Threat Analysis Center

The Threat Analysis Center dashboard lets you see and analyse detection numbers and trends.

Go to Threat Analysis Center to see the dashboard.

Total detections

This shows the total number of detections and a breakdown of the percentage for each severity level.

Click any figure to open the Detections page pre-filtered to show the severity level you want. The page opens in a new tab.

You can also use filters as described in Set filters.

Total detections.

Total detection count

This shows the number of detections during the time range you select, and the trend based on the average numbers in each hour or day.

The trend line is shown only for time ranges up to 7 days.

You can change this graph to show the numbers broken down according to different aspects of the detection. See Show a breakdown of detection numbers.

You can also use filters as described in Set filters.

Total detection count and trend graph.

Show a breakdown of detection numbers

You can customize the Total detection count graph to show a breakdown of the detection numbers. For example, you can show detection numbers broken down according to their severity: critical, high, medium, or low risk.

To do this, go to the drop-down menu above the chart and select the feature you want to see a breakdown for.

Drop-down menu.

When you do this, the bar charts change to show each bar replaced by a group of bars. If you select severity, separate bars show the detection numbers for critical, high, medium, or low risk. Hover on a bar to see the numbers.

Note

The MITRE tactics view uses a line graph. Separate lines show detections for different tactics.

Bar chart showing a breakdown.

Select graph or heatmap view

You can view the detection numbers as a graph or as a heatmap calendar. The default is graph view. To change it, use the icons in the upper right of the screen. For the heatmap, click the icon on the right.

Heatmap icon.

Top 10 entities

This shows the ten entities (for example, servers) with the most detections. Click the number of detections to see a breakdown by risk level.

You can use the drop-down menu above the list to show detection numbers as follows:

  • By entity: Shows the devices with the most detections.
  • By sensor: Shows the sensors with the most detections. Sensors are products that report detections to the Sophos Data Lake.

You can also use filters as described in Set filters.

Top 10 users

The ten users with the most detections. Click the number of detections to see a breakdown by risk level.

You can also use filters as described in Set filters.

Sensor location of detection

A world map shows the number and breakdown of detections in different geographical regions. You can zoom in to see detection numbers for smaller regions like country, state, or city.

Click the number of detections for a region to see a breakdown by risk level.

You can customize this section as described in Set filters.

Sensor location map.

MITRE TTP (Tactics, Techniques, Procedures)

This heatmap shows the number of detections in each MITRE category. Hover over a tactic to see a breakdown by risk level.

Click on a tactic to zoom in to MITRE techniques detected during the time period. Click again to return to the tactics view.

You can customize this section as described in Set filters.

Heatmap of detections for each MITRE type.

Recent detections

This shows the most recent detections on your network.

You can also use filters as described in Set filters.

Recent detections.

Set the time range

The default time range is the last 24 hours. You can change that to the last hour, last 7 days, or last 30 days.

You can also select Custom and set a custom range.

Set filters

Filters let you select which data you'll see. Click Filter to see the choices.

Filter menu.

You can use the following sets of filters.

  • Entity. Enter the name of a specific device to see detections that occurred there.
  • Severity. Choose to show detections with a specific risk level or levels.
  • Type. Choose to show detections of a specific threat type.
  • Operating system. Choose to show detections that occurred on devices running a specific operating system or systems.
  • MITRE Tactics. Choose to show detections that match specific MITRE tactics.
  • Detection. Enter a detection name to see instances of that detection.
  • Category. Choose to show detections reported by a specific type of sensor, for example a firewall.

You can choose multiple options in each set or click Select All next to a set. You can also choose options in multiple sets.

You can combine filters with a view selected from the drop-down menu (in sections that have one).
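The following Python is an added illustration of the behaviour described under Show a breakdown of detection numbers, Top 10 entities and Set filters; it is not code from Sophos or the Threat Analysis Center, and the detection records are constructed. It assumes that options within a filter set are ORed while different sets are ANDed, that buckets are hourly for ranges up to 7 days (where the dashboard also draws a trend line) and daily otherwise, and that the Top 10 panel is a per-entity count with a severity breakdown.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample detections (not real data): one record per detection, with the
# fields the dashboard filters on (entity, severity, operating system, MITRE tactic, sensor).
DETECTIONS = [
    {"time": "2024-05-01T08:15:00", "severity": "critical", "entity": "srv-db-01", "sensor": "Endpoint", "os": "Windows", "tactic": "Credential Access"},
    {"time": "2024-05-01T08:40:00", "severity": "high", "entity": "srv-db-01", "sensor": "Endpoint", "os": "Windows", "tactic": "Execution"},
    {"time": "2024-05-01T09:05:00", "severity": "low", "entity": "ws-042", "sensor": "Firewall", "os": "Windows", "tactic": "Discovery"},
    {"time": "2024-05-01T09:30:00", "severity": "medium", "entity": "ws-042", "sensor": "Endpoint", "os": "Linux", "tactic": "Execution"},
    {"time": "2024-05-02T10:00:00", "severity": "high", "entity": "srv-web-02", "sensor": "Firewall", "os": "Linux", "tactic": "Credential Access"},
    {"time": "2024-05-09T12:00:00", "severity": "critical", "entity": "srv-db-01", "sensor": "Endpoint", "os": "Linux", "tactic": "Execution"},
]


def apply_filters(detections, filters):
    """Keep a detection only if, for every filter set with chosen options, its value is
    one of those options. Assumption: options within a set are ORed, sets are ANDed,
    and an empty set (nothing chosen) places no restriction, like leaving a set unset."""
    return [d for d in detections
            if all(d[field] in chosen for field, chosen in filters.items() if chosen)]


def breakdown(detections, by, start, end):
    """Count detections per time bucket, grouped by the chosen dimension (e.g. 'severity'
    or 'tactic'), as the grouped bar chart does. Buckets are hours for ranges up to
    7 days and days for longer ranges (assumption based on the trend-line limit)."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hourly = (t1 - t0) <= timedelta(days=7)
    counts = defaultdict(Counter)
    for d in detections:
        t = datetime.fromisoformat(d["time"])
        if t0 <= t < t1:
            bucket = t.strftime("%Y-%m-%d %H:00" if hourly else "%Y-%m-%d")
            counts[bucket][d[by]] += 1
    return {b: dict(c) for b, c in sorted(counts.items())}


def top_entities(detections, key="entity", n=10):
    """Entities (or sensors, with key='sensor') with the most detections, each with a
    per-severity breakdown, mirroring the Top 10 panel's click-through by risk level."""
    totals = Counter(d[key] for d in detections)
    return [(name, total, dict(Counter(d["severity"] for d in detections if d[key] == name)))
            for name, total in totals.most_common(n)]


if __name__ == "__main__":
    windows_high = apply_filters(DETECTIONS, {"severity": {"critical", "high"}, "os": {"Windows"}})
    print(breakdown(windows_high, "severity", "2024-05-01T00:00:00", "2024-05-03T00:00:00"))
    print(top_entities(DETECTIONS))
```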

Highlight details on a graph

You can highlight specific bars or lines on a graph. Hover on the color swatches shown in the key next to the graph. For example, in a graph showing detections by severity, click the color for a specific risk level to highlight that bar.

Hover over key to highlight bars.