NDR Appliances

Sophos Network Detection and Response (NDR) integration appliances can receive data from Sophos NDR or third-party products via syslog exports, and forward it to the Sophos Data Lake for analysis.

To see your NDR appliances, go to My Products > NDR > Appliances. You're redirected to the Integration Appliances tab of the Configured Integrations page.

For help with NDR setup, including creating an NDR integration appliance, see Sophos integrations or Sophos NDR on AWS.

For Sophos appliance requirements, see Appliance requirements.

Integration appliances list

The list shows all your integration appliances. These can include appliances for NDR, third-party product integrations, or both.

The list shows the following details:

  • Integrations: Number of NDR or third-party product integrations using the appliance.
  • CPU: CPU usage.
  • Memory: Memory usage.
  • Storage 1: The main drive.
  • Storage 2: The data drive.
  • Type: Virtual platform.
  • Network protocol: Internet-facing network settings. DHCP or Manual.
  • Syslog IP
  • Log requested: Indicates whether you've sent a Collect Logs request.

To edit or delete the integration appliance, click the three dots in the rightmost column.

View the integrations

You can view the integrations hosted on each appliance.

In the integration appliances list, click the arrow next to an appliance name. The integrations hosted on that appliance are then listed with their details. The example below shows an NDR appliance.

  • Integration name: Name of the integration.
  • Vendor: Sophos or a third-party vendor.
  • Protocol: NDR.
  • Port
  • Configuration Type: The integration type you configured. Data Ingest or Response Actions.
  • Off/On: Shows whether the integration is active.

Actions

Click the three dots in the rightmost column next to the appliance, and click your preferred option.

The options are as follows:

Add an appliance

You can add an integration appliance as part of setting up an NDR or third-party integration. For instructions for each product, see About MDR and XDR integrations.

Alternatively, you can add an appliance from the Integration Appliances tab. This creates an image you can deploy on your virtual network.

  1. Go to Threat Analysis Center, and under Integrations, go to Configured.

  2. Select the Integration Appliances tab.

  3. Click Add Appliance.

  4. Configure the appliance as follows:

    1. Enter a Name and Description.
    2. Select the Virtual platform: VMware, AWS, Hyper-V, Nutanix, or Hardware.
    3. For VMware, Hyper-V, and Nutanix, specify the Internet facing network port settings. This sets up the management interface.

      Note

      For hardware appliances, IP addresses are managed directly on the appliance. For AWS deployments, IP addresses are managed through AWS.

      • Select DHCP to assign the IP address automatically.

        Note

        If you select DHCP, you must reserve the IP address.

      • Select Manual to specify network settings.

    4. Click Save.

  5. Find the new appliance in the list of appliances. If you hover over the name, you see "Waiting for deployment".

  6. Wait for an image to be created. This can take five minutes.

  7. In the rightmost column, click the three dots and select Download image.

Now you must deploy the image in your virtual environment. See Deploy appliances.

When you set up an integration later, you can select this appliance to host it.