AI assistant

You must be an Admin or Super Admin to use this feature.

The Sophos AI assistant is a generative AI-powered tool that lets you investigate security issues using natural-language prompts.

The assistant uses data from the Sophos Data Lake and AI-driven analytics to make security analysis more effective.

You can use it to investigate cases as follows:

Select predefined prompts. These can generate a case summary, get details of activity on devices, show actions you can take, and more.
Enter your own prompts.

You can add the AI assistant's responses to your case notebook.

Start AI assistant

In Sophos Central, click AI.
Select Assistant
On the Sophos AI page, click New and then click the assistant type you want.

The assistants currently available are Security Analyst and Threat Hunter.

Continue to the next section for step-by-step instructions for using the assistant you want.

Click the tab below for instructions for your assistant type.

Security AnalystThreat Hunter

A Security Analyst chat focuses on a specific Sophos Case generated by a threat detection.

Click Security Analyst.

A list of cases is shown. Cases are based on threat detections.
Click the Case ID to start your Security Analyst chat.

The AI assistant automatically collects the case and detection details so that it knows the context of the chat.
On the chat page, enter a prompt in one of the following ways:
- Click a predefined prompt to add it to the text box at the bottom of the page. For example, "What actions can I perform?".
  
  You can edit the prompt in the text box if you want to.
  
  To see more predefined prompts, enter a forward slash / in the text box.
- Enter your own prompt in the text box. For example, "Check for processes communicating with IP address 10.0.1.108 on any endpoint in the past 24 hours."
Click Send.
When the response is ready, the AI assistant shows it.

Your chat is added to a list in the left panel.
(Optional) Run further prompts in the same chat to refine your investigation. For example, "Is that device online?" or "Who was logged in at that time?"

The AI assistant remembers your previous prompts in the current chat, so it has the context it needs to understand your follow-up prompts.
To finish the chat, close the Sophos AI page or click New to start another chat.

The chat is cleared from the page, but remains available in the left pane.

A Threat Hunter chat lets you hunt for malicious actors or indicators of compromise in the Data Lake data.

Click Threat Hunter.
On the chat page, enter a prompt in one of the following ways:
- Click a predefined prompt to add it to the text box at the bottom of the page. For example, "What actions can I perform?".
  
  You can edit the prompt in the text box if you want to.
  
  To see more predefined prompts, enter a forward slash '/' in the search bar.
- Enter your own prompt in the text box. For example, "Check for processes communicating with IP address 10.0.1.108 on any endpoint in the past 24 hours."
Click Send.
When the response is ready, the AI assistant shows it.

Your chat is also added to a list in the left panel.
Run further prompts in the same chat to refine your investigation. For example, "Is that device online?" or "Who was logged in at that time?"

The AI assistant remembers your previous prompts in the current chat, so it has the necessary context to understand your follow-up prompts.
To finish the chat, close the Sophos AI page or click New to start another chat.

The chat is cleared from the page, but remains available in the left pane.

For a guide to writing effective AI prompts, see How to write AI prompts.

You can save the AI assistant's responses to a case's Notebook tab.

To add a single response, do as follows:

Go to the end of the response you want to add.

You see a set of icons under the response that let you take actions.
Click the plus sign icon.
If you're saving a response from a Threat Hunter chat, select a case from the Cases list when prompted.

If you're saving a response from a Security Analyst chat, the assistant automatically saves to the case you're investigating.
Confirm that you want to add the response.

To add multiple responses, do as follows:

At the bottom of the chat page, next to the Send button, click the three dots and select Select responses.
Checkboxes are now shown beside each response in the left panel, and a message prompts you to select the responses you want.

Select the checkboxes and click Add to case in the message.
If you're saving responses from a Threat Hunter chat, select a case from the Cases list when prompted.

If you're saving responses from a Security Analyst chat, the assistant automatically saves to the case you're investigating.

The responses are added to the case's Notebook tab.

You can reopen and resume an earlier chat.

In the left panel, find the chat you want and click it. The earlier chat opens in the chat page and you can enter further prompts.

You can delete all the AI Assistant's responses in the current thread or any past thread as follows:

In the left panel, click the three dots next to the chat title and select Delete.
Confirm that you want to delete all the history.

Other Sophos Central admins can use the AI assistant to investigate the same case, but only you can see the chat you started.

However, if you add responses to the case's Notebook tab, other admins with access to this case can see them.