AI Search

You must join the New AI Features Early Access Program to use this feature.

AI Search lets you search for data in the Sophos Data Lake without writing SQL queries.

AI Search can find detections and endpoint data in the Data Lake. You can search for indicators of compromise (IOCs) or other data such as IP addresses, usernames, files, or endpoint activity.

AI Search suggests queries you can run, or builds queries for you based on natural-language questions you enter. You don't need to write SQL queries.

Run queries

You can either use queries we suggest or create your own.

Use a suggested query

To use a suggested query, do as follows:

  1. Go to Threat Analysis Center > AI Search.
  2. In the menu on the left of the page, select the data you want to search:

    • Detections lets you query data in threat detections.
    • Endpoint Data lets you query data about your devices and activity on them.

    Drop-down menu of search types.

  3. If it's the first time you've opened AI Search after signing in to Sophos Central, you see suggested queries under the search bar.

    The suggestions are selected randomly from our list of pre-configured queries.

    You see different suggested queries each time you open the AI Search page. To see more, refresh the page.

    Suggested queries.

  4. Click a query.

    When the query shows in the Search bar, you can modify it if you want to. For example, you could type a time range like "in the last 30 days" at the end of the query.

  5. Click Search.

    The query runs, and the results are shown in a table:

    • The table can show a maximum of 1,000 results.
    • Data is retained for 90 days (or 1 year if you have a Central Data 1-Year Storage Pack add-on license).

Create a query

To create your own query, do as follows:

  1. Go to Threat Analysis Center > AI Search.
  2. In the menu on the left of the page, select the data you want to search:

    • Detections lets you query data in threat detections.
    • Endpoint Data lets you query data about your devices and activity on them.

    Drop-down menu of search types.

  3. Enter a query in your own words in the search bar.

    Query entered by customer.

  4. Click Search.

    The query runs, and the results are shown in a table:

    • The table can show a maximum of 1,000 results.
    • Data is retained for 90 days (or 1 year if you have a Central Data 1-Year Storage Pack add-on license).

If you want to use the query again in future, save it. You can then run it later on the AI Search page or in Live Discover. See Save a query.

To view the SQL syntax for your query, expand the Generated Query section.

Generated Query SQL details.

Set a time range

By default, queries have a time range of 24 hours.

To change the time range, include the time range you want, for example "in the past 7 days", in the query in the Search bar.

You can either add your time range to a suggested query, or include it in the wording of your own query.

Time range recommendations

Endpoint monitoring can generate large volumes of data, so queries that span wide time ranges can significantly affect performance. For best results, do as follows:

  • Start narrow: Begin with the shortest time range necessary. This can be a few hours or at most a single day.
  • Expand gradually: Only increase the time range if you don't find what you need.
  • Be specific: Include precise time constraints in your natural-language query wherever possible. Example: "Last 4 hours". Otherwise the default time range of 24 hours applies.
  • Watch for slow queries or timeouts: Queries spanning days or weeks may time out or experience extreme latency, depending on the volume of data.

Save a query

You can save your query so that you can reuse it. Save the query in one of the following ways:

  • Copy the query to your clipboard. Expand the Generated Query section and click the Copy icon on the right of the page.

  • Click Save Query. This saves the query to a new category called AI Search in Live Discover, where you can run it later. See Live Discover.

  • Click Export. This exports the query's SQL syntax and the query results in CSV format. The CSV file is automatically downloaded to your default downloads folder.

Query results

You see the query results in the table at the bottom of the page.

Query results.

Get more details

You can get more details of detections or devices shown in query results.

To see more details of a detection, click the link in the Detection Rule column. This shows the same details as the Detections page in the Threat Analysis Center. See Detections.

To see more details of a device, click its name in the Hostname column.