This knowledge base article provides information on the required actions when dealing with Threat Cases, along with links to example cases for various types of infection.
This feature is only available to customers with an Intercept X or Intercept X with EDR license.
Applies to the following Sophos products and versions
Not product specific
The Threat Cases view contains a list of infection types that occurred in the past 90 days. The information provided in this view does not necessarily require an action, but helps you to investigate the chain of events surrounding a malware infection and pinpoint areas where you can improve your security.
For endpoints or servers with an Intercept X license access:
For endpoints or servers with an Intercept X with EDR license access:
Note: The Admin generated tab contains threat cases that have been generated using the Generate a new threat case option from a threat search.
The following are the types of infection along with the remedial actions that can be seen in the Threat Cases section:
The threat case for malware detection is logged to provide further information about the malware. You can use the details to understand how the malware arrived on the computer, and what triggered the detection.
As cleanup of malware is enabled by default, you can close the Threat Case when you have finished your investigation.
In certain cases where automatic cleanup is unable to take place (e.g., the detection identity does not have a cleanup routine, permissions on the file do not permit cleanup, or the threat is an archive or some other container format), the Threat Case is logged to provide further information on the Beacon event that triggered the detection. You can use this to deal with failed cleanup alerts. See Sophos Central Dashboard: Alerts Section reports one or more 'Malware not cleaned up' alerts.
See also the Threat Case examples: Malware detections for guidance on malware detections (blocked but not cleaned up) using the Threat Cases feature.
The threat case for Web threats is logged to provide further information about the threat. You can use the details to understand which site contains the threat and how it was triggered. While access to the site is blocked, you may want to add it to your own block list if you use web control or have a third-party web appliance.
As Web threats are blocked by default, you can close the Threat Case when you have finished your investigation.
The threat case for Malicious behavior is logged to provide further information on ransomware.
The Threat Case for ransomware is logged to provide further information about the detection. You can use the details to understand how the ransomware arrived on the computer (Root Cause), along with the file that triggered the detection (Beacon). You can use this information to prevent other computers from being infected. For example, by blocking the file triggering the detection at a Gateway level.
Ransomware detections will trigger a cleanup operation by default. To determine whether this has succeeded, open the Sophos UI on the affected computer, click Events, and then check for the 'Threat cleaned up' event against the ransomware detection.
The threat case for Malicious traffic is logged to provide further information about the detection. You can use the details to understand what triggered the HTTP traffic to known bad URLs.
The threat case for Exploits is logged to provide further information about the exploit. As the exploit is blocked, you can use the information to determine how the exploit arrived on the computer and prevent this from reoccurring.
As these detections are blocked, you can close the Threat Case when you have finished your investigation.