For those enrolled in the XDR & EDR Data Lake early access program (EAP), this week we will be launching new pivoting capabilities that allow administrators to rapidly navigate from the result of one query to an available Action, Query, or Enrichment.
Currently we are just beginning to enable pivots in the EAP and support pivoting to a single device Action: Scan Device. Additional actions such as 'Isolate Device', 'Launch Live Discover' and 'Generate a threat case for a given process/pathname' will be added over time.
Pivoting to another query is supported from a SophosPID, IP-Address or SHA256. The list of available queries is determined by the variable types of the queries already in the system, both the queries provided by Sophos and those created by administrators. To make one of your own queries a pivot target, simply change its Variable 'Type' to match the PIVOT type you want to use. When you pivot, the contents of the cell you are pivoting from are filled into the variable of the matching pivot type and the query opens in a new browser tab.
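To make the matching rule concrete, here is an added example (not Sophos code, and not the real Data Lake variable syntax) that models the pivot mechanism described above: a catalogue of queries, each declaring the variable type it accepts, a lookup of the queries available for a given pivot type, and a fill-in step that validates the cell value against its declared type before substituting it. The query names, table names, the `{value}` placeholder and the SophosPID pattern are all assumptions made for this illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# The three pivot types named in the announcement.
PIVOT_TYPES = ("SophosPID", "IP-Address", "SHA256")


@dataclass(frozen=True)
class Query:
    name: str            # display name of the query
    variable_type: str   # the Variable 'Type' the query declares; one of PIVOT_TYPES
    template: str        # hypothetical template; "{value}" stands in for the variable


# Constructed catalogue. Table and query names are illustrative only.
CATALOGUE = [
    Query("Processes by hash", "SHA256",
          "SELECT * FROM process_events WHERE sha256 = '{value}'"),
    Query("Files by hash", "SHA256",
          "SELECT * FROM file_events WHERE sha256 = '{value}'"),
    Query("Connections to address", "IP-Address",
          "SELECT * FROM network_events WHERE remote_ip = '{value}'"),
    Query("Process tree", "SophosPID",
          "SELECT * FROM process_events WHERE sophos_pid = '{value}'"),
]


# Validators: a pivot only fills a cell value into a query when the value is
# well formed for the declared type, so stray text in a result cell (a quote,
# a comment marker) never reaches the query text.
def _is_sha256(value: str) -> bool:
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_sophos_pid(value: str) -> bool:
    # Assumed shape: digits and a few separator characters. Not Sophos' real format.
    return re.fullmatch(r"[0-9:_-]{1,64}", value) is not None


VALIDATORS = {"SHA256": _is_sha256, "IP-Address": _is_ip, "SophosPID": _is_sophos_pid}


def available_pivots(catalogue, pivot_type):
    """Queries offered as pivot targets: those whose variable type matches the cell's type."""
    return [q for q in catalogue if q.variable_type == pivot_type]


def pivot(catalogue, pivot_type, cell_value):
    """Fill the cell value into every matching query; returns {query name: filled query}."""
    if pivot_type not in VALIDATORS:
        raise ValueError(f"unknown pivot type {pivot_type!r}")
    if not VALIDATORS[pivot_type](cell_value):
        raise ValueError(f"cell value is not a well-formed {pivot_type}: {cell_value!r}")
    return {q.name: q.template.format(value=cell_value)
            for q in available_pivots(catalogue, pivot_type)}


if __name__ == "__main__":
    # Constructed result cells, as an analyst might click them in a result grid.
    for ptype, cell in [("SHA256", "a" * 64), ("IP-Address", "10.0.0.5"), ("SophosPID", "4242:17")]:
        for name, sql in pivot(CATALOGUE, ptype, cell).items():
            print(f"[{ptype}] {name}: {sql}")
    # A malformed cell is refused rather than substituted.
    try:
        pivot(CATALOGUE, "SHA256", "abc' OR 1=1 --")
    except ValueError as err:
        print("rejected:", err)
```

The point of the validation step is that the pivot fills cell contents into a query automatically; treating the cell value as untrusted input and checking it against the declared type before substitution is the defensive habit to carry over to any query tooling you build yourself.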
Known Issues:
When pivoting to a device query, admins will have to select the devices that the query will be sent to, and they will need to select RUN to execute the pivot and view results.
Check out this video which gives a great overview of the new feature:
See this blog post for more details on the XDR & EDR Data Lake early access program.
If you haven't already enrolled and are looking to join the early access program, check out this blog post, which has all the instructions you need to get up and running.
The dedicated XDR EAP community contains all relevant blog posts, a discussion forum to help answer your questions, a query forum for sharing example queries and getting assistance with queries, and lots of other material you'll find useful for testing this new functionality.