Feedback on Detections and Investigations


I had a look through Detections and Investigations today.


  • There seems to be an issue with the filters - I see it show "4 filters" applied when first opening the page, BUT then when showing the filters 5 filters are shown as selected (risk 6 - 10 = 5) -- applying immediately applies 5 filters. Minor issue, but there in our instance.
  • Perhaps some indication of how many detections there are, as for many customers - where there are no issues (good thing) - they will just see a blank page and have no idea what this feature does at first glance. There are many risk level 5 detections that could help show customers immediately what this is doing.
  • The machine learning engine needs to take into account other processes that are being called and/or referenced by any given process and provide information on all of these. This is usually the actual crux of the issue and is blindingly obvious.
    e.g. -- What is the point in running ML type checks against the "reg.exe" process - i.e. a well known trusted Windows process -- WHEN it is blindingly obvious when looking at the command line parameters that this command is being used to load another executable? I would like Sophos to assess the other executable, NOT the super common one -- same thing with msiexec and rundll etc. -- this is the actual thing that needs to be assessed, not "reg.exe".
    The Pa
  • Other than this, this is an improvement over the previous system. And this is certainly essential to "automatically" - not manually like other XDR tasks - discover threats in the environment. So pretty good, except where it comes to Investigations....


  • This looks half finished in the instance I am seeing.
  • I get an error when trying to add a detection to an investigation - "Failed to add detection - please try again" -- I have not been able to get this to work.
  • Why do I need to create an investigation first and then add a detection to this? From the detection page I should be able to kick off an investigation on what I am seeing. As above, even if this could work, that workflow seems bonkers.
  • Why is this essentially a re-write of the existing "investigations" tech in threat graphs? How will the now possibly two investigation systems work?
  • After creating an Investigation and closing and/or archiving it, it still sits there -- why?? This is the same as the threat graphs "investigations" -- why is "Show All" the default view? It should be "Show New" -- if I've closed/archived a case I don't want to ever see it again, only if I need to look for it. How would this possibly scale to more than 20 investigations? We have seen zero customer uptake of this system to undertake investigations because it just does not make sense.
  • There needs to be a way for me to make a rule as part of an investigation to detect similar types of investigations and auto-close them as such. This system is prone to massive noise, reporting all the same things over and over again. If a technician goes through the process of investigation and, more often than not, discovers a false positive (99% of cases), they need a way to have the time they spend on this not wasted -- if tomorrow the same detection happens again then what is the point? Creating a quick rule, or automated if required, to ensure the detections they are working on are filed away and don't create alerts.
  • Where are the search and/or column sorting options for Investigations? With 1-5 investigations it might not be a problem, but if this was to be used for 5 or more it would become a massive annoyance.
  • What's the point of an "Actions" button that only has one action in it? Again, it looks like this is half finished, which is fine - it's early access - although in any of the early access programs I have not seen any significant changes occur during the release. But still I would say that there should be at least one button for the main action admins need to do (create investigation perhaps) and then an actions button for other actions (you need some other actions).

I really do hope this improves, as this is one of the big missteps with XDR -- customers cannot see the benefits -- there need to be many more things that can be set up to automatically help customers without any involvement, otherwise they will not do anything -- I know it's a selling point for MTR, but still the base product should at least provide an automated benefit.

Sophos really needs to work on making it easy for customers to discover useful information from endpoints -- another pass over the whole XDR method of running searches is required, I think.
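The pivot asked for in the third bullet above (score the file that reg.exe, msiexec or rundll32 is acting on, not the trusted host process) as an added Python example. This is not Sophos code: the host list, the artifact extensions and the process events are all constructed for the illustration.

```python
import re

# Trusted Windows hosts named in the post that act on behalf of another file (assumed list).
PROXY_HOSTS = {"reg.exe", "msiexec.exe", "rundll32.exe"}
# File types worth handing to the ML/reputation check instead of the host (assumed list).
ARTIFACT_EXTS = (".exe", ".dll", ".msi", ".reg", ".cpl", ".scr")
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]

def referenced_artifacts(image: str, cmdline: str) -> list[str]:
    """Paths the host process loads, installs or imports, excluding its own image."""
    host = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if host not in PROXY_HOSTS:
        return []  # an ordinary process: nothing to pivot to
    found: list[str] = []
    for tok in tokenize(cmdline):
        # rundll32 takes "library.dll,EntryPoint"; keep only the library path.
        path = tok.split(",", 1)[0]
        name = path.rsplit("\\", 1)[-1].lower()
        if name == host:
            continue  # the host's own image is not the thing to assess
        if name.endswith(ARTIFACT_EXTS) and path not in found:
            found.append(path)
    return found

def enrich(events: list[dict[str, str]]) -> list[dict[str, object]]:
    """Attach to each {'image', 'cmdline'} record the artifact list a detection should score."""
    return [dict(e, assess=referenced_artifacts(e["image"], e["cmdline"])) for e in events]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg import "C:\Users\Public\Documents\settings.reg"'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\helper.dll,Start"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Public\Downloads\setup.msi" /qn'},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for rec in enrich(SAMPLE_EVENTS):
        host = rec["image"].rsplit("\\", 1)[-1]
        print(host, "->", rec["assess"] or "(score the host itself)")
```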

  • Hi AlexBruce,

    Thank you for using our detections and investigations EAP; we appreciate the time you took to put together this feedback for us.

    There was an issue our QA flagged with the display of filters showing inconsistent numbers. We are rushing to fix the issues in our backlog, so you will definitely notice improvements in the performance and display inconsistencies in the coming weeks.

    The total number of detections is a great idea; we at first didn't want to alarm, since these are suggestions to investigate further and anything more severe will get blocked by Sophos already. We will be adding dashboards and trends in the future which will show statistics on total detections and investigations.

    We have added data pivots to collect additional information on artifacts you are interested in. We have added parent-child process relationships and in the future will be adding playbooks to automate some of the frequent workflows and chain together multiple Live Discover queries. I will be passing the feedback to our labs team to see how we could make the data enrichment of processes much more useful from the obvious trusted processes.

    As for investigations, we wanted to have the ability to correlate multiple detections into a single case where they could be tracked and investigated. What you just saw is an early release; there are more features being released these next few days. Our QA testing has spotted the issues you have raised and we will be doing fixes with every sprint release. There will be automatic case generation based on the rules our MTR team uses, which will automatically group detections that occur on the same devices using the classification rule. The roll out of this started today, so you should be seeing it soon in your instance.

    We do have an auto-close rule depending on the status of the investigation: if it hasn't been started or if it is in closed status, it will be purged from the system after 90 days. If you move the status to archive, it will be stored indefinitely at the moment.

    Filtering and sorting are coming to investigations soon. We will be adding additional actions and have made that spot a futureproof placeholder for when we do have more than 1 action.

    Rest assured that there will be ongoing improvements to detections and investigations. We want to get features out the door quickly and get feedback from people just like you who help us steer where we should prioritize improvements. Once again, thank you very much for sharing feedback; it is great to know how users put our features into practice and what is important to them. Please keep them coming!