Sophos XDR: Enhanced Investigations and Office 365 Integration

Credit to Author: Alex Gardner| Date: Fri, 04 Feb 2022 09:00:38 +0000

We are pleased to announce exciting enhancements to the Investigations dashboard and integration of Microsoft 365 data into Sophos XDR.

Minimize time to investigate with the Investigations dashboard

Time is of the essence when investigating an incident. Understanding scope and impact is critical to forming a fast, effective response. The Investigations dashboard is designed to help busy teams work even more effectively.

Save time, see the bigger picture with aggregated detections

Multiple, separate threat detections in the same broader incident are automatically correlated and assigned to the same investigation. For example, detections that trigger the same threat classification rule within 24 hours will be added to a single investigation, eliminating the need for an analyst to add them manually. Detections affecting the same devices will also be automatically added to the same Investigation, saving the SOC team valuable time and helping them quickly understand the broader scope and impact of an incident.

Analysts can also manually add detections to an investigation or create an investigation, with a multi-select checkbox to minimize click time.

Respond faster thanks to automatic email notification

When a new investigation is created, relevant team members are automatically notified to respond as quickly as possible. The email includes a summary of the investigation with crucial information to get the analyst up to speed, such as investigation ID, detections risk score, number of impacted devices and a quick link to the investigation. When a new team member is assigned to an in-progress investigation, they will be automatically notified.

Work as a cohesive team using dynamic notes

The Investigation notes section enables teams to share progress and results quickly. Freeform text can be added making it easy for teams with multiple analysts to collaborate, share intelligence and respond faster to threats.

 

See the bigger picture –new Microsoft 365 data integration

Many organizations use the Microsoft 365 platform, making it a valuable piece of the cybersecurity puzzle. The new MS 365 connector in Sophos Central enables XDR users to include this rich data source in their threat investigations and IT operations security maintenance. For example, to identify users with suspiciously high numbers of failed login attempts.

Getting started

All Sophos XDR customers can access the Investigations dashboard from Sophos Central. Most of these powerful features are already available to Sophos XDR customers, with the last few arriving by February 7, 2022. To access MS 365 data, the connector needs to be enabled: log into Sophos Central -> Third-party integrations -> Microsoft 365 user activity logs.

If you’d like to try out Sophos XDR, you can either start an in-product trial (if you have a Sophos Central account) or take a trial of Intercept X, which includes XDR.

http://feeds.feedburner.com/sophos/dgdY