Detections show you activity that you might need to investigate.

To see detections, go to Overview > Threat Analysis Center > Detections.

Detections identify activity on your devices that's unusual or suspicious but hasn't been blocked. They're different from events where we detect and block activity that we know to be malicious.

The detections are based on data that devices upload to the Sophos Data Lake. To find out how to set up uploads, see Data Lake uploads.

We check the data against threat classification rules. When there’s a match, we show a detection.

We give the detections a risk score from 1 (lowest) to 10 (highest). The score shows how confident we are that the detection relates to malicious activity.

What the detection details mean

We group detections according to the rule they matched and the date. The detection details show the following:

  • Risk. Risk is on a scale of 1 (lowest) to 10 (highest). A score of 0 means we haven't decided the risk level. With the default settings, we only show detections with a score of 7 or more. Use the score to prioritize investigations.
  • Classification rule. The name of the rule that was matched.
  • Count. Number of times the classification rule has been matched on a certain day.
  • Device list. The device where the rule was last matched and the number of other devices with the same detection that day.
  • First/last seen. The first and last detections based on the classification rule that day.
  • Description. What the rule identifies.
  • Mitre ATT&CK. The corresponding Mitre ATT&CK Tactic and Technique.

How to use detections

You can use detections to examine devices, processes, users, and events for signs of potential threats that other Sophos features haven’t blocked. For example:

  • Unusual commands that indicate attempts to inspect your systems and stay on them, avoid security, or steal credentials.
  • Sophos malware alerts,such as dynamic shellcode prevention events, that indicate an attacker might have penetrated a device.

Most detections are linked to the MITRE ATT&CK framework, where you can find more information on the specific tactic and technique. See

You can also take additional actions based on the detection. For example:

  • Search devices for signs of a suspected or known threat if Sophos Central has found it elsewhere or if a user reports suspicious behavior.
  • Search for out-of-date software or browsers with insecure settings.

How to get help

We offer a Managed Threat Response service which can monitor your environment for malicious activity and respond on your behalf 24/7.


Note If you believe your security has been breached and you need immediate help, contact our rapid-response team. This is a paid service.