AI features FAQs
Frequently asked questions about the AI-powered features in Sophos XDR.
Sophos XDR is a platform that stores information from Sophos and third-party security products in a Data Lake and lets you query it for threat detection and analysis. New AI features can now assist you with that analysis.
AI features and how they work
Find out about our AI features and how they work.
What AI features are available?
The following features are available in an Early Access Program:
- AI Assistant: This feature lets you investigate threat cases by using queries and prompts in a natural-language, chat format. See AI Assistant.
- AI Case Summary: This feature analyzes the detections in a case to summarize what's happened, the devices and users involved, the MITRE ATT&CK tactics detected, and possible next steps.
- AI Command Analysis: This feature analyzes the command lines run by threats to determine their intent and possible impact. If necessary, it de-obfuscates code, minimizing the effort needed to assess a detection.
- AI Search for Endpoints: This feature enables analysts to query the Sophos Data Lake for detection or endpoint data using natural language. See AI Search.
How does the AI Assistant work?
The AI Assistant lets you enter predefined natural-language queries or your own queries to investigate threats. The AI responds with information and insights from various plug-ins, such as Data Lake queries or threat look-up websites.
You can use follow-up prompts or queries to refine the investigation and produce recommendations for action. For more information, see AI Assistant.
What data sources does the AI Assistant analyze?
The AI Assistant can retrieve and analyze data from the following XDR-integrated sources:
- Sophos Endpoint Protection (Windows)
- Sophos Server Protection (Windows)
As the feature matures, data from other sources will be accessible using the AI Assistant.
Are AI features available for all threat cases?
No. At the moment, the AI Assistant is available only for cases that you create and manage yourself. It isn’t available for “Sophos managed” cases, which are handled by the Sophos MDR Operations team.
How does the AI Assistant improve investigations?
The AI Assistant improves investigations as follows:
- Enables less experienced admins to investigate threats. No knowledge of complex SQL syntax is needed.
- Interprets and correlates historical case data, threat intelligence, and logs.
- Speeds up analysis by doing a series of tasks, from endpoint queries to threat lookups, in a single workflow.
Can the AI Assistant respond to threats?
No. Currently, the AI Assistant focuses on investigation rather than taking direct remediation actions. Analysts can use its insights as the basis for fast human-initiated actions.
Access to AI features
Find out how to access our AI features.
Which license do I need?
Any of the licenses below gives you access to AI features. This applies to both Term and MSP Flex customers.
Currently, you also need to join the New AI Features Early Access Program (EAP). See "How do I join the EAP?" below.
- Sophos Intercept X Advanced with XDR
- Sophos MDR Essentials
- Sophos MDR Complete
- Sophos Network Detection and Response
How do I join the EAP?
To join the AI features EAP, do as follows:
- Sign in to Sophos Central.
- Click your Profile icon in the upper right of the page.
- Select Early Access Programs.
- Under New AI Features EAP, click Join.
- Continue and accept the terms of use.
You're now enrolled. The program doesn't currently have an expiry date.
For any issues or queries, visit the New AI Features EAP Discussions Community.
Who can use AI features?
You must be a Sophos Central Super Admin or Admin to fully access AI features.
Which languages are supported?
Currently, English is the only supported language for AI features.
Data security and privacy
Find out how we ensure your data is secure.
How do AI features use my data?
When you activate an AI feature, the system does as follows:
- Evaluates the request.
- Coordinates tasks between relevant components and data sources.
- Uses a secure API to decide which resources are needed.
For tasks requiring OpenAI services, all data transferred is encrypted in transit, ensuring its integrity.
To learn more about data handling practices in XDR, see these documents:
- Sophos XDR Privacy Data Sheet
- Sophos Group Privacy Notice
Will OpenAI train its model on the inputs or outputs?
No. OpenAI won't use any inputs or outputs from our AI features to train models, or to improve their services.
Who can see my chat with the AI Assistant?
Only you can see your chat with the AI Assistant.
You have access to an AI Assistant thread for each case but only one thread is active at a time.
How does Sophos prevent unauthorized access to data?
The AI features adhere to the existing role-based access control (RBAC) policies of Sophos Central. Users of these features can only operate within the boundaries of their designated roles.
How does Sophos ensure accuracy?
AI can generate false or misleading information. To reduce this risk, we do as follows:
- Restrict interactions with OpenAI to topics related to Sophos products and security.
- Use testing and validation to minimize errors and improve relevance.
- Monitor AI responses to evaluate their accuracy.
- Gather user feedback about the accuracy of responses and use it to improve response quality.
Responsible usage
Use these features responsibly. AI-generated outputs aren't always perfect. Always check for accuracy and relevance before you use the generated content.