Threat Analysis Center

The Threat Analysis Center dashboard lets you see and analyze detection numbers and trends.

Go to Threat Analysis Center to see the dashboard.

We've updated the dashboard with new features. If you want to go back to the old dashboard, select Original dashboard in the upper right of the dashboard.

Dashboard toggle.

For help with using the dashboard, see the section below for the dashboard you're using.

New dashboard

The new dashboard gives you more detection data and better ways to visualize it.

You can now do as follows:

  • Select the time range to show detection data for.
  • See detection figures broken down by different aspects of the detection.
  • Use filters to focus on detections of a particular type, severity, and more. See Set filters.
  • See detections mapped by geographical location.
  • Click detection figures in each section to go directly to pre-filtered data.

Total detections

This shows the total number of detections and a breakdown of the percentage for each severity level.

Click any figure to open the Detections page pre-filtered to show the severity level you want. The page opens in a new tab.

You can also use filters as described in Set filters.

Total detections.

Total detection count

This shows the number of detections during the time range you select, and a trend line based on the average number of detections in each hour or day.

The trend line is shown only for time ranges up to 7 days.

You can change this graph to show the numbers broken down according to different aspects of the detection. See Select a breakdown view.

You can also use filters as described in Set filters.

Total detection count and trend graph.

Select a breakdown view

You can customize the Total detection count graph to show a breakdown of the detection numbers. For example, you can show detection numbers broken down according to their severity: critical, high, medium, or low risk.

To do this, go to the drop-down menu above the chart and select the feature you want to see a breakdown for.

Drop-down menu.

When you do this, each bar in the chart is replaced by a group of bars. If you select severity, separate bars show the detection numbers for critical, high, medium, and low risk. Hover on a bar to see the numbers.

Note

The MITRE tactics view uses a line graph. Separate lines show detections for different tactics.

Bar chart showing a breakdown.

Select graph or heatmap view

You can view the detection numbers as a graph or as a heatmap calendar. The default is graph view. To change it, use the icons in the upper right of the screen. For the heatmap, click the icon on the right.

Heatmap icon.

Top 10 entities

This shows the ten entities (for example, servers) with the most detections. Click the number of detections to see a breakdown by risk level.

You can use the drop-down menu above the list to show detection numbers as follows:

  • By entity: Shows the devices with the most detections.
  • By sensor: Shows the sensors with the most detections. Sensors are products that report detections to the Sophos Data Lake.

You can also use filters as described in Set filters.

Top 10 users

The ten users with the most detections. Click the number of detections to see a breakdown by risk level.

You can also use filters as described in Set filters.

Sensor location of detection

A world map shows the number and breakdown of detections in different geographical regions. You can zoom in to see detection numbers for smaller regions like country, state, or city.

Click the number of detections for a region to see a breakdown by risk level.

You can customize this section as described in Set filters.

Sensor location map.

MITRE TTP (Tactics, Techniques, Procedures)

This heatmap shows the number of detections in each MITRE tactic. Hover over a tactic to see a breakdown by risk level.

Click on a tactic to zoom in to MITRE techniques detected during the time period. Click again to return to the tactics view.

You can customize this section as described in Set filters.

Heatmap of detections for each MITRE tactic.

Recent detections

This shows the most recent detections on your network.

You can also use filters as described in Set filters.

Recent detections.

Set the time range

The default time range is the last 24 hours. You can change that to the last hour, last 7 days, or last 30 days.

You can also select Custom and set a custom range.

Set filters

Filters let you select which data you'll see. Click Filter to see the choices.

Filter menu.

You can use the following sets of filters.

  • Entity. Enter the name of a specific device to see detections that occurred there.
  • Severity. Choose to show detections with a specific risk level or levels.
  • Type. Choose to show detections of a specific threat type.
  • Operating system. Choose to show detections that occurred on devices running a specific operating system or systems.
  • MITRE Tactics. Choose to show detections that match specific MITRE tactics.
  • Detection. Enter a detection name to see instances of that detection.
  • Category. Choose to show detections reported by a specific type of sensor. For example, firewall.

You can choose multiple options in each set or click Select All next to a set. You can also choose options in multiple sets.

You can combine filters with a view selected from the drop-down menu (in sections that have one).

Highlight details on a graph

You can highlight specific bars or lines on a graph. Hover on the color swatches shown in the key next to the graph. For example, in a graph showing detections by severity, hover on the color for a specific risk level to highlight that bar.

Hover over key to highlight bars.

Original dashboard

The original dashboard consists of tables showing recent threat detection and investigation activities.

Recent cases

Cases let you analyze potential threats. They group together suspicious events we've detected and help you do forensic work on them.

We create a case automatically when there's a detection, and add related detections later. Alternatively, you can create your own investigation and add detections to it. See Cases.

The dashboard lists recent cases and shows their current status.

To see all your cases, click See all.

Recent detections

Detections identify activity on your devices that's unusual or suspicious but hasn't been blocked. They're different from events where we detect and block activity that we already know to be malicious.

We generate detections based on data that devices upload to the Sophos Data Lake.

The dashboard lists recent detections, with details of their risk level, where they occurred, and which product or integration detected them.

To see all detections, click See all.

Recent threat graphs

Threat graphs let you investigate malware attacks. Click a graph to find out where an attack started, how it spread, and which processes or files it has affected.

Threat graphs are available only for Windows devices.

The dashboard shows threat graphs on different tabs, depending on who generated them, as follows:

  • Graphs automatically generated by Sophos.
  • Graphs generated by a Sophos Central admin.

We show only threat graphs with the status "new" in this area. If a threat graph is closed or in progress, we don't show it, even if it has a newer date than one with "new" status.

To see all your graphs, click See all threat graphs.

Recent Live Discover queries

Live Discover lets you run queries on your devices as follows:

  • Search for signs of threats that haven't been detected by other Sophos features.
  • Search for signs of a suspected or known threat if Sophos Central has found the threat elsewhere.
  • Check for compliance with security standards.

The dashboard shows the most recent queries that you've run.

To see full details of a query and its results, click its name in the list.

To see all your recent queries, click See all.

To run a new query, click New session.

Recently scheduled queries

You can schedule Live Discover queries.

The dashboard shows your most recent scheduled queries and their frequency.

To see full details of a scheduled query and to access its results, click its name in the list.

To see all your scheduled queries, click See all.