Getting Started with the XDR AI Assistant

Getting Started

Accessing the AI Assistant

  1. Open Sophos Central and navigate to the Threat Analysis Center.

  2. Go to the Cases page and select (or create) a case.

    • Note: AI features aren't available for Sophos-managed MDR cases.

  3. Open the AI Assistant tab to begin interacting through the chat-like interface.

The Basics

Starting the Investigation

  • When a new thread is created, the AI Assistant automatically collects the relevant case information and detections to establish the current context.

  • The AI Assistant tab shows a set of suggested prompts.

  • Click any prompt to populate the chat box, then run it.

  • Examples: "What actions can I perform?", "Show impacted endpoints", "Analyze suspicious command lines".

Custom Prompts

  • Type your own request in plain English—no special syntax needed.

  • Example: "Check for processes communicating with IP 10.0.1.108 on any endpoint in the past 24 hours."

Context-Aware

  • The Assistant remembers your previous queries in the current thread.

  • Ask follow-up questions based on earlier results (e.g., "Is that device online?" or "Who was logged in at that time?").

Core Use Cases

Triage & Investigation

  • Example Prompt: "List all relevant observables (systems, IPs, files) in this case and explain why they're suspicious."

  • The Assistant identifies impacted devices, suspicious file hashes, and similar observables from the case's detections and explains why each was flagged.

Threat Intelligence Lookups

  • Example Prompt: "Check the reputation of <https://malicious.url>."

  • Integrates with SophosLabs Intelix for real-time threat scoring.

Endpoint Status & Queries

  • Example Prompt: "Fetch device management status for endpoint ENDPOINT-01."

  • This reveals the device's health, licensing status, last seen date, and more.

Data Lake Queries

  • Example Prompt: "Show me all processes connecting to 10.0.1.108 from 2 days ago until now."

  • Retrieves historical logs, even if the endpoint is offline.

Case Summaries

  • Example Prompt: "Generate an executive summary of this investigation."

  • Produces a high-level report of detections, correlated events, and recommended actions.

Best Practices & Tips

Keep Queries Simple and Specific

  • The AI Assistant excels when you focus on a single question or task per prompt.

Use Predefined Prompts for Common Tasks

  • If you're unsure where to start, the built-in prompts can guide you—especially for standard queries like listing endpoints or generating a quick case overview.

Combine Queries to Drill Down

  • First, ask for broad context (e.g., "Summarize suspicious activity over the last 24 hours").

  • Then, refine with follow-up prompts (e.g., "Show me processes associated with that suspicious IP.").

Validate Suspicious Findings

  • Although the AI Assistant aggregates multiple threat intel sources, it can occasionally flag false positives or overstate a finding.

  • Treat responses as leads, not verdicts: cross-check critical results against the underlying detections or Data Lake records, or run a second, differently phrased query, before taking response actions.

Feedback & Continuous Improvement

  • If the AI Assistant's response seems off, use the built-in feedback mechanism. Your inputs help refine future responses.

Advanced Features

Live Endpoint Queries

  • For urgent cases, you can run "canned queries" that retrieve fresh, real-time data from online endpoints (e.g., process trees, scheduled tasks, or file journaling).

Staleness Check

  • The platform won't run live queries on endpoints not seen in the last 3 days unless you override that setting.

  • Helps avoid delays when querying machines likely to be offline.

Historical Data Lake Investigations

  • If you need older data (e.g., 2 weeks or 2 months ago), rely on the Data Lake queries. They search archived logs for deeper hunts and correlation.
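The routing rule described in the Live Endpoint Queries, Staleness Check and Historical Data Lake sections above (live query only for endpoints seen in the last 3 days unless overridden, Data Lake for everything else) is easy to get wrong when an analyst is scripting an investigation across many devices. The following Python is an added example written for this guide, not Sophos code or an AI Assistant feature: it applies that rule to a constructed inventory so that stale or offline devices are sent to a historical Data Lake query rather than silently dropped. The `hostname`, `lastSeenAt` and `online` field names and the sample timestamps are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (illustrative values, not data from the page or a
# real tenant). Field names are an assumption modelled on endpoint records with
# a hostname, an ISO-8601 last-seen timestamp and an online flag.
SAMPLE_ENDPOINTS = [
    {"hostname": "ENDPOINT-01", "lastSeenAt": "2024-06-10T08:12:00Z", "online": True},
    {"hostname": "ENDPOINT-02", "lastSeenAt": "2024-06-09T22:40:00Z", "online": False},
    {"hostname": "ENDPOINT-03", "lastSeenAt": "2024-06-01T11:05:00Z", "online": False},
    {"hostname": "ENDPOINT-04", "lastSeenAt": None, "online": False},
]

STALE_AFTER = timedelta(days=3)  # the 3-day staleness window described above


def parse_last_seen(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime, or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_stale(endpoint, now, stale_after=STALE_AFTER):
    """True when the endpoint has not checked in within the window, or never has."""
    last_seen = parse_last_seen(endpoint.get("lastSeenAt"))
    if last_seen is None:
        return True
    return now - last_seen > stale_after


def plan_queries(endpoints, now, override_staleness=False, stale_after=STALE_AFTER):
    """Split endpoints into live-query candidates and Data Lake (historical) lookups.

    Live queries are skipped for stale endpoints unless the analyst overrides the
    check. Recently seen but currently offline devices also go to the Data Lake,
    since a live query against them would only time out. The reason each device
    was diverted is recorded so nothing drops out of the investigation unnoticed.
    """
    live, data_lake, reason = [], [], {}
    for ep in endpoints:
        name = ep["hostname"]
        if is_stale(ep, now, stale_after) and not override_staleness:
            data_lake.append(name)
            reason[name] = "stale: not seen in %d days" % stale_after.days
        elif not ep.get("online", False):
            data_lake.append(name)
            reason[name] = "offline"
        else:
            live.append(name)
    return {"live": live, "data_lake": data_lake, "reason": reason}


def window_epoch(now, lookback):
    """Return (start, end) Unix timestamps for a 'from N ago until now' Data Lake query."""
    return int((now - lookback).timestamp()), int(now.timestamp())


if __name__ == "__main__":
    # Fixed clock so the run is reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
    plan = plan_queries(SAMPLE_ENDPOINTS, now)
    print("Live query:", plan["live"])
    print("Data Lake:", plan["data_lake"])
    for host, why in plan["reason"].items():
        print("  %s -> Data Lake (%s)" % (host, why))
    print("2-day window (epoch):", window_epoch(now, timedelta(days=2)))
```

Pass `override_staleness=True` to mirror the platform's override setting; note that an override only lifts the staleness check, so a device that is still offline is still routed to the Data Lake rather than left to time out.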

No Results Returned?

  • Check your filters (e.g., IP, username), or expand the time range.

  • The system may be skipping stale endpoints or ignoring invalid parameters.

Large Queries

  • Extremely broad queries might be truncated to avoid overwhelming the Assistant.

  • Narrow the scope by specifying more precise fields or shorter time windows.

Next Steps

Explore Additional Queries

  • Try advanced prompts like searching for suspicious file patterns or analyzing Windows scheduled tasks.

  • Combine threat intel lookups with data lake or live endpoint queries for a holistic view.

Visit the Sophos Community

  • If you hit a snag, the Sophos Community offers discussions, FAQs, and direct community support.

Provide Internal Training

  • Share an internal knowledge base article or run short sessions to teach colleagues how to leverage the AI Assistant.

  • Encourage them to ask natural-language questions for a faster learning curve.

Terms

This section is a glossary of key terms and definitions that users may encounter while using the Sophos XDR AI Assistant.

AI Assistant

Sophos’s generative AI-driven feature within the XDR platform designed to accelerate and simplify security investigations, providing real-time insights and natural language recommendations.

Prompt

A request, written in natural language, that instructs the AI Assistant what to do.

Prompt Library

A curated repository of prompts for various security-related tasks. To use these predefined prompts, press the / key in the input box to activate the search function, then look up prompts by title.

Response

Based on the natural language input, the AI Assistant interprets the prompt and provides information such as threat analysis or other actionable insights.

Thread

An instance of an AI Assistant conversation. If desired, a new thread can be started for a fresh interaction with the AI Assistant.

Caution: Starting a new thread will remove all history from the current session.

Case

A container in Sophos Central that groups detections, alerts, and investigative notes related to a security incident or potential threat. The AI Assistant interacts with these cases to provide context-aware analysis and recommendations.

XDR AI features are currently available only for self-managed cases.

Observables

Entities or items (e.g., processes, files, registry keys, network endpoints) involved in or affected by a security event. Observables help analysts understand the scope and nature of an incident.

Capabilities

A broad definition to describe the supported functionality of the AI Assistant. See Capabilities for a comprehensive list.

Tools

An external system or data source that the AI Assistant can call to carry out an action, either in real time (for example, a live endpoint query) or against stored telemetry (for example, a Data Lake search).

LLM (Large Language Model)

An advanced machine learning model trained on expansive datasets. In this context, it is optimized to understand cybersecurity threats and deliver tailored analysis, particularly around suspicious commands, threat indicators, and alerts.

Guardrails

Mechanisms in place to ensure that the AI Assistant’s responses remain contextually relevant, appropriate, and align with security best practices.

XDR (Extended Detection and Response)

A security solution that aggregates and correlates threat data from multiple sources—endpoints, networks, cloud, and more—to detect advanced attacks and streamline response actions.

Sophos Data Lake

A centralized repository that aggregates endpoint, network, and other security telemetry data for analysis. The AI Assistant queries this data lake to surface relevant information during investigations.

SophosLabs Intelix

A threat intelligence service from Sophos that offers advanced file, URL, and IP reputation checks. It integrates directly with the AI Assistant for on-demand reputation lookups and scoring.