Threat lineage

This feature is available as follows:

  • MDR customers can use this feature now.
  • XDR customers must join the New XDR Features Early Access Program (EAP) to use this feature. Click your profile and then click Early Access Programs to get started.

Note

If you only have MDR Essentials for Server or MDR Complete for Server, join the New Server Protection Features EAP to use the new feature now. Otherwise, you can't use it until April 2025.

About threat lineage

The threat lineage shows, in graphic form, the processes that led up to and triggered a detection. It helps you understand how the threat developed, where it impacted your environment, and what the results were.

View a threat lineage

You can access a threat lineage graph from a detection's details page.

  1. Go to Threat Analysis Center > Detections.

    Alternatively, go to Threat Analysis Center > Cases and select the Detections tab.

  2. Find the detection you want and click anywhere in its row in the table.

    The detection details pane slides out on the right of the screen.

  3. Select the Lineage tab in the details pane.

    If you don't see a Lineage tab, this detection doesn't support the new feature.

    Detection details pane with Lineage tab.

  4. Click Open Lineage Graph.

    The Lineage tabbed page.

  5. If there's no graph available yet, click Generate.

    Note

    If a detection generates a case, a graph is generated automatically and is already available here. For information on cases, see Cases.

    Lineage page with "Generate" button.

A graph of the processes that triggered the detection and the processes that led up to them is shown.

Lineage graph.

The lineage graph remains available for 7 days. You can regenerate it any time during the period that Sophos XDR Data Lake keeps the data, which is typically 90 days.

Key to the threat lineage

The threat lineage graph uses the icons below to represent processes and activity.

Icon                | Process            | Description
Clear hexagon       | Process            | A process that led up to the detection
Red hexagon         | Impacted process   | Suspicious or potentially malicious process
Red lightning bolt  | Detection triggered | A process that triggered a detection
Red warning sign    | Key activity       | Pivotal actions that influence the progress or outcome of later events

To see this list of icons and the number of each process type in the graph, click the Legend icon in the upper right of the page.

Legend icon.

The graph can also show processes and activities that aren't in the direct lineage but were launched by a process in the lineage. These branch off the main graph, as shown here. To find out more about these, see Show more processes in the lineage.

Graph showing additional processes started by a process in the lineage.

See more details of a process

You can see more details as follows:

  • Hover over a process. This shows basic details and the command line.

    Process with hover-over details displayed.

  • Use the pivot options. Click the three dots icon next to the process. You can then select queries to run in Live Discover.

    Process with the pivot menu displayed.

  • Click a process. This opens the Info and Activities tabs below the graph.

    The Info tab shows process details and the command line. Click the three dots icon beside a detail to use the same pivot options available in the graph.

    If you have Sophos AI features, click the AI icon to generate an analysis of the command line.

    For details of the Activities tab, see See activities associated with a process.

    Info tab.

See activities associated with a process

You can see all the activities associated with a process. These activities include other, related processes that aren't in the lineage graph.

To see activities, do as follows:

  1. Click a process in the graph to open its details.
  2. Select the Activities tab.

    • If the lineage was generated automatically, and you're looking at an impacted process, the tab already shows activities.
    • If you generated the lineage manually, the tab is initially empty. You must load data as described in the next step.

    The "Activities" tab.

  3. Click Enrich on the right of the tab to load data.

    The first time you click Enrich, it shows the first three days of data, starting when the process started. Each time you click Enrich, another three days of data are added, and more activities are listed.

    A pop-up at the start of the Enrich timeline shows the date and time of the Initial Detection.

You can change the information shown as follows:

  • Expand a row to show the raw data.
  • Filter activities by the type, the action, and more.

You can also add processes from this list to the lineage graph. See Show more processes in the lineage.

Show more processes in the lineage

The Activities tab in process details shows additional, related processes that aren't in the direct threat lineage.

You can add these processes to the lineage graph to help investigate threats.

  1. Click a process and open its Activities tab.
  2. In the list of activities, look for a related process that you want to show.
  3. Click the Eye icon beside the process to show it. Click the icon again to hide the process.

    The Eye icon.

Export the lineage

To export the lineage data to a CSV file, click the Export icon.

Export icon.

If an error occurs during export, select one of the processes in the graph and attempt the export from there.

Search the lineage

To search the lineage, enter a term in the search bar in the upper left of the page.

The matching results are shown in the Info, Activities, and Matching Results tabs at the bottom of the page.