This feature is only available for admins or super admins. These admins also need both computer and server access.
This feature is for customers with licenses that include Intercept X Advanced or XDR. MDR customers won't see it.
When we detect an attack in progress, we show a banner in Sophos Central. It's only available if we're warning you about a serious attack.
You can't dismiss the banner until you respond. For ways to resolve an attack, see Take action.
We also list the warning on the Alerts page and send you an email alert (if you're registered for Sophos email alerts).
You can take action in the following ways:
- View the Attack details report so you can analyze the attack and decide what to do. See View attack details.
- Contact your Sophos Partner. Your partner can help to resolve the issue.
- Contact Sophos Incident Response. Contact us and let us take action for you. This is a paid service.
View attack details
To view the attack details, click View attack details in our warning banner or go to Logs & Reports > Attack Details.
The report shows the number of affected devices and a timeline of events. You can change the time range and the chart type.
The table lists events and threats that indicate attempts to compromise your systems. The list includes all recent events, so some may be unrelated to the attack we warned about.
We keep adding events to the report for up to 30 days. After that, it closes automatically.
If you resolve the attack and dismiss our banner, we stop adding new events.
Dismiss the banner
To dismiss the warning banner, confirm that you've resolved the attack, as follows:
1. In the warning banner, click I have resolved this attack in the upper right.
2. In Tell us what you did, in the Select an option drop-down, select the action you took. Then enter your comments.
Dismissing the banner doesn't dismiss the critical alert shown on the main Alerts page. To dismiss that critical alert, see Alerts.