XDR AI features FAQs

Frequently asked questions about the AI-powered features in Sophos XDR.

Overview

Over the next few months, we're adding many new AI-powered features to the Sophos XDR platform ("AI features"). These features will deliver a superior and more intuitive experience for analysts investigating and responding to threats.

What is Sophos XDR?

Sophos XDR is an offering in which critical information from endpoint, server, firewall, email, and other Sophos XDR-enabled products is stored and made accessible so that customers can query it to streamline threat detection and response workflows. XDR is underpinned by the Sophos Data Lake, where the device and log information is stored. Device and log information is retrieved from the different products at frequent intervals, allowing the Sophos Data Lake to be queried to identify suspect events in historical data.

How do I get access to AI features?

Currently, you need to opt in to the New AI Features Early Access Program to access these features. Anyone with a license that includes XDR can join the Early Access Program. This applies to both Term and MSP Flex customers.

This program doesn't currently have an expiry date. For more information about how to enroll, see New AI Features EAP.

Which Sophos products include XDR AI features?

Customers with licenses for the following Sophos products can access XDR AI Features:

  • Sophos Intercept X Advanced with XDR
  • Sophos Network Detection and Response
  • Sophos MDR Essentials
  • Sophos MDR Complete

What XDR AI features are currently available?

The following features are available in the New AI Features EAP:

AI Case Summary: Leveraging GenAI, this feature analyzes the detections associated with a case to provide a summary of what has happened, the entities involved, and possible next steps for investigation. The AI Case Summary also determines which MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures) were observed within the case, if any.

AI Command Analysis: This feature uses GenAI to analyze the command lines executed in endpoint detections and to explain their intent and possible security impact on the environment. If necessary, AI Command Analysis de-obfuscates the code, reducing the complexity and time needed to assess a detection.

Note

XDR AI features are available for self-managed cases. When Sophos manages a case on behalf of an MDR Essentials or MDR Complete customer, only the MDR Ops team can modify case information.

Currently, English is the only supported language for Sophos XDR AI features. For more information about features available in the EAP and how they work, see New AI Features EAP.

How do XDR AI features use my data?

In addition to our own technology, we leverage the large language models (LLMs) developed by OpenAI to provide a simple, contextual natural language interaction natively in the platform.

When a user activates an AI feature in Sophos XDR, the system does the following:

  1. Evaluates the request.
  2. Coordinates tasks between relevant components and data sources.
  3. Uses a secure API to determine which resources are needed.

For tasks that require OpenAI, all data transferred is encrypted in transit, protecting its integrity and confidentiality.

To learn more about data handling practices regarding XDR, see the following documentation:

Will OpenAI use inputs or outputs from Sophos XDR AI to train its model?

No. OpenAI won't use any inputs or outputs to train models, or to improve their services.

Does the Sophos Group Privacy Notice apply to Sophos XDR AI features?

Yes. Our Privacy Notice covers all our product and service offerings, including the Sophos XDR AI features. See Sophos Group Privacy Notice.

How does Sophos prevent unauthorized access to data using AI features?

XDR AI features adhere to the existing role-based access control (RBAC) policies of Sophos Central. Users of these features can only operate strictly within the boundaries of their designated roles.

How do you address AI hallucinations?

When using large language models (LLMs), there's always a risk of the model generating false, misleading, or nonsensical information. To mitigate this risk, we use several approaches, including these:

  • Restricting interactions with OpenAI to topics related to Sophos products and the security domain.
  • Implementing a testing and validation process aimed at minimizing errors and enhancing the relevance of responses.
  • Gathering user feedback about the accuracy of responses, and using it to improve response quality and AI feature performance.
  • Monitoring and assessing AI responses to evaluate and improve model performance.

Responsible usage

As with all generative AI-powered tools, use these tools responsibly. While they can enhance productivity, it's important to understand their limitations. AI-generated outputs aren't always correct. Always check for accuracy, appropriateness, and relevance before acting on the generated content.