Sophos MDR onboarding

  • Welcome to Sophos


    We've created this getting started guide to help you get up and running with Sophos MDR (Managed Detection and Response).

    Whether you're new to Sophos or just adding MDR to your Sophos account, this guide takes you through activating your license, setting up the MDR service, and adding the endpoint software you need.

    Tip

    Our Professional Services offer several solutions to speed up and streamline the deployment. More information.

  • About Sophos MDR


    Managed Detection and Response is a fully-managed, 24/7 threat hunting, threat detection, and incident response service.

    Our MDR Ops team responds to attacks on your computers, servers, networks, cloud workloads, and email accounts. The team also assesses your system security and helps you strengthen it.

    To learn more about MDR, watch this video.

Checklist

  • [ ] Check the requirements

  • [ ] Activate your MDR license

  • [ ] Set up the MDR service

    • [ ] Add your MDR authorized contacts
    • [ ] Select the threat response mode
    • [ ] Optional - Tell us your industry type, location, and more
    • [ ] Optional - Add telemetry settings
  • [ ] Install or upgrade endpoint software

    • [ ] New customer
    • [ ] Existing customer
  • [ ] Integrate third-party products

Check the requirements

Check that you meet all the requirements:

Onboarding timeline

Here's a timeline to help you plan your MDR onboarding.

Day 0-2: Set up

  • Activate license.
  • Set up MDR service.
  • If you're ready, start installing Sophos endpoint software.

Day 2-30: Deploy and integrate

  • Get Sophos endpoint software installed on 50% of devices.
  • Integrate MDR with your Microsoft environment.

Day 30-60: Extend coverage

  • Increase Sophos endpoint software coverage to 90%.
  • Integrate MDR with third-party products.

Day 60+: Monitor and optimize

  • Review MDR cases to see how we protect you.
  • Read reports to get our security recommendations.
  • Have regular contact with our MDR Ops team.

Activate your MDR license

First, you need to activate your MDR license, unless your Sophos Partner handles this for you.

You can find your license key on the license schedule that we sent you. To use the key, go to your Profile in Sophos Central (the profile icon), select Licensing, and apply the key.

See Activate your license.

Set up the MDR service

The first time you sign in to Sophos Central after activating your license, we’ll prompt you to set up the service.

You should do the setup as soon as you can so we can protect you. If you want to change your settings later, you can go to My Products > MDR > MDR Settings at any time.

In-product workflow

Watch this video or follow the links in the rest of this section.

Add authorized contacts

Add authorized contacts in your organization so that we know who to contact if there’s an incident. Contacts must be Sophos Central administrators.

Warning

You must add at least one contact. If you don't, we won't be able to provide the service.

See Set authorized contacts.

Make sure that our email notifications and messages can reach your contacts. If you filter email, add these sender addresses to your allow list.

  • do-not-reply@central.sophos.com
  • mdr-ops@sophos.com
  • mdr-ops@mdr.sophos.com
  • do-not-reply@mdr.sophos.com
  • customersuccess@sophos.com
  • no-reply@churnzero.net

Set the threat response mode

You must set a threat response mode. This tells us whether you want us to take action against threats as soon as they’re detected, or to consult your contacts before taking action.

For customers, the default setting is Collaborate. We work to resolve threats only after consulting your contacts. You can change this setting at any time.

For customer accounts created by a Sophos partner, the default setting is inherited from the partner's settings.

Warning

We strongly recommend that you select "Authorize" or "Collaborate". If you don't, we won't be able to resolve threats for you.

Note

If you have MDR Complete, we contain threats for you and do full cleanup and remediation. If you have MDR Essentials, you must do the cleanup and remediation.

See Set the threat response.

Optional - Add your location and industry type

Help us to understand your organization and its needs better. On the Additional Settings tab, enter more details about your industry, location, and networks.

See Additional settings.

Optional - Add telemetry settings

You can send us data and logs or submit suspicious files for analysis. This helps us improve your protection.

To turn on these options, see MDR telemetry settings.

Install or upgrade endpoint software

You need Sophos endpoint software that supports MDR on each of your computers or servers. If you don't already have it, or you're not sure, follow the appropriate steps below.

Existing customer

If you already have the Sophos endpoint agent on your devices but have now bought an MDR license, go to My Environment > Computers & Servers and use Manage software to update endpoints.

See Existing customer.

New customer

Make sure your devices meet the minimum system requirements for Sophos Endpoint. See Sophos Central Windows Endpoint: System Requirements and Sophos Endpoint for MacOS: System Requirements.

macOS devices

If you have macOS devices, make sure to read the documentation page Security permissions on macOS.

You can install endpoint software manually or by using a scripted deployment. Both options are described below.

If you have a small number of devices or want to test the product before deploying it to the rest of your environment, you can manually download and run the installer.

Installation on Windows and macOS

See Endpoint.

Installation on Linux

See Install Sophos agent on Linux.

You can create a scripted deployment for your Windows devices for a more automated deployment method.

See Sophos Central Endpoint: Automate the software deployment to Windows devices.

You can also create a gold image for use with Citrix or VDI environments where you wish to set up one template image to replicate out to your end users. See Create gold images and clone new devices.

Sophos provides documented steps on automating deployment to macOS devices using Jamf Pro. See Installing Endpoint using Jamf Pro.

Note

The script and configuration files we provide to deploy onto macOS devices are product-agnostic. Although we only have documentation for Jamf Pro, these files will work with any deployment.

For instructions for manual or scripted deployment to Linux devices, see Download and run the Linux Server installer.

If you have virtual machines, an auto-scaling or load-balancing environment, or many Linux devices to install Sophos on, consider using the gold image process. See Create a Linux gold image.

Integrate third-party products

As an MDR customer, you can integrate your third-party security products with Sophos Central. These products can then send alerts to the Sophos Data Lake, where you or our MDR Ops team can analyze them.

To learn more about integrations, see About MDR and XDR integrations.

Your MDR license lets you integrate some popular third-party products free of charge.

  • Microsoft 365 integrations


    Integrate Sophos MDR with your Microsoft 365 environment to provide advanced threat detection. See Microsoft 365 integrations.

  • Third-party product integrations


    Integrate third-party security products with Sophos MDR so they can send us data for analysis and threat detection. See Get started.

What happens next?

You'll receive an initial health check. The MDR Ops team evaluates your MDR settings and recommends configuration and policy changes to optimize your service.

You'll also receive an email about the Sophos Success Factors webinar. This session gives you an overview of the service, describes how to get the best out of it, and introduces the MDR dashboard. It also covers support for integration with Sophos and third-party products.

Get help

Whether you need to get MDR set up, discuss your account, troubleshoot the product, deal with an active incident, or anything else, we're here to help.

To find out who to contact and how to contact them, see Get help with MDR.

Resources

  • Community resources


    Sophos has an active community with numerous self-help articles that can include guidance not typically provided by Sophos Support.

    • Blogs: Product Managers publish information and guidance to our customers regarding new and upcoming product and feature releases. We recommend that customers subscribe to blogs about the products they're most interested in.
    • Recommended Reads: Self-help articles.
    • Discussion threads: Sophos Community members looking for assistance may find Developers, Product Managers, Sophos Staff, and Sophos Community members commenting and interacting to find solutions.
    • Events and webinars: Join us live and ask us questions about relevant event topics.
  • Additional resources