Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=mdr-threat-hunt-report

MDR threat hunting report

Each month, the Sophos MDR Threat Hunting team provides a report on their threat hunting activity and results.

The report details activity across all our customers.

If you're an MDR authorized contact for your organization, you'll automatically receive an email from which you can view or download the report.

Any Sophos Central administrator can also get the report as follows:

  1. Go to MDR > Notifications.

  2. Look for a broadcasted email with the subject "[ Intelligence Report ] Threat Hunting Monthly Report". The date of the report is also shown in the subject line.

    If you have a lot of notifications, use the Broadcasted email filter to help you find the one you want.

  3. Click the notification and then view the attached file or download it.

    MDR threat hunting report notification.

The information in the report is described below.

Threat hunts in the last month

The table shows the following statistics:

  • Hunts that were completed during the previous month
  • Hunts that are still in progress
  • Hunts that are in monitoring mode

Threat hunts are typically put into monitoring mode for a brief period until SophosLabs completes an endpoint threat detection. This keeps you protected because our threat hunters can review any matching activity for possible escalation.

Threat hunts in the last month widget.

Threat hunt outcomes

The table shows the outcomes of the Threat Hunting team's activities:

  • Total detections submitted
  • Case work to support our MDR Operations and Intel Teams
  • Cases created for customers impacted
  • Total unique systems impacted

Our MDR Operations and Intel teams provide data about active incidents, emerging threats, or threat actor activity.

Threat hunt outputs.

MITRE ATT&CK heatmap

The MITRE ATT&CK framework is closely integrated into Sophos operations. Our threat hunts track threats aligned to its tactics and techniques.

The heatmap shows which MITRE tactics we hunted for most over the reporting period.

MITRE ATT&CK tactics heatmap.

Threat hunts completed

This section of the report provides additional details of hunts completed during the last month, including the MITRE technique or subtechnique, the behavior observed, and the general approach or hypothesis that was used to conduct the hunt.

Threat hunt details.