We’re excited to announce that our new search experience that makes it easier to investigate and hunt threats on the endpoint is now available to all Sophos XDR customers. This feature has been running in our Early Access Program (EAP) for the last 8 weeks. Thank you to everyone who joined the EAP and provided feedback 

What’s Included?

The feature includes a new Search functionality that leverages the Apache Lucene query language, which is more straight forward and less verbose than SQL.  Notably, we’ve also begun to standardize field names on a common taxonomy, starting with Sophos Endpoint data stored in the Sophos Data Lake. The available fields are listed in the search page itself so that you don’t have to cross-reference documentation before using it. 

How to Access and Use the New Search

The feature is available as a new option in the Threat Analysis Center menu:

Once you open up the new Search feature you can use the query builder to create your query.

Endpoint Data – In this first release the data available to search will be Endpoint Data that has been hydrated into the Data Lake. In future releases, we intend to make additional data searchable through this experience as well.

You can continue to extend your query using Operators to search across different categories and fields. Once you have run your query you will see the results in the table view; here you can then expand the results to either further refine your search, or export your results. 

You can find more information about this feature in the Sophos Central Help documentation: https://doc.sophos.com/central/customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/Search/index.html