
Threat Case required action - inconsistent documentation

I am trying to determine what Sophos's take is on Threat Cases. There are some inconsistencies in the definition, which could leave an analyst confused as to whether action is required on their part for threat cases.

From my understanding, unless I have IXA w/ EDR licensing, I cannot elevate an alert to a threat case. However, I do notice several instances in which threat cases do not have an alert that preceded it. With that and definition one (1) in mind, why do we not get alerts e-mailed to us for new threat cases? 

 

------- Definition 1 -------

From the Sophos Central Admin Help:

“Threat cases let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it has affected. This helps you improve security.

If you have an Intercept X Advanced with EDR or Intercept X Advanced with EDR for Server license, you can also do the following:

  • Isolate affected devices.
  • Search for more examples of the threat on your network.
  • Clean up and block the threat.

We create a threat case for you whenever we detect malware that you need to investigate further.”

Source: hxxps://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ThreatAnalysis.html

 

 ------- Definition 2 -------

From Threat Cases overview knowledge base article (29 May 2019)

"The Threat Cases view contains a list of infection types that occurred in the past 90 days. The information provided in this view does not necessarily require an action, but helps you to investigate the chain of events surrounding a malware infection and pinpoint areas where you can improve your security."

Source: hxxps://community.sophos.com/kb/en-us/125011

 

Thanks



  • Hi there,

     

    For definition 1, I would probably say a more accurate statement would be 'We create a threat case for you in most cases when we detect malware that you may want to investigate further'. When alerts are sent, that is typically because there is something that's worth digging into. If trying to be proactive, I think it's worth having a skim of Threat Cases and analysing them for files that maybe weren't part of the detection itself but may have been involved in the attack, particularly processes identified as having an uncertain reputation in Threat Cases, if you see them. Actually, one enhancement we are looking at is to provide an easy way to identify Threat Cases where we have seen processes with an uncertain reputation, as they are definitely worth investigating further.

     

    Kevin

  • Just one other thing worth noting: your license has no bearing on whether a Threat Case is generated along with an alert; that is really just specific to the detection that we've actually seen. From a Threat Case perspective, the big difference between EDR and non-EDR enabled products is that with EDR you can admin-isolate devices, use the Clean and Block action (in the event you've identified a suspect process), you can Search across your estate (in the event you've identified a suspect process), and if you Request the Latest Intelligence on a file in a Threat Case you receive a much richer analysis report on that file.

  • What I meant is that it is my understanding that w/ EDR licensing I would have the ability to create a threat case *from* an alert. Is this accurate?

  • Hi Kevin,

     

    Thanks for your reply. How does Intercept X determine which events it classifies as alerts vs. which events get made into a threat case?