
Understanding Your Monthly Report

Overview

Your Sophos MDR Protection Rating is an aggregate measure of the security posture improvement recommendations that have been implemented in your environment versus those that have not.

The Sophos Account Health Check recommendations can include things like enabling anti-exploitation features to protect against credential theft or privilege escalation, or enabling malicious traffic detection to hinder communication with command and control servers. Account Health Checks serve to proactively improve your security posture and remedy weaknesses that can adversely affect your security capabilities.

Your Overall Protection Rating will be one of the following:

  • Green means Optimal (you are in full compliance with recommended best practices)
  • Yellow means Degraded (some of your configurations increase risk, but they will not affect the efficacy of the MDR service)
  • Red means Needs Attention (you have several high-risk configurations that prevent the MDR service from functioning at an optimal level)

Total Licenses Deployed provides license usage information with a link that will take you to your Licensing page in Central.

Event Pipeline provides a visualization of the overall landscape of your data flowing through Sophos and of how the MDR service managed and processed that data.

[Figure: Protection Rating]

Cases

The monthly report includes three months (90 days) of case metrics for the trend lines, which help you visualize the types of cases and the detection sources they came from over time.

[Figure: Cases]

There is also a breakdown of the Cases by Status metric for the current month.

[Figure: Monthly Cases by Status]

The Case Activity section lists currently open cases and recently resolved cases with their case number, case type, a short description and summary, and the case status.

[Figure: Case status]

Total Detections

The MDR Ops team is constantly improving our detection capabilities, which can naturally cause fluctuations in the volume of detections seen in the report. These adjustments may tune out detections that have provided limited value in identifying threats, or add to our scope and visibility in order to identify new and emerging threats.

Is the total number of threat detections in your environment increasing, decreasing, or staying the same? This section provides insight into the total detection volume observed over the course of a month and helps the MDR Ops team identify inflection points in potential adversary activity.

Total Detections are broken down by month and by severity. The report includes three months of data for month-to-month comparisons.

[Figure: Monthly Total Detections]

Detection Classification Summary

MDR detections are classified into high-level categories to aid in understanding the overall types of detections observed in your network. Examples include common attack tools, PowerShell execution, and persistence. As with all detections, these are not inherently indicative of suspicious or malicious activity and may relate to benign data that was collected.

[Figure: Detection Classification Summary]

MITRE ATT&CK Framework

MDR detections are mapped to specific techniques in the MITRE ATT&CK framework, a widely used knowledge base of adversary behaviors based on real-world observations. You will see the breakdown of detections, by percentage, in this section of the monthly report.

As with all detections, these are not necessarily malicious, and benign behavior may align with adversarial tactics and techniques. It is also important to note that the total number of MDR Cases may not equal the total number of adversarial tactics observed. Multiple adversarial tactics can be observed in one MDR Case, so the number of tactics can exceed the total number of MDR Cases. Conversely, MDR Cases may be created that are not associated with any adversarial tactic (health check cases, for example), so the total number of MDR Cases can exceed the total number of adversarial tactics.

[Figure: MITRE ATT&CK Framework]
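The following added example (not Sophos code, and not how the report itself is generated) works through the counting point made above on a small set of constructed cases. It assumes each case record carries the list of ATT&CK tactics observed in it, that a tactic is counted once per case in which it appears, and that the percentage breakdown is relative to all tactic observations rather than to cases. Case IDs, types and tactic lists are illustrative placeholders.

```python
from collections import Counter

# Constructed sample data (not from a real report). Each MDR case carries the
# ATT&CK tactics observed in it; health check cases carry none.
THREAT_CASES = [
    {"id": "CASE-0001", "type": "threat", "tactics": ["Initial Access", "Execution", "Persistence"]},
    {"id": "CASE-0002", "type": "threat", "tactics": ["Execution"]},
]
HEALTH_CHECK_CASES = [
    {"id": "CASE-0003", "type": "health_check", "tactics": []},
    {"id": "CASE-0004", "type": "health_check", "tactics": []},
    {"id": "CASE-0005", "type": "health_check", "tactics": []},
]
ALL_CASES = THREAT_CASES + HEALTH_CHECK_CASES


def tactic_breakdown(cases):
    """Return (counts, total, percentages) for tactics observed across cases.

    Assumption: a tactic is counted once per case it appears in, and each
    percentage is relative to the total number of tactic observations.
    """
    counts = Counter(tactic for case in cases for tactic in case["tactics"])
    total = sum(counts.values())
    percentages = (
        {t: round(100.0 * n / total, 1) for t, n in counts.items()} if total else {}
    )
    return counts, total, percentages


def count_summary(cases):
    """Return (number of cases, number of tactic observations)."""
    return len(cases), tactic_breakdown(cases)[1]


def explain_difference(cases):
    """State, in the report's terms, why the case and tactic totals differ."""
    n_cases, n_tactics = count_summary(cases)
    multi = sum(1 for c in cases if len(c["tactics"]) > 1)
    none = sum(1 for c in cases if not c["tactics"])
    if n_tactics > n_cases:
        return (f"{multi} case(s) with several tactics push tactics "
                f"({n_tactics}) above cases ({n_cases})")
    if n_cases > n_tactics:
        return (f"{none} case(s) with no tactics (e.g. health checks) push cases "
                f"({n_cases}) above tactics ({n_tactics})")
    return f"cases ({n_cases}) and tactics ({n_tactics}) happen to match"


if __name__ == "__main__":
    for label, cases in (("threat cases only", THREAT_CASES), ("all cases", ALL_CASES)):
        counts, total, pct = tactic_breakdown(cases)
        print(f"{label}: {count_summary(cases)} -> {explain_difference(cases)}")
        for tactic, p in sorted(pct.items(), key=lambda kv: -kv[1]):
            print(f"  {tactic:<16} {counts[tactic]} ({p}%)")
```

Run with the threat cases alone, two cases yield four tactic observations (tactics exceed cases); add the three health check cases and five cases still yield only four tactic observations (cases exceed tactics). The percentage breakdown is unchanged between the two runs, which is why the report's tactic percentages should be read against tactic observations, not against the case count.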

Detections by Integrations

MDR integrations put the most crucial data at MDR operators' fingertips, ensuring attackers have fewer places to hide. The Detections by Integrations section indicates which integrations generated a detection.

[Figure: Detections by Integrations]

Additional Sophos MDR Efforts lists the most recent response actions taken and communications with your account contact(s).

[Figure: Recent response actions]

[Figure: Recent communications]