Threat Cases

Threat cases let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it affected. This helps you close the gaps the attack used and improve your security.

This feature is available only to customers with an Intercept X or Intercept X Advanced with EDR license. If you have an Intercept X Advanced with EDR or Intercept X Advanced for Server with EDR license, you can also do the following:

  • Isolate affected devices.
  • Search for more examples of the threat on your network.
  • Clean up and block the threat.
  • Obtain further advanced threat intelligence.

We create a threat case for you whenever we detect malware that you need to investigate further.

Note This is currently only available for Windows devices.

How to investigate and clean up threats

This is an overview of how you might typically investigate a case. For details of all options, see Threat case analysis page.

Some options are only available if you have an Intercept X Advanced with EDR or Intercept X Advanced for Server with EDR license.

  1. Click Threat Cases in the main menu and then click on a case.

    This displays the case details page.

  2. Look at Summary to see where the attack started and which files might be affected.
  3. Look at Suggested next steps. You can change the priority for the case and see which processes to investigate.

    If this is a high-priority case and you have Intercept X Advanced with EDR, you can click Isolate this device. This isolates the affected device from the network while you investigate. You can still manage the device from Sophos Central.

    Note You don't see this option if the device has isolated itself automatically.
  4. On the Analyze tab, you can see a diagram showing the progress of the attack. Clicking items shows more details.
  5. Click the root cause or another process to show its details.
  6. To make sure you have the latest analysis from Sophos, click Request latest intelligence.

    This sends files to Sophos for analysis. If we have new information about the file's reputation and prevalence, you’ll see it here in a few minutes.

    Restriction If you have Intercept X Advanced with EDR or Intercept X Advanced for Server with EDR, you'll see more advanced analysis (see Process details). You can also carry out further detection and cleanup, as shown in the steps that follow.
  7. Click Search for item to search for more examples of the file on your network.

    If the Item Search Results page shows any more examples of the file, you can click Isolate device there to isolate affected devices.

  8. Return to the threat case details page and look at the latest threat intelligence.
  9. If you're confident that the file is malicious, you can click Clean and block.

    This cleans up the item on devices where it’s been found and blocks it on all devices.

  10. If you're confident that you've dealt with the threat, you can remove the device from isolation (if necessary). Go to Suggested next steps and click Remove from isolation.

    If you isolated multiple devices, go to Settings > Admin Isolated Devices and remove them from isolation.

  11. Go back to the Detected Threat Cases list, select the case and click Close.

About the threat cases list

The Detected Threat Cases page lists all threat cases for the past 90 days.

If you have an MTR license, the page is split into tabs for threat cases that have been generated as follows:

  • Automatically generated by Sophos
  • Generated by a Sophos Central admin
  • Generated by the Sophos Managed Threat Response (MTR) team (unused at present)

If you do not have an MTR license, the page is not split into tabs.

You can filter the cases by Device, Status, or Priority.

You can use Search to view the cases for a certain user, device, or threat name (for example, "Troj/Agent-AJWL").

For each case, the list shows some or all of the following information. Which columns are shown depends on whether the page is split into tabs:

  • Status: The status is New by default. You can change it when you view the case.
  • Time created: Time and date when the case was created.
  • Priority: A priority is set when the case is created. You can change it when you view the case.
  • Name: Click the threat name to view the details of the case.
  • Generated by: The Sophos Central admin who generated the threat case.
  • User: The user that caused the infection. Click the username to view the user's details.
  • Device: The device that caused the infection. Click the device name to see its details.
  • Device type: The type of the device, for example Computer or Server.

You can click any column to sort the cases.