Minimize time to investigate with the Investigations dashboard
Time is of the essence when investigating an incident. Understanding scope and impact is critical to forming a fast, effective response. The Investigations dashboard is designed to help busy teams work even more effectively.
Save time, see the bigger picture with aggregated detections
Multiple, separate threat detections in the same broader incident are automatically correlated and assigned to the same investigation. For example, detections that trigger the same threat classification rule within 24 hours will be added to a single investigation, eliminating the need for an analyst to add them manually. Detections affecting the same devices will also be automatically added to the same investigation, saving the SOC team valuable time and helping them quickly understand the broader scope and impact of an incident.
Analysts can also manually add detections to an existing investigation or create a new one, using multi-select checkboxes to minimize click time.
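The two automatic grouping rules described above (same classification rule within 24 hours, same affected device) can be reduced to a small correlation routine. The following is an added example written for this page, not Sophos code and not the product's actual implementation: it assumes that both rules chain transitively (a detection linked to one member of an investigation joins the whole investigation), that "within 24 hours" is inclusive, and that the sample detections below are constructed.

```python
"""Correlate detections into investigations (added example, not Sophos code).

Rule 1: detections firing the same classification rule within 24 hours are
        grouped together.
Rule 2: detections affecting the same device are grouped together.
Both rules are applied transitively via union-find (an assumption about how
chains of detections are handled), so a detection joined to an investigation
by rule 1 and to a different one by rule 2 merges the two.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # window from the page; inclusive is an assumption


@dataclass(frozen=True)
class Detection:
    id: str
    rule: str          # threat classification rule that fired
    device: str        # affected device
    seen: datetime     # time the detection was raised


class _UnionFind:
    """Minimal disjoint-set structure used to merge overlapping groups."""

    def __init__(self, ids):
        self.parent = {i: i for i in ids}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(detections, window=WINDOW):
    """Return investigations as a sorted list of sorted detection-id lists."""
    uf = _UnionFind([d.id for d in detections])

    # Rule 1: same rule within the window. Walk each rule's detections in time
    # order and compare each one with its predecessors until the gap exceeds
    # the window; earlier unions make the grouping transitive.
    by_rule = defaultdict(list)
    for d in sorted(detections, key=lambda d: d.seen):
        by_rule[d.rule].append(d)
    for group in by_rule.values():
        for i, later in enumerate(group):
            for earlier in reversed(group[:i]):
                if later.seen - earlier.seen > window:
                    break
                uf.union(earlier.id, later.id)

    # Rule 2: same device, regardless of time.
    by_device = defaultdict(list)
    for d in detections:
        by_device[d.device].append(d.id)
    for ids in by_device.values():
        for other in ids[1:]:
            uf.union(ids[0], other)

    groups = defaultdict(list)
    for d in detections:
        groups[uf.find(d.id)].append(d.id)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample detections (not real data).
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [
    Detection("d1", "credential-dumping", "host-a", T0),
    Detection("d2", "credential-dumping", "host-b", T0 + timedelta(hours=3)),
    Detection("d3", "lateral-movement", "host-b", T0 + timedelta(hours=5)),
    Detection("d4", "credential-dumping", "host-c", T0 + timedelta(hours=30)),
    Detection("d5", "persistence", "host-d", T0 + timedelta(hours=6)),
]
# d1 and d2 share a rule within 24h; d3 shares host-b with d2, so all three
# land in one investigation. d4 fires the same rule as d2 but 27h later, and
# d5 shares nothing, so each stays separate.

# Two detections with the same rule just outside the window stay apart.
SAMPLE_OUTSIDE_WINDOW = [
    Detection("a", "credential-dumping", "host-x", T0),
    Detection("b", "credential-dumping", "host-y", T0 + WINDOW + timedelta(minutes=1)),
]

if __name__ == "__main__":
    for inv in correlate(SAMPLE):
        print("investigation:", inv)
```

Running the module prints three investigations for the sample: one containing d1, d2 and d3, and one each for d4 and d5. The device rule is deliberately time-independent here, matching the page's wording; a deployment that wanted a time bound on device correlation would add a window check in the rule 2 loop.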
Respond faster thanks to automatic email notification
When a new investigation is created, relevant team members are automatically notified so they can respond as quickly as possible. The email includes a summary of the investigation with crucial information to get the analyst up to speed, such as the investigation ID, detection risk score, number of impacted devices and a quick link to the investigation. When a new team member is assigned to an in-progress investigation, they are automatically notified as well.
Work as a cohesive team using dynamic notes
The investigation notes section enables teams to share progress and results quickly. Freeform text can be added, making it easy for teams with multiple analysts to collaborate, share intelligence and respond faster to threats.
See the bigger picture – new Microsoft 365 data integration
Many organizations use the Microsoft 365 platform, making it a valuable piece of the cybersecurity puzzle. The new Microsoft 365 connector in Sophos Central enables XDR users to include this rich data source in their threat investigations and IT operations security maintenance, for example to identify users with suspiciously high numbers of failed login attempts.
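The failed-login use case above is a threshold over sign-in data, and the window the threshold is measured over decides whether a slow drip of failures is caught or missed. The following is an added example written for this page, not Sophos code and not the connector's query language or schema: the record fields (`user`, `status`, `time`), the one-hour window, the threshold of ten and the sample events are all assumptions constructed for the illustration.

```python
"""Flag users with many failed sign-ins in a sliding window (added example).

Records are shaped loosely like sign-in events (user, status, ISO timestamp);
the field names are assumptions, not the Microsoft 365 connector's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(hours=24)


def suspicious_users(events, window=HOUR, threshold=10):
    """Return {user: peak failures in any window} for users at/over threshold.

    A two-pointer sweep over each user's sorted failure times finds the
    largest number of failures that fit inside `window`, so a burst is
    counted even when successes are interleaved with it.
    """
    failures = defaultdict(list)
    for e in events:
        if e["status"] == "Failure":
            failures[e["user"]].append(datetime.fromisoformat(e["time"]))

    flagged = {}
    for user, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def _events(user, count, start, spacing, status="Failure"):
    """Build `count` constructed sign-in records for `user`, `spacing` apart."""
    return [{"user": user, "status": status, "time": (start + i * spacing).isoformat()}
            for i in range(count)]


# Constructed sample (not real tenant data).
T0 = datetime(2024, 1, 1, 8, 0)
SIGNIN_EVENTS = (
    _events("alice@example.com", 12, T0, timedelta(minutes=1))        # burst of 12 in 11 min
    + _events("bob@example.com", 3, T0, timedelta(minutes=5))         # a few mistyped passwords
    + _events("carol@example.com", 11, T0, timedelta(minutes=40))     # slow drip, ~2 per hour
    + _events("alice@example.com", 1, T0 + timedelta(minutes=12), timedelta(0), "Success")
)
# With a 1-hour window only alice is flagged (peak 12); carol never has more
# than 2 failures in any hour. With a 24-hour window carol's 11 failures are
# also caught, which is the trade-off the window parameter controls.

if __name__ == "__main__":
    print("1h window :", suspicious_users(SIGNIN_EVENTS))
    print("24h window:", suspicious_users(SIGNIN_EVENTS, window=DAY))
```

The success event for alice after her burst is included on purpose: a real account takeover attempt often ends in a success, and counting only failures still surfaces the burst that preceded it.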