
Generate detections (NDR)

You can generate test detections to check that Sophos NDR is correctly set up and working.

The test isn't malicious. It triggers a detection by simulating an event with features typical of an attack. The event is a client downloading a file from a server with suspicious domain and certificate details.

You can run the test from Appliance Manager.


Make sure Appliance Manager can access our test server. Configure your firewall to allow TCP traffic to this domain and IP address:

  • Domain:
  • IP address:
  • Port: 2222

Make sure you've included your network traffic in the current port mirroring setup. For help, see the NDR setup pages in Sophos integrations.
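The firewall requirement above can be checked before you run the test. The following is an added example, not Sophos code: it confirms that the test domain resolves, that it resolves to the documented IP address, and that TCP port 2222 is reachable. The domain and IP address are placeholders that you replace with the values from the requirements list, and the script assumes it runs on a host subject to the same outbound firewall rules as the appliance.

```python
import socket

# Placeholders: substitute the domain and IP address from the requirements list.
TEST_DOMAIN = "ndr-test.example.invalid"   # placeholder, not the real test domain
TEST_IP = "192.0.2.10"                     # placeholder (documentation address range)
TEST_PORT = 2222                           # port given in the requirements list


def check_tcp(host, port, timeout=5.0):
    """Try one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"   # no reply at all: typical of a firewall dropping packets
    except ConnectionRefusedError:
        return "refused"    # reset received: nothing listening, or a rejecting firewall
    except OSError as exc:
        return f"error: {exc}"


def resolve(domain):
    """Return the set of IPv4 addresses the name resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def preflight(domain, ip, port, timeout=5.0):
    """Check DNS, agreement between DNS and the documented IP, and TCP reachability."""
    addrs = resolve(domain)
    return {
        "dns_resolves": bool(addrs),
        "dns_matches_ip": ip in addrs,
        "tcp_by_ip": check_tcp(ip, port, timeout),
        "tcp_by_domain": check_tcp(domain, port, timeout) if addrs else "skipped",
    }


if __name__ == "__main__":
    for key, value in preflight(TEST_DOMAIN, TEST_IP, TEST_PORT).items():
        print(f"{key}: {value}")
```

A `filtered` result points to a firewall rule that still drops the traffic. If `dns_matches_ip` is false, a rule written for the IP address alone may not cover the address the domain actually resolves to.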

Generate a detection


You must access Appliance Manager from a device on the same network as Sophos NDR.

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.
  2. Go to the Integration Appliances tab.

    Integration appliances list.

  3. Find the appliance. In the rightmost column, click the three dots and select Open Appliance Manager.

    Actions menu showing "Open Appliance Manager".

  4. In the confirmation dialog, click Open.

    Confirmation dialog for opening Appliance Manager.

  5. On the sign-in screen, enter the username zadmin and your password.

    Appliance Manager sign-in screen.

  6. In Appliance Manager, select Generate Detections.

  7. On the Generate NDR Detections page, click Generate Detections.

    Generate NDR Detections page.

  8. When you see a message confirming that a detection is being generated, click OK and wait for ten minutes.

  9. Go back to Sophos Central.
  10. Go to Threat Analysis Center > Detections.

  11. On the Detections page, you should see a recent high-risk detection named NDR-DET-TEST-IDS-SCORE in the list.

    Detections page.

  12. Click NDR-DET-TEST-IDS-SCORE to open its details.

    The Description shows a source and destination IP communicating over TCP and TLS on port 2222. It also shows IDS (Intrusion Detection System) as the main contributor to the detection. IDS is a list of blocked certificates.

    Detections details.

  13. Click the Raw Data tab. The flow_risk section shows the following details:

    • Known protocol on a non-standard port
    • Self-signed certificate
    • Uncommon Application-Layer Protocol Negotiation (ALPN)
    • Blocklisted certificate
    • High probability that the server domain is generated by algorithm (DGA)
    • Indications of a threat belonging to the Friendly Chameleon family

    Detection raw data.

For information about generating an NDR detection from the command-line interface, see Generate NDR detections from the command-line interface.