Threat Analysis Center

The Dashboard lets you see the most important information at a glance.

Go to Overview and then click Threat Analysis Center to see the dashboard.

It consists of these areas.

Most recent threat cases

Threat cases let you investigate malware attacks. Click on a case to find out where an attack started, how it spread, and which processes or files it has affected.

Click See all threat cases to see all threat cases.

Threat cases are available only for Windows devices.

Only threat cases with a new status are shown in this area. A threat case that is closed or in progress isn't shown, even if it's more recent than the cases with a new status.

If you have an MTR license, the area is split into tabs for threat cases that have been generated as follows:

  • Automatically generated by Sophos
  • Generated by a Sophos Central admin
  • Generated by the Sophos Managed Threat Response (MTR) team (unused at present)

Threat search

This option is available if you have Intercept X Advanced with EDR or Intercept X Advanced with EDR for Server.

Search for potential threats on your network.

You can search for SHA-256 file hashes, file names, IP addresses or domains (either complete or partial), or command lines. Typically, you get this search information from other security products or threat notification services.

Threat searches find the following:

  • Portable executable files (like applications, libraries, system files) with an uncertain or bad reputation.
  • IP addresses or domains that those files have connected to.
  • Admin tools that have been run. These tools can be misused.

Note: You can also run a threat search from within a threat case. That finds more examples of the potential threats identified in that case.

Note: Searches for command lines and admin tools may not be available for all customers yet.

Recent threat searches

This option is available if you have Intercept X Advanced with EDR or Intercept X Advanced with EDR for Server.

This shows threat searches that you have run and saved recently. Click on a search to re-run it, find affected devices and take action.

Click See all searches to see all the searches.

Top threat indicators

Threat indicators are suspicious files that Sophos Central hasn’t blocked but that you may want to investigate.

The top threat indicators list shows you the most prevalent threat indicators, with these details:

  • Suspicion level. This is the probability that the file is malicious.
  • The number of devices affected.

To see the full list and do further analysis, click See all threat indicators.