AI Assistant Available Now
Cyber threats are growing more sophisticated every day, leveraging automation, AI-driven phishing, and zero-day exploits. Security teams grapple with massive alert volumes, inconsistent tools, and a shortage of skilled professionals. Traditional investigations take too long, and businesses are at risk when security analysts suffer from alert fatigue. A new, more efficient approach is paramount to keep up with modern cyber threats.
Introducing the XDR AI Assistant—a game-changing way to investigate and respond to threats. Powered by large language models (LLMs) tailored for cybersecurity, it streamlines investigation processes by:
- Providing real-time insights
- Contextualizing threat data
- Offering natural language-driven recommendations
This feature is available to customers who have joined the New AI Features Early Access Program (EAP) in Sophos Central. By assigning tasks to specialized tools within the Sophos XDR platform—ranging from Live Discover queries to SophosLabs Intelix threat lookups—the AI Assistant executes these actions on behalf of the user simultaneously.
Core Use Cases
- Context-Aware Case Investigations: Receive detailed triage and response insights.
- Command Line Analysis: Get natural language breakdowns of suspicious PowerShell commands or scripts.
- Data Queries: Retrieve information across endpoints, servers, or network activity simply by asking in plain English.
- Case Reporting: Generate reports summarizing key findings, threat details, and recommended actions.
Key Features
- Automatic Observable Extraction: Identifies Indicators of Compromise (IoCs) such as impacted entities, URLs, IP addresses, and malicious file metadata.
- Contextual Investigations: The assistant retains memory of previous interactions in the thread, including updated case details.
- Integrated Threat Intelligence: Taps directly into SophosLabs Intelix for threat scoring, classification, and analysis.
- Case Notebook Integration: Adds findings to the case notebook.
Capabilities
| Capability | Description |
| --- | --- |
| Threat Intelligence & Reputation | Provides real-time lookups of IPs, URLs, domains, and file hashes. Delivers risk scoring from multiple intelligence sources for context-rich investigations. |
| Case Summaries & Investigations | Retrieves detection details, associated events, and threat context. Summaries help analysts rapidly assess case status. |
| Endpoint Management & Device Status | Enables real-time endpoint oversight. Tracks device health, licensing, and connectivity for single or bulk endpoints. |
| Command Line Analysis | Interprets and classifies suspicious command lines (e.g., PowerShell or Bash). Identifies obfuscated or malicious behaviors quickly. |
| Live Endpoint Query | Allows scriptable queries that run on live endpoints for real-time investigations (e.g., listing active processes or enumerating services). |
| Data Lake Query | Executes queries against the Sophos Data Lake, which stores historical telemetry for threat hunting and audit purposes. |
| CVE Data Retrieval | Fetches vulnerability data (severity, references, etc.) from the National Vulnerability Database. Assists in correlating alerts with known CVEs. |
Getting Started
For more information about how to begin using the XDR AI Assistant, see Getting Started with the XDR AI Assistant.
If you'd like tips for how to create better prompts, see How to Craft Effective Prompts.
Frequently Asked Questions
General
What is the Sophos XDR AI Assistant?
It is a generative AI-driven feature within the Sophos Extended Detection and Response (XDR) platform. The AI Assistant uses natural language processing (NLP) to help identify, correlate, and prioritize cyber threats more efficiently than conventional methods.
Who is the intended audience for this feature?
The feature is intended for IT and security professionals, including SOC analysts, security engineers, and IT administrators seeking to enhance and streamline their investigative workflows.
How does the AI Assistant improve security investigations?
- Upskilling Analysts: Offers immediate insights, lowering the barrier of entry for less-experienced users.
- Contextual Analysis: Interprets and correlates historical case data, threat intelligence, and logs.
- Task Workflows: The Task API sequentially executes a series of tasks—from endpoint queries to threat intel lookups—maximizing speed and accuracy.
How can I find some helpful terminology for this feature?
The Terms section has a glossary of key terms and definitions that users might encounter while using the Sophos XDR AI Assistant.
How do I license AI features in Sophos XDR?
The following licenses grant access to AI features:
- Sophos Intercept X Advanced with XDR
- Sophos MDR Essentials
- Sophos MDR Complete
How do I join the New AI Features EAP?
- When logged into Central, click on the profile button in the top right corner of the screen and select Early Access Program.
- On the Early Access Program page, click the Join button for the New AI Features EAP.
- On the next New AI Features screen, click Continue.
- Next, check the I accept the Sophos End User Terms of Use checkbox and click the Accept button.
- You are now enrolled in the EAP.
This program does not currently have an expiry date. If you have any questions about AI features or encounter any problems, please visit the New AI Features EAP Discussions Community.
We also encourage you to enroll in the New Endpoint/Server Protection Features Early Access Program. Doing so will enable endpoints to hydrate the Sophos Data Lake using our enhanced endpoint data schema, unlocking new potential for upcoming AI features, including AI Search.
Product & Technical
How does the AI Assistant ensure accuracy in threat analysis?
It uses state-of-the-art large language models (LLMs). Feedback is continuously collected through the interface, regularly evaluated, and incorporated into the product. Additionally, the MDR Operations team and a committee of valued customers and partners help to assess feature performance, ensuring ongoing accuracy and relevance.
What data sources does the AI Assistant analyze?
The AI Assistant can retrieve and analyze data from the following XDR-integrated sources:
- Sophos Endpoint Protection (Windows)
- Sophos Server Protection (Windows)
As the feature matures, data from other sources will be accessible using the AI Assistant.
Are XDR AI features available for Sophos-managed cases?
No. At the moment, the AI Assistant is available only for self-managed cases, not for those handled by the Sophos MDR Operations team.
Can the AI Assistant perform response actions?
Currently, its focus is on investigative guidance rather than direct remediation. With this insight, analysts can use the Sophos XDR platform to perform fast human-initiated actions.
How do XDR AI features use my data?
For full details on how Sophos processes and secures data, refer to the official XDR AI features FAQs on Sophos Central Admin.
What languages are supported?
Currently, English is the only supported language for XDR AI features.
Who can see my conversation with the XDR AI Assistant?
- Each user has access to an AI Assistant thread for each case.
- Only one thread can be active at a time for each user.
- Users can only see their own conversation history.
What roles are needed to use AI features?
Super Admin and Admin roles are required in Sophos Central to fully access XDR AI features.
How does the AI Assistant work?
It leverages LLMs adapted to cybersecurity. By retaining context from prior user interactions, it refines the investigative process—transforming raw data into actionable recommendations. Additionally, it integrates with multiple plugins (e.g., threat intel, data lake queries) to deliver real-time, threat-specific insights.