Sophos NDR on Nutanix

You must have the Sophos Network Detection and Response integration license pack to use this feature.

You can set up Sophos NDR on Nutanix, so that NDR can detect malicious behavior on your network.

The main steps are as follows:

  • Create an NDR appliance image
  • Download the VM image
  • Upload the image files
  • Upload the installation script
  • Run the installation script
  • Start the VM

Create an NDR appliance image

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Find and click Sophos Network Detection and Response (NDR).
  3. On the NDR page, in Data Ingest (Security Alerts), click Add Configuration.

    The integration setup steps appear.

  4. In Step 1, enter a name and description for the integration.

  5. In Step 2, click Create new appliance.

  6. To create the new appliance, do as follows:

    1. Enter the appliance name and description. You must enter a unique name.
    2. In Virtual platform, select Nutanix.
    3. Specify the internet-facing network ports.

      • Select DHCP to assign the IP address automatically.

        Note

        If you select DHCP, you must reserve the IP address.

      • Select Manual to specify network settings. For example:

        • IP address: 10.0.252.5
        • Subnet mask: 255.255.255.0
        • Gateway address: 10.0.252.1
        • DNS 1: 8.8.8.8
        • DNS 2: 8.8.4.4
  7. In Step 3, exclude specific domains and protocols from checking. For example, you might do this if you have a domain that causes false positives.

    You can set up your exclusions later, but you must enter an exclusion list name now.

    1. Enter a name in Exclusion list name.
    2. To exclude a domain, click Domain exclusions. Enter the domain name, for example sophos.com, and click Add.
    3. To exclude a protocol, click Protocol exclusions. You can enter information in either or both of the fields:

      • In the first field, enter a top-level protocol. For example, TCP or UDP.
      • In the second field, enter a sub-protocol (website). For example, Facebook.

      If you enter information in both fields, we assemble them into one string with a single dot separator.

      We don't recommend excluding a top-level protocol completely. Only do this if a high-traffic protocol that isn't usually risky, like a routing protocol, generates too much data.

      The screenshot shows example information.

    4. Click Add.

    You can export your exclusions as a JSON file. You can also upload exclusions to the list from a JSON file you've exported previously.

  8. Click Save.

On the NDR page, you see the new integration in the list of configured integrations.

Download the VM image

Next, download the NDR image you need to deploy and power on the new VM.

  1. Next to the new integration, click the three-dots icon in the Actions column, and select Download image.

  2. Hover over the icon to the left of the integration name. You now see "Waiting for deployment".

The Nutanix deployment file is a zip file that contains disk image files, a seed ISO containing the authorization key, and an installation script. You must unzip the file so the contents can be used.

Upload image files

To upload the disk image files and seed ISO to the Nutanix system, do as follows:

  1. From a web browser, sign in to the Nutanix web console on port 9440.
  2. Go to Home > Settings.

  3. Select Image Configuration.

Upload root image file

  1. Click Upload Image.
  2. Enter a name. We recommend that you include the word "root" in the name.
  3. (Optional) Add an Annotation.
  4. Select Upload a file, click Browse, and select your file.

    When you select your file, Image type is automatically selected.

  5. Click Save.

    The file upload starts. Wait for the upload to finish before you continue the setup.

Upload seed ISO image file

  1. Click Upload Image.
  2. Enter a name. We recommend that you include the word "ISO" in the name.
  3. (Optional) Add an Annotation.
  4. Select Upload a file, click Browse, and select your file.

    When you select your file, Image type is automatically selected.

  5. Click Save.

    The file upload starts. Wait for the upload to finish before you continue the setup.

The three uploaded files appear on the Image Configuration page.

Upload the installation script

The zip file also contains a script named ndr-sensor.sh. To upload it to the Nutanix AHV VM controller, use secure copy (SCP), as follows:

  1. On Windows, open a command prompt. On macOS or Linux, open a terminal.
  2. Change to the directory where the unzipped files are located.
  3. Run the following command, replacing <ip-address> with the address of the Nutanix system: scp ndr-sensor.sh admin@<ip-address>:~/

  4. Enter the admin password.
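Before uploading the package contents, it is worth taking an inventory of the unzipped deployment file and recording a SHA-256 manifest, so that the images you upload to Nutanix and the script you run on the host can later be matched to what Sophos supplied. The following POSIX shell script is an added example and is not part of the Sophos page or product. It assumes the seed ISO ends in .iso and the disk images end in .qcow2 or .img; only the name ndr-sensor.sh is taken from the page.

```shell
#!/bin/sh
# Added example (not from the Sophos page): inventory an unzipped NDR
# deployment package before uploading it, and print a SHA-256 manifest so
# the images uploaded to Nutanix can be matched to the supplied package.
# Assumptions (not stated on the page): the seed ISO ends in .iso and the
# disk images end in .qcow2 or .img; only ndr-sensor.sh is named on the page.

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_ndr_package DIR
# Prints one manifest line per file (hash, role, file name) on stdout and
# returns 0 only when the installation script and a seed ISO are both
# present; returns 1 otherwise so a wrapper script can stop before upload.
check_ndr_package() {
    dir=$1
    script_found=0
    iso_found=0
    disk_found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            */ndr-sensor.sh) role="install-script"; script_found=1 ;;
            *.iso)           role="seed-iso";       iso_found=1 ;;
            *.qcow2|*.img)   role="disk-image";     disk_found=$((disk_found + 1)) ;;
            *)               role="unexpected" ;;
        esac
        printf '%s  %-14s %s\n' "$(hash_file "$f")" "$role" "$(basename "$f")"
    done
    if [ "$script_found" -ne 1 ] || [ "$iso_found" -ne 1 ]; then
        echo "package incomplete: script=$script_found iso=$iso_found" >&2
        return 1
    fi
    echo "ok: $disk_found disk image(s), seed ISO and ndr-sensor.sh present" >&2
    return 0
}

# Usage: check_ndr_package /path/to/unzipped/package > manifest.txt
```

Keep the printed manifest with your change records: after the uploads finish, the same hashes can be recomputed on the Nutanix side to confirm that the root image, data image and seed ISO in Image Configuration are the files you intended, and that the copy of ndr-sensor.sh you are about to run as admin is unmodified.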

Run the installation script

  1. Open a terminal on the machine you copied the script from.
  2. Sign in to the Nutanix AHV system over SSH with the following command: ssh admin@<ip-address>
  3. Run the installation script with the following command: bash ndr-sensor.sh
  4. Enter a name for the appliance VM. The default name is ndr-sensor.

    Note

    For items that list a default value, you can press Enter to accept the default value.

  5. Enter the number of CPU cores to assign to the VM. The default is 4.

  6. Enter the amount of memory, in GB, to assign to the VM. The default is 16.

You'll see the following message: Created vm <name> UUID <UUID>.

Select the VM disk image files

Note

For all the disk selection steps, you can enter 'L' to list the images stored on the system.

To select the VM disk image files, do as follows:

  1. Enter the image name for the seed ISO you uploaded.

  2. Enter the image name for the root disk image file you uploaded.

  3. Enter the image name for the data disk image file you uploaded.

Network configuration

The script creates the following network interfaces for the VM:

  • Management network
  • Syslog network
  • ERSPAN for tunneled capture data
  • SPAN for a mirrored network, to receive capture data from other VMs on this VM host

The script will list the available virtual subnets that can be used by the management, syslog, and tunneled Remote Switched Port Analyzer (RSPAN) capture data.

A single subnet can be used for all three networks.

To assign subnets to the networks, do as follows:

  1. Enter the number corresponding to the subnet to use for the management network.

  2. Enter the number corresponding to the virtual subnet to use for the syslog reception network.

  3. You don't select a subnet for the SPAN network. The script creates its configuration automatically from the configuration parameters, with the interface type set to type=kSpanDestinationNic.
  4. Enter the number corresponding to the virtual subnet to use for the tunneled RSPAN capture network.

When the script has completed, it prints example acli commands for enabling a Nutanix SPAN session. The MAC address in the example commands is the MAC address of the SPAN interface that the script created.

The example commands can be used for the following types of SPAN session:

  • SPAN data from all VMs on the VM host.
  • SPAN data from a single VM on the VM host.

For more information, see Traffic Mirroring on AHV Hosts.

Start the VM

After completing the script, return to the Nutanix web console and go to the VM page, then power your VM on.

Note

When you power the VM on, it goes through its first boot process, which can take up to ten minutes.

In Sophos Central, go to the Integrations page for the product you're integrating and refresh it. The VM's status is now Connected.