Sophos Server Protection agent integration

You can use Sophos Intercept X for Server with Sophos Cloud Optix to enhance protection for your cloud workloads.

In Sophos Central, Sophos Cloud Optix provides Cloud Security Posture Management (CSPM), and Intercept X for Server provides Cloud Workload Protection (CWP), including antimalware using deep learning technology, anti-ransomware, workload lockdown, and Endpoint Detection and Response (EDR).

To find out more about server protection in Sophos Central, see Server Protection: Intercept X Advanced.

Sophos Cloud Optix continually monitors your cloud environments. When you use the agent with Sophos Cloud Optix, you get improved protection for your workloads and more efficient security agent management.

Find out more about cloud workload protection features at Secure Your Cloud Native Workloads.

To use Sophos Cloud Optix with Sophos Intercept X for Server, you need the following:

  • An active Sophos Central account.
  • Intercept X Advanced for Server in your Sophos Central account.
  • Sophos Cloud Optix, in the same Sophos Central account, with your AWS and Azure environments added.
  • Installation of the Sophos Server Protection agent on your servers.

This gives you the following integrations:

  • Agent discovery and security health status in Sophos Cloud Optix, including alerts to identify unprotected and unhealthy servers. This feature works automatically.
  • Automatic removal of terminated instances from server lists in Sophos Central. This feature is off by default and can only be turned on by a Super Admin.

Agent discovery and security health status

Sophos Cloud Optix identifies which AWS EC2 instances and Azure VMs have agents installed and which don't. Sophos Cloud Optix also reports the security health status sent by each agent. You can see whether you have cloud workloads without workload protection agents installed, or cloud workloads whose security health is bad or suspicious.

Information about installed agents appears in Sophos Cloud Optix in the inventory, network visualization, and the AWS EC2 instances map in Activity Logs. You can also include agent information in Sophos Cloud Optix search queries.

Security monitoring rules are included in the best practice policies in Sophos Cloud Optix. Sophos Cloud Optix raises alerts when it detects AWS EC2 instances and Azure VMs with no agents installed. It also raises alerts when it finds AWS EC2 instances and Microsoft Azure VMs with bad or suspicious security health.

Automatic agent removal for terminated instances

Note: This feature may not be available to all users yet.
Note: Sophos Cloud Optix doesn't request the removal of agents from Sophos Central for instances terminated before you turned this feature on. You need to remove them manually.

Workloads are often short-lived in public cloud environments, for example when auto-scaling. Sophos Cloud Optix requests the automatic removal of agents when the associated AWS EC2 instances and Microsoft Azure VMs are terminated in your cloud environments. This frees up licenses and removes server records for instances that no longer exist.

Sophos Cloud Optix records any terminated servers by frequently checking your cloud environments for AWS EC2 instance terminate events and Microsoft Azure VM delete events. A scheduled batch job run several times a day by Sophos Cloud Optix removes the associated server and agent information from your Sophos Central account.

You can see details of server agents that have been requested for removal. In Sophos Cloud Optix, go to Settings > Audit logs. You can see the EC2 instance or Azure VM ID, the server agent ID, and the processing time of the deletion request.
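The following script is an added example, not Sophos Cloud Optix or Sophos Central code. It shows the three checks described above (unprotected instances, agents with bad or suspicious health, and agents left behind by terminated instances) as reconciliation logic over constructed data. The cloud inventory, the agent records, the server agent IDs, and the log records are all constructed for illustration; the log records use a simplified stand-in for the shape of AWS CloudTrail TerminateInstances events and Azure Activity Log virtualMachines/delete operations, not the data Sophos Cloud Optix actually consumes. It also handles the caveat in the note above: terminations that predate the time the feature was turned on are reported for manual cleanup rather than automatic removal.

```python
"""Reconcile a cloud inventory against server-protection agent records.

Added example, not Sophos code. All data below is constructed; the log
record shapes are simplified stand-ins for CloudTrail and Azure Activity
Log entries, and the server agent IDs are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Instance:
    instance_id: str   # EC2 instance ID or Azure VM resource ID
    running: bool      # terminated/deleted workloads no longer appear in inventory


@dataclass(frozen=True)
class Agent:
    server_id: str     # hypothetical server agent ID in Sophos Central
    instance_id: str   # cloud instance the agent reports from
    health: str        # "good", "suspicious" or "bad"


@dataclass(frozen=True)
class Termination:
    instance_id: str
    when: datetime


def _ts(text):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def terminations_from_logs(records):
    """Pick EC2 terminate events and successful Azure VM deletes out of a
    mixed list of (simplified, constructed) cloud log records."""
    found = []
    for r in records:
        if r.get("eventName") == "TerminateInstances":            # CloudTrail-style
            for item in r["requestParameters"]["instancesSet"]["items"]:
                found.append(Termination(item["instanceId"], _ts(r["eventTime"])))
        elif (r.get("operationName") == "Microsoft.Compute/virtualMachines/delete"
              and r.get("status") == "Succeeded"):                # Activity Log-style
            found.append(Termination(r["resourceId"], _ts(r["eventTimestamp"])))
    return found


def unprotected(instances, agents):
    """Running instances with no agent reporting from them."""
    covered = {a.instance_id for a in agents}
    return sorted(i.instance_id for i in instances
                  if i.running and i.instance_id not in covered)


def unhealthy(instances, agents):
    """Agents on running instances whose reported health is not good."""
    running = {i.instance_id for i in instances if i.running}
    return sorted((a.instance_id, a.health) for a in agents
                  if a.instance_id in running and a.health != "good")


def removal_requests(agents, terminations, feature_enabled_at):
    """Split agents of terminated instances into automatic removal requests
    and agents needing manual cleanup (termination predates the feature)."""
    by_instance = {a.instance_id: a for a in agents}
    automatic, manual = [], []
    for t in terminations:
        agent = by_instance.get(t.instance_id)
        if agent is None:
            continue  # no agent was ever registered for this instance
        (automatic if t.when >= feature_enabled_at else manual).append(agent.server_id)
    return sorted(automatic), sorted(manual)


# Constructed sample data (not real accounts, instances or agents).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
AZ_VM1 = RG + "/providers/Microsoft.Compute/virtualMachines/vm-app1"
AZ_VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/vm-app2"
FEATURE_ENABLED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)

INSTANCES = [Instance("i-0aaa", True), Instance("i-0bbb", True), Instance(AZ_VM1, True)]
AGENTS = [
    Agent("srv-2", "i-0bbb", "bad"),
    Agent("srv-3", "i-0ccc", "good"),        # instance terminated after feature turned on
    Agent("srv-4", "i-0ddd", "good"),        # instance terminated before feature turned on
    Agent("srv-5", AZ_VM1, "suspicious"),
    Agent("srv-6", AZ_VM2, "good"),          # VM deleted after feature turned on
]
LOG_RECORDS = [
    {"eventName": "TerminateInstances", "eventTime": "2024-06-03T10:15:00Z",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ccc"}]}}},
    {"eventName": "TerminateInstances", "eventTime": "2024-05-20T08:00:00Z",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ddd"}]}}},
    {"eventName": "StartInstances", "eventTime": "2024-06-03T11:00:00Z",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0bbb"}]}}},
    {"operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded",
     "eventTimestamp": "2024-06-04T12:30:00Z", "resourceId": AZ_VM2},
    {"operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Failed",
     "eventTimestamp": "2024-06-04T13:00:00Z", "resourceId": AZ_VM1},  # VM still exists
]


def reconcile(instances=INSTANCES, agents=AGENTS, records=LOG_RECORDS,
              feature_enabled_at=FEATURE_ENABLED_AT):
    automatic, manual = removal_requests(agents, terminations_from_logs(records),
                                         feature_enabled_at)
    return {"unprotected": unprotected(instances, agents),
            "unhealthy": unhealthy(instances, agents),
            "remove_automatically": automatic,
            "remove_manually": manual}


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

The failed Azure delete is deliberately left in the sample log: only a succeeded delete means the VM is gone, so its agent must stay. Likewise a StartInstances event for a protected instance is ignored.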

To turn on automatic agent removal, do as follows:

  1. Sign in to Sophos Central as Super Admin.
  2. Go to Sophos Cloud Optix.
  3. Go to Settings > Advanced.
  4. Click Automatic Agent Removal.
  5. Read the information and click the confirmation box.
  6. Turn on Automatically remove agents for terminated instances and click Save.