Skip to content

Cases, Threat Hunts, and Other Important Terms

Our main objective is to identify and investigate potentially malicious activity in your environment. We do this via two methods: 1) Investigation of MDR detections, and 2) analyst-led threat hunts.

If the MDR Ops team concludes that a detection or activity requires further evaluation, a case is created, and our operators conduct a full investigation (more on this process below).


Only cases that require customer input or action will be escalated via email or over the phone.

Here are definitions for some of these terms:

  • Detections: Technology-generated indicators of activity that are weighted and classified based on their threat potential. In many cases, these data points are purely informational and do not result in the creation of a case on their own. Detections often include items such as command executions, open network sockets, authentication events, and running applications.
  • Threats: Confirmed indicators of attack (IoA) or compromise (IoC) observed within a customer network
  • Cases: Whether detection-driven or manually created, cases are investigated to determine if a detection is a true threat and malicious activity is occurring
  • Escalations: Cases that require customer input or action that cannot be performed by MDR Ops alone
  • Incidents: Confirmed malicious activities that require immediate response

Case Severity Classification Matrix

Severity Definition
Critical A confirmed compromise or unauthorized access of system(s) that poses an imminent threat to Customer/MSP assets, which includes interactive attackers, data encryption or destruction, and exfiltration.
High Detections indicating a targeted attack with the potential to cause a confirmed compromise or unauthorized access of system(s) that will pose an eminent threat to Customer/MSP assets.
Medium Detections that might not be deemed malicious by themselves and are not known to be targeted.
Low Detections that did not indicate poor health, malicious activity, or confirmed compromise or unauthorized access of system(s).
Informational A special severity for the Initial Health Checks.

The Investigative Framework

When we say “analyst investigation,” what do we mean specifically?

Our Investigative Framework provides structure to guide analysts while investigating cases. The framework enables our MDR Ops team to construct an attack narrative which aids them in concluding whether malicious activity is present within a customer environment (provided data coverage and data quality are at their maximum). The process follows the iterative nature of the OODA Loop (Observe, Orient, Decide, Act).

Investigation Framework.

  1. In the Observe phase, analysts select key points of data that help establish a logical narrative of activity where each chosen data point has the potential to indicate malicious activity.
  2. During the Orient phase, analysts validate their observations by applying the data points to the MITRE ATT&CK Matrix, the Cyber Kill Chain, and leverage their own tribal knowledge. If enough observables are validated into indicators, the activity will create an attack narrative.
  3. During the Decide phase, the analyst will iterate through the data points and decide if he or she believes the activity to be malicious.
  4. During the Act phase, the analyst will take the necessary actions based upon the conclusion of the investigation. If the analyst did not accrue enough information to adequately answer the questions in the Decide phase, then a new OODA Loop is initiated with the previously gathered indicators serving as the new basis for the investigation.

Threat Hunting

Threat hunting is one of those terms in security that gets used a lot but many don’t understand what it really means (and at this point are too afraid to ask). So, let’s start with a definition.

  • Threat Hunting

    A human-led investigation of causal and adjacent events (weak signals) to discover new Indicators of Attack (IoA) and Indicators of Compromise (IoC) that cannot be detected or stopped by existing tools.

To put it another way, a threat hunt is when an analyst manually investigates activity for which tools don’t issue an alert and only a human can find. And while threat hunting is often described in absolute terms, there are different ways to threat hunt.

Automated threat hunting uses automation and/or machine learning to identify potentially malicious activity that may require further investigation by human analysts. While this is what many service providers are referencing when they say they do “managed threat hunting,” this is what is programmatically handled by the Sophos MDR platform.

Sophos threat hunting involves manual (human-led) identification and investigation of events and activities (leads) that may not generate an alert but could be indicative of new attacker behavior.

We also combine threat intelligence, data science, and knowledge of attacker behavior with what’s known about the customer’s environment (e.g. company profile, high-value assets, high risk users, etc.) to anticipate new attacker behaviors and validate detection and response capabilities.

Keep in mind that threat hunting requires a great deal of critical and creative thinking. People tend to think about it (or cybersecurity in general) as a purely analytical discipline. But the reality is that security operations is equal parts art and science.