Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=NDR-aws

Sophos NDR on AWS

You must have the Sophos Network Detection and Response integration license pack to use this feature.

Sophos Network Detection and Response (NDR) detects malicious behavior on your network.

You can integrate Sophos NDR with Sophos Central so that its detections are available for investigation in the Threat Analysis Center.

The integration uses an appliance that receives data and forwards it to the Sophos Data Lake.

The main steps are as follows:

  • Check the requirements.
  • Create a Sophos appliance. This is based on a CloudFormation template.
  • Subscribe to Sophos NDR in AWS.
  • Create a stack. You specify the VPC and subnets for NDR here.
  • Create a traffic mirror session. This sends traffic to NDR for analysis.
  • Edit security groups to allow syslog traffic and give access to Sophos Appliance Manager.
  • Set a password for Sophos Appliance Manager.

Appliance Manager lets you monitor and manage the Sophos NDR appliance.

Requirements

To set up Sophos NDR on AWS, you need the following accounts and infrastructure:

  • An AWS account.
  • A Sophos Central account.
  • EC2 instances.
  • VPCs, subnets, and availability zones. You can use the ones you already have.
  • At least one allocated Elastic IP Address to be used by the NDR management interface.

We support these EC2 instance types:

  • c5n.2xlarge
  • c6i.4xlarge
  • c7i.16xlarge (nitro virtualization)

You must create and save your SSH private key for the AWS account.

You must have a VPC created in any of the regions of your choice. Here’s an example of a VPC resource map:

Example VPC resource map.

Create an appliance

To create and configure a Sophos appliance, create and download a CloudFormation template.

Create the CloudFormation template

To create a CloudFormation template, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Find and click Sophos Network Detection and Response (NDR).

  3. On the NDR page, in Data Ingest (Security Alerts), click Add Configuration.

    Integration setup steps appears.

  4. In Step 1, enter a name and description for the integration.

    Integration steps.

  5. In Step 2, create a CloudFormation template (CFT). In Virtual platform, select AWS.

    Select the virtual platform.

  6. Click Save.

A CloudFormation (CF) json file aws_ndr_cf_latest.json is created.

Download the CloudFormation template

To download the CloudFormation template, do as follows:

  1. In Sophos Central, go to Integrations > Configured.
  2. Select the Integration Appliances tab and find the Sophos NDR appliance.

  3. In the rightmost column, click the three dots, and select Download image.

    The configured integrations list showing the download options.

The aws_ndr_cf_latest.json file is downloaded to your Downloads folder.

Subscribe to Sophos NDR

You must subscribe to NDR in the AWS Marketplace console. To do this, do as follows:

  1. Go to the AWS Marketplace page and find Sophos NDR.

  2. On the Product Overview page, click Continue to Subscribe.

    NDR "Product Overview" page.

  3. On the Subscribe to this software page, accept the terms and conditions and click Continue to Configuration.

    "Subscribe to this software" page.

  4. On the Configure this software page, check the version and region, and click Continue to Launch.

    "Configure this software" page.

  5. On the Launch this software page, click Usage instructions to see how to access Sophos Appliance Manager.

    "Launch this software" page.

  6. Click Launch.

AWS opens the Create stack page.

Create stack

Now you use the downloaded CloudFormation template to create an NDR Sensor for your AWS Account. To do this, you create a stack.

  1. On the Create stack page, do as follows:

    1. Leave Template is ready selected.
    2. In Specify template, select Upload a template file.
    3. Click Choose file and select aws_ndr_cf_latest.json.
    4. Click Next.

    "Create stack" page showing choice of template file.

  2. On the Specify stack details page, enter a name and the following Network Configuration details:

    1. An existing VPC that you want to use for NDR.
    2. A subnet for the NDR Management Interface. This is a public subnet.
    3. A subnet for the NDR syslog interface. This lets NDR attach an interface which can be used later if you add another, third-party log collector.
    4. A subnet for the NDR SPAN interface. The SPAN interface takes a mirrored copy of network traffic and sends it to NDR for analysis.
    5. The security group that gives admins SSH access to the NDR instance.

    The completed network configuration details look like this example:

    "Specify stack details" page.

  3. Under EC2 Instance Configuration, enter the SSH key needed to access the NDR EC2 instance, and click Next.

    Note

    You created and saved this SSH key pair earlier.

    "EC2 Instance Configuration" field.

  4. On the Configure Stack options page, accept the default AWS settings or make changes if you want to. Click Submit.

The CloudFormation template automatically chooses the right regions and AMIs based on the AWS region of the account you used to upload the template.

Wait for the NDR Sensor to be created. This can take five or six minutes.

Create a traffic mirror session

Create target mirror sessions to mirror network traffic and forward it to NDR. To do this, do as follows:

  1. In AWS, go to VPC > Traffic mirror sessions > Create traffic mirror session.

  2. In Session settings, do as follows:

    1. Enter a Name Tag and Description.
    2. In Mirror Source, enter the network interface you want to mirror network traffic from.
    3. In Mirror Target, enter the SPAN interface to mirror network traffic to. Select the NDR SPAN Target that the CloudFormation template created for you.

    Traffic mirror session settings.

  3. In Additional settings, do as follows:

    1. Enter a session number. The number decides the order in which to evaluate sessions from the same source.
    2. Set VNI (Virtual Network Interface) to 1.
    3. In Filter, select the NDR Traffic Mirror Filter that the CloudFormation template has already created.
    4. Click Create.

    Traffic mirror additional settings.

Edit the security groups

You need to edit the AWS security groups. This lets you make these changes:

  • Allow syslog traffic to go to the appliance.
  • Give access to Appliance Manager.

To edit security groups, do as follows:

  1. In AWS, go to the Sophos NDR appliance's security details.

    To do this, enter the appliance name in the AWS console search bar. When you find it, select the EC2 tab, and click the Sophos Appliance instance.

  2. On the Instance Summary page, scroll down to the tabbed pages, and select the Security tab.

  3. Find the InternalSyslogSG group and enter the source from which you want to allow traffic for log collection.

  4. Find the InternalMgmtSG security group. The CloudFormation template created this for you. Add your admins to the group and give them access to port 8443 in Inbound rule.

    Security groups inbound rules.

Before you can use Appliance Manager, you also need to set a password.

Set password for Appliance Manager

The username for Appliance Manager is zadmin. To set the password, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.

  2. Go to the Integration Appliances tab.

  3. Find your appliance. In the rightmost column, click the three dots and select Open Appliance Manager.

    Appliance actions menu.

  4. In the confirmation dialog, click reset it.

    Confirmation dialog.

Any other admins who want to use Appliance Manager must also set a password.