
Detection rules

Detection rules let you specify how we handle threat detections.

You must be a Super Admin to use this feature.

Note

Currently, you can only use detection rules to suppress unwanted detections.

Suppressing detections

You might need to suppress detections that are false positives or recur too frequently. You can create rules to do this.

Rules can prevent detections that match a rule from doing the following:

  • Showing in the list on the Detections page.
  • Raising cases for further investigation.

Rules can suppress cases that you manage yourself (XDR cases). They can't suppress cases handled by the MDR service.

Create a detection rule

You can create a rule from an existing detection, as follows:

  1. Go to Threat Analysis Center > Detections.
  2. Click the three dots icon next to a detection name in the list and select Add detection rule.

    More menu showing "Add detection rule".

  3. In the detection rule settings, do as follows:

    1. In Rule Details, enter a rule name and description. By default the rule is "enabled".
    2. In Actions, select the action you want to take on detections.

      Currently, you can only select Suppress. This prevents detections from being shown in the detection list and from generating cases.

    Detection rule details and actions.

  4. In Conditions, the characteristics of the threat that was detected, for example severity, are shown. Select the characteristics that you want to use as conditions to trigger the rule. Select only the characteristics that identify the unwanted detection: the fewer conditions you select, the broader the rule and the more detections it suppresses.

    Conditions that can trigger a rule.

  5. Click Save.

A new detection rule can take up to 20 minutes to take effect.

A rule only applies to detections that occur after you've created it. Detections that were recorded before the rule existed aren't suppressed retroactively.
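To make the behaviour described in the procedure above concrete, the following is an added Python model of a suppress rule. It is example code written for this page, not Sophos Central code, and it calls no product API. The detection field names, the managed_by flag used to tell customer-managed (XDR) cases from MDR cases, and the assumption that a detection must match every selected condition are all assumptions of the example.

```python
"""Toy model of suppress-only detection rules (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Detection:
    """One threat detection. Field names are assumptions for this model."""
    detection_id: str
    name: str
    severity: str                  # e.g. "low", "medium", "high"
    device: str
    observed_at: datetime
    managed_by: str = "customer"   # "customer" (XDR case) or "MDR"; assumed field


@dataclass
class Rule:
    """A rule as the page describes it: a name, selected characteristics used
    as conditions, an enabled toggle, and the single available action."""
    name: str
    created_at: datetime
    conditions: dict               # characteristic -> required value
    enabled: bool = True
    action: str = "suppress"

    def matches(self, det: Detection) -> bool:
        # Assumption: a detection must match every selected condition (AND).
        return all(getattr(det, key, None) == value
                   for key, value in self.conditions.items())

    def applies_to(self, det: Detection) -> bool:
        if not self.enabled or self.action != "suppress":
            return False
        if det.observed_at < self.created_at:
            return False           # rules are not retroactive
        if det.managed_by == "MDR":
            return False           # MDR cases can't be suppressed
        return self.matches(det)


def is_suppressed(det: Detection, rules: list) -> bool:
    return any(rule.applies_to(det) for rule in rules)


def detections_view(dets, rules, hide_suppressed=True):
    """IDs the Detections page would list. hide_suppressed mirrors the
    'Hide Suppressed Detections' filter, which is on by default."""
    if not hide_suppressed:
        return [d.detection_id for d in dets]
    return [d.detection_id for d in dets if not is_suppressed(d, rules)]


def cases_to_raise(dets, rules):
    """Detections that would still raise a case for investigation."""
    return [d.detection_id for d in dets if not is_suppressed(d, rules)]


# Constructed sample data (not real telemetry).
RULE_CREATED = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
BEFORE = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
AFTER = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)

NOISY_RULE = Rule(
    name="Suppress low-severity scheduled-task noise on build-01",
    created_at=RULE_CREATED,
    conditions={"name": "Scheduled task created", "severity": "low", "device": "build-01"},
)

SAMPLE_DETECTIONS = [
    Detection("d1", "Scheduled task created", "low", "build-01", AFTER),
    Detection("d2", "Scheduled task created", "low", "build-01", BEFORE),   # pre-dates the rule
    Detection("d3", "Scheduled task created", "low", "build-01", AFTER, managed_by="MDR"),
    Detection("d4", "Scheduled task created", "high", "build-01", AFTER),   # severity differs
    Detection("d5", "Scheduled task created", "low", "build-02", AFTER),    # device differs
]

if __name__ == "__main__":
    print("visible:", detections_view(SAMPLE_DETECTIONS, [NOISY_RULE]))
    print("cases:", cases_to_raise(SAMPLE_DETECTIONS, [NOISY_RULE]))
```

Only d1 is suppressed: d2 pre-dates the rule, d3 belongs to an MDR case, and d4 and d5 each fail one of the three selected conditions. Dropping the device condition from a duplicate of the rule would also suppress d5, which is the trade-off to keep in mind when choosing how many characteristics to select.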

Turn detection rules on or off

To turn detection rules on or off, do as follows:

  1. Go to Threat Analysis Center > Detection rules.
  2. Click a detection rule's name to see its details.
  3. In Rule details, click the toggle to turn the rule on or off.

    Detection rule enabled.

Duplicate and edit detection rules

You can't edit an existing rule. To change a rule, duplicate it and make the changes on the duplicate. If you no longer want the original rule to apply, turn it off or delete it, because otherwise both rules stay active.

You can duplicate a rule as follows:

  1. Go to Threat Analysis Center > Detection rules.
  2. Find the rule and click the three dots icon in the rightmost column.
  3. Select Duplicate.

    You see a new rule with the same conditions and actions that you selected for the original rule.

  4. Enter a name and description for the new rule.

  5. Select or clear checkboxes next to the conditions to edit the rule.
  6. Click Save.

Delete detection rules

To delete rules, do as follows:

  1. Go to Threat Analysis Center > Detection rules.
  2. Find the rule and click the three dots icon in the rightmost column.
  3. Select Delete.

View suppressed detections

By default, detections that you've suppressed aren't shown in the Detections page.

If you want to see the suppressed detections, do as follows:

  1. Go to Threat Analysis Center > Detections.
  2. Click Show filters above the detections list.
  3. Under Detection Visibility, clear the Hide Suppressed Detections checkbox.

    "Hide suppressed detections" filter.

  4. Click Apply.