Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=TACDetections

Detections

Detections show you activity that you might need to investigate.

To see detections, go to Threat Analysis Center > Detections.

Detections identify activity on your devices that's unusual or suspicious but hasn't been blocked. They're different from events where we detect and block activity that we already know to be malicious.

We generate detections based on data that devices upload to the Sophos Data Lake.

We check that data against threat classification rules. When there’s a match, we show a detection.

This page tells you how to use detections to look for potential threats.

Note

Investigations can automatically group related detections together for more advanced analysis. See Investigations.

Set up detections

If you don't have detections yet, you need to allow your devices to upload data to the Sophos Data Lake, so that we can use it. Do this as follows.

  1. Go to Global Settings.

  2. Under Endpoint Protection or Server Protection, click Data Lake uploads. Turn on uploads.

    You need to turn on uploads for computers and servers separately.

We'll now start showing detections.

For more information on data uploads, see Data Lake uploads.

View detection details

To see detections, go to Threat Analysis Center > Detections.

We group detections according to the rule they matched and the date. The detection list shows the following:

  • Risk. Risk is on a scale of 1 (lowest) to 10 (highest). With the default settings, we only show detections with a score of 7 or more. Use the score to prioritize investigations.
  • Classification rule. The name of the rule that was matched.
  • Count. Number of times the classification rule has been matched on a certain day.
  • Device list. The device where the rule was last matched and the number of other devices with the same detection that day.
  • First seen and Last seen. The first and last detections based on the classification rule that day.
  • Description. What the rule identifies.
  • Mitre ATT&CK. The corresponding Mitre ATT&CK Tactic and Technique.

For full details of a detection, such as the device, users, and processes involved, click the arrow on the right.

Detections list

Look for potential threats

You can use detections to examine devices, processes, users, and events for signs of potential threats that other Sophos features haven’t blocked. For example:

  • Unusual commands that indicate attempts to inspect your systems and stay on them, avoid security, or steal credentials.
  • Sophos malware alerts,such as dynamic shellcode prevention events, that indicate an attacker might have penetrated a device.
  • Linux runtime detections, such as container escapes, that indicate an attacker is escalating privileges from container access to move across to the container host.

Most detections are linked to the MITRE ATT&CK framework, where you can find more information on the specific tactic and technique. See https://attack.mitre.org/

You can also search for signs of a suspected or known threat that Sophos has found elsewhere, or for out-of-date software or insecure browsers.

Use pivot queries, enrichments, and actions

You can find out more about detections by using pivot queries.

A pivot query lets you select a significant piece of data in a detection and use it as the basis for further investigation.

If you open the full details of a detection, you’ll see an ellipsis icon next to some items. Screenshot of ellipsis icon

Click the icon to see actions you can take. These depend on the type of data.

  • Queries. You can run a query based on the data selected. Live Discover queries look at data on your devices. Data Lake queries look at the data that devices upload to the Sophos Data Lake.
  • Enrichments. These open websites like VirusTotal to look up a potential threat you've found. They can also open SophosLabs Intelix reports if those are available. See Intelix reports.
  • Actions. These offer further detection or remediation. For example, you can scan a device, or start Sophos Live Response to access and investigate a device.

In the example shown, clicking the icon beside the IP address lets you run queries based on that IP address or look up third-party information about risks associated with it.

Detections pivot menu

Get help

Sophos Support can't help you to investigate detections.

If you purchase the Managed Detection and Response (MDR) service, our analysts monitor your environment for malicious activity and contact you or respond on your behalf 24/7. See Managed Detection and Response.

Note

If you believe your security has been breached and you need immediate help, contact our rapid-response team. This is a paid service. See Sophos Rapid Response.