We are pleased to announce that the early access program (EAP) for Sophos XDR Detections and Investigations is now open to all customers and partners. This new functionality helps admins use their time more efficiently by focusing them on resolving the most important issues first.
The EAP introduces the Detections dashboard, which provides a prioritized list of suspicious activity for further investigation. Suspect activities are ranked on a 1-10 risk scale, making it easy for admins to identify and focus on critical areas.
In addition to this ranking, each activity includes a description, its mapping to the MITRE ATT&CK framework, and, where available, additional details: time of the event, associated processes, executed command lines, file hashes, device, user, and more.
This broad set of information gives admins vital context, so they can quickly judge whether a suspicious item requires action and then take any necessary remedial steps.
As the EAP progresses, further enhancements to the Detections dashboard will be added, including:
- More details on suspect activity to give even greater context
- The ability to pivot, which helps admins to quickly take actions such as blocking threats
- Additional investigative actions available directly from the Detections dashboard
In December, the new Investigations dashboard will be added, which enables admins to collaborate more efficiently and share details on investigations that include multiple, separate detections.
Joining the EAP
Participants need to have an active Intercept X Advanced with XDR or Intercept X Advanced for Server with XDR license (or be trialing one of these products) to see and join the EAP.
From inside Sophos Central, click on the username in the top right of the screen, then select “Early Access Programs” and choose the “XDR – Detection and Investigation” EAP.
To start an in-product trial from inside Sophos Central, choose “Free Trials” on the left-hand column, then select either Intercept X Advanced with XDR or Intercept X Advanced for Server with XDR.
Customers already enrolled in the New Endpoint/Server Protection Feature EAP can also join the XDR – Detection and Investigation EAP.
Enabling Data Lake uploads
Detections are populated based on data observed in the Sophos Data Lake; therefore, this functionality requires that uploading of data to the Data Lake be enabled.
In the Sophos Central console, select “Global Settings” then under Endpoint or Server Protection (or both) select the “Data Lake uploads” setting and toggle “Upload to the Data Lake” on.
Once enabled, we will perform scheduled hydration queries against the organization’s devices. These queries capture threat-hunting data of interest and send it to the Data Lake. Specific devices can be excluded from Data Lake hydration in this same settings menu.