I had a look through Detections and Investigations today
I really do hope this improves as this is one of the big missteps with XDR -- Customers cannot see the benefits -- there need to be many, many more things that can be set up to automatically help customers without any involvement, otherwise they will not do anything -- I know this is a selling point for MTR, but still the base product should at least provide an automated benefit.
Sophos really need to work on making it easy for customers to discover useful information from endpoints -- another pass over the whole XDR method of running searches I think is required.
Thank you for using our detections and investigations EAP; we appreciate the time you took to put together this feedback for us.
There was an issue our QA flagged with the display of filters showing inconsistent numbers. We are rushing to fix the issues in our backlog, so you will definitely notice improvements in performance and in the display inconsistencies in the coming weeks.
The total number of detections is a great idea; we at first didn't want to alarm, since these are suggestions to investigate further and anything more severe will get blocked by Sophos already. We will be adding dashboards and trends in the future which will show statistics on total detections and investigations.
We have added data pivots to collect additional information on artifacts you are interested in. We have added parent-child process relationships and, in the future, will be adding playbooks to automate some of the frequent workflows and chain together multiple Live Discover queries. I will be passing the feedback to our Labs team to see how we could make the data enrichment of processes much more useful from the obviously trusted processes.
As for investigations, we wanted to have the ability to correlate multiple detections into a single case where they could be tracked and investigated. What you just saw is an early release; there are more features being released these next few days. Our QA testing has spotted the issues you have raised, and we will be doing fixes with every sprint release. There will be automatic case generation based on the rules our MTR team uses, which will automatically group detections that occur on the same devices and using the classification rule. The rollout of this started today, so you should be seeing it soon in your instance.
We do have an auto-close rule depending on the status of the investigation where if it hasn’t been started or if it is in closed status, it will be purged from the system after 90 days. If you move the status to archive, it will be stored indefinitely at the moment.
Filtering and sorting are coming to investigations soon. We will be adding additional actions and have made that spot a future-proof placeholder for when we eventually do have more than one action.
Rest assured that there will be ongoing improvements to detections and investigations. We want to get features out the door quickly and get feedback from people just like you, who help us steer where we should prioritize improvements. Once again, thank you very much for sharing feedback; it is great to know how users put our features into practice and what is important to them. Please keep it coming!