
SOPHOS ENDPOINT DETECTION AND RESPONSE USE CASES

Available with Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR

Sophos EDR is designed for IT administrators and security analysts to solve IT security operations and threat hunting use cases. It helps you quickly detect issues and take appropriate action.

Perform IT security operations and threat hunting tasks
• Choose from fully customizable, pre-written SQL queries
• Quickly take action when you have the information you need
• Covers endpoints, servers, cloud hosts, containers, security groups and more

This document highlights some of the most popular use cases for this EDR functionality.

IT Operations Use Cases

Sophos EDR excels at helping you keep your IT operations hygiene in peak condition. Here are just a few examples of the tasks it will help you perform more quickly.

Device health checks
Identify devices that are having performance issues, then remotely access them and take the needed action. You can:
• Find devices with low disk space, high memory/CPU usage or that are pending reboot
• Remotely access devices to free up disk space, investigate causes of high usage and reboot as needed

Configuration oversights
Find devices and cloud workloads that have configuration issues that can pose security risks. You can:
• Identify servers with RDP and SSH enabled and cloud security groups with network ports left open; monitor and inventory public cloud hosts, containers and more
• Remotely access the servers, disable RDP/SSH and check for servers listening on the open ports

Vulnerabilities
Detect devices that have issues or vulnerabilities that can be exploited by malware or attackers. You can:
• Locate devices with software vulnerabilities, unknown services running or unauthorized browser extensions, and detect shared or stolen cloud account credentials
• Remotely access devices to install patches, investigate and terminate unknown services, uninstall browser extensions and update cloud account credentials

Compliance
Identify and address compliance issues on-premises and in the cloud. You can:
• Find sensitive files (e.g. financial information) and assess configurations for AWS, Azure and GCP environments
• Remotely access devices to delete sensitive files and check cloud configurations against CIS benchmarks

Unwanted software
Track down software that could cause compliance or productivity issues. You can:
• Find unwanted programs such as Spotify, Steam and BitTorrent
• Remotely access devices and uninstall the software

Project rollouts
Check whether IT projects have been rolled out across all your devices. You can:
• See whether software has been deployed on devices to measure progress throughout the rollout
• Remotely access devices to ensure successful deployment, make any necessary changes and reboot if required
Threat Hunting Use Cases

Sophos EDR gives you the tools you need to track down evasive, subtle threats and quickly clean them up. Here are a few examples of the indicators of compromise you can hunt for:

Network attacks
Identify processes that are making unusual network access attempts. Examples include:
• Detect processes attempting to connect on non-standard ports, or unusual outbound traffic from a cloud workload
• Analyze cloud security groups to identify resources exposed to the public internet
• Remotely access the device/workload, terminate the process and check for lateral movement

MITRE ATT&CK framework
The MITRE ATT&CK framework is a commonly used template for identifying attack techniques. You can:
• Use your own or Sophos built-in queries to identify potential attacks that use common adversary tactics and techniques
• Based on the attack technique, hone your investigation in on potential follow-up attacks or areas to double-check

Modified files
Find items that have been modified in an unexpected manner. Examples include:
• Identify processes that have recently modified files or registry keys
• Remotely access the device, examine the changes and take appropriate action

Incident scope
Understand the impact of an incident and which devices and users were affected. You can:
• Identify devices that clicked on a link from a phishing email
• See which devices downloaded files from the phishing site, remotely access them and perform cleanup

Obfuscated scripts
Fileless, memory-based attacks are an increasingly common attack vector. You can:
• Dig into the details of unexpected PowerShell executions
• Remotely access the device, run additional forensic tools and terminate suspect processes

Disguised processes
Some malicious processes disguise themselves in order to avoid detection. Examples include:
• Detect processes that have disguised themselves as 'services.exe'
• Remotely access the device, terminate the suspicious process and run forensic tools

To learn more about Sophos EDR and the protection capabilities in Intercept X, head over to Sophos.com.
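Two of the hunts described above (a process masquerading as services.exe, and a process talking outbound on a non-standard port) written out as SQL, as an added example that is not Sophos's code and not one of its pre-written queries. It runs the queries in Python against an in-memory SQLite copy of two osquery-style tables, which is an assumption about the schema behind the EDR's SQL queries (`processes` with pid, name, path, parent; `process_open_sockets` with pid, remote_address, remote_port); the host is assumed to be Windows, where the genuine services.exe lives in C:\Windows\System32 and is started by wininit.exe. All process and socket rows, the port allow-list and the function names are constructed for the example.

```python
import ipaddress
import sqlite3

# Known-good facts about the real Windows Service Control Manager process
# (assumes a Windows host).
SERVICES_EXE_PATH = r"C:\Windows\System32\services.exe"
SERVICES_EXE_PARENT = "wininit.exe"

# Assumed allow-list of outbound ports this environment considers normal.
STANDARD_PORTS = (53, 80, 443)

# RFC 1918 ranges; internal destinations are left to a separate lateral-movement hunt.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows shaped like osquery's `processes` table: (pid, name, path, parent).
PROCESSES = [
    (4, "System", "", 0),
    (500, "wininit.exe", r"C:\Windows\System32\wininit.exe", 4),
    (600, "services.exe", r"C:\Windows\System32\services.exe", 500),  # the genuine SCM
    (3100, "explorer.exe", r"C:\Windows\explorer.exe", 500),
    (4200, "services.exe", r"C:\Users\alice\AppData\Local\Temp\services.exe", 3100),  # wrong path and parent
    (4300, "Services.exe", r"C:\ProgramData\svc\Services.exe", 3100),  # case variant, wrong path
    (5000, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", 3100),
]

# Constructed sample rows shaped like osquery's `process_open_sockets` table.
SOCKETS = [
    (5000, "203.0.113.10", 443),   # ordinary HTTPS
    (4200, "198.51.100.23", 4444),  # masquerading process on a reverse-shell-style port
    (3100, "10.0.0.5", 445),        # internal SMB, out of scope here
]

# A services.exe that is not at the expected path, or whose parent is not wininit.exe,
# is masquerading. Name comparison is case-insensitive so "Services.exe" does not slip past.
HUNT_DISGUISED_SERVICES = """
SELECT p.pid, p.name, p.path, parent.name AS parent_name
FROM processes AS p
LEFT JOIN processes AS parent ON parent.pid = p.parent
WHERE LOWER(p.name) = 'services.exe'
  AND (LOWER(p.path) <> LOWER(?) OR parent.name IS NULL OR LOWER(parent.name) <> ?)
ORDER BY p.pid
"""


def build_db() -> sqlite3.Connection:
    """Load the constructed inventory into an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, parent INTEGER);
        CREATE TABLE process_open_sockets (pid INTEGER, remote_address TEXT, remote_port INTEGER);
    """)
    con.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    con.executemany("INSERT INTO process_open_sockets VALUES (?, ?, ?)", SOCKETS)
    return con


def hunt_disguised_services(con: sqlite3.Connection) -> list[dict]:
    rows = con.execute(HUNT_DISGUISED_SERVICES, (SERVICES_EXE_PATH, SERVICES_EXE_PARENT)).fetchall()
    return [{"pid": pid, "name": name, "path": path, "parent": parent} for pid, name, path, parent in rows]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def hunt_nonstandard_ports(con: sqlite3.Connection) -> list[dict]:
    """Processes with an outbound socket to a non-allow-listed port on a non-internal address."""
    placeholders = ",".join("?" * len(STANDARD_PORTS))
    sql = f"""
        SELECT s.pid, p.name, p.path, s.remote_address, s.remote_port
        FROM process_open_sockets AS s
        JOIN processes AS p ON p.pid = s.pid
        WHERE s.remote_port NOT IN ({placeholders})
        ORDER BY s.pid
    """
    findings = []
    for pid, name, path, addr, port in con.execute(sql, STANDARD_PORTS):
        if is_internal(addr):
            continue
        findings.append({"pid": pid, "name": name, "path": path, "remote_address": addr, "remote_port": port})
    return findings


if __name__ == "__main__":
    db = build_db()
    for hit in hunt_disguised_services(db):
        print("disguised services.exe:", hit)
    for hit in hunt_nonstandard_ports(db):
        print("non-standard outbound port:", hit)
```

The path check in the first query is compared case-insensitively because Windows paths are; the parent check catches a binary copied to the right path but launched from a user shell. Both hunts report the same pid 4200 here, which is the kind of overlap that turns two weak indicators into a process worth terminating and pulling forensics from.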

© Copyright 2020. Sophos Ltd. All rights reserved.


Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks
or registered trademarks of their respective owners.

20-07-15 UC-NA (PS)
