
Sophos XDR Integration

You can use Sophos Cloud Optix data with Live Discover in Sophos Central.

Sophos can upload activity logs, for example AWS CloudTrail logs, from Sophos Cloud Optix to the Sophos Data Lake. In Sophos Central, you can then run Live Discover queries in the Threat Analysis Center to detect suspicious activity in your cloud environments.

To use Sophos Cloud Optix data in Sophos XDR, you need a Sophos Cloud Optix Advanced license in Sophos Central. You also need an Intercept X license that includes Sophos XDR.

You need to turn on Data Lake uploads in the Sophos Cloud Optix advanced settings. You must be a Super Admin in Sophos Cloud Optix Advanced to do this. You can upload activity log data for specific cloud environments in Sophos Cloud Optix or for all of your environments.

We provide a set of pre-prepared Sophos Cloud Optix queries in Live Discover in the Threat Analysis Center. You can run these queries, edit them, or create your own. See Live Discover.

For information on how to send data from your cloud environments to the Data Lake, see Sophos Cloud Optix storage limits.

Environment Access Controls

Environment Access Control settings in Sophos Cloud Optix aren't recognized or enforced in Sophos XDR. You can use Environment Access Controls to restrict an admin's access to specific environments in Sophos Cloud Optix. However, if that admin has permission to use Sophos XDR, they can use Live Discover to query Data Lake data for any environment that uploads to it, including environments they can't see in Sophos Cloud Optix.

If you use Environment Access Controls in Sophos Cloud Optix, take this into account when choosing which environments upload data to the Data Lake: uploading an environment makes its activity logs visible to every admin who can run Live Discover queries.
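The following is an added example, not Sophos code, to show the shape of a Live Discover detection over CloudTrail data as described above and the access-control caveat in this section. Live Discover queries are written in SQL; here a local SQLite table stands in for the Sophos Data Lake. The table name cloudtrail_events and its column names are assumptions made for the example and are not the Data Lake schema (use the pre-prepared Sophos Cloud Optix queries in the Threat Analysis Center for the real table and column names). The CloudTrail field names (eventName, eventSource, userIdentity.type, recipientAccountId and so on) are the real AWS CloudTrail record fields, and the sample records are constructed, not real logs.

```python
"""Live Discover-style detection over CloudTrail records (added example, not Sophos code).

The table `cloudtrail_events` and its columns are ASSUMED for this example; they are not
the Sophos Data Lake schema. A local SQLite database stands in for the Data Lake.
"""
import json
import sqlite3

# Constructed CloudTrail records (not real logs), trimmed to the fields the query uses.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops"},
     "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/dev"},
     "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "dev",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/app/i-0abc"},
     "recipientAccountId": "222222222222", "sourceIPAddress": "10.0.1.5"},
]

# Detection query in the style of a Live Discover query. Three patterns worth hunting for
# in CloudTrail: the trail being switched off or altered, root console sign-ins, and an
# AWS-managed admin policy being attached to an IAM principal.
DETECTION_SQL = """
SELECT event_time, account_id, event_name, user_type, user_arn, source_ip, finding
FROM (
    SELECT *,
           CASE
             WHEN event_source = 'cloudtrail.amazonaws.com'
                  AND event_name IN ('StopLogging', 'DeleteTrail', 'UpdateTrail')
                  THEN 'trail_tampering'
             WHEN event_name = 'ConsoleLogin' AND user_type = 'Root'
                  THEN 'root_console_login'
             WHEN event_source = 'iam.amazonaws.com'
                  AND event_name IN ('AttachUserPolicy', 'AttachRolePolicy', 'PutUserPolicy')
                  AND request_parameters LIKE '%AdministratorAccess%'
                  THEN 'admin_policy_attached'
           END AS finding
    FROM cloudtrail_events
)
WHERE finding IS NOT NULL
"""


def load_events(records):
    """Flatten CloudTrail JSON records into the assumed cloudtrail_events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cloudtrail_events (
        event_time TEXT, account_id TEXT, event_source TEXT, event_name TEXT,
        user_type TEXT, user_arn TEXT, source_ip TEXT, request_parameters TEXT)""")
    rows = []
    for r in records:
        ident = r.get("userIdentity", {})
        rows.append((r["eventTime"], r.get("recipientAccountId"), r["eventSource"],
                     r["eventName"], ident.get("type"), ident.get("arn"),
                     r.get("sourceIPAddress"), json.dumps(r.get("requestParameters", {}))))
    conn.executemany("INSERT INTO cloudtrail_events VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def find_suspicious(records, account_ids=None):
    """Run the detection query, optionally scoped to a set of AWS account IDs.

    The account filter is a query-side convenience only. As the page notes, Live Discover
    does not enforce Sophos Cloud Optix Environment Access Controls: any admin allowed to
    run queries can simply leave the filter out and see every uploaded environment.
    """
    conn = load_events(records)
    conn.row_factory = sqlite3.Row
    sql, params = DETECTION_SQL, []
    if account_ids:
        sql += " AND account_id IN (%s)" % ",".join("?" * len(account_ids))
        params = list(account_ids)
    sql += " ORDER BY event_time"
    return [dict(row) for row in conn.execute(sql, params)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_RECORDS):
        print(hit["event_time"], hit["account_id"], hit["finding"], hit["user_arn"])
```

Against the constructed records the query flags the StopLogging call, the root console sign-in and the AdministratorAccess attachment, and ignores the routine S3 read. Passing account_ids narrows the output to one account, but only because the query asks for it; it is not a substitute for deciding which environments upload to the Data Lake in the first place.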