Review Threat Cases

The Threat Cases view contains a list of infection types that occurred in the past 90 days. The information provided in this view does not necessarily require an action, but helps you to investigate the chain of events surrounding a malware infection and pinpoint areas where you can improve your security.

The purpose of a threat case is to help admins understand what happened on the affected computer before the detection occurred. Using this information can help you understand ongoing infections, as well as how to further improve your security against similar attacks in the future.

Threat Hunting

Behind every cyberthreat is a cybercriminal, and today’s advanced attacks often combine the latest technology with hands-on live hacking. Protecting against these human-led attacks requires human-led threat hunting.

1. Review the links below for practical information on Threat Detection and Response practices and specific resources to be an effective threat hunter using Sophos XDR

• CYBERSECURITY: THE HUMAN CHALLENGE - Findings from an independent survey of 5,000 IT managers across 26 countries
• A real-world guide to Threat Detection and Response
• Sophos Threat Hunting Academy
• Getting Started In Live Discover - From Beginner to Advanced Query Creation
• "MTR" tagged articles on the Sophos Blog, expert insight from our Managed Threat Response team
• "Sophos Endpoint Detection & Response (XDR)" on Sophos Techvids

Check machines showing as unprotected in Computers and Servers reports

This identifies machines which have not had a successful installation of the agent and are therefore unprotected. Unprotected machines are an easy entry point for attackers to pivot to other areas of your network.

1. From the "Overview", click “Logs & Reports”
2. Click “Computers” under “Reports" > "Endpoint Protection”
3. Change to the “Not protected” tab
4. Attempt to reinstall the Sophos Central agent on the identified machines, check the documentation link below for detail on troubleshooting the installer logs
5. Once remediated go to the "Status" page for the endpoint or server
6. Scroll down to the "Alerts" section
7. Mark as Acknowledged / Resolved any outstanding alerts for the services status of the machine(s)
8. Repeat steps 1 to 7 for “Servers” under “Reports”

• Sophos Central Endpoint: Details on the thin installer logs

Check high severity alerts

High severity (Red) alerts are the highest priority warnings in Sophos Central. These typically indicate the need for admin intervention and should be addressed as soon as possible to ensure good security posture. This can include detections that will require manual intervention or further investigation, API tokens expiring, and, real-time protection being disabled on an endpoint.

High events will remain in the list until they are remediated or acknowledged by an administrator. By checking these daily, you ensure no high severity incidents are overlooked.

1. From the "Overview", click "Alerts"
2. Click the "High Alerts" tab
3. Follow the instructions in the links below to triage High alerts

• High severity alerts for Threat Protection
• High severity alerts for Installation, Updating and Compliance
• Sophos Central Admin: Alerts page and settings FAQ

If you believe the detection to be a false positive, we recommend carrying out an investigation using the detected Threat Case (see Threat Case section). Legitimate applications can be made to carry out malicious tasks, especially scripting or command interfaces like PowerShell. If you have carried out an investigation and are comfortable that the detection is a false positive, we recommend following these steps:

1. Create the appropriate exclusion for the file or behavior detection to mitigate the detection and cause no further impact to the end user
2. Contact Sophos Support via a support case to make them aware of the false positive and share the details of the detection with Sophos Labs - this will help the Labs team refine the detection capabilities and reduce future unwanted detections

• Best Practices when opening a case with Sophos Support
• Deal with false positives
• How to investigate and resolve a potential false positive or incorrect detection
• How to investigate Exploit Detections

Check machines with a bad / red health state

Similar to High Severity alerts, machines in a bad/red health state indicate action needs to be taken by an admin. Machines will have a bad / red health state for one of the following reasons:

• Active malware is detected
• Running malware is detected
• Malicious network traffic is detected. This traffic might lead to a command-and-control server involved in a botnet or other malware attack
• Communications sent to a known bad host is detected
• Malware was not removed
• Sophos security software is not working correctly
• Check alerts related to malware / PUA cleanup

(See steps below to create the custom query for its first execution)

1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
2. Expand the Query selection area and search for your custom query name
3. Check the devices you want to query and click "Update selected devices list"
4. Select the query and click "Run query"
5. Follow the instructions in the links below to triage the machine

You can also view the overall health status from the machine list:

1. From the "Overview", click “Devices” (the default view Is Computers)
2. Change the “All Health Status” filter to “Computers with a bad status”
3. Click on the machine name then click on the “Status” tab to see the detailed reasons for the bad health state and follow the Instructions in the links below to triage the machine - the Sophos Endpoint Self Help tool, available on each device, can run rules to identify problems with the device
4. Once triaged, clear any outstanding alerts for the device
5. Repeat for Servers by clicking "Dashboard", "Devices", Change to the "Servers" tab, change the “All Health Status” filter to “Servers with a bad status”

• Sophos Endpoint Self Help: Known Issues tab
• Sophos Endpoint: How to remediate a Red health status
• macOS 10.15+ Security Permissions Required

Follow these steps to prepare the query for its first execution:

1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
2. Check the devices you want to query and click "Update selected devices list"
3. Expand the Query selection area and click "Create new query"
4. Enter a name and category for the query and select the operating systems (Windows & Windows Server)
5. In the "SQL" section paste the query from the URL below
6. Click "Save" and "Run query" then follow steps 5-9 from above to triage the results

• Sophos Community post - Add context to the Sophos Endpoint Health Status report with XDR

Check alerts related to malware / PUA cleanup

You should investigate cleanup failures because they can indicate more serious issues. For example, many threats have multiple components, if one is active and undetected, it can lock other items. This prevents them from being removed if they're detected causing a cleanup failure on the other component.

1. From the "Overview", click "Alerts"
2. Change the "All categories" filter to "Malware"
3. Check for any new Threat Cases for the device as this could indicate the clean up failure is a symptom of a wider problem
4. Follow the instructions in the links below to triage any alerts with the following descriptions
   1. "Manual malware cleanup required"
   2. "Manual PUA cleanup required"
   3. "Malware not cleaned up"
   4. "Computer scan required to complete cleanup"

• "How to deal with threats" (Windows Operating Systems)
• Sophos Anti-Virus for Mac: How to remove malware
• Resolve PUA alerts
• Sophos Central Dashboard: How to Clear Alerts Section reports one or more 'Malware not cleaned up' alerts

Check machines have all appropriate modules deployed

This is especially important if you have recently upgraded your license to include Intercept X or Managed Threat Response functionality. Machines (servers and endpoints) not assigned the desired modules will not have the appropriate functionality and additional layers of security for which you are licensed.

1. From the "Overview", click “Devices”
2. Change the "All Products" filter to "Computers without all protection"
3. Click the "+" button to deploy all protection capabilities to individual machines or select multiple machines and click the "Manage Endpoint Software" to modify the installed Protection capabilities
4. Repeat steps 2 and 3 for Device Encryption by changing the "All Products" filter to "Computers without Device Encryption"
5. Repeat steps 2 and 3 for Servers by clicking on the "Servers" tab and changing the "All products" filter to "Servers without all protection"

• Sophos Central Admin: How to assign and unassign software to Devices

If many endpoints are regularly missing desired components, consider updating the installation script to be sure that the correct components are configured. Details are in the links below.

• Installer command-line options for Windows
• Installer command-line options for Mac

Check global Tamper Protection status Is set to enabled

Keeping Tamper Protection enabled across your entire estate is vital to ensure an unauthorized administrator or adversary cannot perform any of the following actions on a device:

• Change settings for on-access scanning, suspicious behavior detection (HIPS), web protection, or Sophos Live Protection
• Uninstall the Sophos agent software

1. From the "Overview" click "Global Settings"
2. Click “Tamper Protection” under “General"
3. Ensure "Tamper Protection" is enabled

Customers using the Sophos Central Enterprise Dashboard should check the Global Tamper Protection status in all subestates.

• Sophos Endpoint: Tamper Protection Frequently Asked Questions

Check audit logs for any of the following:

• Changes to Policy or Global Settings, confirm if changes are desired or should be reverted
• Unexpected logins from Sophos Central administrators, Audit Logs also include the IP address of the connection

Review and examination of administrator activities is essential to assessing the adequacy of system controls, to ensure compliance with established policies and operational procedures.

1. From the "Overview", click “Logs & Reports”
2. Click “Audit Logs” under “Logs" > "General Logs”
3. Click "Export" then "CSV of current view" to export the default view of 7 days of audit logs
4. Open the CSV file in a spreadsheet application and filter "Item Type" to include the following types
   1. Policies
   2. Global Settings
   3. Global exclusions
5. Review each of the Policy, Global Settings and Global Exclusions changes to ensure they are wanted in the environment and revert any changes if unwanted

If many unwanted changes are being made, consider changing the role of the administrator(s) responsible to limit unauthorized policy or global changes. Details are in the documentation site below.

• Administration Roles

Check medium severity alerts

Medium severity events are reported where actions are required, such as for computers out of compliance with policy, or that require a reboot. Malware detections that can automatically be remediated are also reported as medium, but they will only be displayed until they have been cleaned up.

1. From the "Overview", click "Alerts"
2. Click the "Medium Alerts" tab
3. Follow the instructions in the links below to triage Medium alerts

• Medium severity alerts for Threat Protection
• Medium severity alerts for Installation, Updating and Compliance
• Sophos Central Admin: Alerts page and settings FAQ

Check machines with medium / orange health state

Machines will have a medium / orange health state for one of the following reasons:

• Inactive malware is detected
• A Potentially Unwanted Application is detected

1. From the "Overview", click “Devices” (the default view Is Computers)
2. Change the “All Health Status” filter to “Computers with a medium or bad status”
3. Click on the machine name then click on the “Status” tab to see the detailed reasons for the bad health state and follow the Instructions in the link below to triage the machine
4. Clear any outstanding alerts for the device
5. Repeat for Servers by clicking "Dashboard", "Devices", Change to the "Servers" tab, change the “All Health Status” filter to “Servers with a medium or bad status”

• How to deal with threats

Identify unprotected machines in the environment

You can’t secure what you can’t see. It is imperative to identify and manage all assets that have the potential to access corporate information. Unprotected machines increase your overall attack surface and are a typical entry point for attackers.

If synchronizing Active Directory with Sophos Central

Sophos Central Active Directory synchronization can import machine objects from your AD and consolidate machines which are present in the AD but not protected by Sophos Central, follow the process below to see a list of these machines. You might need to update your AD sync settings to include machine objects.

1. From the "Overview", click "Devices"
2. Click the "Unmanaged devices" tab
3. You will see a list of computer objects from AD which are not protected
4. You can export a list of the machines for ingestion into a script or 3rd party software deployment application by clicking the "Export to CSV" link at the top right of the list

• Set up synchronization with Active Directory

If using a Sophos Firewall managed in Sophos Central with Cloud Reporting Enabled

The Sophos Firewall can upload connection data to the Sophos XDR data lake and a Live Discover query can extract data for devices which are not managed in Sophos Central.

1. From the "Overview" click "Threat Analysis Center"
2. Then click "Live Discover" and search for a Data Lake query called "Firewall: Devices without Sophos Endpoint installed"
3. Click the "Run Query" button to generate the report from the Sophos Data Lake
4. The results will display the MAC address and IP address of any devices which have been seen to send traffic through the Firewall, but are not known to be protected by Sophos Central
5. You can export the results by clicking on the "Export" link at the top right of the results section

• Turn on firewall reporting

If using neither of the technologies above

You can export a list of computers and servers to compare to your 3rd party asset management system.

1. From the "Overview", click "Devices"
2. On the "Computers" tab, click the "Export to CSV" link at the top right of the list
3. Repeat step 2 for Servers by clicking on the "Servers" tab

Check the Controlled Updates status for new endpoint or server agent updates

Checking that updates are not paused or controlled when not required ensures your endpoints and servers are receiving the latest feature updates as they are released by Sophos automatically.

1. From the "Overview", click “Global Settings”
2. Click “Controlled Updates” under “Endpoint Protection"
   1. If updates have been paused for 90 days
      1. Ensure the pause is still required, and if not, click "Resume Automatic Updating" (see note below about 90 day limit)
   2. If updates have been paused to a specific date
      1. The "Pause" and "Restart" dates can be edited (see note below about 90 day limit)
      2. If the pause is no longer required click "Resume Automatic Updating" (see note below about 90 day limit)
   3. If updates are being controlled manually
      1. Ensure test computers are defined, use the "Manage Computers" link to add or remove machines
      2. When ready you can click "Update test computers to newest version" to update specified test machines to the latest version
      3. When ready you can click "Update to match test computers" for non-test computers to update all remaining machines to the same version as test machines
3. Repeat for Servers by clicking “Global Settings” then “Controlled Updates” under “Server Protection"

Full details of the Controlled Updates options are in the documentation site below.

• Controlled updates

NOTE: Paused versions expire after 90 days and will be automatically upgraded if no action is taken.

Check Directory service sync status

Checking the status of your Active Directory synchronization to Sophos Central ensures you have a clean list of users and groups without stale/deleted accounts filling up your console and with newly created users populated automatically. This makes setting up user/group-based policies more efficient, as only relevant data is available for assignment.

1. From the "Overview", click “Global Settings”
2. Click “Directory service” under “Administration"
3. Ensure the AD sync completed successfully according to the schedule
4. If the synchronization has not occurred as expected review the links below for troubleshooting information

• Active Directory Sync Status
• Azure AD Sync Status
• Sophos Central: How to troubleshoot connections to Microsoft Azure
• Sophos Central Admin: AD Sync Utility FAQs

Check low severity alerts

1. From the "Overview", click "Alerts"
2. Click the "Low Alerts" tab
3. Review the details of the alert and take any action required
4. Click "Mark As Acknowledged" to clear the alert from the Sophos Central Dashboard

Check Windows machines with a pending reboot, a long uptime or a long time since the last installation of a Microsoft update

Outside of the obvious benefits of regular reboots (e.g. flushing memory, halting memory leaks, installing security updates, etc.), there are instances in which the Sophos Endpoint Protection also requires a reboot to ensure the latest feature updates can be successfully applied.

(See steps below to create the custom query for its first execution)

1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
2. Expand the Query selection area and search for your custom query name
3. Check the devices you want to query and click "Update selected devices list"
4. Select the query and click "Run query"
5. From the query results area click "Export" (a CSV file will be downloaded)
6. Open the CSV file in a spreadsheet application and filter devices reporting results in "Reboot pending evidence" column
7. Then sort by "Uptime (decimal days)", descending.
8. Reboot the longest running machines first.
9. Then sort by "Latest MS patch install data", ascending and check for updates on the machines which have not had an update applied for the longest time.

Follow these steps to prepare the query for its first execution:

1. From the "Overview", click “Threat Analysis Center” Then "Live Discover"
2. Check the devices you want to query and click "Update selected devices list"
3. Expand the Query selection area and click "Create new query"
4. Enter a name and category for the query and select the operating systems (Windows & Windows Server)
5. In the "SQL" section paste the query from the URL below
6. Click "Save" and "Run query" then follow steps 5-9 from above to triage the results

• Sophos Community post - Compliance query to report on uptime, last date of a Windows OS patch installation and any pending restart requests

Review "What's new" change notes

Sophos regularly updates Sophos Central with improvements or new features. Reviewing the “What’s new” change notes is a great way to stay on top of UI changes and feature updates that will benefit administration and overall security.

1. From the "Overview", click “Help” Then "What's New?" or click the link below
2. Review the latest announcements from Sophos
3. For more information about any new features or products reach out to your Sophos account team

• What's new in Sophos Central

Full heath check via Sophos PS / TAM