Improving threat detection and response in AWS with Sophos XDR

Chasing attacks through cloud environments can be tough if you don’t know what to look out for – and sometimes, even if you do.

That’s why Sophos Cloud Workload Protection with XDR (Extended Detection and Response) now includes new AWS cloud environment data sources, with easy-to-follow queries – which map to key elements of the MITRE ATT&CK IaaS matrix – to help while investigating incidents in AWS.

And it’s all thanks to our latest XDR integration, this time with Cloud Optix: the Sophos Cloud Security Posture Management service.

Enhanced cloud workload protection with XDR

Intercept X Advanced for Server with XDR and Cloud Optix are the backbone of Sophos Cloud Workload Protection.

Sophos Intercept X provides active protections to block the latest advanced threats from compromising hosts, data, and systems, while Sophos Cloud Optix ensures proper configuration of cloud resources and environments to proactively prevent attacks in the first place.

This connected approach is crucial for security controls as organizations deploy more cloud resources and leverage new cloud-native services such as containers and serverless technologies.

Breaking down Sophos XDR for cloud workloads

Extending data sources

Data sources are critical to an effective XDR strategy.
Sophos XDR goes beyond the endpoint, pulling in rich virtual network, SaaS email, and cloud workload data. This is now further enhanced with AWS cloud environment data sources from Cloud Optix to provide greater visibility of attacker tactics within cloud environments.

Use extended telemetry to detect activity

Sophos XDR enhanced with Cloud Optix data places security teams closer to the occurrences of security events, with cross-platform detection capabilities that can provide deeper insight and context to issues.
Using Cloud Optix data from AWS CloudTrail in Sophos XDR, teams can investigate AWS cloud environment API, CLI, and management console activities, using fully customizable and pre-written SQL queries mapped to the MITRE ATT&CK matrix, including the Initial Access, Persistence, Privilege Escalation, and Exfiltration tactics.

Investigate and respond to incidents with greater accuracy

One central console helps teams see the bigger picture during investigations, making it easy to quickly identify risk and possible compromise.
Cloud Optix data in Sophos XDR unlocks more value from AWS CloudTrail alerts and helps analysts more efficiently query the paths an attacker may take once gaining access to an AWS environment.
Teams can now pivot in the same console from detections such as multi-factor authentication (MFA) being disabled for an AWS IAM user; changes to AWS EC2 snapshot attributes that could allow resources to be copied, moved, or made publicly available; or data exfiltration from AWS EC2 instances. Additional queries that enrich investigations, such as IP address activity, ATP detections, and third-party threat intelligence lookups, can then be run to take action where needed.
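To make the two detections named above concrete, here is an added example (not Sophos or Cloud Optix code, and not their schema) that loads a handful of constructed CloudTrail records into an in-memory SQLite table and runs SQL over them the way an analyst would in an XDR data lake: one query for MFA removal from an IAM user (the IAM `DeactivateMFADevice` and `DeleteVirtualMFADevice` API calls) and one for an EC2 snapshot whose create-volume permission was granted to the `all` group. The table layout, the account IDs, snapshot IDs and IP addresses are all assumptions made for this illustration.

```python
"""Detection queries over constructed AWS CloudTrail events held in SQLite.

Added illustration, not Sophos / Cloud Optix code: the table layout and the
sample events are assumptions made for this example. The two queries mirror
the detections the post names: MFA removed from an IAM user, and an EC2
snapshot made publicly restorable.
"""
import json
import sqlite3

# Constructed sample CloudTrail records. The field names follow the CloudTrail
# event format; account IDs, ARNs, snapshot IDs and addresses are placeholders.
SAMPLE_EVENTS = [
    {
        "eventTime": "2021-06-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeactivateMFADevice",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {
            "userName": "alice",
            "serialNumber": "arn:aws:iam::111122223333:mfa/alice",
        },
    },
    {
        "eventTime": "2021-06-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {
            "snapshotId": "snap-0123456789abcdef0",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            # Granting the "all" group makes the snapshot publicly restorable.
            "createVolumePermission": {"add": {"items": [{"group": "all"}]}},
        },
    },
    {
        # Benign: the snapshot is shared with one specific account, not "all".
        "eventTime": "2021-06-01T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": {
            "snapshotId": "snap-0fedcba9876543210",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "444455556666"}]}},
        },
    },
    {
        # Read-only call with no request parameters; should match nothing.
        "eventTime": "2021-06-01T10:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": None,
    },
]


def load_events(events):
    """Flatten CloudTrail records into a queryable SQLite table (assumed schema).

    requestParameters is kept as a JSON text column so SQL can reach into it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE cloudtrail (
               event_time TEXT, event_source TEXT, event_name TEXT,
               user_name TEXT, source_ip TEXT, request_parameters TEXT)"""
    )
    rows = [
        (
            e["eventTime"], e["eventSource"], e["eventName"],
            e["userIdentity"].get("userName"), e["sourceIPAddress"],
            json.dumps(e["requestParameters"]) if e["requestParameters"] is not None else None,
        )
        for e in events
    ]
    conn.executemany("INSERT INTO cloudtrail VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


# MFA removed from an IAM user (Persistence / Defense Evasion in ATT&CK terms).
MFA_DISABLED_SQL = """
SELECT event_time, user_name, source_ip,
       json_extract(request_parameters, '$.userName') AS target_user
FROM cloudtrail
WHERE event_source = 'iam.amazonaws.com'
  AND event_name IN ('DeactivateMFADevice', 'DeleteVirtualMFADevice')
ORDER BY event_time
"""

# Snapshot create-volume permission granted to the 'all' group (Exfiltration).
# The subquery keeps json_each() away from rows with NULL request parameters.
SNAPSHOT_PUBLIC_SQL = """
SELECT c.event_time, c.user_name, c.source_ip,
       json_extract(c.request_parameters, '$.snapshotId') AS snapshot_id
FROM (SELECT * FROM cloudtrail WHERE event_name = 'ModifySnapshotAttribute') AS c,
     json_each(c.request_parameters, '$.createVolumePermission.add.items') AS item
WHERE json_extract(item.value, '$.group') = 'all'
ORDER BY c.event_time
"""


def run_detections(events=SAMPLE_EVENTS):
    """Return {detection_name: [matching rows]} for the two queries above."""
    conn = load_events(events)
    try:
        return {
            "mfa_disabled": conn.execute(MFA_DISABLED_SQL).fetchall(),
            "snapshot_made_public": conn.execute(SNAPSHOT_PUBLIC_SQL).fetchall(),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

Both queries return the acting user and source IP alongside the affected resource, which is the pivot an analyst needs next: the same `source_ip` and `user_name` can be joined back against the full table to see everything else that identity did around the same time.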

Getting started

To get started, you will need Intercept X Advanced for Server or Endpoint with XDR, and Sophos Cloud Optix with AWS CloudTrail enabled.

You can find out more about how Cloud Optix enables IT teams to proactively protect cloud environments at From there, you can try it for free, buy it in AWS Marketplace, and learn more about Sophos XDR for cloud workloads.
