Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=attack-details-report

Attack Details

Restrictions

This feature is only available for admins or super admins. These admins also need both computer and server access.

This feature is for customers with licenses that include Intercept X Advanced or XDR. MDR customers won't see it.

When we detect an attack in progress, we show a banner in Sophos Central like this. It's only available if we're warning you about a serious attack.

Attack warning banner.

You can't dismiss the banner until you respond. For ways to resolve an attack, see Take action.

We list the warning on the Alerts page. We can also send you warnings by email or mobile, if you're registered for Sophos alerts. See Get email or mobile warnings.

Take action

You can take action in the following ways:

  • View the Attack details report so you can analyze the attack and decide what to do. See View attack details.
  • Contact your Sophos Partner. Your partner can help to resolve the issue.
  • Contact Sophos Incident Response. Contact us and let us take action for you. This is a paid service.

View attack details

To view the attack details, click View attack details in our warning banner or go to Reports > Attack Details.

Attack Details page.

The report shows the number of affected devices and a timeline of events. You can change the time range and the chart type.

The table lists events and threats that indicate attempts to compromise your systems. The list includes all recent events, so some may be unrelated to the attack we warned about.

We keep adding events to the report for up to 30 days. After that, it closes automatically.

If you resolve the attack and dismiss our banner, we stop adding new events.

Dismiss the banner

To dismiss the warning banner, confirm that you've resolved the attack as follows:

  1. In the warning banner, click I have resolved this attack in the upper right.

    "I have resolved" button.

  2. In Tell us what you did, in the Select an option drop-down, select the action you took. Then enter your comments.

    Types of attack resolution.

Dismissing the banner doesn't also dismiss the critical alert shown on the main Alerts page. To dismiss that critical alert, see Alerts.

Get email or mobile warnings

We can send you attack warnings by email or mobile. We send them automatically if you meet the requirements below.

To get warnings by email, you must be a Sophos Central administrator registered for email alerts. See Configure email alerts.

To get warnings to a mobile, you must meet these requirements:

  • You've installed Sophos Intercept X for Mobile on the mobile.
  • You're a Sophos Central user assigned to the mobile. You can be an administrator or non-administrator.
  • User Activity Verification is turned on in Sophos Central. See User Activity Verification.