
Threat Case required action - inconsistent documentation

I am trying to determine what Sophos's take is on Threat Cases. There are some inconsistencies in the definition, which could leave an analyst confused as to whether action is required on their part for threat cases. 

From my understanding, unless I have IXA w/ EDR licensing, I cannot elevate an alert to a threat case. However, I do notice several instances in which threat cases do not have an alert that preceded them. With that and definition one (1) in mind, why do we not get alerts e-mailed to us for new threat cases? 


------- Definition 1 -------

From the Sophos Central Admin Help:

“Threat cases let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it has affected. This helps you improve security.

If you have an Intercept X Advanced with EDR or Intercept X Advanced with EDR for Server license, you can also do the following:

  • Isolate affected devices.
  • Search for more examples of the threat on your network.
  • Clean up and block the threat.

We create a threat case for you whenever we detect malware that you need to investigate further.”

Source: hxxps://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ThreatAnalysis.html


 ------- Definition 2 -------

From the Threat Cases overview knowledge base article (29 May 2019):

"The Threat Cases view contains a list of infection types that occurred in the past 90 days. The information provided in this view does not necessarily require an action, but helps you to investigate the chain of events surrounding a malware infection and pinpoint areas where you can improve your security."

Source: hxxps://community.sophos.com/kb/en-us/125011


Thanks



  • Hi there,


    For definition 1, I would probably say a more accurate statement would be 'We create a threat case for you in most cases when we detect malware that you may want to investigate further'. When alerts are sent, that is typically because there is something that's worth digging into. If trying to be proactive, I think it's worth having a skim of Threat Cases and analysing them for files that maybe weren't part of the detection itself but may have been involved in the attack, particularly processes identified as having an uncertain reputation in Threat Cases, if you see them. Actually, one enhancement we are looking at is to provide an easy way to identify Threat Cases where we have seen processes with an uncertain reputation, as they are definitely worth investigating further.


    Kevin
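The triage Kevin describes (skim threat cases, flag the ones that contain processes with an uncertain reputation, and, per the original question, notice cases that no alert preceded) can be scripted once the case data is exported. The following is an added example, not Sophos code and not the Sophos Central API: the `Alert`, `ProcessNode` and `ThreatCase` record shapes, the reputation values `trusted`/`uncertain`/`malicious`, the one-hour correlation window and all sample records are assumptions constructed for illustration, so map them onto whatever export your console actually produces.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical record shapes: these are NOT the Sophos Central data model,
# only a stand-in for whatever you export from the console.

@dataclass
class Alert:
    endpoint: str
    time: datetime
    description: str

@dataclass
class ProcessNode:
    name: str
    reputation: str  # assumed values: "trusted", "uncertain", "malicious"

@dataclass
class ThreatCase:
    case_id: str
    endpoint: str
    time: datetime
    processes: List[ProcessNode]


def uncertain_processes(case: ThreatCase) -> List[str]:
    """Names of processes in the case's chain of events with an uncertain reputation."""
    return [p.name for p in case.processes if p.reputation == "uncertain"]


def preceding_alert(case: ThreatCase, alerts: List[Alert],
                    window: timedelta = timedelta(hours=1)) -> Optional[Alert]:
    """Most recent alert on the same endpoint within `window` before the case, or None."""
    candidates = [a for a in alerts
                  if a.endpoint == case.endpoint
                  and case.time - window <= a.time <= case.time]
    return max(candidates, key=lambda a: a.time) if candidates else None


def triage(cases: List[ThreatCase], alerts: List[Alert],
           window: timedelta = timedelta(hours=1)) -> List[Tuple[str, List[str]]]:
    """Return (case_id, reasons) for every case that deserves a closer look.

    A case is flagged when no alert preceded it on that endpoint (it would
    otherwise be easy to miss, since nothing was e-mailed) or when its process
    chain contains an uncertain-reputation process.
    """
    findings = []
    for case in cases:
        reasons = []
        if preceding_alert(case, alerts, window) is None:
            reasons.append("no preceding alert")
        unc = uncertain_processes(case)
        if unc:
            reasons.append("uncertain reputation: " + ", ".join(unc))
        if reasons:
            findings.append((case.case_id, reasons))
    return findings


# Constructed sample data (not real detections).
T = datetime(2019, 6, 3, 9, 0)
ALERTS = [
    Alert("WS-001", T, "Malware detected"),
    Alert("WS-002", T - timedelta(days=1), "PUA detected"),  # too old to count
]
CASES = [
    # Alert 5 minutes earlier, nothing uncertain: not flagged.
    ThreatCase("TC-1", "WS-001", T + timedelta(minutes=5),
               [ProcessNode("explorer.exe", "trusted"),
                ProcessNode("dropper.exe", "malicious")]),
    # Only alert on WS-002 is a day old, and updater.exe is uncertain: flagged twice.
    ThreatCase("TC-2", "WS-002", T,
               [ProcessNode("winword.exe", "trusted"),
                ProcessNode("updater.exe", "uncertain")]),
    # No alert at all for WS-003: flagged.
    ThreatCase("TC-3", "WS-003", T,
               [ProcessNode("svchost.exe", "trusted")]),
]

if __name__ == "__main__":
    for case_id, reasons in triage(CASES, ALERTS):
        print(case_id, "->", "; ".join(reasons))
```

The correlation window is deliberately a parameter: a threat case is built from the chain of events around a detection, so its timestamp and the alert's can differ by more than a few minutes, and the right window depends on how your console reports them.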

  • Hi Kevin,


    Thanks for your reply. How does Intercept X determine which events it classifies as alerts vs. which events get made into a threat case? 
