Threat Case required action - inconsistent documentation

I am trying to determine what Sophos' take is on Threat Cases. There are some inconsistencies in the definition, which could leave an analyst confused as to whether action is required on the part of threat cases.

From my understanding, unless I have Intercept X Advanced with EDR licensing, I cannot elevate an alert to a threat case. However, I do notice several instances in which threat cases do not have an alert that preceded them. With that and definition one (1) in mind, why do we not get alerts e-mailed to us for new threat cases?
------- Definition 1 -------

From the Sophos Central Admin Help:

“Threat cases let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it has affected. This helps you improve security.

If you have an Intercept X Advanced with EDR or Intercept X Advanced with EDR for Server license, you can also do the following:

  • Isolate affected devices.
  • Search for more examples of the threat on your network.
  • Clean up and block the threat.

We create a threat case for you whenever we detect malware that you need to investigate further.”

Source: hxxps://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ThreatAnalysis.html

------- Definition 2 -------

From the Threat Cases overview knowledge base article (29 May 2019):

"The Threat Cases view contains a list of infection types that occurred in the past 90 days. The information provided in this view does not necessarily require an action, but helps you to investigate the chain of events surrounding a malware infection and pinpoint areas where you can improve your security."

Source: hxxps://community.sophos.com/kb/en-us/125011
Thanks
