Skip to content

Intelix reports

SophosLabs Intelix analyzes suspicious files submitted to Sophos automatically by endpoint anti-malware. You can access reports on these files from detections shown in Sophos Central.

There are two Intelix report types based on different methods of analysis:

  • Static analysis uses machine learning, file scanning, and reputation to assess suspicious files.
  • Dynamic analysis runs suspicious files in a sandboxed environment to observe their behavior.


You can only see these reports if an endpoint has submitted the file or if an admin has clicked Request latest intelligence for the file on the Threat Graphs page.

To see reports on a specific detected file, do as follows:

  1. Go to Threat Analysis Center.
  2. Click Detections.

    Alternatively, go to Live Discover and run a query to detect threats. You can access reports from these detections too.

  3. In the Detections list, click a detection to open its details.

    Detections list.

  4. Go to the detection's process_sha256 hash and click the pivot icon (three dots) beside it.

    Currently you can only pivot to Intelix reports from the SHA-256 hash.

    Detection details.

  5. In Enrichments, select SophosLabs Intelix Report.

    Enrichments menu.

  6. By default, the Static Analysis report opens. This shows a verdict on the threat risk, as measured by different analyses.

    Static Analysis Report.

  7. In the left menu, click Dynamic Analysis Report. If you don't see this link, no dynamic analysis report is available for this file.

    Intelix reports menu.

    The report shows the following:

    • MITRE attack tactics and techniques used by the threat.
    • Processes that were run.
    • Network activity.