Server Protection agent integration

Use Sophos Intercept X for Server with Sophos Cloud Optix to enhance protection for your cloud workloads.

In Sophos Central, Sophos Cloud Optix provides Cloud Security Posture Management (CSPM), and Intercept X for Server provides Cloud Workload Protection (CWP), including anti-malware using deep learning technology, anti-ransomware, workload lockdown, and Endpoint Detection and Response (EDR).

To find out more about server protection in Sophos Central, see Server Protection: Intercept X Advanced.

Sophos Cloud Optix continually monitors your cloud environments. When you use the agent with Sophos Cloud Optix, you get improved protection for your workloads and more efficient security agent management.

Find out more about cloud workload protection features at Secure Your Cloud Native Workloads.

To use Sophos Cloud Optix with Sophos Intercept X for Server, you need the following:

  • An active Sophos Central account.
  • Intercept X Advanced for Server in your Sophos Central account.
  • Sophos Cloud Optix, in the same Sophos Central account, with your AWS and Microsoft Azure environments added.
  • Installation of the Sophos Server Protection agent on your servers.

This gives you the following integrations:

  • Agent discovery and security health status in Sophos Cloud Optix, including alerts to identify unprotected and unhealthy servers.
  • Automatic removal of terminated instances from server lists in Sophos Central.

These integrations work automatically.

Agent discovery and security health status

Sophos Cloud Optix identifies which AWS EC2 instances and Microsoft Azure VMs have agents installed and which don't. Sophos Cloud Optix also reports the security health status from the agent. You can see whether you have cloud workloads without workload protection agents installed, or cloud workloads with bad or suspicious security health.

Information about installed agents appears in Sophos Cloud Optix in the inventory, network visualization, and the AWS EC2 instances map in Activity Logs. You can also include agent information in Sophos Cloud Optix search queries.

Security monitoring rules are included in the best practice policies in Sophos Cloud Optix. Sophos Cloud Optix raises alerts when it detects AWS EC2 instances and Microsoft Azure VMs with no agents installed. It also raises alerts when it finds AWS EC2 instances and Microsoft Azure VMs with bad or suspicious security health.

Automatic agent removal for terminated instances

Note: This feature may not be available to all users yet.

Note: Sophos Cloud Optix doesn't request the removal of agents for terminated instances that existed in your Sophos Central account before we introduced this feature. You need to remove them manually.

Workloads are often short-lived in public cloud environments, for example when auto-scaling. Sophos Cloud Optix requests the automatic removal of agents when the associated AWS EC2 instances and Microsoft Azure VMs are terminated in your cloud environments. This frees up licenses and removes instances that no longer exist from your server lists.

At each scheduled API sync between Sophos Cloud Optix and your cloud environments, Sophos Cloud Optix notes any terminated AWS EC2 instances and terminated Microsoft Azure VMs. A daily batch job run by Sophos Cloud Optix removes the associated server and agent information from your Sophos Central account.
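
For the manual cleanup case in the note above, and for the unprotected and unhealthy checks described earlier, the following added example (not Sophos code) reconciles a cloud inventory export against a server list export. The record layout, field names, and sample data are constructed for illustration and are not a Sophos schema.

```python
# Added example. Field names and records are constructed, not a Sophos schema.

# Constructed cloud inventory export: instance ID -> lifecycle state.
CLOUD_INSTANCES = {
    "i-0aaa": "running",
    "i-0bbb": "running",
    "i-0ccc": "running",
    "i-0ddd": "terminated",
    "vm-eee": "running",
}

# Constructed server list export: one record per installed agent.
CENTRAL_SERVERS = [
    {"hostname": "web-1", "instance_id": "i-0aaa", "health": "good"},
    {"hostname": "web-2", "instance_id": "i-0bbb", "health": "suspicious"},
    {"hostname": "batch-7", "instance_id": "i-0ddd", "health": "good"},
    {"hostname": "old-9", "instance_id": "i-0zzz", "health": "bad"},
]

UNHEALTHY = {"bad", "suspicious"}


def reconcile(instances, servers):
    """Compare cloud inventory with agent records and return four findings."""
    live = {iid for iid, state in instances.items() if state != "terminated"}
    agents = {s["instance_id"]: s for s in servers}

    return {
        # Live workloads with no agent record at all.
        "unprotected": sorted(live - agents.keys()),
        # Live workloads whose agent reports bad or suspicious health.
        "unhealthy": sorted(
            iid for iid in live & agents.keys()
            if agents[iid]["health"] in UNHEALTHY
        ),
        # Agent records whose instance is known to be terminated:
        # candidates for manual removal.
        "stale": sorted(
            s["hostname"] for s in servers
            if instances.get(s["instance_id"]) == "terminated"
        ),
        # Agent records with no matching inventory entry. These may be
        # on-premises servers or environments not yet added, so review
        # them instead of removing them.
        "unmatched": sorted(
            s["hostname"] for s in servers if s["instance_id"] not in instances
        ),
    }


if __name__ == "__main__":
    for finding, items in reconcile(CLOUD_INSTANCES, CENTRAL_SERVERS).items():
        print(f"{finding}: {items}")
```

Keeping `stale` and `unmatched` separate avoids deleting agent records for servers that are simply outside the exported cloud inventory.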