Announcing Sophos XDR and EDR 4.0

ProductsSophos EDRSophos XDR

This upcoming release brings both powerful XDR capabilities as well as significant enhancements to EDR functionality

On May 5, we are announcing some exciting product updates including the launch of Sophos XDR (Extended Detection and Response) and significant enhancements to Sophos EDR (Endpoint Detection and Response). General availability is planned for May 19.

What’s new?

Introducing Sophos XDR
Sophos XDR goes beyond endpoints and servers, also pulling in rich Sophos Firewall and Sophos Email data (Sophos Mobile and Cloud Optix XDR-integration is coming soon) with 30 days of storage in the Sophos Data Lake. Which means organizations get even more detailed insight into their environments when performing threat hunting or IT operations tasks.

Users get both the broad, big picture view of their cybersecurity environment with the ability to deep dive into areas of interest for granular detail. It’s the best of both worlds.

Here are just a few Sophos XDR use cases:

IT Operations Threat Hunting
  • Identify unmanaged, guest and IoT devices
  • Why is the office network connection slow? Which application is causing it?
  • Look back 30 days for unusual activity on a missing or destroyed device
  • Extend investigations to 30 days without bringing a device back online
  • Use ATP and IPS detections from the firewall to investigate suspect hosts
  • Compare email header information, SHAs and other IoCs to identify malicious traffic to a domain

You can see more examples in the EDR/XDR use cases PDF.

Sophos XDR includes a data lake retention period of 30 days (7 days with EDR). Sophos XDR and the Sophos Data Lake will be available for Windows and Linux at launch (May 19). macOS support is planned for H2CY21. MSP Flex availability is scheduled for late June.

How do I sell Sophos XDR?
Sophos XDR (CXDR) is an overlay license that enables 30 days of data collection from any Sophos XDR-ready product.

XDR-ready products feed data to the Sophos Data Lake and require their own separate license, for example Intercept X Advanced with EDR (CIXAEDR), Intercept X Advanced for Server with EDR (SVRCIXAEDR), Sophos Firewall (XG/XGS) with Xstream Protection or Sophos Email Advanced (CEMA).

For further details on requirements, exclusions, and example licensing scenarios, please read the Sophos XDR Licensing Guide.

For sales tools and additional resources, visit the Sophos Partner Portal.

Note that only Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR can use Sophos XDR without having another XDR-ready product. See the license guide for further details.

Offline Access with the Sophos Data Lake
A key component of both XDR and EDR, the Sophos Data Lake stores critical data from XDR and EDR enabled devices, enabling access to that data even when devices are offline. For example, look back for unusual activity on a device that has been destroyed or taken without authorization. It’s an important part of cybersecurity visibility giving organizations the ability to see their entire environment and quickly drill down to granular areas of interest. Data retention periods are 7 days (EDR) and 30 days (XDR). That’s in addition to the up-to 90 days of on-disk data stored on devices.

EDR gets even better – again!
This latest version of EDR (4.0) brings some incredible enhancements, which will (at GA) be available to existing EDR users.

Sophos Data Lake
EDR customers will have the ability to get data up to 7 days in the past from their endpoints and servers, even if those devices aren’t currently online, in addition to the up-to 90 days of on-disk data they have currently. Note that customers have to enable the Sophos Data Lake.

Scheduled queries
Users can schedule queries to run overnight so key data is ready and waiting for assessment in the morning and they have the information needed to perform critical threat hunting and IT operations tasks. Initially scheduled queries are available for the Sophos Data Lake with on-device Live Query following.

Enhanced usability
Users can work even faster with enhancements to workflows and pivoting that help them get to key information faster and enable them to take actions and respond even faster.


Tools to help

Web content




Email campaigns will be available at product GA.

Feedback has been great
These new features have been extensively tested in the early access program and feedback has been fantastic.

“Just ran a test query and I must say it’s super fast.”

“Pivoting is beautiful!”

I am absolutely loving the data lake queries.”