Create cases

We create cases automatically for the detections that you're most likely to want us to investigate.

You can also create cases manually and investigate them yourself. You can include any detections, even if they're already included in an automatically generated case.

You can create a case in either of the following ways: from the Cases page, or from the Detections page. Both are described below.

You can also create service requests for Sophos MDR or Sophos Managed Risk, depending on your license. These aren't based on detections, but do let you contact us to suggest investigations or ask for help. See Create an MDR service request or Create a Managed Risk service request.

Create a case from the Cases page

You can create a case based on Sophos XDR detections. You can't create a case for Sophos MDR or Managed Risk detections. The case will be Self-managed.

  1. Go to Threat Analysis Center > Cases.
  2. On the Cases page, click Create case in the upper right.

    Create case button.

  3. Select Self-managed case.

    Selector for case type.

  4. In Create case, do as follows:

    1. Enter a case name and description.
    2. Select the Severity.
    3. Select the Status (New).
    4. Select an Assignee. This is the admin who will investigate the case.

      You can select an assignee later if you want to.

    5. Click Create.

    Create case dialog.

    The Case details page is shown.

  5. Go to Threat Analysis Center > Detections.

  6. In the Detections list, select the detections you want to add.

    Detections page with detections selected.

  7. Click Actions and select Add to Case.

    Actions menu.

  8. Select your new case and click Add to Case.

    Add to Case dialog.

    The Case details page is shown.

When you're ready to investigate, see Investigate cases.

You can add more detections to your case from the Detections page later.

Create a case from the Detections page

  1. Go to Threat Analysis Center > Detections.

  2. In the Detections list, select the detections you want to investigate.

    Detections page with detections selected.

  3. Click Actions and select Create Case.

    Actions menu.

  4. In Create case, do as follows:

    1. Enter a case name and description.
    2. Select the Severity.
    3. Select the Status (New).
    4. Select an Assignee. This is the admin who will investigate the case.

      You can select the assignee later if you want to.

    5. Click Create.

    Create case dialog.

When you're ready to investigate, see Investigate cases.

You can add more detections to your case later. In the Detections list, select detections, click Actions, select Add to Case and then select your case.

Investigate cases

In Case details, use the Notebook tab to record your investigation into the case. We suggest you follow these steps:

  • Decide whether you need to investigate or close the investigation.
  • Check the external and internal connections used in the event.
  • Check which devices and users were affected.
  • Find out the attack tactics and techniques used. You can see these in the detection details.
  • Use the pivot options in the detections to run queries on the data or consult third-party threat analysis websites. See Use quick actions, enrichments, and queries.

Respond to cases

The Response Action feature is currently not available for most third-party product integrations.

Where an integration supports it, you can resolve detected issues through the integrated third-party product.

To use this feature, you must set up a Response Action integration with the third-party product you want to use. Go to Products and click your product.

Our example shows how to use a response action to suspend a compromised user. To take action, do as follows.

  1. Click the Case ID next to a case to see its details.
  2. Select the Respond tab.
  3. Find the action you want. Click the product type Identity to see actions available for that type.

    Respond tab showing Identity actions.

  4. Click the action Suspend User.

  5. In the action's details page, enter the required information and a reason for the action.

    Suspend User dialog.

  6. Click Run.

Close or remove cases

This option only applies to Self-managed cases.

To close a case, change the status to Closed. The case remains in the list for 30 days and then we delete it.

Partner Super Admins and Enterprise Super Admins can't close or remove cases.

To remove a case from the list, select it, and click Remove cases.

Cases list with cases selected for removal.

Create an MDR service request

You must have an MDR license to use this feature.

An MDR service request lets you raise issues with our MDR team. To create a request, do as follows:

  1. Go to Threat Analysis Center > Cases.
  2. On the Cases page, click Create case in the upper right.
  3. Select MDR service request.
  4. In Create service request for the MDR team, do as follows:

    1. Enter a case name and description.
    2. Click Create.
  5. On the Case details page, on the Messages tab, you can exchange messages with the MDR team.

You can't add to or edit any other tabs.

Create a Managed Risk service request

You must have a Managed Risk license to use this feature.

The Sophos Managed Risk service reports on all your internet-facing assets, scans the assets you specify for vulnerabilities, reports risks, and suggests remediations.

A Managed Risk service request lets you ask for changes in your Managed Risk settings or set up meetings with the Managed Risk team.

For a Managed Risk service request, do as follows:

  1. Go to Threat Analysis Center > Cases.
  2. On the Cases page, click Create case in the upper right.
  3. Select Managed Risk service request.
  4. In Create service request for the Managed Risk team, do as follows:

    1. Enter a case name and description.
    2. Click Create.