
Live Response🔗

Live Response in Secureworks® Taegis™ XDR lets you open a remote terminal session on devices running the Sophos Endpoint Agent so that you can examine and remediate potential security issues directly on the host. With Live Response, you can:

  • Stop suspicious processes.
  • Restart devices with pending updates.
  • Browse folders and delete files.
  • Run custom commands for investigation and remediation.

You can turn on Live Response for computers and servers, specify which devices can be accessed, and audit all activity and sessions.

Turn On Live Response🔗

You must enable Live Response separately for computers and servers from Sophos Central. Only XDR Tenant Administrators can change these settings.

Access Sophos Central from various links throughout your XDR tenant. The easiest way is to use the Taegis Menu to navigate to Endpoint Agents > Summary, then select the Sophos Central link next to the page title.

Open Sophos Central from Endpoint Agents Summary

Note

When you access Sophos Central via SSO from your Secureworks® Taegis™ XDR tenant, your user account role maps to specific permissions in Sophos Central. For details, see the user role mappings documentation.

For computers:

  1. Go to My Products > Endpoint > Policies.

    Locating Policy Settings

  2. Navigate to the Data Collection and Investigation feature and select a policy to open its details.

    Data Collection and Investigation Policy

    Note

    The base policy applies to all computers by default. You might also have custom policies for groups of computers that you specify.

  3. Select the Settings tab.

  4. Turn on Allow Live Response connections to computers.

    Enable Live Response

    Note

    When this setting is turned on, Live Response can connect to every computer the policy applies to. Use a custom policy scoped to a group if you want to limit which computers can be reached.

  5. Select Save.

For servers:

  1. Go to My Products > Server > Policies.

    Locating Live Response Settings

  2. Navigate to the Data Collection and Investigation feature and select a policy to open its details.

    Data Collection and Investigation Policy

    Note

    The base policy applies to all servers by default. You might also have custom policies for groups of servers that you specify.

  3. Select the Settings tab.

  4. Turn on Allow Live Response connections to servers.

    Enable Live Response

    Note

    When this setting is turned on, Live Response can connect to every server the policy applies to. Use a custom policy scoped to a group if you want to limit which servers can be reached.

  5. Select Save.

Start a Live Response Session🔗

Start a Live Response session on a Sophos Agent device by following the steps below:

Note

To start a session, you must have Tenant Administrator permissions in your XDR tenant. For information on roles, see User Roles.

  1. Select Endpoint Agents > Summary from the Taegis Menu.
  2. Select an agent entry to view the side drawer summary, or view all agent information in a new tab.
  3. Under Agent Details, select Sophos Live Response.

    Initiate Sophos Live Response Session

    Note

    The cog icon opens your Sophos Central tenant on the Policies page. Navigate to the Data Collection and Investigation feature there to configure Live Response settings.

    Data Collection and Investigation Policy

  4. A new browser tab opens with a terminal window. If the tab does not open, configure your browser to allow pop-ups.

  5. When prompted, record your reason for starting the Live Response session to meet audit requirements.

    Live Response Session Prompt

    Note

    The Settings button in the session tab also opens your Sophos Central tenant on the Policies page. Navigate to the Data Collection and Investigation feature there to configure Live Response settings.

    Data Collection and Investigation Policy

  6. At the command prompt, enter triage or remediation commands.

    Tip

    The terminal runs the connected device's native command interpreter: enter Windows command-prompt (DOS-style) commands on Windows devices, and UNIX or Linux shell commands on UNIX-like devices.

  7. Select End Session when you are finished.

    Note

    The session also ends if:

    • You close the tab.
    • You refresh the tab.
    • You browse elsewhere in XDR from the session tab.
    • There is no activity for 30 minutes.
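The triage and remediation commands you enter at step 6 depend on the endpoint's operating system. As an added example that is not part of the original page and is not Sophos or Secureworks code, the following POSIX shell functions show a Linux triage sequence of the kind an analyst would run in a Live Response session: sweep running processes for binaries executing from throwaway locations or already unlinked from disk, check common persistence points, list listening sockets, and then stop a process only after re-confirming that the PID still belongs to the binary that was triaged. The "suspicious" path list, the function names and the sample PID and path in the closing comment are assumptions for illustration; the script assumes a Linux host with /proc mounted.

```shell
#!/bin/sh
# Added example (not Sophos or Secureworks code): Linux triage helpers for a
# Live Response session. Assumes /proc is mounted; the suspicious-path list
# below is an illustrative assumption to tune per environment.

# Paths that legitimate daemons rarely execute from, plus binaries that were
# deleted while still running (readlink on /proc/PID/exe shows "(deleted)").
suspicious_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/run/user/*|*"(deleted)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "pid<TAB>exe<TAB>cmdline" for each process executing from a suspicious
# location. Entries we cannot read (other users' processes when not root,
# PIDs that exited mid-sweep) are skipped instead of aborting the sweep.
triage_processes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if suspicious_path "$exe"; then
            cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
        fi
    done
}

# Persistence sweep: cron entries and systemd units changed in the last day.
# A recent mtime is a cheap first filter, not proof of tampering.
triage_persistence() {
    echo "== cron =="
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* 2>/dev/null | grep -v '^#'
    echo "== systemd units modified in the last 24h =="
    find /etc/systemd/system /usr/lib/systemd/system -type f -mtime -1 2>/dev/null
}

# Listening sockets with their owning process; fall back to netstat if ss is absent.
triage_network() {
    if command -v ss >/dev/null 2>&1; then
        ss -tulpn 2>/dev/null
    else
        netstat -tulpn 2>/dev/null
    fi
}

# Stop a process only if it is still the binary you triaged. PIDs are reused,
# so re-check the executable before signalling.
# Returns 0 if TERM was sent, 1 if the PID is gone, 2 if the PID now belongs
# to a different binary.
stop_process() {
    pid=$1
    expected=$2
    actual=$(readlink "/proc/$pid/exe" 2>/dev/null) || {
        echo "pid $pid is not running" >&2
        return 1
    }
    if [ "$actual" != "$expected" ]; then
        echo "pid $pid is now $actual, not $expected; refusing to kill" >&2
        return 2
    fi
    kill -TERM "$pid" && echo "sent TERM to $pid ($expected)"
}

# Typical session order (hypothetical PID and path): enumerate first, then act.
# triage_processes; triage_persistence; triage_network
# stop_process 4242 "/tmp/.x/miner (deleted)"
```

Because every command typed in the session is captured in the session audit log, run the sweeps as short, descriptive one-shot commands rather than pasting large scripts; the audit trail stays readable and the "Purpose" you recorded at the start of the session can be matched to what was actually executed.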

Audit Live Response Activity🔗

You can review general Live Response activity in Sophos Central and view details for specific sessions.

View General Live Response Activity🔗

  1. Go to Reports > Logs.
  2. Under General Logs, select Audit Logs.
  3. Review session start and end times, the admin who started each session, the accessed device, and the "Purpose" entered when starting the session.
  4. For full session details, click See session audit logs next to a log entry.

Audit a Specific Live Response Session🔗

To access session audit logs, you must have Tenant Administrator permissions in your XDR tenant.

  1. Go to Reports > Logs.
  2. Under Endpoint & Server Protection Logs, select Live Response session audit.
  3. Find the session you want to review and select Download session log.
  4. The session log downloads as a gzip-compressed file.
  5. Extract the file to view it.

The audit log shows all commands entered during the Live Response session.