Create cases

We create cases automatically for the detections that you're most likely to want us to investigate.

You can also create cases manually and investigate them yourself. You can include any detections, even if they're already included in an automatically generated case.

You can create a case in either of the following ways: from the Cases page or from the Detections page.

You can also create service requests for Sophos MDR or Sophos Managed Risk, depending on your license. These aren't based on detections, but do let you contact us to suggest investigations or ask for help. See Create an MDR service request or Create a Managed Risk service request.

Create a case from the Cases page

You can create a case based on Sophos XDR detections. You can't create a case for Sophos MDR or Managed Risk detections. The case will be Self-managed.

  1. Go to Threat Analysis Center > Cases.
  2. On the Cases page, click Create case in the upper right.

    Create case button.

  3. Select Self-managed case.

    Selector for case type.

  4. In Create case, do as follows:

    1. Enter a case name and description.

      Note

      Don't use special characters in the case name. Sophos APIs might interpret special characters as syntax instead of values. Use only alphanumeric characters, spaces, and basic punctuation.

    2. Select the Severity.

    3. Select the Status (New).
    4. Select an Assignee. This is the admin who will investigate the case.

      You can select an assignee later if you want to.

    5. Click Create.

    Create case dialog.

    The Case details page is shown.

  5. Go to Threat Analysis Center > Detections.

  6. In the Detections list, select the detections you want to add.

    Detections page with detections selected.

  7. Click Actions and select Add to Case.

    Actions menu.

  8. Select your new case and click Add to Case.

    Add to Case dialog.

    The Case details page is shown.

When you're ready to investigate, see Investigate cases.

You can add more detections to your case from the Detections page later.

Create a case from the Detections page

  1. Go to Threat Analysis Center > Detections.

  2. In the Detections list, select the detections you want to investigate.

    Detections page with detections selected.

  3. Click Actions and select Create Case.

    Actions menu.

  4. In Create case, do as follows:

    1. Enter a case name and description.

      Note

      Don't use special characters in the case name. Sophos APIs might interpret special characters as syntax instead of values. Use only alphanumeric characters, spaces, and basic punctuation.

    2. Select the Severity.

    3. Select the Status (New).
    4. Select an Assignee. This is the admin who will investigate the case.

      You can select the assignee later if you want to.

    5. Click Create.

    Create case dialog.

When you're ready to investigate, see Investigate cases.

You can add more detections to your case later. In the Detections list, select detections, click Actions, select Add to Case and then select your case.

Close or remove cases

This option only applies to Self-managed cases.

To close a case, change the status to Resolved. The case remains in the list for 30 days and then we delete it.

Partner Super Admins and Enterprise Super Admins can't close or remove cases.

To remove a case from the list, select it, and click Remove cases.

Cases list with cases selected for removal.

Create an MDR service request

You must have an MDR license to use this feature.

An MDR service request lets you raise issues with our MDR team. To create a request, do as follows:

  1. Go to Threat Analysis Center > Cases.
  2. On the Cases page, click Create case in the upper right.
  3. Select MDR service request.
  4. In Create service request for the MDR team, do as follows:

    1. Enter a case name and description.

      Note

      Don't use special characters in the case name. Sophos APIs might interpret special characters as syntax instead of values. Use only alphanumeric characters, spaces, and basic punctuation.

    2. Click Create.

  5. On the Case details page, on the Messages tab, you can exchange messages with the MDR team.

You can't add to or edit any other tabs.

Create a Managed Risk service request

You must have a Managed Risk license to use this feature.

The Sophos Managed Risk service reports on all your internet-facing assets, scans the assets you specify for vulnerabilities, reports risks, and suggests remediations.

A Managed Risk service request lets you ask for changes in your Managed Risk settings or set up meetings with the Managed Risk team.

To create a Managed Risk service request, do as follows:

  1. Go to Threat Analysis Center > Cases.
  2. On the Cases page, click Create case in the upper right.
  3. Select Managed Risk service request.
  4. In Create service request for the Managed Risk team, do as follows:

    1. Enter a case name and description.
    2. Click Create.