Event types

These are the event types you can see in Sophos Central.

Depending on the features included in your license, you may see all or some of the following event types:

Events that require you to take action are also shown on the Alerts page, where you can deal with them.

After you have taken an action or ignored the alert, it is no longer displayed on the Alerts page, but the event remains in the Events list.

Runtime Detections

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Running malware detected | Medium | No | A program that was running on a computer and exhibited malicious or suspicious behavior has been detected. Sophos Central will attempt to remove the threat. If it succeeds, no alerts will be displayed on the Alerts page, and a "Running malware cleaned up" event will be added to the events list. |
| Running malware not cleaned up | High | Yes | A program that was running on a computer and exhibited malicious or suspicious behavior could not be cleaned up. The following events may be displayed for this event type: |
| Running malware cleaned up | Low | No | |
| Malicious activity detected | High | Yes | Malicious network traffic, possibly headed to a command-and-control server involved in a botnet or other malware attack, has been detected. |
| Running malware locally cleared | Low | No | A running malware alert has been cleared from the alerts list on an endpoint computer. |
| Ransomware detected | High | No | An unauthorized program attempted to encrypt a protected application. |
| Ransomware attack resolved | Low | No | |
| Remotely-run ransomware detected | Medium | Yes | An unauthorized program attempted to remotely encrypt a protected application. |
| Remotely-run ransomware attack resolved | Low | No | |
| Ransomware attacking a remote machine detected | High | Yes | This computer has been detected attempting to remotely encrypt applications on another computer. |
| Safe Browsing detected compromised browser | Medium | Yes | An attempt to exploit a vulnerability in an internet browser has been blocked. |
| Exploit prevented | Low | No | An attempt to exploit a vulnerability in an application on an endpoint computer has been blocked. |
| Application hijacking prevented | Low | No | Application hijacking was prevented on an endpoint computer. |
| Behavioral | Low | Yes | This application has been detected behaving suspiciously. In some instances a reboot is required to complete the cleanup process; a reboot event is shown if this happens. This type of detection is only available if you are signed up to the Early Access Program. |

Application Control

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Application blocked | Medium | No | |
| Application allowed | Low | No | A controlled application has been detected and then allowed. |

Malware

If you have deep learning enabled, you may see malware detections shown as ML/PE-A.

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Malware detected | Medium | No | Malware has been detected on a device monitored by Sophos Central. Sophos Central will attempt to remove the threat. If successful, no alerts will be displayed on the Alerts page, and a "Malware cleaned up" event will appear on the events list. |
| Malware not cleaned up | High | Yes | The following events may be displayed for this event type: |
| Malware cleaned up | Low | No | |
| Recurring infection | High | Yes | A computer has become reinfected after Sophos Central attempted to remove the threat. It may be because the threat has hidden components that haven't been detected. |
| Threat removed | Low | No | |
| Malware locally cleared | Low | No | A malware alert has been cleared from the alerts list on an endpoint computer. |

Potentially Unwanted Application (PUA)

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Potentially Unwanted Application (PUA) blocked | Medium | Yes | A potentially unwanted application has been detected and blocked. |
| Potentially Unwanted Application (PUA) not cleaned up | Medium | Yes | The following events may be displayed for this event type: |
| Potentially Unwanted Application (PUA) cleaned up | Low | No | |
| Potentially Unwanted Application (PUA) locally cleared | Low | No | A potentially unwanted application alert has been cleared from the alerts list on an endpoint computer. |

Policy Violations

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Policy non-compliance | Medium | Yes | An alert will be displayed on the Alerts page if a computer remains non-compliant for more than two hours. |
| Policy in compliance | Low | No | |
| Real-time protection disabled | High | Yes | An alert will be displayed on the Alerts page if real-time protection has been disabled for a computer for more than 2.5 hours. |
| Real-time protection re-enabled | Low | No | |

Web Control

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Web policy events | Low | No | Examine the appropriate reports for detailed information on how users are accessing sites, who is violating policy, and which users have downloaded malware. |
| Web threat events | Low | No | |

Product Updates

| Event type | Severity | Action required? |
|---|---|---|
| Computer or server out of date | Medium | Yes |
| Update succeeded | Low | No |
| Update failed | Low | No |
| Reboot recommended | Low | No |
| Reboot required | Medium | Yes |

Protection Issues

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| New computer or server registered | Low | No | |
| Computer or server re-protected | Low | No | |
| New computer or server protected | Low | No | |
| Failed to protect computer or server | High | Yes | A computer has started installation of the agent software but has not become protected for one hour. |
| Error reported | Low | No | |
| Scan completion | Low | No | |
| New logins added | Low | No | |
| New users added automatically | Low | No | |

Peripherals Control

| Event type | Severity | Action required? |
|---|---|---|
| Peripheral detected | Medium | Yes |
| Peripheral allowed | Low | No |
| Peripheral restricted to read-only | Low | No |
| Peripheral blocked | Low | No |

Duplicate devices

Sophos Central warns you if it detects duplicate devices. If devices have been cloned from an image they have the same ID. Duplicate IDs can cause management issues.

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Duplicate device detection | Medium | No | An alert will appear on the Alerts page if a duplicate device is detected. Duplicated devices are re-registered with a new ID. |
| Device de-duplicated | Low | Yes | Check that the groups and policies for the de-duplicated devices are correct. |

Active Directory Synchronization

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Active Directory synchronization error | High | Yes | An alert will appear on the Alerts page if an Active Directory synchronization error is not resolved automatically for more than one hour. |
| Active Directory synchronization succeeded | Low | No | |
| Active Directory synchronization warning | Medium | No | |

Download Reputation

Sophos Central warns end users if a download has a low reputation. This reputation is based on a file's source, how often it is downloaded and other factors.

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| User deleted low reputation download | Low | No | A user deleted a download after Sophos Central warned that it had a low reputation. |
| User trusted low reputation download | Low | No | A user trusted a download after Sophos Central warned that it had a low reputation. |
| Low reputation download automatically trusted | Low | No | Sophos Central detected a low reputation download and trusted it automatically. This occurs only if you change your reputation checking settings to "Log only". |

Firewall

If you have a Sophos XG Firewall registered with Sophos Central, your computers can send regular reports on their security status or "health" to Sophos XG Firewall. These reports are known as "security heartbeats".

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Missing heartbeat reported | High | Yes | A computer is no longer sending security heartbeat signals to a Sophos XG Firewall but is still sending network traffic. The computer may be compromised. A Sophos XG Firewall may have restricted the computer's network access (depending on the policy your company set). |
| Restored heartbeat reported | Low | No | A computer has resumed sending security heartbeat signals to a Sophos XG Firewall. |

Device Encryption

Note: For most device encryption alerts, you should restart the computer and let it sync with the server.

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Key creation failed | Medium | See Note | A key could not be created (TPM key, TPM+PIN key, USB key, recovery key). |
| Device Encryption failed | Medium | See Note | A volume could not be encrypted. |
| Device Encryption information | Low | See Note | Information on various events, for example the user postponed encryption or a PIN/passphrase was reset. |
| Device not encrypted | Medium | See Note | See Alerts for Device Encryption. |
| Device Encryption status changed | Low | See Note | The Device Encryption status changed from one status to another status. See Computers. |
| Device Encryption is suspended | Medium | See Note | See Alerts for Device Encryption. |
| Recovery key missing | Medium | See Note | See Alerts for Device Encryption. |
| Received recovery keys | Low | See Note | Sophos Central received a recovery key from an endpoint computer. |
| Revoked keys | Low | See Note | A recovery key has been viewed in Sophos Central, so it has been revoked and will be replaced. |

Data Loss Prevention

| Event type | Description |
|---|---|
| An "allow transfer on acceptance by user" action was taken | A file containing controlled information was transferred after a user acknowledged they were transferring the information. |
| An "allow file transfer" action was taken | A file containing controlled information was transferred. |
| A "block transfer" action was taken | A transfer of a file containing controlled information was blocked. |

Amazon Web Services (AWS)

Sophos Central reports any AWS connection errors.