The Status tab in a server's details page lets you see the server's security health and details of any alerts.
It also lets you take action against alerts.
Go to Devices > Servers and click on the server you want to view details for. Click Status to view the status of the server.
These status details are only shown if the server is using the Security Heartbeat feature.
The security status section shows whether the server has threats detected, out-of-date software, is not compliant with policy, or is not properly protected. The overall status matches the highest-priority item listed (red, orange or green, in that order of priority).
This section also shows which Sophos services are running on the server.
The page lists any alerts on the device. The details include:
- Alert details: For example, the name of the malware.
- When the alert occurred.
- The actions that you can take. These depend on the type of threat or event and are the same as the actions available in the Dashboard.
Create forensic snapshot
You can create a "forensic snapshot" of data from the device. See Forensic snapshots.
A snapshot takes data from a Sophos log of the device's activity and saves it on that device. You can also have it uploaded to the Amazon Web Services (AWS) S3 bucket you specify. You can then do your own analysis.
You'll need a converter (which we provide) to read the data (see Convert a forensic snapshot).
You can choose how much data you want in snapshots and where to upload them. To do this, go to Global Settings > Forensic Snapshots. These options may not be available for all customers yet.
To create a snapshot:
Go to a threat graph's Analyze tab.
Alternatively, on the details page of the device, open the Status tab.
Click Create forensic snapshot.
Follow the steps in Upload a forensic snapshot to an AWS S3 bucket.
You can find the snapshots you generated in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\.
Snapshots generated from detections are in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Saved Data\.
To access the saved snapshots, you must be an administrator with access to the tamper protection password, and you must run the command prompt as an administrator, because these folders are protected by tamper protection.
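The following PowerShell script is an added example, not Sophos code, showing how an administrator can inventory the snapshot files in the two folders named above, hash them before they leave the server, copy them to a collection folder and verify the copies. It assumes it is run from an elevated PowerShell session on the server after tamper protection access has been arranged as described above; the collection folder D:\Evidence\Snapshots and the manifest file name are this script's own choices, and the function name Get-SophosSnapshot is hypothetical.

```powershell
# Added example (not Sophos code): inventory, hash and collect forensic
# snapshots from the folders the documentation names, so that the copies
# used for analysis can be checked against the originals on the server.
# Assumes an elevated session with tamper-protection access already arranged.
#Requires -RunAsAdministrator

# Paths from the documentation; $env:ProgramData resolves %PROGRAMDATA%.
$SnapshotDirs = @(
    (Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data\Forensic Snapshots')
    (Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data\Saved Data')
)
$Destination = 'D:\Evidence\Snapshots'   # hypothetical collection folder

function Get-SophosSnapshot {
    # Returns one record per file under the given folders, with a SHA-256 hash.
    param([string[]]$Path)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) {
            # Either no snapshots exist yet, or tamper protection is blocking access.
            Write-Warning "Not present or not accessible: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Source   = $dir
                    FullName = $_.FullName
                    Bytes    = $_.Length
                    Modified = $_.LastWriteTimeUtc
                    Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$snapshots = @(Get-SophosSnapshot -Path $SnapshotDirs)
if ($snapshots.Count -eq 0) { Write-Warning 'No snapshot files found.'; return }

$snapshots | Sort-Object Modified -Descending |
    Format-Table Modified, Bytes, Sha256, FullName -AutoSize

# Copy each file out, preserving its path relative to the source folder,
# and fail loudly if the copy does not hash to the same value.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
foreach ($s in $snapshots) {
    $relative = $s.FullName.Substring($s.Source.Length).TrimStart('\')
    $target   = Join-Path $Destination $relative
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $s.FullName -Destination $target
    $copyHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($copyHash -ne $s.Sha256) { throw "Hash mismatch after copy: $($s.FullName)" }
}

# Manifest of original paths, sizes, timestamps and hashes for the case record.
$snapshots | Export-Csv -LiteralPath (Join-Path $Destination 'manifest.csv') -NoTypeInformation
```

Keep the manifest with the collected files: the hash of the original on the server is what lets you show later that the copy you ran the converter against is the one Sophos wrote. Files in the Saved Data folder are the ones generated from detections, so their timestamps should line up with the alert times shown on the Status tab.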