Darktrace integration case studies

Here is a case generated by a Darktrace integration alert.

The case

On February 26th, 2024, the Sophos MDR team received a cluster of security alerts from XDR-darktrace-Command-and-Control. The alert type with the highest alert score (4) is mapped under the MITRE ATT&CK technique Command and Control. We observed that the activity category was unactioned by the alerting security control. The MDR team's investigation observed that the detection was alerted on the source system Darktrace, associated with the device [redacted], due to connection attempts from the IP address xxx.xx.xx.xxx with the subject "ICS/Rare External from OT Device". When investigating historical open socket connections, there is an open socket connection to IP xxx.xx.xx.xxx from host [redacted]. Further action is required. Please find our recommendations below.
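To show what the two checks in this case look like in code, here is an added example that is not part of the Sophos or Darktrace material: a simplified "rare external destination from an OT device" detection run over constructed connection records, followed by the historical open-socket check for the flagged IP. The rarity rule, the internal ranges, the host names and the documentation-range IPs are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal ranges for the constructed environment (assumption: RFC 1918 only).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    """True when the destination lies outside the organisation's internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def rare_external_from_ot(records, max_hosts=1):
    """Flag OT devices talking to external destinations that almost no other host uses.
    A destination is 'rare' when at most max_hosts distinct internal hosts have ever
    connected to it in the supplied history (a simplification of the Darktrace model)."""
    hosts_per_dst = defaultdict(set)
    for r in records:
        if is_external(r["dst"]):
            hosts_per_dst[r["dst"]].add(r["src"])
    hits = []
    for r in records:
        if r["ot"] and is_external(r["dst"]) and len(hosts_per_dst[r["dst"]]) <= max_hosts:
            hits.append({"src": r["src"], "dst": r["dst"], "port": r["port"],
                         "seen_by": len(hosts_per_dst[r["dst"]])})
    return hits

def hosts_with_open_socket(open_sockets, dst_ip):
    """Historical open-socket check: which hosts still hold a socket to the alerted IP."""
    return sorted({s["host"] for s in open_sockets if s["remote"] == dst_ip})

# Constructed sample data (not from the case); documentation ranges stand in for real external IPs.
CONNECTIONS = [
    {"src": "plc-01", "ot": True,  "dst": "10.20.0.5",     "port": 502},  # Modbus to internal historian
    {"src": "plc-01", "ot": True,  "dst": "203.0.113.45",  "port": 443},  # external, used only by plc-01
    {"src": "wks-07", "ot": False, "dst": "198.51.100.10", "port": 443},  # external, widely used
    {"src": "wks-08", "ot": False, "dst": "198.51.100.10", "port": 443},
    {"src": "hmi-02", "ot": True,  "dst": "198.51.100.10", "port": 443},  # OT host, but a known destination
]
OPEN_SOCKETS = [
    {"host": "plc-01", "remote": "203.0.113.45",  "rport": 443},
    {"host": "wks-07", "remote": "198.51.100.10", "rport": 443},
]

if __name__ == "__main__":
    for hit in rare_external_from_ot(CONNECTIONS):
        print(f"ICS/Rare External from OT Device: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"(destination used by {hit['seen_by']} host(s))")
        print("  hosts with an open socket to it:", hosts_with_open_socket(OPEN_SOCKETS, hit["dst"]))
```

Only plc-01's connection to 203.0.113.45 is flagged; hmi-02 also reaches an external IP, but one that several workstations use, so it does not meet the rarity rule.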

Recommendations

  1. Confirm if the connection attempt from the mentioned IP was expected.
  2. Block the IP at your network perimeter, if applicable.

Please inform MDR of your actions and findings after reviewing our recommendations. Don't hesitate to contact us with any further questions or concerns.