
NDR Essentials

Network Detection and Response (NDR) is a category of network security products designed to detect abnormal traffic patterns to help identify active adversaries operating on your network. Even skilled attackers need to move across or communicate out of your network to carry out an attack. NDR uses sensors to monitor and analyze your network traffic to identify suspicious activity.

NDR Essentials is a cloud-hosted NDR solution that integrates directly with your firewall. It uses advanced machine learning to detect threats in real-time without impacting your firewall's performance. This provides an additional layer of security in addition to your existing firewall protection.

How NDR Essentials works

Sophos Firewall captures metadata from your TLS-encrypted traffic and DNS queries, and sends that information to the NDR Essentials service in the Sophos Cloud. There, the data is analyzed using multiple AI engines to detect threats.

This allows NDR Essentials to identify malicious encrypted payloads without needing to perform full TLS decryption. It can also detect new and unusual domain names generated by algorithms, which is often an indicator of compromised systems on your network.

The metadata extraction is performed by a lightweight engine integrated into the FastPath architecture of your Sophos XGS Series firewall. This ensures the NDR Essentials analysis can be done without impacting the performance of your firewall.

Figure: How NDR works.

Sophos NDR Essentials assigns each detection a risk score from six (the lowest risk) to ten (the highest risk). You can set the risk score threshold that triggers alerts to suit your environment. The default, recommended setting is High risk (Score 9 and 10).

The firewall keeps a record of Indicators of Compromise (IoCs) with a score of 6 or above. Clean traffic and false positives typically score below six, so NDR Essentials doesn't keep records of those IoCs.

The firewall sends the first request to a destination to NDR Essentials in the cloud for analysis. If NDR Essentials identifies the destination as an IoC, the firewall adds it to its threat feed. For subsequent requests to these IoCs, the firewall does the following:

  • Generates logs
  • Sends email notifications
  • Creates local and Sophos Central reports (Central Firewall Reporting)

Time to Live

Every IoC has a Time To Live (TTL) associated with it. The firewall runs a daily job to clean up IoC entries with expired TTLs.

The NDR summary widget shows the number of IoCs. See Summary. The count is updated daily, when the cleanup job removes IoCs whose TTL has expired.

Note

If the firewall already holds a threat score for an IoC and later receives a lower score, the threat score stays unchanged but the TTL is refreshed. If it later receives a higher score, the threat score is updated to the higher score.

Configure NDR Essentials

For information about configuration, logging, and how to block IoCs using firewall rules, see Configure NDR Essentials.

Generate test detections

You can generate test detections to check that Sophos NDR is correctly set up and working.

The test isn't malicious. It triggers a detection by simulating an event with features typical of an attack: a client downloading a file from a server with suspicious domain and certificate details.

In the following example, we'll show you how to generate a detection using the Windows command prompt.

To generate a test detection, do as follows:

  1. Go to Sophos Test.
  2. Click Network Security > Network Detection and Response.
  3. Click Download File.
  4. Extract the file contents to your preferred location.
  5. Run Command Prompt as administrator.
  6. In Command Prompt, go to the folder where you extracted the file, and run the following command: NdrEicarClient.exe -- all.

    Note

    You must run the command on a device behind the firewall, so that its traffic passes through the firewall.

    Running the executable simulates communication with a suspicious domain that has expired certificate details.

    Wait a few minutes for the detection to complete.

  7. Run the command again.

    The second run matters because the firewall sends the first request to a destination to the cloud for analysis and only matches subsequent requests against its threat feed. NDR analyzes the flow, assigns a threat score, and flags the IoC. The firewall adds the detected IoC to its threat indicator list, and the communication is detected and classified under a specific threat category.

Select your NDR Essentials region

When you first turn on NDR Essentials, it contacts the regional API endpoint, which returns the region with the lowest latency. The firewall keeps this value when you turn NDR Essentials off or restart the firewall, so to use a different region you must change it manually.

To change the region, do as follows:

  1. From the firewall's web admin console, turn off NDR Essentials.
  2. Connect to your firewall's backend using SSH, with its IP address.
  3. Type 5 then 3 to access the advanced shell.
  4. Type cd /content/ndr to go to the NDR folder.
  5. Type vi ndr_info.json to open the configuration file.
  6. Type i to enter "insert mode".
  7. Find the line that contains service_url and replace the host in its value with the region of your choice.

    Select one of the following regions:

    • UK: uk.analysis.sophos.com
    • Germany: de.analysis.sophos.com
    • US: us.analysis.sophos.com
    • Australia: au.analysis.sophos.com
    • APAC: apac.analysis.sophos.com
  8. Press "Esc" to exit "insert mode".
  9. Type :wq and press "Enter" to save and close the file.
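The shell functions below perform steps 4 to 9 non-interactively, checking the region against the list above and keeping a backup of the file. They are an added example, not Sophos code. The page doesn't show the contents of ndr_info.json, so the example assumes the file has a line containing service_url whose value embeds a host of the form region.analysis.sophos.com, and that the advanced shell's sed supports -i and -E (both busybox and GNU sed do). Run it after step 1, while NDR Essentials is turned off.

```shell
#!/bin/sh
# Added example (not Sophos code): switch the NDR Essentials analysis region by
# rewriting the host inside the service_url value of ndr_info.json.
# Assumption: the value contains a host like de.analysis.sophos.com.

# Map a region code to its analysis host (hosts as listed in the procedure).
ndr_region_host() {
    case "$1" in
        uk)   echo "uk.analysis.sophos.com" ;;
        de)   echo "de.analysis.sophos.com" ;;
        us)   echo "us.analysis.sophos.com" ;;
        au)   echo "au.analysis.sophos.com" ;;
        apac) echo "apac.analysis.sophos.com" ;;
        *)    return 1 ;;
    esac
}

# Print the analysis host currently configured in the file (first match wins).
# Usage: current_ndr_host [path-to-ndr_info.json]
current_ndr_host() {
    grep -o -E '[a-z]+\.analysis\.sophos\.com' "${1:-/content/ndr/ndr_info.json}" | head -n 1
}

# Rewrite the service_url host in the file; prints the new host on success.
# Usage: set_ndr_region <uk|de|us|au|apac> [path-to-ndr_info.json]
set_ndr_region() {
    region="$1"
    file="${2:-/content/ndr/ndr_info.json}"
    host=$(ndr_region_host "$region") || { echo "unknown region: $region" >&2; return 1; }
    grep -q 'service_url' "$file" || { echo "no service_url line in $file" >&2; return 1; }
    # Keep a copy so the change can be reverted with: cp "$file.bak" "$file"
    cp "$file" "$file.bak" || return 1
    # Only lines containing service_url are touched; the rest of the JSON is left as-is.
    sed -i -E '/service_url/ s/[a-z]+\.analysis\.sophos\.com/'"$host"'/' "$file"
    # Verify the edit actually landed; otherwise restore the backup.
    if ! grep -q "$host" "$file"; then
        cp "$file.bak" "$file"
        echo "edit failed, restored $file from backup" >&2
        return 1
    fi
    echo "$host"
}
```

Calling set_ndr_region de with no second argument rewrites /content/ndr/ndr_info.json in place; current_ndr_host shows which host is configured before and after the change.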