EDR and XDR

Sophos EDR, XDR, and XDR Sensor enhance your threat detection and response capabilities.

EDR and XDR features

Both Sophos EDR and Sophos XDR let you do the following:

  • Investigate detected threats.
  • Search for new threats or security weaknesses.
  • Monitor devices and fix issues remotely.

Sophos XDR offers additional features:

  • Integrations let your third-party products send data for analysis.
  • The Sophos AI assistant simplifies and speeds up threat hunting or investigation.

You can find the EDR and XDR features in Threat Analysis Center.

XDR Sensor

Sophos XDR Sensor offers an alternative way to get the XDR features. You don't get threat protection, but you do get some of the detection, investigation, and response functions. You can run Sophos XDR Sensor alongside existing anti-malware to try out XDR.

If you use Sophos XDR Sensor, make sure you have third-party protection installed to protect your devices.

Sophos XDR Sensor doesn't support Sophos Security Heartbeat, the feature that lets devices regularly report their security status to Sophos Firewall.

Both Sophos XDR and Sophos XDR Sensor are available with an XDR license.

Threat graphs

Threat graphs let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it has affected.

For help, see Threat Graphs.

Live Discover

Live Discover lets you check activity on devices. You can run queries about the software installed, processes running, registry changes, and more. This helps you detect security weaknesses or malicious activity.

You can run queries on devices or on our Data Lake, which stores device data in the cloud. The Data Lake lets you query devices even when they’re not connected, schedule your queries, and query data from multiple Sophos products.

You can send information to the Data Lake from the following products:

  • Sophos Endpoint
  • Sophos Mobile
  • Sophos Email
  • Sophos Firewall
  • Sophos Cloud Optix

For help with creating and running queries, see Live Discover.

Live Response

Live Response lets you connect directly to an individual device to investigate and fix possible security issues.

For help, see Set up and start Live Response.

Detections

Detections identify activity that’s unusual or suspicious and might need investigation. They're based on data that devices upload to the Sophos Data Lake.

You can use these detections to examine devices, processes, users, and events for signs of potential threats that other Sophos features haven’t blocked.

You can also use them as the starting point for searches for security weaknesses or threats already seen elsewhere.

For more information, see Detections.

Cases

Cases let you analyze potential threats in depth.

Cases group together suspicious events reported by our Detections feature and help you or the MDR team do forensic work on them. We create cases for you automatically, but you can also create your own.

For more information, see Cases.

Integrations

Integrations let third-party security products send data to the Sophos Data Lake, where you can query and analyze it. See About MDR and XDR integrations.

Sophos AI assistant

The Sophos AI assistant is a generative AI-powered tool that lets you investigate security issues using natural-language prompts. See AI assistant.