Sophos are excited to announce that from today we have started the rollout of the new Detections functionality to all Sophos XDR customers.
The rollout is being done in stages, with additional functionality being added over time. In this first release, customers have access to the new Detections dashboard, which provides a prioritized list of suspicious activity for further investigation. Suspicious activities are ranked on a 1-10 risk scale (10 being the most serious, 1 the least), making it easy for admins to identify and focus on critical areas.
In addition to this ranking, each activity includes a description, how it maps to the MITRE ATT&CK framework, and additional details where available, such as the time of the event, associated processes, executed command lines, file hashes, device, user, and much more.
While digging into the details of a suspicious item, it's easy to take further action with a context-aware list (aka pivoting) of deeper investigation options and immediate actions, such as running further searches, launching a Live Response session, creating a Threat Graph, and more.
Do customers need to do anything? The Detections dashboard requires the Sophos Data Lake to be enabled. If you have already enabled Data Lake uploads, no further action is required. To enable the Data Lake, go to Global Settings, open the Endpoint Protection/Server Protection category, click Data Lake uploads, and ensure that Upload to the Data Lake is enabled.
Stay tuned to this blog and we'll continue to update as new functionality is added.
I think these threat detections are very beneficial and should be exposed to the official API and the SIEM integration.
Check out the Video: https://vimeo.com/642523557