Cases

The Cases page groups together suspicious events reported by our Detections feature and helps you or the MDR team investigate them and respond.

How cases work

We create and manage cases for you automatically or you can create and manage your own.

Cases Sophos manages

We create cases for you automatically. These focus on the detections that we think need investigation.

  • We create a case when there's a high-risk detection if it hasn't already been included in a case on the same day.
  • We add later detections to the case if they share the same detection type.
  • If the case is based on MDR detections, we investigate and respond. This is a "Sophos-managed" case.

Note

If the case is based on Sophos XDR detections, we don't investigate. See Cases you manage.

Cases you manage

If we create a case based on XDR detections, it's a "Self-managed" case. When you review your cases, look for "Self" in the "Managed by" details. You must assign an admin to investigate and respond. See Assign cases.

You can also create and manage your own cases manually. See Create cases.
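To make the automatic grouping rules above concrete, the following Python is an added illustration, not Sophos code: it folds a handful of constructed detections into cases using the two rules stated on this page (a high-risk detection opens a case unless one already exists for it that day; later detections of the same detection type join it) and derives "Managed by" from whether the case is based on MDR or XDR detections. The Detection and Case classes, the field names, the CASE-nnn ID format, the choice of Critical and High as "high-risk", and the reading of "later" as "later the same day" are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime

# Which severities count as "high-risk" is not defined on this page; the example
# assumes Critical and High.
HIGH_RISK = {"Critical", "High"}


@dataclass
class Detection:
    detection_id: str
    detection_type: str   # the detection rule or classification that fired
    source: str           # "MDR" or "XDR": which feature produced the detection
    severity: str         # Critical, High, Medium, Low or Info
    seen: datetime


@dataclass
class Case:
    case_id: str
    detection_type: str
    created: datetime
    managed_by: str       # "Sophos" for MDR-based cases, "Self" for XDR-based ones
    detections: list = field(default_factory=list)

    def day(self) -> date:
        return self.created.date()


def group_into_cases(detections):
    """Fold detections into cases following the two rules on this page.

    Returns (cases, uncased): the cases created, in creation order, and the
    detections that never qualified for a case.
    """
    cases, uncased = [], []
    for d in sorted(detections, key=lambda x: x.seen):
        # Rule 2: a later detection joins the case for its detection type. The
        # example reads "later" as later the same day, so a new day starts a new
        # case (assumption).
        match = next(
            (c for c in cases
             if c.detection_type == d.detection_type and c.day() == d.seen.date()),
            None,
        )
        if match is not None:
            match.detections.append(d)
            continue
        # Rule 1: only a high-risk detection opens a case, and only when no case
        # for that type exists yet on the same day (true here, since match is None).
        if d.severity in HIGH_RISK:
            managed_by = "Sophos" if d.source == "MDR" else "Self"
            cases.append(Case(
                case_id=f"CASE-{len(cases) + 1:03d}",   # assumed ID format
                detection_type=d.detection_type,
                created=d.seen,
                managed_by=managed_by,
                detections=[d],
            ))
        else:
            uncased.append(d)
    return cases, uncased


# Constructed sample detections for the example (not real telemetry).
SAMPLE_DETECTIONS = [
    Detection("D1", "Credential dumping", "MDR", "High", datetime(2024, 5, 6, 8, 0)),
    Detection("D2", "Credential dumping", "MDR", "Medium", datetime(2024, 5, 6, 9, 30)),
    Detection("D3", "Suspicious PowerShell", "XDR", "Medium", datetime(2024, 5, 6, 10, 0)),
    Detection("D4", "Suspicious PowerShell", "XDR", "High", datetime(2024, 5, 6, 11, 0)),
    Detection("D5", "Suspicious PowerShell", "XDR", "Low", datetime(2024, 5, 6, 11, 15)),
    Detection("D6", "Credential dumping", "MDR", "High", datetime(2024, 5, 7, 8, 5)),
]


if __name__ == "__main__":
    cases, uncased = group_into_cases(SAMPLE_DETECTIONS)
    for c in cases:
        ids = ", ".join(d.detection_id for d in c.detections)
        print(f"{c.case_id} {c.detection_type!r} managed by {c.managed_by}: {ids}")
    print("Uncased:", [d.detection_id for d in uncased])
```

Running it gives three cases: CASE-001 (Sophos-managed, D1 and D2), CASE-002 (Self-managed, D4 and D5) and CASE-003 (Sophos-managed, D6, because a new day starts a new case). D3 stays uncased: it is a Medium detection that arrived before any case for its type existed that day, which is why a lower-severity detection can sit outside any case until a high-risk detection of the same type opens one.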

View cases

To view your cases, go to Threat Analysis Center > Cases.

Cases page.

Note

The first time you view this page, the list might be empty. Come back later to see automatically created cases, or create your own. If you still don't get cases, see Troubleshoot cases.

The Cases list includes the following details for each case.

Severity

Each case has one of the following severity levels, shown with the color listed:

  • Critical (red): A confirmed compromise or unauthorized access to systems.
  • High (orange): Detections that indicate a targeted attack that could cause a compromise or unauthorized access.
  • Medium (yellow): Detections that might not be malicious by themselves and aren't known to be targeted.
  • Low (dark gray): Detections that don't indicate poor health, malicious activity, or a compromise or unauthorized access.
  • Info (light gray): A special severity level typically used for initial health checks.

Status

Sophos-managed cases can show the following statuses:

  • In progress: We're still analyzing the data.
  • Action required: You need to take action. We've notified your contacts.
  • Resolved: We've resolved the threat.

Managed by

You can see who manages the case:

  • Sophos: Our MDR team investigates the case and responds. You can't make changes to the case, but you can reply to the MDR team on it.
  • Self: You must investigate the case and respond.

Assign cases

This section applies only to automatically generated cases that show "Self" in the "Managed by" column.

You can assign cases to your admins for analysis as follows:

  1. Go to Threat Analysis Center > Cases to see a list of cases.
  2. Click the Case ID next to a case to see its details.
  3. On the Case details page, the Overview tab is open by default. Do as follows:

    1. In Assignee, select the administrator you want to assign the case to. If the administrator you want isn't listed, click Add user and add them.

      You can select the assignee later if you want to.

    2. Set the Severity to Critical, High, Medium, Low, or Info.

    3. Change the Status from New to Investigating, if you're ready to start.
    4. In Summary, enter a description of the case.

    Case details page.

    For advice on investigating a case, go to Create cases and see "Investigate cases".

Note

We notify Sophos Central admins about new cases if you set up email notifications for them. See Email notifications.

See case details

To see the details of a case and follow its progress, do as follows:

  1. On the Cases page, click the Case ID next to the case.

    Case ID link in Cases list.

  2. On the Case details page, the page header shows the severity, status, and assignee. It also shows when the case was created, assigned, and last updated.

    Case details.

The page also has tabs for further details.

Overview tab

The Overview tab is open by default and shows a case summary, MITRE tactic details, and recent activity.

Case details Overview tab.

Summary

If you're an MDR customer, the MDR team enters a case summary for you. If you're an XDR customer, enter your own case description.

MITRE tactics

MITRE tactics lists any MITRE ATT&CK tactics and techniques we detected.

Click the fold-out arrow beside a tactic to see the technique.

Click the link beside any tactic or technique, for example Credential Access, to go to its details on the MITRE website.

MITRE tactics details.

Recent activity

Recent activity shows recent changes to the case. Click See all to go to the History tab.

Detections tab

The Detections tab lists all the detections included in the case. It shows the same details as the list on the Detections page. See Detections.

Detections tab.

Notebook tab

If you're working on a Self-managed case, use the Notebook tab to keep a record of your investigations.

Messages tab

On the Messages tab, you can see and reply to messages about the case from the Sophos MDR team.

  • Messages that you send go into an MDR inbox. We'll respond to them later.
  • Messages that you send or receive are copied to your authorized contacts' mailboxes, so you won't miss any messages.
  • You can send and receive attachments as well as messages.

History tab

The History tab shows all the activity on the case, for example detections added to it and changes of status, owner, and so on.

Troubleshoot cases

Cases are based on detections found in the data that your devices upload to the Sophos Data Lake. These uploads are usually turned on by default. If you aren't getting detections, check that the uploads are turned on.

To check that data’s uploaded from Sophos products, see Data Lake uploads. For data from third-party products, see About MDR and XDR integrations.