that option there, either single sign-on or a Central-managed password.

With the introduction of extended detection and response, the role for each user has changed; in this delta, we're specifically highlighting those changes. Working with Intercept X and XDR, there are additional permissions for some of the roles. To review these permissions, have a look at the graph above, just to highlight which roles are required for which permissions and the changes with XDR. It's a useful reference; again, you can get to a similar view by going to the roles within Sophos Central and clicking Help. In addition to the available predefined roles, you can also create custom roles. Custom roles are based on a predefined role that you select: full (which is equivalent to an admin), help desk, or read-only.
These define the initial set of access rights that you're creating here, and then you can define permissions for individual components based upon that role. You can select the access rights for each of the products in Sophos Central. You must select at least one product for the role. There are three additional settings that apply to all products: to enable access to logs and reports, to enable policy management, and to enable policy assignment to users, devices, and groups, etcetera. In addition to these, there are settings related to Live Response, which are shown depending on what level of access is being granted for endpoints and servers respectively. For example, the Live Response session on servers option will only be available if you've chosen the server products with full or help desk type roles. Endpoint and server shared settings: if the role has access to endpoint protection or server protection, but not both, the shared settings are read-only. This is quite a key point, highlighted in the blue banner at the top of the screen. In the case of bandwidth usage, the role needs access to encryption. Have a look at the review settings on your page here, but definitely have a look at the help section as well when looking at those permissions, and definitely take note of the blue banner at the top there.

Moving on to the Linux and Mac deployments as part of the delta. Sophos Protection for Linux provides detection and response capabilities for Linux servers, workloads, and containers hosted in the cloud. You can protect both physical and virtual Linux servers against threats and view those servers in one place, which optimizes performance and the integration with security and development operations workflows. To install Sophos Protection for Linux, log in to your Sophos Central account and navigate to Protect Devices in the left-hand menu.
In the Server Protection section, you can either download the server installer or right-click the download installer and copy the link; we'll refer more to that link in this section. For the Sophos Protection for Linux installer, on your Linux server, at the command prompt or in a script, use wget with the link address that you previously copied, pasted into this section here. The example is shown and highlighted in the text above. Once you've changed the permissions of the file to include the execute permission, using the chmod command shown above, and once that has completed, run the installer itself. If you're not logged in as root, run the installer with the sudo command to allow the permissions for it to execute. Use this command to apply the execute permission: chmod +x SophosSetup.sh. This command runs the installer: ./SophosSetup.sh. To run the installer when not logged in as root: sudo ./SophosSetup.sh. Again, with this, you can go to the help section, which will give you guidance, or make sure you refer to the documents in the top right-hand corner of this shared screen. The Sophos Protection for Linux installation directory is the directory structure shown above, /opt/sophos-spl. Using the ls command, you can view the directories included inside this installation, as in the example shown above.

Automated deployment for Linux using third-party management tools can be used to deploy the Sophos agent to Linux. One reason for not using the installer directly, and having it downloaded by the target device, is to ensure that it's always the latest installer, as it includes the certificates and configuration. Here, we're going to use a tool called Puppet as an example of a third-party management tool, which is available in both open source and paid-for versions.
The example here is configuring Puppet to use the module. It's largely broken down into the four steps highlighted at the top of the screen. First, create a new Puppet module. Upload a script to install Sophos, such as the one we've already covered. Create a class manifest for the module that defines the actions that the nodes need to take. Configure the manifest to assign the module to nodes. More details on these are in the full course page as well.

Bulk deployment on macOS: moving away from Linux to macOS, this requires manual configuration to set permissions for the device and services that are required by the system. Fortunately, this step can be automated. Third-party tools can be used to automate the Sophos deployment to macOS. This could be using on-premise or SaaS tools. Here, we're going to use Jamf Pro as an example for third-party management tool deployment. So, again, with Jamf Pro, to push the Sophos installation to devices, there are broadly, again, four steps; we seem to make that into four steps quite consistently. Download the installer and copy the URL. Create and configure computer groups in Jamf Pro, upload and set configuration profiles in Jamf Pro, and create and configure script policies in Jamf Pro. These processes are fully documented as part of the Sophos Central online documentation, so more details can be found in that online documentation, or indeed in the help page or the full delta course information as well.

Managing and updating. You can display your devices in Sophos Central on the Devices page. Selecting a device from this will display additional options for each of those devices. To manage software on a device, you click on the device, the tick box next to the name of the device, and then Manage Endpoint Software. From the drop-down option menu, you can select to change the protection of a single device or multiple devices.
So this is a lovely new step, where we can now select multiple devices and change the software on those multiple devices, as opposed to individually. You can choose to remove the protection of a managed device as well. Once you select change to the endpoint protection, you'll see a progress bar. Please note you cannot install software on a device that does not support it or is not licensed for it. In the Encryption column of the device list, you'll see the ability to add encryption software to a device or multiple devices, if required. To make it easy to manage protected devices, you can create computer groups, grouping computers together so you can assign the same policy to multiple devices at the same time. Computer groups are created by navigating to Endpoint Protection, then Computers, then selecting Computer Groups. It does make management a lot easier when they're all grouped together. If you've synchronized your Sophos Central account with Active Directory, you may already have computer groups set up. The number of devices assigned to a group is displayed, and you can also search this list by entering the name of the group you're searching for in the search box. You can manually create a computer group by selecting Add Computer Group; further details, again, are inside the help pages and the Sophos Central console for managing groups. You can either create a group at the top level or create a group inside an existing group. For example, here, "create a group inside an existing group" has been selected in the screen above. Name the group and assign the required computers to the newly created group from the list. The list is filtered to show unassigned computers by default; however, you can change the view to show all computers inside that view section.
If you have a group that's not in the correct place, for example a top-level group that should be at a sub-level location, you can move the group to the correct place by selecting the group you want to move, selecting where you want to move it to, and then clicking Save. Device group membership can be edited using the Computer Groups tab, or, for an individual device on the device page, by selecting Change Group, as indicated at the top of the screen on the right.

To assist with health checks, there are a number of built-in features that will alert you to vulnerable settings. For example, on the Devices page, a Tamper Protection column is included. This indicates whether tamper protection is enabled or disabled, as reflected in the view above. The Protect Computer and Server pages can be filtered to show any devices with medium or bad statuses. A bad status, for example, is where devices have tamper protection disabled. This allows you to filter the device page to show those devices that require attention from an administrative point of view. Selecting a device from the list will also show additional options that help you manage or remediate those devices. For remediation, this means you can easily turn on tamper protection if it's turned off, and reset the health status of a device should you need to. You can reset the health status of a device by selecting the device you wish to reset to green, or healthy. It's important to note that resetting the health of the device does not clean up threats or fix software issues. That's a really key, important point. A health status reset will clear alerts in Sophos Central for the device. A health reset should be done if you want to clear old issues, to flush out any white noise, for example, and to allow you to focus on the current issues.
Devices that have a green state, i.e. a healthy status, after the reset will remain in that state if those issues have been resolved. This doesn't affect the protection of the device, so if there is an issue that requires action, the status of the device will return to a yellow or red status. Again, that's quite a key point. It should be denoted with a blue banner on the screen here, but definitely make a note of that statement.

Sophos Central updating overview. How does this work? Once the device has been protected and installed, components are maintained by the Sophos AutoUpdate service. Sophos Central updating uses TCP 443 to communicate (now, the key important point) between itself and Sophos Central. You obviously need to allow updating through your firewall or proxy to ensure that the domains displayed are allowed. If your proxy or firewall doesn't support wildcards, you must identify the exact domains you need; the full list can be viewed on the Sophos help pages. The example gives the list of domains and ports above. On a Windows device, the Sophos Protection agent displays the update status in the About menu. You can force an update by clicking Update Now. Opening the Endpoint Self Help tool also allows you to view further updating information, so you can see where the device is updating from, for example whether the device is updating directly from Sophos or in fact using a proxy, or whether a proxy has been configured. Updating on macOS: the Sophos Protection agent displays the update status on the About page. In the diagnostic tool, in the Update tab, with the latest update time and date information and connection details, you can view the update location and server along with the proxy settings, if they've been configured, in this section as well. Updating on Linux: for Linux server protection, where Sophos Protection for Linux has been applied, you cannot force an update directly on the server.
You can click Update Now on the device details page in Sophos Central, which will force an update on the server. For proxy configuration, in Sophos Central you can define a proxy that will be used by protected devices for updating and management. The Sophos endpoint agent will try other methods to access Sophos Central, in order: message relays, if any are configured; Sophos Central proxy settings; the default system proxy configured on the device; proxies that are discovered automatically; and finally, without a proxy. Where you have multiple sites or authenticated proxies and the same settings will not work for all of them, you may need to use an update cache or message relay to route traffic through; there's further information on the update cache and relay help page.

Let's have a look at how updating works and the flow of that. A Sophos device requests an update. The request is received by the Management Communication System, which processes the request and passes it on to the AutoUpdate service. The AutoUpdate service calls the Sophos update service to perform an update. The SophosUpdateStatus.xml, denoted at the top of the screen on the right-hand side, is checked to determine which updates are required. The update files are requested from the update location, either Sophos or, for example, as we mentioned earlier, an update cache. These are stored in a repo directory, in .zf format, for example. These files cannot be used until they've been extracted and stored in the local cache folder, decoded. Any updates or new components which were installed when an update completes are written to the SophosUpdateStatus.xml with the current status, which is reported back to Sophos Central. Files are downloaded to C:\ProgramData\Sophos\AutoUpdate\data\repo.
The local cache folder can be found at ProgramData\Sophos\AutoUpdate\cache\decoded, whilst the SophosUpdateStatus.xml can be found at ProgramData\Sophos\AutoUpdate\data\status. Lastly, the Sophos update log can be found at ProgramData\Sophos\AutoUpdate\Logs. For further information on this, definitely use the documents in the top right-hand corner of the screen to refer back to. Sophos AutoUpdate is made up of largely two components: AutoUpdate and Update. The Sophos AutoUpdate service is always running on a protected device. It's called the Sophos Update service, and it performs essentially hourly tasks to perform updates. SophosUpdate.exe is the update executable. It's only run when an update is requested; therefore, you only see that process run when Sophos is updating. SophosUpdate downloads the files and processes the component installations. All steps processed during this update can be viewed in SophosUpdate.txt, which is available in the AutoUpdate logs directory, as mentioned on a previous slide. It's useful to know how Sophos determines which files are updated and downloaded to the device during an update: it's the license applied to the device in Sophos Central, in which the device is managed and from which it was installed when it was protected. So, in the repo folder on the device, the package folder contains all license packages, made up of compressed files containing the installation files. These are known as subscription packages, and the subscription packages map to the suites which contain the required software. The metadata included in the files stored in the suite folder tells the device which package to update. Sophos Update only downloads each package once, which means that updating is processed quickly. Multiple subscriptions and suites can be applied to a single device.
The folder that's used for the AutoUpdate files is C:\ProgramData\Sophos\AutoUpdate\data\repo. Moving on to updating subscriptions. You can see the subscription packages applied to the device by viewing config.xml. This is stored in the repo directory. The text file details the suites and packages associated with the device and the platform itself. Again, these are stored inside the C:\ProgramData\Sophos\AutoUpdate\data\repo\packages section as well.

Update communication with Sophos Central. Sophos Central uses a customer ID, also known as the tenant ID, associated with the Sophos Central account. You can view the customer ID used in the SophosUpdate.log, or in the registry on a Windows device; an extract from the SophosUpdate.log displays information around the tenant ID and the device ID being used. On macOS devices, the customer ID is stored in a plist file, whilst on Linux the customer ID is stored in a file that is actually unreadable. The registry location for Windows is HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate.

So, again, talking about controlled updates in a bit more detail: package types. Software packages let you control the Sophos protection software that's applied to those devices and how it's updated. By default, the recommended packages are applied and updated automatically; however, you can select packages that allow you to remain on the same version for a set period of time. There are three main package types. Recommended, which is automatically updated with the latest protection and does not expire, etcetera. Then fixed-term packages: these packages contain the protection available on the release date plus updates against threats,
and the package will expire, generally, 120 days after release, or at least 30 days prior to the next release. And, of course, there are long-term fixed-term support packages. Please note (this is important) that these packages are only for use on devices that can't update regularly, for example, or that have very strict change control restrictions applied to them. But generally the default, Recommended, is the one most people will be on and use. Software packages can be viewed by navigating to this section in the console, underneath General Settings, Software Packages; the packages available are displayed with their start and end dates. Clicking the arrow next to the package name will display further information, and you'll also see a package notes link that will take you to the Sophos website for further details on the information contained within that package version. To select a different package for the first time, or to replace a package that's expired, navigate to the product policies menu. To do this, for either endpoint or server, select the update policy that applies to the devices that you want to have a specific package applied to. Then, in the settings, select the software package you want to apply to those devices from the drop-down menu, as pictured in the image above, and the groups you wish to assign that package to. Some considerations for packages: when a software package is due to expire, you'll receive an email notification, which will ensure that you can select a new package before the expiry of the existing one you're subscribed to. If you do not replace the expired package, you will stop getting security updates and you will not be protected against the latest threats. So it's a key point to note around the considerations there.
Moving into the health checks module. The account health check dashboard displays the overall health of your security products. The health check score for each section reflects whether your devices or policies are using the recommended security settings. All scores are out of 100, and a score of 100 indicates we did not find any issues with the configuration of those settings. The overall health score, across all of the health checks, takes the lowest number, as we can see from the image above. Health scores and checks to do with policies and configurations can be snoozed and postponed by selecting those individual score numbers. For information about how scores are calculated, there is a useful page on the Sophos website, under Docs, Central Customer Help, Endpoints, Manage Your Products, Account Health Check, and then Health Check Scores. So, to view how those scores are calculated, it's a useful link to know about. It's also in the documentation for this material. Let's have a look at the currently available sections within the scoring parameters above. First, the Protection Installed section, which checks whether all licensed protection has been applied to those devices and installed correctly. If an account health check warns that a device does not have all of the licensed products installed, that will be reflected in the overall health score. The Tamper Protection section indicates if any devices have tamper protection turned off. The health check will also check the general settings for tamper protection. If the general setting is disabled, this needs to be enabled before you can enable tamper protection for individual devices. We recommend that you review those devices that have tamper protection disabled to understand why.
Without this protection, devices are more vulnerable to attack. You can snooze, as mentioned earlier, an account health check for up to six months. This means you're postponing dealing with the issues identified. You may want to check whether you're troubleshooting any of these devices, etcetera, and you can put notes and comments into that section as well. Just to reiterate, yes, this session is being recorded and should be available in the partner portal after this event. When you select the Fix Automatically button, an additional window will be displayed confirming that you're happy to resolve and fix that particular issue. Just be careful with this one: if you've got multiple settings, certainly in terms of policies, and you click Fix Automatically, there may be a reason why somebody put those exclusions or configuration settings in there. So, as a side note, it's always worth investigating before you use the Fix Automatically button. The policy section checks against your configured endpoints and servers. A red warning is displayed in the policy section of the account health check if a policy setting differs from the recommended settings of the Sophos Central console. These recommended settings are generally best security practice that we can apply from those settings. So if you must change settings to fix an issue, change as few as possible if you can. The exclusions health check applies to all policy and global exclusions configured. Should an exclusion be identified as a security risk, it will be highlighted in this section. You'll see a banner across the top of the screen, against the exclusion entry in global exclusions.
Whilst we do not prevent you from adding exclusions that pose a security risk, we may highlight the risk when you add the exclusion, essentially by highlighting it with a red line within that policy setting. Please note that additional health checks may be added in future versions of Sophos Central, monitoring more features and configuration options of the console.

So, moving swiftly on to detection and response. We've just had a couple of questions answered by Nathan, thank you very much for doing that. And yes, the recording is going to be shared to the partner portal after this event. So what is XDR, extended detection and response? Essentially, it has evolved from an endpoint EDR, or endpoint detection and response, solution. We're providing the tools to allow administrators to have full visibility of what's happening across their estate and to leverage data from the data lake, not just live endpoint querying information, which allows us to perform cross-product threat hunting and investigations. This provides us with native endpoint, server, firewall, cloud, email, mobile, M365, O365 integrations, etcetera, in here as well. And, of course, when we move into the world of XDR, this also includes an XDR sensor, which is designed for organizations who want to benefit from Sophos detection. Sorry, let me put that differently: Sophos XDR includes a sensor. It includes Sophos detection capabilities and investigation and response capabilities without having a Sophos protection agent installed. The XDR sensor essentially operates in a detection and response only mode, which means it does not provide automated protection and prevention actions. So an organization can continue to use an existing third-party security product, but then benefit from the Sophos XDR sensor's capabilities. And that can include on-device behaviour, cloud-based detections, Live Discover, Live Response, etcetera, in there as well.
So compliance views, reporting, and so forth. So, again, a huge benefit to having a sensor there. Installation of the sensor only supports Windows 10 and above, and it's configured and viewed as in the slide from the page above. What does the sensor look like? Following the installation of a sensor, it's displayed in the view page here, under Devices or Computers and Devices, as an XDR sensor. You'll notice the arrow to be able to upgrade it to the full Intercept X Advanced with XDR, or, optionally, use the tick box next to the name of the device to manage computer software and change the software package from sensor to the full protection agent. The data lake: essentially, what does this look like? It's essentially a big pool of information collected from computers, servers, email, mobile, Cloud Optix, for example. Sophos managed queries are run on protected devices at intervals to extract data and share that information to the data lake. Not all the available data stored on the devices is shared to the data lake, but the majority is. And, usually, we're sharing data from third-party products or Sophos Firewalls, for example, into this particular space, or integrating Microsoft 365 into the data lake, to allow us, as administrators, to hunt and query in that space. The information here is sent to the data lake by the device queries that run to collect this information. A typical Windows endpoint tends to send around 10 MB of data a day, and we can upload up to 250 MB of data as a maximum amount. But, typically, we're seeing an average Windows server send approximately 20 MB of data to the data lake a day. So, again, with the data lake concept, if the machine is offline or down, we can still historically go back and view information from the data lake when we're conducting threat hunts or investigations or compliance queries, etcetera.
On Windows, though, the device's reset occurs at midnight. So each time that count is enforced, it essentially runs from midnight to midnight for that total daily limit. With an XDR license, the data lake will store data for up to ninety days. Another really key point for those of you going to do the exam, a fact to definitely make a note of. So it can store data from endpoint agents, products, and also those connector information points for up to ninety days. The data allows you to run queries against that stored information, whether the protected devices are online or offline, as previously mentioned. This also includes devices that have been wiped or reimaged. So, again, it's really useful to be able to backtrack and look at that information for a device that may no longer exist, to see if there were any issues with it. In comparison, Live Discover can access data for up to ninety days on an individual device. But this comes at the cost of, essentially, a CPU load, by asking the endpoint device to query locally as opposed to querying the data lake. So there can be additional CPU load when those queries are performed directly on the device. To start collecting data from protected devices, you need to enable the data lake. So turn on the data lake in your Sophos Central account, making sure that uploads are enabled independently; these are separate options for endpoints and for servers. Make sure both are enabled in that section as well. Enabling: what does it look like? Once you've selected data lake uploads, you'll see the options to enable uploads in this section, and you'll be able to navigate from the endpoint view. We're currently in the server view, in the top right-hand corner of the screen, so you can navigate just to make sure both are enabled there as well.
Once you've enabled the data lake, you can exclude individual devices or computers from sharing information to the data lake by simply moving them into the right-hand box. Definitely remember to click Save when you do that. Sophos Central XDR allows administrators to view events and incident detections and determine the best response to a threat from the dashboard in the Threat Analysis Center. So recent investigations, detections and threat graphs, recent Live Discover queries, recent scheduled queries, etcetera, are inside this view of this page. Detections can be used to determine devices, processes, users, events, and signs of potential threats that other Sophos features have not blocked. For example, unusual commands that indicate attempts to inspect your system, establish persistence, avoid security, steal credentials, or detect identity activity on a protected device, which are considered unusual or suspicious events that have not necessarily been blocked. Detections for those activities may require investigation. Based on the data from devices uploaded to the data lake, you can view detections from this information. But to enable data lake uploads in General Settings, make sure they're enabled for both the endpoints and the servers. On the Threat Analysis Center dashboard, you can break down your view into the total detection count for recent detections, and have them mapped out into MITRE ATT&CK techniques, or TTPs: tactics, techniques, and procedures. Sophos checks the data against threat classification rules. If there's a match, a detection is shown. Rules are categorized by severity: informational, low, medium, high, critical, for example. The detections shown here can be filtered by severity, type, detection category, source, and ID if required. For each detection, the severity of the detection is displayed as above, and the measure is used to indicate how risky a threat could be.
The classification rule that a detection matched against is listed in the detection column. Clicking on the ellipsis menu, the three dots in the middle of the screen, you can view the raw detection data. The time column details the date and time the detection was logged. The entity column displays the device that the rule was matched against for that detection. Further details: the text column here displays the detected threat, vulnerability, or process. The column can be filtered as well. So looking at the options in the image supplied above, we can pick out, for example, network or endpoint or firewall-based detections and filter that view. And, again, the right-hand column is indicated in the picture above. The MITRE ATT&CK column displays the identified attack technique and procedure. Down here, clicking on a detection displayed on the detections overview page opens a fly-out, for example, where you can see additional details around the detection, by simply selecting it. This fly-out page will pop out on the right-hand side. When viewing this detection overview, you'll find details around what to investigate, and further clicking on the ellipsis will provide you with a pivoting option, allowing you to investigate further. Maybe that's running queries against the data lake, or queries against the endpoint, or a lookup service, as indicated in that image on the right. Cases inside Sophos Central XDR provide a way of grouping similar detections together to aid investigations of potential threats. Cases are created automatically for some detections; they can also be created manually from a detection or from the Cases page, as indicated above. In the case messages tab, we can document the investigative steps taken. If you have MDR, then this tab can be used by the MDR team.
So it's great to be able to put notes in to say who is investigating, the current date and time, etcetera, those sorts of comments and notes on a case. The case history tab shows the case history actions, for example, changing the health status of the device, case notes being added, etcetera, from an auditing perspective. You can also create a new case from the Detections page by simply selecting the detection, then selecting the Actions drop-down menu. Click Create Case, as indicated on the right-hand side of the screen. Enter the case details for the detection you've selected, and the severity and status. Then assign the case to a user, I should say, which is a key point: it won't allow you to create a case otherwise. Then click Create. The new case will be listed in the Cases page, as in the example above. And being able to pivot into running data lake queries: to navigate the Threat Analysis Center here, you can select the Data Lake tab at the top of the screen. When you run a data lake query, there's no need to select devices. This is because all queries obviously run against the data lake of information as opposed to the individual devices. Additional options around pivoting are available as results come back; these are often referred to as the pivoting options, selected via the ellipsis as denoted in the image above. This allows administrators to look at the contents of a returned set of data and then identify whether they want to perform additional actions based upon the results already viewed. The pivoting options are context aware. This will display the options that are generally available for a variable. In this case, the example of the options for the endpoint name allows the administrator to select from data lake queries. An administrator can also select and scan the device, or start a Live Response session.
Pivoting actions also allow administrators to navigate from the results of one query to another to initiate that hunt and that search for information as part of the case. A list of the available data lake queries and pivots is in this section here. So queries are determined by variables used in a query already in the system. Some queries are provided by Sophos, and some are those that you create manually yourself. These work by associating the variable with one available pivot type. When a query is edited or created, the variables used are automatically updated. For example, if you have a query that identifies the Sophos process ID, this value can be set as a variable, which will become available to pivot on in the future. Over time, Sophos will add more pivoting types. These will be displayed and available as small variables. Along with this, as many queries and pivot types are developed, we're starting to introduce a pivot management function. There's detail on the community page at community.sophos.com, under Intercept X Endpoint, EDR/XDR, Data Lake. So if you search for that, it should take you to the community page with further information on that section. When you select a query to run from the available pivoting options, a new Internet browser tab will be opened. If you select the data lake pivoting query, in the browser tab you'll see a new query available to run. The variable data is automatically populated into that query. Continuing on the theme of pivoting, this shows the example here for a Live Discover pivot. Again, a new browser tab is opened. The variable data is automatically added for you. However, additional variable information may be required, for example dates or limit conditions, or the percent symbol, which can be used as a wildcard in this case. Further information on pivoting can be found on the help page as well.
You can select the available enrichment, which will redirect you to a third-party site. This example shows a new Internet browser tab that was opened to the virustotal.com website, which provides additional information on the detection. Please note that Sophos is not responsible for any product, service, or content that these sites may deliver. Sophos Central allows for integration of other security software or services. These integrations allow data to be sent from other security software and services to the data lake. There are two types of integrations available: a REST API and a data collector or appliance. The type of integration you use depends on the product you want to integrate and the data you wish to ingest. XDR integrations are split into categories depending on the type of product they are for. For example, the Sophos XDR category is for products that are included within Sophos XDR; those integrations tagged as network are for products that detect breaches and threats, whose network security data can be integrated to be used for Sophos Central XDR or MDR. Telemetry sources are used to expand visibility across your environment, generate new threat detections, and enable threat hunting to have a wider view and scope from those multiple providers. To integrate a product that uses an API, you must collect authentication information about the account for that product. The required information may differ between products or vendors. For appliance integrations, the XDR sensor is used to send data from a third-party product to the data lake. To manage integrations, navigate to Threat Analysis Center, Integrations, and then the Marketplace for additional information. In this example, we're going to configure a Microsoft Graph Security API integration, by selecting Microsoft Graph API, in the middle at the top of the screen, from the integrations marketplace.
We're then able to click Configure to start configuring the integration. Enter the integration details by adding a name and a description for the integration. Instructions are included for each integration that can assist with the integration configuration. If this is the first integration you've added, you'll be asked for details about your internal domains and IPs. Once you've entered those details, click Save and Continue. You'll then be redirected to Microsoft 365 to grant permissions to create an application, the Sophos integration API application in the example above. Log in to your Microsoft account to create the application, as indicated in the picture above. Once you've signed in, you'll be prompted to give permissions to the application. These permissions allow you to create a Microsoft application to integrate with Sophos Central. You'll also be prompted to give permissions to the newly created XDR security alerts application so it can run and pass Microsoft Graph data to the Sophos Central console. You'll see a new confirmation, which confirms that the integration has been successful. A new integration is then listed. After about five minutes, the Microsoft app synchronizes with Sophos Central to hydrate the data lake for the first time. The data lake will continue to receive regular Microsoft Graph security alerts from that point forward. You can remove configured integrations by selecting the cross next to the integration name. When you delete an integration, Sophos will no longer receive data from that integration. Click Disconnect to remove the integration. Please note that Sophos Firewall integrations can only be removed by disabling the option to send logs and reports to Sophos Central from the firewall. Depending on the integration, you may also need to remove the integration configuration or permissions from the integrated product.
In this example, where we configured the Microsoft Graph API in Microsoft Azure, we'd need to remove the application permission.

So, moving on to NDR. Just checking for questions. All looking good. Thank you guys for answering those. So what is NDR? Network detection and response, known as Sophos NDR. This is a Sophos Central managed appliance that monitors network traffic to detect suspicious activities that indicate malicious activity. Sophos NDR connects to a SPAN port on a physical or a virtual switch and leverages a combination of machine learning, analytics, and rule-based matching techniques when monitoring network traffic to detect potential threats. The NDR appliance requirements: essentially, the NDR appliance is Ubuntu-based and uses a lightweight version of Kubernetes for application orchestration and upgrades. Before your NDR appliance can be deployed, you must have a Sophos Central account and a valid NDR license. The appliance currently supports deployments using VMware ESXi, Hyper-V, etcetera. Requirements: to ensure compatibility, the CPU of the system running the NDR appliance must support the instruction sets shown above. These instruction sets are supported in most business-grade x64 CPUs. The minimum system requirements are the same across all the supported deployment platforms, across VMware ESXi and OVA. The image is stored preconfigured to meet those minimum requirements, which are four CPUs, 16 GB of RAM, and 60 GB of storage, for example. Depending on the workload of the appliance, you may need to adjust the sizing of the virtual machine, as denoted in the images above. What are the requirements for deploying the NDR appliance on VMware ESXi or Hyper-V? Take a moment to quickly review the specs and requirements above for ESXi and Hyper-V, or take a screenshot. Each virtual appliance must be sized according to the amount of network traffic to be analyzed.
Take a moment to quickly review those settings above. So let's move into deployment best practices. When traffic is being mirrored and scanned across multiple sources, this could mean that the SPAN port of the NDR appliance becomes oversubscribed. Our recommendation is to be selective about the network traffic you want to mirror, focusing on the traffic that is most important for security. This helps us to understand what traffic is important to consider, which locations are in scope for monitoring, and which segments an attacker is likely to target. How would you prioritize those segments? Does each site have a networking stack capable of mirroring that network traffic, in terms of ports available? Figure out where the NDR appliance would likely be of the most use, i.e. where it is deployed in terms of which networks are using it, which may be hiding IP or MAC addresses, etcetera. There are certain types of networks that could cause disruption if the traffic is mirrored. We do not recommend including ports or VLANs if they're carrying the following types of traffic. WAN traffic: due to, obviously, the volume of traffic, this is going to be of little value in terms of monitoring. External-facing applications in a DMZ: you may want to monitor these, but ensure that the interface being mirrored is internal to the perimeter. Storage area network, or SAN, traffic: the NDR appliances are better optimized for monitoring other traffic, and this could lead to disruption when monitoring SAN traffic. VMware management traffic is another example: if you're using ESXi for your virtual appliance, it's likely to cause issues when mirroring that traffic as well. And, specifically, the last one here, VoIP traffic, around performance degradation, etcetera.
When designing the NDR deployment, understand there is no limitation on the number of appliances that can be deployed, which means you can optimize your NDR sensor placement. Each NDR appliance supports two SPAN interfaces. If both interfaces are used, the appliance needs to be sized according to the large traffic configuration on the previous spec sheet we showed earlier. If there's a requirement for an appliance to process more data, for example more than a gigabyte per second of data, then multiple NDR appliances may be required. If there's a requirement for bridging traffic from a physical network, additional dedicated Ethernet adapters may be required when deploying multiple NDR appliances. SPAN traffic can be directed to the appropriate NDR appliance using VLAN tagging on a port group. These sizing recommendations apply to appliances running only the NDR integration. If the appliance is running additional integrations, additional resources may be required for the sizing configuration. The NDR sensor is deployed as a virtual appliance, and it's connected to the switch port analyzer, or SPAN, port of a network switch. SPAN is a feature supported on most network switches that mirrors traffic from one or more interfaces to a destination interface on the same switch. When using a SPAN port, all source ports must be located on the same device. In some environments, this is not possible. In environments where a local SPAN port is not an option, ERSPAN can be used, which encapsulates SPAN traffic using generic routing encapsulation, GRE, or virtual extensible LAN, VXLAN, allowing captured traffic to be routed across layer 3 networks. This is ideal for organizations that are unable to support transporting layer 2 SPAN traffic to the desired network capture device, as denoted in the image above.
NDR data engines. There are five data engines operating independently inside the NDR appliance. Machine learning is used to analyze encrypted traffic and identify patterns across unrelated network flows. Deep packet inspection is used to identify malicious tactics, techniques, and procedures across encrypted and unencrypted traffic. Encrypted payload analytics can detect zero-day threats, new variants of malware, and patterns of size, direction, arrival times, etcetera. The fourth identifies dynamic domain generation technology used by malware to avoid detection. And the fifth is a logic engine that utilizes rules that can send alerts based upon session-based risk factors; that covers those five. The detection engines extract metadata from the encrypted parts of a data packet that is processed. Whilst the appliance groups and stores the metadata, the raw packet is never written to disk. This raw data is released from memory as soon as the packet session ends. So, as a result, no raw data is ever transmitted to the Sophos data lake. The metadata is stored locally on the appliance for up to twenty-four hours and then purged from disk. Only NDR detections and the associated metadata are transmitted to the data lake. The default data retention period is ninety days; however, there is a one-year data retention period that can be purchased if required. The deployment of the NDR sensor is broadly broken down into the following steps. First, add and configure the NDR integration in Sophos Central. This will create a file that you will need to provision a virtual machine; for ESXi deployments, this will be an OVA file. Next, configure the network switch SPAN ports to enable port mirroring, so that all traffic is passed through the NDR sensor. Next, create a virtual machine using the image downloaded from Sophos Central. Once the virtual machine has been deployed, confirm the sensor is connected and managed using the Sophos Appliance Manager.
This chapter will explain more about how to deploy the NDR sensor into a VMware-based host, for example. The NDR sensor is configured in Sophos Central, as noted in the image above. We go to Threat Analysis Center, Integrations, click the NDR integration, and use the menu to add a new NDR integration. In this scenario, you're going to be deploying an NDR sensor on a virtual switch hosted on ESXi. So the first step is to enter the name of the integration and the name of the appliance you're going to use to collect data. You can configure one NDR integration per appliance; that's quite a key point here, highlighted in the section above. You'll need to create a new integration for each appliance. If you have an existing appliance, there'll be a drop-down list from which you can select existing appliances when selecting other integrations. You can either select DHCP or manually configure the IP address for the network settings. If you use DHCP, you must reserve the IP address in this scenario, as above. You can configure the domain name and protocol exclusions. Any items listed here will be excluded from detection. The exclusions can be added later; however, you must enter an exclusion list name for multiple domains and protocols. We do not recommend just adding an entire protocol completely. Any exclusions added can be exported as a JSON file, and you can also upload exclusions from a JSON file to Sophos Central. When you save the integration for your appliance, you'll be presented with the credentials used to access and manage your appliance. These are shown in the image above. You cannot retrieve them later; therefore, ensure that you store these credentials securely. The password can be reset in the Appliance Manager once the NDR sensor has been deployed.
Again, highlighted in blue across the top: OVA file creation can take up to fifteen minutes to complete. The new integration is listed, and the OVA file is created, which, as I say, can take up to fifteen minutes to complete. Whilst you wait for the OVA file to be created, configure the SPAN port and network switch. This will mirror the traffic generated by your host locally and allow it to be routed through the NDR sensor. As we're deploying the NDR virtual appliance, port mirroring must be configured, as previously mentioned, to feed traffic from the physical network to the hypervisor. In this scenario, we are using ESXi. To create a new SPAN port, we navigate to Networking, Port Groups, Add Port Group, give the port group a name, and enter the VLAN ID. This must be 4095, as in the example shown above. This will tell the switch that all traffic will be mirrored. Therefore, the switch you may want to mirror traffic from, or where the devices to monitor reside, should be on the same network, for example. For promiscuous mode, select the Accept radio button. This means that all traffic going through the switch will be seen; you can get further information by clicking on the help when on that page, just to confirm. If you also want to mirror network traffic coming from outside the network, you can do this by creating a new virtual switch, for example. Navigate to Virtual Switches, Add Standard Virtual Switch, give the switch a name, and click Add. Another port group will now be created to SPAN the traffic generated on this switch. The new SPAN port is configured in the same way using VLAN ID 4095. Key point, 4095, again, just highlighting that. The switch selected is the new external network switch, and the security permissions are the same as for the first SPAN port configured. SPAN port one will watch the traffic inside the network. SPAN port two will watch traffic coming from outside of the network into it.
Port mirroring has now been successfully configured in the view denoted above. Now we can deploy the NDR sensor as a virtual appliance. To do this, we'll download the OVA file for the NDR sensor. From Sophos Central, we click on the ellipsis button on the right-hand side and select Download Image. In ESXi, we'll deploy a virtual machine from the OVA file. The virtual machine must be given a name in this section. Select the downloaded OVA file. In the network mappings section, the SPAN ports are selected as in the example mentioned before: the first SPAN port is for internal traffic, the second one for external. The syslog and management tool ports can be left as default or changed if required. Click Finish to deploy the virtual machine. This can take some time to complete depending on the resources allocated to that machine. The machine will go through an installation process, downloads, updates, etcetera, and connect back to Sophos; this can take between ten and thirty minutes. Once the virtual machine has started, you will see the message noted in the picture above. The message confirms the successful setup of the NDR sensor and advises you to log in to the Appliance Manager. In Sophos Central, the sensor will display as connected. If the NDR sensor is not connecting, check that HTTPS traffic is allowed to Sophos Central. The appliance will be listed, as above, as a collector in the integrations menu in Sophos Central. Clicking on the ellipsis menu allows you to edit or delete the appliance. You can select to collect logs, enable remote assistance, or open the Appliance Manager. You cannot download the image as an OVA file more than once; it can only be used once. If you want to provision a new collector, you will need to add a new integration and generate a new OVA file.
You can only log in to the appliance manager from a device that's connected to the same network as the appliance, as the slide notes here. The username and password are the details that you saved securely earlier when creating the integration. In the appliance manager, you can view the status of the appliance, as noted in the images above. The NDR detection data engines monitor traffic and behaviours like connections to and from malicious devices and locations. Advanced attackers are skilled in evading detection. However, they must move across a network to carry out an attack. The NDR data engine helps to identify unprotected devices on a network and rogue assets by pinpointing unauthorized and potentially malicious devices communicating across the network, and it can detect zero-day attacks by looking for command and control attempts based upon patterns found in session packets. These provide the ability to look into network traffic flows and normal data movement, allowing for detection of insider threats. The NDR sensor generates data that's communicated to Sophos Central. In the Threat Analysis Center detections page, you can filter detections on category. Filtering this list allows you to look at a category, for example network, which displays the NDR detections. Data Lake queries can be run against the NDR data. There are several canned queries and, optionally, customizable queries, by looking at the schema information. In this example, the results are devices that are not managed by Sophos Central but are capturing data. This is because the NDR sensor reports data across the network, whether a device is managed or not. The appliance manager allows you to monitor and manage integrated appliances. You can view the system usage figures, monitor and manage integrations, and view the status and restart times for those containers the integrations run in.
You can also modify the settings of the NDR sensor by configuring the proxy, the syslog and the SPAN port settings, for example, used by the appliance. Again, additional information is available on the help page. You can only connect directly to the appliance manager by browsing securely to the IP address of the appliance on port 8443. You can also connect via Sophos Central by navigating to Threat Analysis Center, Integrations, Data collectors, clicking on the ellipsis menu, and selecting Connect to open the appliance manager. You can connect to the appliance manager that way as well, if you're on the same network as that device. If you enter an incorrect password too many times, your account will be locked. You can unlock the account by resetting the password using the link in the pop-up message when you open the appliance manager from Sophos Central. Alternatively, you can unlock the account from the web console of your virtual machine. The appliance manager dashboard displays the version of the appliance along with the uptime, the amount of time the VM's been running for in days, hours, minutes and seconds. From the Actions drop-down menu, you can select download the logs, modify settings, and restart or shut down the appliance if needed. You can edit the management interface to change network details that were configured on the appliance when it was initially created. Please note that these settings can only be edited when there is no network connectivity to your appliance. You can also configure a web proxy if required. The SPAN settings apply to the NDR sensor, etcetera. The Status tab shows usage figures for the appliance: CPU, memory, disk drive, interactions. These figures can be used to decide where we need to amend the configuration or the allocation of resources to the appliance. The NDR app displays the percentage of data uploaded to Sophos Central.
SPAN two data will only be seen if you've configured the second port to handle traffic from additional switches. You may need to restart the NDR traffic analyzer if it is not running successfully. This will not affect any third-party integrations that also use the appliance. The Advanced tab displays the status and restart times of the containers where integrations are run. The NDR query provides you with a tool to be able to search the local database of NDR events, and this is useful for troubleshooting. The NDR events on the virtual machine where your appliance runs are not the same as the Sophos Data Lake. Currently, only predefined queries are available. However, in future versions a schema will be available, so you can run queries and write your own in that section as well. To select a predefined query, as in the example from the image above, in the appliance manager click the copy icon for the query you want to copy and then run. Paste the query into the box. The results are displayed in the screen shown above. You can drag the columns around here, by the way, for viewing in the order that you prefer. There may be circumstances in which you want to create your own Live Discover queries, or edit and build your own sets of queries and categories in this section. We do not expect people to know SQL, but in order to use Live Discover it's useful to view how SQL is being used, for the basics of creating queries. When you view, create, or edit a query, you can access the Sophos schema viewer, as denoted on the right-hand side by the schema picture icon. The option will be in the top right-hand corner when SQL is used as well. The Sophos schema view allows you to browse the Data Lake and endpoint schema. The Data Lake schema is grouped into Sophos product categories. The endpoint queries make use of two schemas, osquery and the Sophos extension.
Viewing the data that is available allows us to better understand how the data can be used for a specific query about your environment. Further information is on the link above. So let's have a quick look at what creating a new query looks like. To return all data held in a single table, you can use a select statement. Using this statement with an asterisk allows you to return all data available in that table. To return a particular set of data, you'll need to be able to specify exactly what data you want to return. To return a column of data within a table, type in the column name you want returned. For example, returning all of the data in the processes table, which contains around 30 different columns, you may only want to return data on the process ID, name and path, for example. To do this, you just type in the names of the columns within the query. We use a comma to separate out each column. This is required if you're returning multiple columns of data, as the example above shows. Now that we know how to specify which columns of data are returned in a query, we can filter the data returned from the data table columns. To explain how to do that, let's look at the query again. Let's find out the process ID for the Sophos Endpoint Defense service running on each endpoint, where we use the where statement, as listed above, to specify that the query should only return data with the name SEDService.exe, as highlighted above. The equals operator will return only data that matches the specified name. If we take a look at the reverse of this, where we want to exclude data that includes the word Sophos, we need to use a different operator. There are several operators that we can use in a where statement, displayed in the table shown above. In this example, we create a query that will exclude any data returned for Sophos.
It's important to note that in this example the results must match the string value. If there are any characters before the string, or an asterisk, or both, then the query will not exclude data that matches the above string. Another way to exclude data is to use the not like operator. This operator is usually used with a percentage symbol, which represents any string value including null characters. The operator is not case sensitive. The operator is useful if you know the specific name of the data that you want to exclude, as in this example. We're excluding any path with the string value of Sophos or HitmanPro. The results will exclude any process which includes the term Sophos or HitmanPro anywhere in the path string. In this example, which is sorted by the service name, SEDService.exe is no longer listed, as we can see from the image above. I would like to take this further. If you know the specific name of the data you want returned, but you want to find all processes with Sophos in the name, you can use the like operator when creating your query. The like operator is used with a where statement to search for a specified pattern in columns. There are two wildcards often used in conjunction with the like operator. The percentage symbol represents, essentially, zero, one, or multiple characters, and the underscore represents, essentially, a single character. We want to use the like operator to filter the query to return any data with "soph" somewhere in that column, as the example above shows. Creating a new query: we've used the select statement to return all the data in the table, or the column data that we specify in the query. We can also use the distinct statement. This statement is used to return distinct data values, as data tables will often contain multiple instances of the same value. However, you may only want to list a distinct value.
Here, we have created a query that will return specific data from the processes table. We only want to list the different values, so we use the distinct statement, as listed above. Many of the canned queries use a join statement. A join statement simply joins together two different tables. In this example, we join the data from the interface addresses table with the interface details table. However, because we've not defined the data we want returned using a where statement, this query will return all columns from each table, as denoted in the image above. When we join the tables, the first table listed in the query becomes table one, and the second table becomes table two. A left join will return all rows from the left table, in our example the processes table, even when there are no matches in the right table, the users table in this case. This means that if the on statement matches zero records in the processes table, the join will still return a row in the result, but with null in each column. The on statement is used to specify a join condition, as highlighted above. Once we save and run the query, the results will be returned. We recommend that any new queries are run on one device or a small group of test devices before running them on the general population, or generally all devices. That way you can see if there's any performance impact that could be improved for that query. Any queries created or edited can include up to six variables. You can select a variable type for each: string, date, SHA-256, IP address, registry key, file path, etcetera. Up to six variables is the key takeaway from that point. To include a variable in a query, it needs to be specified in the SQL code. Once added, the variable will be given a $$ prefix and postfix.
When the query is run, the administrator enters the information for the variable, which will automatically be substituted with the variable data provided. Here's the example, as provided above. In this case, we've got $$username$$. When looking at data across multiple devices, it's useful to be able to determine the time frame of the data we want to return. In this example, we've requested data from the Sophos DNS journal, and in the results we can see the time column, which is returned in epoch seconds; the Sophos PID column, which is the process ID listed with the time it tried to do the DNS lookup; and the name column, which lists the DNS host name that was resolved. Epoch time, or Unix time or POSIX time, is the number of seconds that have elapsed since midnight on 1 January 1970, as in the example. To restrict the amount of data returned, we can use a where time statement. We've selected to use a time restraint to limit the data returned. The number is the epoch timestamp. So we can make the query only return results if they happened after, for example, Monday, August 2023, or 2022 in this case, by using an epoch time converter. For example, here we used the conversion listed below, the epoch timestamp, highlighted with the 166055 number, in milliseconds from that timestamp date, as previously mentioned. Whilst epoch time in seconds can be converted, it'd be more useful to understand, and useful to have, a time returned in an easily readable format. To achieve this, we use the date and time function, datetime. This will return a date combined with a time of day, with fractional seconds, based on a twenty-four-hour clock. We then use modifiers to convert the date types with the datetime function. Firstly, we add a column named time, and then we add the unixepoch modifier, which causes the time value to be converted to a UNIX time. Lastly, we add the localtime modifier, which will convert the time into local time.
In the results for this time query, we can see the time and date now display in a readable format. Let's look at editing a query. In this example that we've done, we had to enable the interface to be in designer mode. Again, another key point, should this accidentally pop up in the exam: enable designer mode to view the SQL query for an existing query. The selected query will return the following data from the services table for all devices it runs on: the service name, the start type, path, status, user account, Sophos Central, etcetera. Viewing the services data table, there's additional data that could be returned. In this example, the existing query will be edited to include the description of the service. To add this element, select Edit in the query section on the right-hand side. The query is renamed, so it can be saved as a new query, and in the SQL field the column name description is also added to the column list. This is the list of the data columns that will be returned from the services table. You'll need to rename the query and then click Save to save the changes. Again, in this example, we did not amend the category of the query. Therefore, the new query we have created can be found in the Devices category and is listed alphabetically in the list of queries. In the Created column, you can view any edited or newly created queries, as these will be listed against the Sophos Central account name that created them. Again, editing a query: selecting the edited query gives you the option to delete or edit the query. Please note that canned queries created by Sophos cannot be deleted. However, editing and saving under a new name is an option. When the edited query is run, you will see the results in the description column, and you can now view a description for each service installed on your protected devices, as in the example here. Administrators can use scheduled queries to run regular reports based upon information in the Data Lake.
Another really key point: it's important to understand that it's not possible to schedule... sorry, it's only possible to schedule Data Lake queries, as these can be run on devices that are both online or offline. Again, visit techvids.sophos.com. There are some example videos on that page as well, which may be useful for that section. In this case, how to schedule a query? It's pretty simple to set up a scheduled query. Navigate to Threat Analysis Center, Live Discover, then select a Data Lake query. Before you schedule the query, we recommend that you try to run the query once on a test or sample group of machines to see if there's any performance impact and that it's working correctly as we'd expect. Once you've selected a query, on the right-hand side you'll see a Schedule query option, allowing you to schedule that query. The query can now be scheduled, and you can change the name and the description if required. Determine that the frequency of the query has been applied correctly. In this example, we've selected a query to run daily on Monday to Friday. It will run until the user cancels the schedule. Please note that the query will run at midnight in the time zone the administrator creates the query in. This remains true if the administrator later logs in from a different time zone. Scheduled queries can be viewed by navigating to Threat Analysis Center, Preferences, and Scheduled queries. Newly created queries will appear at the top of the query list. There is a limit to the number of queries that can be scheduled, and the activity scheduled indicator shows how many query spaces you have left. In this case, you can see in the top right-hand corner it is three of a hundred. The scheduled query list displays the frequency of the query along with the administrator who created it and the schedule status.
The options allow you to view the query, view the scheduled query including the variables that are included, disable the schedule, edit the frequency, and view the results of the query as needed. Checking progress on time. Yep, so far. To delete the scheduled query, simply select the query from the right-hand side, and you'll be able to delete it from there. It will need you to confirm you're actually sure you want to delete the query. Please note that when you delete the query, it will delete the schedule and all associated results. That's the key point there to take away. Let's quickly now dip into the API overview. So the Sophos Data Lake can be queried using Sophos Central APIs. All of the APIs are RESTful, HTTPS or HTTP, using standard authentication, JSON requests and responses, and standard HTTP verbs. The use of the API requires you to have a set of API credentials, which we'll dip into now. So let's have a quick look at the process of how that runs. Using the API can be broken down into three phases: essentially authenticate, identify, and then query. We'll see, for example, that we firstly need to authenticate to gain access to a token, similar to what we did before. You'll be able to send a request with the client ID and the client secret of the API credentials you created in the Sophos Central admin dashboard. The access token that you receive is valid for one hour. Another key point: it's valid for one hour. After that, you need to request a new token. Please note that the access token is also referred to as a JWT or JSON Web Token. Next, you need to identify your tenant ID and your API host for your data region. To get this information, you essentially continue with the following step. Finally, we need to start the query with the API, with the Data Lake. You need to send your access token and tenant ID with every request to the regional API host from step two, as indicated in the graphic above. Definitely worth visiting, guys, "Using APIs".
There is "How do I get started" and so forth on the Sophos website. And the threat remediation section, heading towards the end very quickly here. Linux threat remediation: Sophos Server Protection for Linux includes automatic cleanup, as indicated on the right; however, on-access scanning requires you to turn on that particular feature, as indicated in the graphic above. When malware is detected by Sophos Server Protection for Linux, it will try to clean it up and quarantine it. This only applies to malware, essentially. The status of the server remains green if the malware has been successfully cleaned. But where the malware has not successfully been cleaned up, or a PUA has been detected, the health status of the server turns yellow, and you'll need the details of the detection in the server summary and Events tabs. You can also review detections in the Malware and PUAs blocked reports. You can use Live Response to remotely access a Linux server, for example, where you want to manually clean up a PUA detection, and you must ensure that Live Response has been enabled in General settings for that to be used. On the server page, click Live Response to initiate the session. You'll be prompted to enter a description of the purpose of initiating a Live Response. The Live Response will open up in a new tab. In this example, we're manually removing the eicar.com file. Location of the clean logs: when an item is detected, Sophos cleans up the item. When removing a file, Sophos checks the references to the file and removes them as well. This means that any other links, such as registry entries, are removed. All items are moved to SafeStore, which stores and encrypts detected items. The Sophos log will display the threat counts and restoration information for a file if it's been allowed following a detection. The scan logs include detection triggers and the actions taken.
You'll see multiple scan logs for a device that correspond to scans run on that device. Finally, troubleshooting. The Endpoint Self Help tool provides a way of running a set of rules from Sophos to be able to analyze the health of the local agents. You can select from the local agents here and run the check to see if there are any known issues, for example. If a known issue is detected, it will provide you with a link to a knowledge base article with some steps to help rectify that issue. There's a networking test page that provides methods to check specific communication channels to Sophos, if configured correctly, or in fact routing for a message relay or an update cache. This test provides feedback on areas of failure if there are communication issues. And the file information tab, this one's really useful: the file information tab provides methods to analyze PE based, or portable executable based, files to display the characteristics used by Sophos to determine if a file is a threat, malicious or benign. Using these characteristics, we can show the file's reputation, whether or not it's controlled, and whether it's malicious or a potentially unwanted application. So it's super useful under file information. The product logging tab provides options to configure different logging levels and capabilities in here as well. The ability to amend logging level information may be required, obviously, in steps to troubleshoot or further diagnose any performance or detection information. And nearly lastly, guys, the SDU for Linux: how to run the SDU for Linux. Essentially, launch the SDU Linux utility tool, which is for servers using Sophos Protection for Linux. We open up a command console and run the Sophos diagnose command, as shown above.
This will output a file to the current directory where the command was run, or you can specify the directory the diagnostic output file will be created in by passing it to the command. It's the first argument in the example here, using the temp directory. This tool collects all the log information from the agent and plugins, and the audit log. Once the SDU has finished, you can locate the archive and send it to support, for example to Sophos, should further information be needed. There's a useful KB article on here, which finishes in 33508, which goes into further information on that. So, finally, thanks very much for managing to sit through all of this, so many slides and so much information being dropped onto you on this Delta training course. The exam, as we mentioned earlier on: now that you've completed the training, firstly, congratulations on that. And secondly, here's a link to the exam page, which is essentially a Forms page. As I mentioned, you have one hour to complete the exam, to be able to score a pass mark of 80% or greater out of 20 questions, which means 16 or more. I hope you found the training useful, and I'll leave this slide up for one more second so anybody who wants to take a reference to this, or hasn't pulled down the documents on the right-hand side, can do so; this is in there, so you will have a reference to this as well. We'll take your cameras out and link to the Forms page. And if there is any feedback on these training courses, you're always welcome here at Sophos. So please feel free to email globaltraining@sophos.com. And that concludes the end. Were there any questions that we missed out? Excellent. No. I think we got to most of those on the way through. So I'd like to conclude by thanking you for your time today. Best of luck with the exam.
And as we've just posted in here, we've got scheduled office hours on the thirty-first to support any Q&A for the exam. Thank you, and have a good rest of your day.
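As an added example, not part of the transcript or of Sophos' own tooling, the Live Discover SQL constructs covered in the query-creation section above (column lists, where with =, not like and like with % wildcards, distinct, left join ... on, $$variable$$ placeholders, and datetime with the unixepoch and localtime modifiers) run with Python's sqlite3 against a constructed miniature of the processes, users and Sophos DNS journal tables. The table layouts, rows, process names and the epoch cutoff are assumptions built for the demo, and the placeholder substitution is a stand-in for what Live Discover does when the administrator fills in a variable.

```python
"""Live Discover-style SQL exercised against a constructed SQLite database.

Live Discover queries are SQL over osquery tables, and SQLite understands the
same constructs used in the session.  Everything below (tables, rows, names,
timestamps) is constructed for the demo and is not real endpoint data.
"""
import re
import sqlite3

# Live Discover marks a variable as $$name$$; we map it to a bound parameter
# so the administrator-supplied value is never pasted into the SQL text.
VARIABLE = re.compile(r"\$\$(\w+)\$\$")


def build_db():
    """In-memory stand-in for three tables referred to in the session."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER);
        CREATE TABLE users (uid INTEGER, username TEXT);
        CREATE TABLE sophos_dns_journal (time INTEGER, sophos_pid INTEGER, name TEXT);
    """)
    con.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", [
        (4120, "SEDService.exe", r"C:\Program Files\Sophos\Endpoint Defense\SEDService.exe", 0),
        (5080, "hmpalert.exe", r"C:\Program Files\HitmanPro.Alert\hmpalert.exe", 0),
        (6144, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe", 1001),
        (6200, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe", 1001),
        # uid 9999 has no users row, so a left join must still keep this process
        (7010, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 9999),
    ])
    con.executemany("INSERT INTO users VALUES (?, ?)", [(0, "SYSTEM"), (1001, "alice")])
    con.executemany("INSERT INTO sophos_dns_journal VALUES (?, ?, ?)", [
        (1660550400, 6144, "www.example.com"),  # 2022-08-15 08:00:00 UTC (constructed)
        (1659000000, 6200, "old.example.net"),  # earlier than the cutoff used below
    ])
    return con


def sed_service_pids(con):
    """where with the = operator: only rows whose name matches exactly."""
    rows = con.execute("SELECT pid FROM processes WHERE name = 'SEDService.exe'")
    return [pid for (pid,) in rows]


def non_sophos_process_names(con):
    """not like with % on both sides excludes the term anywhere in the path;
    distinct collapses the two chrome.exe rows into one name."""
    sql = """
        SELECT DISTINCT name FROM processes
        WHERE path NOT LIKE '%Sophos%' AND path NOT LIKE '%HitmanPro%'
        ORDER BY name
    """
    return [name for (name,) in con.execute(sql)]


def processes_with_user(con):
    """left join ... on keeps every processes row; an unmatched uid gives NULL."""
    sql = """
        SELECT p.pid, p.name, u.username
        FROM processes p LEFT JOIN users u ON p.uid = u.uid
        ORDER BY p.pid
    """
    return con.execute(sql).fetchall()


def run_with_variables(con, query, **values):
    """Substitute $$name$$ placeholders the way Live Discover fills in a
    variable at run time, here via SQLite named parameters."""
    sql = VARIABLE.sub(lambda m: ":" + m.group(1), query)
    return con.execute(sql, values).fetchall()


def dns_lookups_since(con, since_epoch):
    """where time > cutoff, with datetime() turning epoch seconds into text.
    The first column uses only unixepoch so its value is machine-independent;
    the second adds localtime as the session did."""
    sql = """
        SELECT datetime(time, 'unixepoch') AS utc_time,
               datetime(time, 'unixepoch', 'localtime') AS local_time,
               sophos_pid, name
        FROM sophos_dns_journal
        WHERE time > :since
        ORDER BY time
    """
    return con.execute(sql, {"since": since_epoch}).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(sed_service_pids(db))
    print(non_sophos_process_names(db))
    print(processes_with_user(db))
    print(run_with_variables(db, "SELECT p.pid FROM processes p JOIN users u ON p.uid = u.uid "
                                 "WHERE u.username = $$username$$ ORDER BY p.pid", username="alice"))
    print(dns_lookups_since(db, 1660521600))  # 2022-08-15 00:00:00 UTC (constructed cutoff)
```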