AI assistant

You must be an Admin or Super Admin to use this feature.

The Sophos AI assistant is a generative AI-powered tool that lets you investigate security issues using natural-language prompts.

The assistant uses data from the Sophos Data Lake and AI-driven analytics to make security analysis more effective.

You can use it to investigate cases as follows:

  • Select predefined prompts. These can generate a case summary, get details of activity on devices, show actions you can take, and more.
  • Enter your own prompts.

You can add the AI assistant's responses to your case notebook.

Start AI assistant

  1. In Sophos Central, click AI.

  2. Select Assistant.

  3. On the Sophos AI page, click New and then click the assistant type you want.

    The assistants currently available are Security Analyst and Threat Hunter.

Continue to the next section for step-by-step instructions for using the assistant you want.

Chat with an assistant

Click the tab below for instructions for your assistant type.

A Security Analyst chat focuses on a specific Sophos Case generated by a threat detection.

  1. Click Security Analyst.

    A list of cases is shown. Cases are based on threat detections.

  2. Click the Case ID to start your Security Analyst chat.

    The AI assistant automatically collects the case and detection details so that it knows the context of the chat.

  3. On the chat page, enter a prompt in one of the following ways:

    • Click a predefined prompt to add it to the text box at the bottom of the page. For example, "What actions can I perform?"

      You can edit the prompt in the text box if you want to.

      To see more predefined prompts, enter a forward slash / in the text box.

    • Enter your own prompt in the text box. For example, "Check for processes communicating with IP address 10.0.1.108 on any endpoint in the past 24 hours."

    Click Send.

  4. When the response is ready, the AI assistant shows it.

    Your chat is added to a list in the left panel.

  5. (Optional) Run further prompts in the same chat to refine your investigation. For example, "Is that device online?" or "Who was logged in at that time?"

    The AI assistant remembers your previous prompts in the current chat, so it has the context it needs to understand your follow-up prompts.

  6. To finish the chat, close the Sophos AI page or click New to start another chat.

    The chat is cleared from the page, but remains available in the left pane.

A Threat Hunter chat lets you hunt for malicious actors or indicators of compromise in the Data Lake data.

  1. Click Threat Hunter.
  2. On the chat page, enter a prompt in one of the following ways:

    • Click a predefined prompt to add it to the text box at the bottom of the page. For example, "What actions can I perform?"

      You can edit the prompt in the text box if you want to.

      To see more predefined prompts, enter a forward slash '/' in the search bar.

    • Enter your own prompt in the text box. For example, "Check for processes communicating with IP address 10.0.1.108 on any endpoint in the past 24 hours."

    Click Send.

  3. When the response is ready, the AI assistant shows it.

    Your chat is also added to a list in the left panel.

  4. Run further prompts in the same chat to refine your investigation. For example, "Is that device online?" or "Who was logged in at that time?"

    The AI assistant remembers your previous prompts in the current chat, so it has the necessary context to understand your follow-up prompts.

  5. To finish the chat, close the Sophos AI page or click New to start another chat.

    The chat is cleared from the page, but remains available in the left pane.

For a guide to writing effective AI prompts, see How to write AI prompts.

Add AI responses to your notebook

You can save the AI assistant's responses to a case's Notebook tab.

Add a single response

To add a single response, do as follows:

  1. Go to the end of the response you want to add.

    You see a set of icons under the response that let you take actions.

  2. Click the plus sign icon.

  3. If you're saving a response from a Threat Hunter chat, select a case from the Cases list when prompted.

    If you're saving a response from a Security Analyst chat, the assistant automatically saves to the case you're investigating.

  4. Confirm that you want to add the response.

Add multiple responses

To add multiple responses, do as follows:

  1. At the bottom of the chat page, next to the Send button, click the three dots and select Select responses.

  2. Checkboxes are now shown beside each response in the left panel, and a message prompts you to select the responses you want.

    Select the checkboxes and click Add to case in the message.

  3. If you're saving responses from a Threat Hunter chat, select a case from the Cases list when prompted.

    If you're saving responses from a Security Analyst chat, the assistant automatically saves to the case you're investigating.

The responses are added to the case's Notebook tab.

Reopen an earlier chat

You can reopen and resume an earlier chat.

In the left panel, find the chat you want and click it. The earlier chat opens in the chat page and you can enter further prompts.

Delete chat

You can delete all the AI assistant's responses in the current thread or any past thread as follows:

  1. In the left panel, click the three dots next to the chat title and select Delete.

  2. Confirm that you want to delete all the history.

Who can see the responses?

Other Sophos Central admins can use the AI assistant to investigate the same case, but only you can see the chat you started.

However, if you add responses to the case's Notebook tab, other admins with access to this case can see them.