Skip to content

Threat Graphs

Threat graphs let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it has affected. This helps you improve security.

This feature is available only to customers with an Intercept X or Intercept X Advanced with XDR license. If you have an Intercept X Advanced with XDR or Intercept X Advanced for Server with XDR license, you can also do the following:

  • Isolate affected devices.
  • Search for more examples of the threat on your network.
  • Clean up and block the threat.
  • Obtain further advanced threat intelligence.

We create a threat graph for you whenever we detect malware that you need to investigate further.


This is currently only available for Windows and Mac devices.

How to investigate and clean up threats

This is an overview of how you might typically investigate a graph. For details of all options, see Threat Graph analysis.

Some options are only available if you have an Intercept X Advanced with XDR or Intercept X Advanced with XDR for Server license.

  1. Go to Threat Analysis Center and click Threat Graphs and then click on a graph.

    This displays the graph details page.

  2. Look at Summary to see where the attack started and which files might be affected.

  3. Look at Suggested next steps. You can change the priority for the graph and see which processes to investigate.

    If this is a high priority graph, and you have Intercept X Advanced with XDR, you can click Isolate this device. This isolates the affected device from the network. You can still manage the device from Sophos Central.


    You don't see this option if the device has isolated itself automatically.

  4. On the Analyze tab, you can see a diagram showing the progress of the attack. Clicking items shows more details.

  5. Click the root cause or another process to show its details.
  6. To make sure you have the latest analysis from Sophos, click Request latest intelligence.

    This sends files to Sophos for analysis. If we have new information about the file's reputation and prevalence, you’ll see it here in a few minutes.


    If you have Intercept X Advanced with XDR or Intercept X Advanced for Server with XDR, you'll see more advanced analysis, see Process details. You can also do further detection and cleanup, as shown in the steps that follow.

  7. Click Search for item to search for more examples of the file on your network.

    If the Item Search Results page shows any more examples of the file, you can click Isolate device there to isolate affected devices.

  8. Return to the threat graph details page and look at the latest threat intelligence.

  9. If you're confident that the file is malicious, you can click Clean and block.

    This cleans up the item on Windows devices where it’s been found and blocks it on all Windows devices. See Blocked items.

  10. If you're confident that you've dealt with the threat, you can remove the device from isolation (if necessary). Go to Suggested next steps and click Remove from isolation.

    If you isolated multiple devices, go to Settings > Admin Isolated Devices and remove them from isolation. See Admin Isolated Devices.

  11. Go back to the Threat Graphs list, select the graph and click Close.

About the threat graphs list

Threat Graphs lists all threat graphs for the past 90 days.

If you have an MDR license, the page is split into tabs for threat graphs that have been generated as follows:

  • Automatically generated by Sophos
  • Generated by a Sophos Central admin
  • Generated by the Sophos Managed Detection and Response (MDR) team (unused at present)

If you do not have an MDR license, the page is not split into tabs.

You can filter the graphs by Device, Status, or Priority.

You can use Search to view the graphs for a certain user, device, or threat name (for example, "Troj/Agent-AJWL").

For each graph, the list shows most of the following information. Which columns are shown depends on whether the page is split into tabs:

  • Status: The status is New by default. You can change it when you view the graph.
  • Time created: Time and date when the graph was created.
  • Priority: A priority is set when the graph is created. You can change it when you view the graph.
  • Name: Click the threat name to view the details of the graph.
  • Generated by: The Sophos Central admin who generated the threat graph.
  • User: The user that caused the infection.
  • Device: The device that caused the infection.
  • Device type: The type of the device, for example Computer orServer.

You can click any column to sort the graphs.