Skip to content

MDR dashboard

The Managed Detection and Response (MDR) dashboard shows a summary of threats we've recently detected and investigated.

To see the MDR dashboard, sign in to Sophos Central and go to My Products > MDR.

You can also go to the MDR dashboard from the main Sophos Central dashboard (the first page you see when you sign in). Look for the MDR summary pane and click the link in the upper right.

Action required banner

If you see an Action required banner on the dashboard, we've notified you about an incident or incidents. Now we're waiting for your response.

To see the case we've opened for each incident, click Go to cases and review the details. Then respond to the notification we've sent you or your contacts. Currently you can only respond using email.

Action required banner.


The panels at the top of the page show statistics for the following:

  • Detections: Potential threats that we’ve detected.
  • Cases: Cases we open to investigate incidents further.
  • Escalations: Incidents we notify you about.
  • Threats: Confirmed threats.

By default, you see statistics for the last 7 days. To change this, click the menu in the upper right of the page, and select a different time period.

Alternatively, select Live in the menu. This automatically refreshes the "Last 7 days" data every thirty seconds. You can also refresh the page by clicking Refresh.

The statistics panels show the figures for the current period and the percentage change compared with the last period.

You can see the same statistics for detections in the graph.

Screenshot of MDR dashboard.

Detections by time, by OS, and by technique

The Detections by time of day (UTC) heat map shows the level of detections each hour. All times are in Coordinated Universal Time (UTC). Hover over any cell in the table to see the number of detections in that hour.

Screenshot of detections by time heat map.

Total detections by operating system shows the number of detections for each OS.

The MITRE ATT&CK techniques chart shows a breakdown of attacks according to the classifications used in the MITRE knowledge base. For more information, see

MITRE ATT@CK techniques chart.

Connector status report

MDR connectors allow MDR to use data from other Sophos products to investigate potential threats.

If you have licenses for other products, we set up the connector for you. You don't have to do anything.

The connector status report does as follows:

  • Shows whether products are connected (green tick) or not connected (cross).
  • Shows products that can be connected if you buy a license. These are shown as Optional.
  • Shows the number of detections by each product.

Screenshot of MDR connector status report.

Detections classification summary

The dashboard lists the five most frequently-detected types of malicious behavior, along with the number of each.

Detections by classification pie chart.

Most investigated devices

The dashboard shows the devices we've investigated most frequently.

Click a device name for more details.

Active cases

The dashboard lists MDR cases (investigations into potential threats) that are currently active.

You can see more details of MDR cases on the Cases page.