Sophos XDR: Detections and Investigations Early Access Program Now Open

We are pleased to announce that the early access program (EAP) for Sophos XDR Detections and Investigations is now open to all customers and partners. This new functionality helps admins spend their time more efficiently by focusing on resolving the most important issues quickly.

The EAP introduces the Detections dashboard, which provides a prioritized list of suspicious activity for further investigation. Suspect activities are ranked on a 1-10 risk scale, making it easy for admins to identify and focus on critical areas.

In addition to this ranking, each activity includes a description, how it maps to the MITRE ATT&CK framework, and potential additional details: time of the event, associated processes, executed command lines, file hashes, device, user, and more.

This broad set of information gives admins vital context, making it easy to quickly understand if a suspicious item requires action and then easily take any necessary remedial steps.

As the EAP progresses, further enhancements to the Detections dashboard will be added, including:

  • More details on suspect activity to give even greater context
  • The ability to pivot, which helps admins to quickly take actions such as blocking threats
  • Additional investigative actions available directly from the Detections dashboard

In December, the new Investigations dashboard will be added, which enables admins to collaborate more efficiently and share details on investigations that include multiple, separate detections.

Later in the EAP, we also plan to release an Office 365 connector which will enable access to O365/Azure audit logs, giving admins the ability to query this incredibly rich data and incorporate it into their threat hunting and IT operations activities.

Joining the EAP

Participants need to have an active Intercept X Advanced with XDR or Intercept X Advanced for Server with XDR license (or be trialing one of these products) to see and join the EAP.

From inside Sophos Central, click on the username in the top right of the screen, then select “Early Access Programs” and choose the “XDR – Detection and Investigation” EAP.

To start an in-product trial from inside Sophos Central, choose “Free Trials” on the left-hand column, then select either Intercept X Advanced with XDR or Intercept X Advanced for Server with XDR.

Customers already enrolled in the New Endpoint/Server Protection Feature EAP can also join the XDR – Detection and Investigation EAP.

Enabling Data Lake Uploads

Detections are populated based on data observed in the Sophos Data Lake, so this functionality requires that you turn on the uploading of data to the Data Lake. In your Sophos Central console, select ‘Global Settings’, then under Endpoint or Server Protection (or both) select the ‘Data Lake uploads’ setting and turn on the ‘Upload to the Data Lake’ toggle. Once enabled, we will perform scheduled hydration queries on your devices, which capture interesting threat hunting related data and send it to the Data Lake. From the settings page you can also exclude specific devices from sending data to the Sophos Data Lake if you wish.

Watch SophSkills Session for Further Details

Recently, we invited all our partners to join a SophSkills session about the EAP. In case you missed it, check out the recording in the Sophos Partner Portal (login required). Karl Ackerman and Kevin Kingston from our product management team introduce the EAP and its features in a 45-minute session.