SophosLabs Intelix analyzes suspicious files submitted to Sophos automatically by endpoint anti-malware. You can access reports on these files from detections shown in Sophos Central.
There are two Intelix report types based on different methods of analysis:
- Static analysis uses machine learning, file scanning, and reputation to assess suspicious files.
- Dynamic analysis runs suspicious files in a sandboxed environment to observe their behavior.
You can only see these reports if an endpoint has submitted the file or if an admin has clicked Request latest intelligence for the file on the Threat Graphs page.
To see reports on a specific detected file, do as follows:
- Go to Threat Analysis Center.
  Alternatively, go to Live Discover and run a query to detect threats. You can access reports from these detections too.
- In the Detections list, click a detection to open its details.
- Go to the detection's process_sha256 hash and click the pivot icon (three dots) beside it.
  Currently you can only pivot to Intelix reports from the SHA-256 hash.
- In Enrichments, select SophosLabs Intelix Report.
  By default, the Static Analysis report opens. This shows a verdict on the threat risk, as measured by different analyses.
- In the left menu, click Dynamic Analysis Report. If you don't see this link, no dynamic analysis report is available for this file.
The report shows the following:
- MITRE ATT&CK tactics and techniques used by the threat.
- Processes that were run.
- Network activity.