Custom pivot options

You can customize the pivot options in Live Discover.

Restriction You must be Super Admin, Admin, or have full admin rights to Endpoint or Server Protection.

Live Discover lets you select data items in your query results and use them as the basis for further, "pivot" queries, actions, or enrichments.

Enrichments open third-party websites to look up information about a potential threat you've found.

We provide predefined pivot queries and enrichments. However, you can customize the options that are shown and add your own.

Note Currently, you can only add custom enrichments.

Add a custom enrichment

You can add an enrichment as follows:
  1. Go to Overview > Threat Analysis Center > Live Discover.

    Live Discover menu
  2. In Live Discover Preferences, click Customize Live Discover.

    Live Discover Preferences menu
  3. On the Enrichments tab, you see all enrichments, whether created by Sophos or by an administrator. ClickAdd enrichment.

    Enrichments tab
  4. In the Add enrichment dialog, do as follows:
    1. Enter the Data Type . This is the data in your query results that you want to look up. For example, IP Address.
    2. Enter a Display Name . This shows in the menu when you click the ellipsis icon Ellipsis icon next to the data in your result.
    3. Enter a Description.
    4. Enter the URL of the web page you want to open.

      In our example, the URL is$$ipAddress$$. is the website.

      gui/ip-address/ is the page where you can look up IP addresses.

      $$ipAddress$$ is the SQL variable that will be replaced with the IP you want to look up. We show you this variable in a note above the URL field.

    5. Click Test link.
    6. Click Save.

    Add enrichment dialog

Your enrichment now shows on the Enrichments tab.

Edit or delete a custom enrichment

You can only edit or delete enrichments that you (or another administrator) created. You can't change the predefined enrichments that we provide.

To edit an enrichment, do as follows:

  1. Go to Overview > Threat Analysis Center > Live Discover and click Customize Live Discover.

    Live Discover Preferences menu
  2. On the Enrichments tab, look for the enrichment you want. In the Actions column, click the three dots icon and select Edit enrichment or Delete enrichment.

    Enrichments page with actions menu
  3. If you selected Edit enrichment, you can enter settings as descibed in Add a custom enrichment.