MDR weekly and monthly reports
Understand your weekly and monthly sub-estate reports on MDR activity.
Sub-Estates Summary
The Sub-Estates Summary section provides information on the total number of sub-estates, the response modes in use, the sub-estates that are using integrations, and the account health score.
Response Modes
Response Modes shows the number of sub-estates for each response mode.
Sub-Estate Count Using Integrations
Sub-Estate Count Using Integrations shows the number of sub-estates with enabled integrations that are actively sending data. If the integration isn't enabled, the sub-estate isn't counted in this section.
Account Health Score
Your Account Health Score shows the number of sub-estates with their overall health score in a specific score range. It reflects whether your devices or policies are using recommended, secure settings. It also reflects the lowest score out of all your different types of health checks.
The Sophos Account Health Check recommendations can include settings such as enabling anti-exploitation features to protect against credential theft or privilege escalation, or enabling malicious traffic detection to hinder communication with command and control servers. Account Health Checks serve to proactively improve your security posture and remedy weaknesses that can adversely affect your security capabilities.
Detections
Indicates the percentage change in detections. Detections are technology-generated indicators of activity that are weighted and classified based on their threat potential. In many cases, these data points are purely informational and don't result in the creation of a case on their own. Detections often include items such as command executions, open network sockets, authentication events, and running applications.
Cases
Indicates the percentage change in cases. Whether detection-driven or manually created, cases are investigated to determine if a detection is a true threat and malicious activity is occurring.
Escalations
Indicates the percentage change in cases that require sub-estate input or action that can't be performed by MDR Ops alone.
Active Threats
Indicates the percentage change in active threats. Active threats are confirmed indicators of attack (IoA) or compromise (IoC) observed within a sub-estate's network.
Top Sub-estate by Threat-Related Detections
The MDR Ops team is constantly improving our detection capabilities, which could naturally cause fluctuations in the volume of detections seen in the report. These adjustments could be for tuning out detections that have provided limited value in identifying threats or adding to our scope and visibility to identify new and emergent threats.
This section provides insight into the top sub-estate detection volume observed throughout the course of a month or a week. This helps the MDR Ops team identify inflection points in potential adversary activity.
Detection Classification Summary
MDR detections are classified into high-level categories to aid in understanding the overall types of detections observed in your network. Examples include common attack tools, PowerShell execution, and persistence. Not all detections indicate suspicious or malicious activity. Some may be associated with benign data that was collected.
MITRE ATT&CK Framework
MDR detections are mapped to specific techniques in the MITRE ATT&CK framework, a widely used knowledge base of adversary behaviors based on real-world observations. You'll see the breakdown of detections, by percentage, in this section of the weekly or monthly report.
Not all detections represent malicious activity, and benign behaviors may align with known adversarial tactics and techniques. Additionally, the total number of MDR cases may not match the total number of adversarial tactics observed. This can happen for two main reasons:
- A single MDR case may involve multiple adversarial tactics, making the total number of tactics greater than the number of cases.
- Some MDR cases, such as health check cases, may not involve any adversarial tactics, resulting in more cases than tactics observed.
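The following is an added illustration, not code from the Sophos report or product, of how the ATT&CK percentage breakdown is derived from detection records and why the case count and the tactic count can differ. It assumes a simplified, constructed record format (one detection per row with an optional case ID and an optional mapped tactic); the real report data model is not described on this page.

```python
from collections import Counter

# Constructed sample detections. Each row names the MDR case it belongs to
# (None if it stayed purely informational and created no case) and the MITRE
# ATT&CK tactic it was mapped to (None for items such as health check findings).
DETECTIONS = [
    {"id": "d1", "case": "case-1", "tactic": "Execution"},
    {"id": "d2", "case": "case-1", "tactic": "Persistence"},
    {"id": "d3", "case": "case-1", "tactic": "Execution"},
    {"id": "d4", "case": "case-2", "tactic": "Credential Access"},
    {"id": "d5", "case": "case-2", "tactic": "Lateral Movement"},
    {"id": "d6", "case": "case-3", "tactic": None},       # health check case, no tactic
    {"id": "d7", "case": None, "tactic": "Discovery"},    # informational, no case opened
]


def tactic_breakdown(detections):
    """Percentage of tactic-mapped detections per ATT&CK tactic (one decimal place).

    Detections with no mapped tactic are excluded from the denominator, so the
    percentages describe only the adversary-behaviour view of the data.
    """
    mapped = [d["tactic"] for d in detections if d["tactic"]]
    counts = Counter(mapped)
    total = len(mapped)
    return {tactic: round(100 * n / total, 1) for tactic, n in counts.items()}


def cases_vs_tactics(detections):
    """Compare the number of cases with the number of distinct tactics observed per case.

    A case contributes one tactic per distinct ATT&CK tactic among its detections,
    so a multi-tactic case pushes the tactic total above the case total, while a
    case with no mapped tactic (e.g. a health check case) pushes it below.
    """
    per_case = {}
    for d in detections:
        if d["case"] is None:
            continue  # no case was opened for this detection
        tactics = per_case.setdefault(d["case"], set())
        if d["tactic"]:
            tactics.add(d["tactic"])
    return {
        "cases": len(per_case),
        "tactics": sum(len(t) for t in per_case.values()),
        "multi_tactic_cases": [c for c, t in per_case.items() if len(t) > 1],
        "no_tactic_cases": [c for c, t in per_case.items() if not t],
    }


if __name__ == "__main__":
    print(tactic_breakdown(DETECTIONS))
    print(cases_vs_tactics(DETECTIONS))
```

In the constructed sample, three cases yield four tactic observations: case-1 and case-2 each span two tactics, and case-3 contributes none, which is exactly the pair of effects the two bullet points above describe.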
Sub-Estates Status
The Sub-Estates Status section provides a statistical summary of weekly or monthly MDR activity reports for each sub-estate.