Sophos Managed Threat Response for Linux

Version 2023.1 New

Updated components

SPL-Managed-Threat-Response-Plugin updated to 1.0.14.

Components Updated

Components and their version numbers by release. The second column contains the latest release.
Sophos Managed Threat Response for Linux	2023.1 January 2023	1.0.13 September 2022	1.0.12 June 2022	1.0.11 February 2022	1.0.10 November 2021	1.0.9 June 2021	1.0.8 April 2021	1.0.7 December 2020	1.0.6 August 2020	1.0.4 June 2020	1.0.2 February 2020	1.0.1 November 2019
SPL-Managed-Threat-Response-Plugin	1.0.14	1.0.13	1.0.12	1.0.11	1.0.10	1.0.9	1.0.8	1.0.7	1.0.6	1.0.4	1.0.2.105	1.0.1

Version 1.0.13

Updated components

We've updated the names of our components.

Sophos Managed Threat Response for Linux is now called SPL-Managed-Threat-Response-Plugin.

SPL-Managed-Threat-Response-Plugin updated to 1.0.13.

Version 1.0.12

New features

We now support Amazon Linux 2022, Ubuntu 22.04 (LTS), Oracle 8, Miracle Linux, Debian 10 and Debian 11. Earlier versions of Sophos Managed Threat Response for Linux don't support these platforms.

Updated components

Sophos Managed Threat Response for Linux updated to 1.0.12.

Version 1.0.11

Updated components

Sophos Managed Threat Response for Linux updated to 1.0.11.

Version 1.0.10

Updated components

Sophos Managed Threat Response for Linux updated to 1.0.10.
We've removed Sophos Live Query as MTR now uses the Sophos XDR equivalent to provide the same functionality.

Version 1.0.9

Updated components

Sophos Managed Threat Response for Linux updated to 1.0.9.

Version 1.0.8

New features

With the XDR release, MTR now supports Sophos Management Communication System (MCS) or proxies. This means it receives endpoint events generated by scheduled query results.

Updated components

Sophos Live Query updated to 4.6.0.
Sophos Managed Threat Response plugin updated to 1.0.8.

Version 1.0.7

New features

This version adds Response Action Framework (RAF). This includes the following features:

The MTR team can define custom response actions.
You can push a file to an endpoint during an investigation.
You can automate conditional execution of response actions.

Updated components

Sophos Live Query updated to 4.5.0.
Sophos Managed Threat Response plugin updated to 1.0.7.

Version 1.0.6

Updated components

Sophos Managed Threat Response plugin updated to 1.0.6.
Sophos Live Query updated to 4.4.0.

Version 1.0.4

Updated components

Sophos Managed Threat Response plugin updated to 1.0.4.

Version 1.0.2

New features

Remotely retrieve a file from a managed device to assist an MTR investigation. The file can be used as case evidence or submitted to Sophos for malware analysis (including static and dynamic malware).
Added ability to turn on and off verbose logging to improve troubleshooting.
Minor bug fixes.

Updated components

Sophos Live Query updated to 4.0.2.1.
Sophos Managed Threat Response plugin updated to 1.0.2.105.

Version 1.0.1

New features

Sophos Managed Threat Response (MTR) provides 24/7 threat hunting, detection, and response. It is delivered by an expert team as a fully-managed service. Beyond simply notifying you of attacks or suspicious behavior, the Sophos MTR team initiates actions on your behalf to neutralize even the most sophisticated and complex threats. Two levels of service are available:

MTR Standard: lead-driven threat hunting, adversarial detections, activity reports, security health check.
MTR Advanced: MTR standard features plus lead-less threat hunting, enhanced telemetry, proactive posture management, dedicated incident response lead, direct call-in support, asset discovery.

Known issues and limitations

MTR Response Actions initiated from the MTR console don't support MCS/proxies. A direct connection between the endpoint and the MTR platform is still required for the MTR Ops team to take Response Actions in the MTR console. The MTR Ops team can use Response Actions when MTR Standard or MTR Advanced customers turn on either "Authorize" or "Collaborate" Threat Response Mode.

Known issues and limitations, listed by ID, affected component and a description of the issue.
Issue ID	Component	Description
LINUXDAR‑281	Sophos Managed Threat Response for Linux	Process monitoring may not work on a system that is already running osquery.
LINUXDAR‑601	Sophos Managed Threat Response for Linux	Process monitoring data is not available on systems with auditd enabled.

System requirements

Free disk space: 2.5 GB
Memory: 2 GB
System type: x64
Systemd supported and running
Kernel that supports glibc 2.17 or later
Bash is installed

Supported platforms

The following platforms and point releases have been tested:

Amazon Linux 2
Amazon Linux 2022
CentOS 7
CentOS Minimal
CentOS Stream
Debian 10
Debian 11
Miracle Linux
Oracle 7
Oracle 8
RHEL 7
RHEL 8
RHEL 9
Ubuntu 18.04 (LTS)
Ubuntu 20.04 (LTS)
Ubuntu 22.04 (LTS)
Ubuntu Minimal

Support

You can find technical support for Sophos products in any of these ways:

Visit Sophos Community at Sophos community and search for other users who are experiencing the same problem.
Visit Sophos support at Sophos support.
Find how-to, configuration and troubleshooting videos at Sophos Techvids video hub.

Legal notices

Copyright © 2023 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.