Hello everyone! Today we will talk about a very important feature of Sophos Intercept X: Root Cause Analysis (RCA). RCA lets you view the threat analysis of every attack attempted on the endpoints protected by Sophos Central Intercept X. So let's get started.
In the Sophos Central Admin Dashboard, we get an at-a-glance view of all our threat analyses, as shown in the image below:
By clicking on any one of these cases, you get a detailed overview of that particular threat containing the following information:
- Which attack happened? For example, a Command & Control (C&C) attack.
- Which host/user was affected? For example, Desk-01/Paul.
- When did it occur? For example, detected on Sept 12, 2018, 4:30 PM.
- How did it occur? For example, through which process it was executed (chrome.exe, etc.).
After RCA has answered the above questions, it then provides the next steps to mitigate the threat.
In the Artifacts section, we can see all the files and processes affected by that particular threat, as well as the business files the attack attempted to steal.
Now the best part of this feature is the Visualizer. The visualizer shows the life of the attack. As you can see in the image below, two indicator dots are shown: red (Root Cause, where the threat originated) and blue (Beacon, where the threat was detected).
With the visualizer, RCA lets you see exactly how many files were written, how many processes were executed, how many network connections were opened, and so on. This kind of sophisticated information, presented in such an easy-to-understand manner, is something only Sophos Intercept X provides.
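The root-cause/beacon relationship the visualizer draws can be illustrated with a small walk-back over process telemetry. The Python below is an added example written for this post, not Sophos code: the flat event-tuple schema, the BASELINE name set used to decide where the chain starts, and the sample events for Desk-01/Paul are all constructed. It walks from the detection point (beacon) up the parent-process links to the root cause, then counts processes, file writes and network connections in the subtree beneath that root, which is the summary the visualizer presents.

```python
"""Root-cause walk-back over endpoint telemetry (illustrative, not Sophos code)."""
from collections import defaultdict

# Processes treated as the normal user session; the walk-back stops when it
# reaches a child of one of these. Assumption: a real product uses reputation
# data rather than a plain name list.
BASELINE = {"explorer.exe", "services.exe", "wininit.exe"}

# Constructed sample telemetry from one host (Desk-01, user Paul).
# Each record is (event_type, pid, ppid_or_0, process_name, detail).
EVENTS = [
    ("process", 100, 1,   "explorer.exe",   ""),
    ("process", 200, 100, "chrome.exe",     "user browsing"),
    ("file",    200, 0,   "chrome.exe",     r"C:\Users\paul\Downloads\invoice.docm"),
    ("process", 300, 200, "winword.exe",    r"C:\Users\paul\Downloads\invoice.docm"),
    ("process", 400, 300, "powershell.exe", "launched from document"),
    ("file",    400, 0,   "powershell.exe", r"C:\Users\paul\AppData\Local\Temp\update.exe"),
    ("process", 500, 400, "update.exe",     r"C:\Users\paul\AppData\Local\Temp\update.exe"),
    ("file",    500, 0,   "update.exe",     r"C:\Users\paul\Documents\q3-forecast.xlsx"),
    ("network", 500, 0,   "update.exe",     "203.0.113.10:443"),  # TEST-NET-3 address
    ("network", 500, 0,   "update.exe",     "203.0.113.10:443"),
]


def build_graph(events):
    """Index events by process: parent links, children, per-pid file/network activity."""
    procs, children = {}, defaultdict(list)
    files, conns = defaultdict(list), defaultdict(list)
    for kind, pid, ppid, name, detail in events:
        if kind == "process":
            procs[pid] = {"name": name, "ppid": ppid}
            children[ppid].append(pid)
        elif kind == "file":
            files[pid].append(detail)
        elif kind == "network":
            conns[pid].append(detail)
    return procs, children, files, conns


def find_root_cause(procs, beacon_pid):
    """Walk parent links from the beacon until the parent is a baseline process."""
    pid = beacon_pid
    while True:
        parent = procs.get(procs[pid]["ppid"])
        if parent is None or parent["name"] in BASELINE:
            return pid
        pid = procs[pid]["ppid"]


def descendants(children, root_pid):
    """All pids in the subtree rooted at root_pid, including the root itself."""
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(children[pid])
    return out


def analyse(events, beacon_pid):
    """Produce the root cause, the chain to the beacon, and activity counts."""
    procs, children, files, conns = build_graph(events)
    root = find_root_cause(procs, beacon_pid)
    chain, pid = [], beacon_pid          # chain of names from root cause to beacon
    while pid != root:
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    chain.append(procs[root]["name"])
    chain.reverse()
    tree = descendants(children, root)
    return {
        "root_cause": procs[root]["name"],
        "beacon": procs[beacon_pid]["name"],
        "chain": chain,
        "processes_executed": len(tree),
        "files_written": sum(len(files[p]) for p in tree),
        "network_connections": sum(len(conns[p]) for p in tree),
        "artifacts": sorted({f for p in tree for f in files[p]}),
    }


if __name__ == "__main__":
    import json
    # Beacon: the C&C detection fired on update.exe (pid 500).
    print(json.dumps(analyse(EVENTS, beacon_pid=500), indent=2))
```

Running it with the sample data reports chrome.exe as the root cause and update.exe as the beacon, with the chain chrome.exe > winword.exe > powershell.exe > update.exe, four processes executed, three files written and two network connections. The "artifacts" list is the analogue of the Artifacts section, and the business document under Documents shows up there because the detected process touched it.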