Skip to content

Intercept X with XDR

Sophos Extended Detection and Response (XDR) lets you investigate detected threats (threat graphs) and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely.

You can find most XDR features in Overview > Threat Analysis Center.

These features are available if you have an Intercept X license that includes Sophos XDR.

Threat graphs

Threat graphs let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it has affected.

For help, see Threat Graphs.

Live Discover

Live Discover lets you check activity on devices. You can run queries about the software installed, processes running, registry changes, and more. This helps you detect security weaknesses or malicious activity.

You can run queries on devices or on our Data Lake, which stores device data in the cloud. The Data Lake lets you query devices even when they’re not connected, schedule your queries, and query data from multiple Sophos products.

You can send information to the Data Lake from the following products:

  • Sophos Endpoint Protection
  • Server Protection
  • Sophos Email
  • Sophos Firewall
  • Sophos Cloud Optix

For help with creating and running queries, see Live Discover.

Live Response

Live Response lets you connect directly to an individual device to investigate and fix possible security issues.

For help, see Set up and start Live Response.


Detections identify activity that’s unusual or suspicious and might need investigation. They're based on data that devices upload to the Sophos Data Lake.

You can use these detections to examine devices, processes, users, and events for signs of potential threats that other Sophos features haven’t blocked.

You can also use them as the starting-point of searches for security weaknesses or threats already seen elsewhere.

For more information, see Detections.

Threat Searches and Threat Indicators

We've now withdrawn the older Threat Searches and Threat Indicators features.

You can still search for threats and indicators of compromise by using Live Discover queries. See Intercept X Advanced with XDR updates.

Our new Detections feature also helps you identify suspicious activity which might need investigation. See Detections.

Back to top