
Sophos NDR


You must have the "Sophos Network Detection and Response" integration license pack to use this feature.

Sophos Network Detection and Response (NDR) detects malicious behavior on your network.

You can integrate Sophos NDR with Sophos Central so that its detections are available for investigation in the Threat Analysis Center.

To integrate NDR, you set up an NDR virtual appliance that connects to Sophos Central and sends data to it. The main steps are as follows:

  • Check the requirements.
  • Add an integration.
  • Configure your switches so NDR can see traffic.
  • Download the NDR virtual machine (VM) image.
  • Deploy the new VM.

Restriction

The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

This video takes you through configuring Sophos NDR on VMware ESXi.

Requirements

You need a VMware ESXi server running version 6.7 or later.

When you install the VM, you might need to configure it so that the NDR virtual appliance gives the best performance and the least impact on the network. See Sophos NDR VM size guide.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center > Integrations.
  3. Click Sophos Network Detection and Response (NDR).

  4. In Integrations, click Add integration.

    NDR integrations

  5. In Integration steps, in Step 1 enter the Alias name and Alias description.

    Integration steps

  6. In Step 2, select the VM that will run the NDR appliance.

    If you need a new VM, click Create new VM.

    If you want to use an existing VM, select it from the drop-down list and skip to step 8.

    Integration step 2

  7. To create a new VM, do as follows:

    1. Enter VM name.

    2. Enter VM description.

    3. Select the virtual platform. (Currently, only VMware is supported.)

    4. Specify the internet-facing network ports.

      • Select DHCP to assign the IP address automatically.

      • Select Manual to specify network settings. For example:

        • IP address: 10.0.252.5
        • Subnet mask: 255.255.255.0
        • Gateway address: 10.0.252.1
        • DNS 1: 8.8.8.8
        • DNS 2: 8.8.4.4

    Integration step 2 VM settings

  8. In Step 3, exclude specific domains and protocols from checking.

    1. Enter Exclusion list name.

    2. To exclude a domain, click Domain exclusions. Enter the domain name, for example sophos.com, and click Add.

    3. To exclude a protocol, click Protocol exclusions. You can enter information in either or both of the fields:

      • In the first field, enter a master protocol. For example, TCP or UDP.
      • In the second field, enter a sub-protocol (website). For example, facebook.

      If you enter information in both fields, we assemble them into one string with a single dot separator.

      The screenshot shows example information.

    4. Click Add.

    You can export your exclusions as a JSON file. You can also upload exclusions to the list from a JSON file you've exported previously.

    Integration step 3 Exclusions

  9. Click Save.

In the Integrations page, you see the new integration.

Next configure your switches so that the NDR appliance will be able to monitor your network traffic.

Configure your switches

Before you download and deploy the Sophos NDR VM, you must set up port mirroring, also known as Switched Port Analyzer (SPAN). This forwards a copy of incoming and outgoing traffic from a switch's ports or VLANs to another switch port for analysis.

You must configure port mirroring for both virtual internal and physical external network traffic.

When you deploy your NDR VM appliance later, you’ll be able to connect it to your SPAN ports so that NDR can monitor network traffic.

Configure virtual switches

To set up port mirroring for virtual, internal switches, do as follows:

  1. In ESXi, go to Networking. On the Virtual switches tab, select a switch to use for port mirroring.

    If you don’t already have a switch to use, click Add standard virtual switch to add a new one and add port groups to it.

    Virtual switches

  2. On the Port groups tab, click Add port group.

    New port group

  3. In the settings for the new port group, do as follows:

    1. Enter a name.
    2. Set the VLAN ID to 4095. This allows all other port groups already on the switch to forward traffic to the new port group.
    3. Click Security and set Promiscuous mode to Accept.
    4. Click Add.

    You've set up forwarding for your virtual internal network traffic. Next do the same for physical external traffic, as described in the steps that follow.

  4. In ESXi, select or create another virtual switch that will handle physical external traffic sent to it by a physical switch on your network.

  5. Configure the switch as follows:

    1. Go to Port groups and click Add port group.
    2. Enter a name.
    3. Set VLAN ID to 4095.
    4. Click Security and set Promiscuous mode to Accept.

    Next you connect your virtual switch to your physical network so that it can receive external traffic.

  6. In the ESXi left menu, go to Networking and select the switch you want to use for external traffic.

    vSwitch selected

  7. In the switch details, look for vSwitch topology. You can see “No physical adapters”.

    vSwitch topology

  8. Click Add uplink.

    Add uplink button

  9. In Uplink 1, select a NIC (Network Interface Card) that's available. This connects the virtual switch to a port on your ESXi server.

    Uplink 1

  10. In Network topology, check that you can see a physical adapter connected.

    Physical adapter

  11. Go to your physical switch and use a cable to connect directly to the port on your ESXi server.
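The virtual switch steps above can also be done, and then audited, with VMware PowerCLI. This is an added example, not Sophos' or VMware's own code; the host name, switch names, port-group names and vmnic name are assumptions you replace with your own. It applies both settings the steps call for (VLAN ID 4095 and Promiscuous mode Accept) to an internal and an external SPAN port group, attaches the uplink NIC for the external one, and then reports any port group that does not match.

```powershell
# Added example (not from the Sophos page). Requires the VMware.PowerCLI module.
# All names below are placeholders (assumptions).
param(
    [string]$EsxiHost  = "esxi01.example.internal",   # assumption: your ESXi host
    [string]$UplinkNic = "vmnic1"                     # assumption: NIC cabled to the physical switch's mirror port
)

Connect-VIServer -Server $EsxiHost | Out-Null
$vmhost = Get-VMHost -Name $EsxiHost

# Hypothetical switch / port-group names; one for virtual internal traffic, one for physical external traffic.
$spanGroups = @(
    @{ Switch = "vSwitch-SPAN-Internal"; PortGroup = "SPAN-Internal"; Uplink = $null },
    @{ Switch = "vSwitch-SPAN-External"; PortGroup = "SPAN-External"; Uplink = $UplinkNic }
)

foreach ($g in $spanGroups) {
    $vs = Get-VirtualSwitch -VMHost $vmhost -Name $g.Switch -ErrorAction SilentlyContinue
    if (-not $vs) { $vs = New-VirtualSwitch -VMHost $vmhost -Name $g.Switch }

    $pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $g.PortGroup -ErrorAction SilentlyContinue
    if (-not $pg) {
        # VLAN ID 4095: the port group receives traffic from every VLAN on the switch (tags preserved).
        $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $g.PortGroup -VLanId 4095
    }
    # Promiscuous mode Accept: without it the sensor VM only sees frames addressed to its own MAC.
    $pg | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $true | Out-Null

    if ($g.Uplink -and ($vs.Nic -notcontains $g.Uplink)) {
        # Connect the physical NIC so mirrored traffic from the physical switch reaches this vSwitch.
        $nic = Get-VMHostNetworkAdapter -VMHost $vmhost -Physical -Name $g.Uplink
        Add-VirtualSwitchPhysicalNetworkAdapter -VirtualSwitch $vs -VMHostPhysicalNic $nic -Confirm:$false
    }
}

# Audit: flag any SPAN port group that is not VLAN 4095 with promiscuous mode accepted.
foreach ($g in $spanGroups) {
    $pg  = Get-VirtualPortGroup -VMHost $vmhost -Name $g.PortGroup
    $pol = $pg | Get-SecurityPolicy
    $ok  = ($pg.VLanId -eq 4095) -and $pol.AllowPromiscuous
    "{0,-15} VLAN={1,-4} Promiscuous={2,-5} {3}" -f $g.PortGroup, $pg.VLanId, $pol.AllowPromiscuous, $(if ($ok) { "OK" } else { "CHECK" })
}

Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Run it again after any vSwitch change; a CHECK line means the sensor attached to that port group will not see mirrored traffic until the setting is corrected.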

Next you need to set up mirroring on your physical switch.

Configure a physical switch

This section describes setting up port mirroring on a Sophos switch. Setup steps for other switches differ.

To set up mirroring, do as follows:

  1. In Sophos Central go to Switches.

  2. Select the switch you want to configure and click Run commands.

    Switches page in Sophos Central

  3. In the Run switch commands console, enter the commands to mirror all traffic. In this example, the commands will mirror all incoming and outgoing traffic on ports 1-4, and send it out on port 8.

    configure terminal
    monitor session 1 destination interface gigabitethernet 0/8 allow-ingress
    monitor session 1 source interface gigabitethernet 0/1 both
    monitor session 1 source interface gigabitethernet 0/2 both
    monitor session 1 source interface gigabitethernet 0/3 both
    monitor session 1 source interface gigabitethernet 0/4 both
    end
    show monitor session 1

    Switch command-line console

  4. Click Execute. The console shows the commands as they run on a green background.

    Switch console running commands

  5. When the last command is run, the console shows the completed configuration. Click Close.

    Switch console running commands

You've finished setting up forwarding of traffic to SPAN ports. Later you'll configure Sophos NDR to monitor that traffic.

Next you download the NDR VM image.

Download the VM image

Now you download the NDR image (the OVA file) you need to deploy and boot the new VM.

  1. Next to the new integration, click the three dots icon in the Actions column, and select Download OVA file.

    You see the download start.

    Download menu

  2. Hover over the icon to the left of the integration name. You now see "Waiting for deployment".

    Integration status

You're ready to deploy the VM.

Deploy the VM

  1. Go into your ESXi host.

    Warning

    If you're deploying the OVA on an ESXi host running in an Enhanced vMotion Compatibility (EVC) cluster, EVC must be in Skylake (or later) mode. The Sophos NDR VA won't run on a VM in an EVC mode earlier than Skylake.

  2. Select Virtual Machines and click Create/Register VM.

    Create/Register VM tab

  3. In Select creation type, select Deploy a virtual machine from an OVF or OVA file. Click Next.

    Select creation type

  4. In Select OVF and VMDK files, enter a VM name.

    Click the page to select files. Select the OVA file ndr-sensor.ova. Click Next.

    Select OVA file

  5. In Select storage, select Standard. Click Next.

    Select storage

  6. In Deployment options, select the Network mappings. In our example, all are set to SPAN (the ports you're forwarding traffic to), except MGMT, which is set to VM Network. Click Next.

    Deployment options

  7. Skip the Additional settings step.

  8. Click Finish. Wait for the new VM to appear in the VMs list. This can take a few minutes.

    Ready to complete

  9. Power on the VM and wait for the installation process to complete. This can take up to 10 minutes.

    Warning

    Don't interrupt this process.

  10. In Sophos Central, go to the NDR Integrations page and refresh it. The VM's status is now Connected.

    Integration status

If the status of the VM is Connected but it doesn't appear to be working, check the status of the Dragonfly service in the Sophos NDR VA console. See Sophos VA Console.

If you see in the console that the Dragonfly service is in Pending state, and your VM is in an Enhanced vMotion Compatibility (EVC) cluster, check that the EVC mode is Skylake or later.

The Sophos NDR VA doesn't support running in EVC clusters in Sandy Bridge mode.