

The Alerts page lists all the alerts that require your action.

Some features might not be available for all customers yet.

Go to Alerts.

Alerts that are resolved automatically are not shown. To view all events, go to Reports > General Logs > Events.


The alert event time is not updated if the same event occurs repeatedly.

On the Alerts page, you can do the following:

  • Group alerts.
  • Filter alerts.
  • Take action against alerts.
  • Change the frequency of email alerts.

For information about the different types of alerts, see the other help pages in this section.


If you have Intercept X Advanced with XDR, you can investigate, block, and clean up threats from Threat Graphs.

Outbreak Detected alerts

We report an outbreak if a device experiences 100 detections in 24 hours. We do this to avoid overwhelming you with similar or repeated detections. You must investigate and resolve these alerts. See Deal with outbreaks.

Restart alerts

We create restart required events to indicate that an update needs a restart. We create alerts when a restart has been pending for 2 more weeks. For more information on restarts see the following:

Group alerts

You can group together all alerts for a specific threat or event under a single entry in the list. This makes alerts easier to manage.

Enable Group (upper right of the page).

To see the number of alerts for each group entry, look in the Count column.

To display all the alerts in a group, click the fold-out arrow on the right.

Filter alerts

To view alerts with a specific priority, click the figures for High Alerts, Medium Alerts or Low Alerts at the top of the page.

To view alerts for a specific product or threat type, use the drop-down filters above the alerts list.

Take action against alerts

You can take action against alerts.

To take action against an individual alert, click the drop-down arrow next to an alert to open its details. In Actions, click an action link (if available).

If you're viewing groups of alerts, click an action button (if available) next to the group in the list.


If you want to allow an application that Sophos deep learning reports as malware, you do it from the Events page, not here.

The following actions are available for alerts, depending on the alert type.

  • Mark As Acknowledged: Click this to remove an alert from the list. The alert will not be displayed again.

    This does not resolve threats and does not remove threat details from the quarantine manager on the computer or server.

  • Mark As Resolved: Click this if the threat has already been resolved on the endpoint computer or server. This action clears the alert from the list in Sophos Central and also clears threat details from the quarantine manager on the computer or server.

    This action does not resolve threats.

    This action is only available for Windows endpoint computers or servers.

  • Clean Up: Click this to remove ransomware from a server.

  • Reinstall Endpoint Protection: Click this to go to the Protect Devices page, where you can download the Sophos agent software.
  • Contact Support: Click this to get additional help. This action becomes available when you might need help, for example when malware cleanup fails.
  • Authorize PUA: Click this to authorize a Potentially Unwanted Application (PUA) to run on all computers. You might do this if you consider the application useful. For more information on dealing with PUAs see Deal with PUAs.

    This action is available only for computers.

Change the frequency of email alerts

You can change the frequency with which an alert type is sent.

Click the drop-down arrow next to an alert to open its details. In Email Alert, select the frequency for sending this type of alert.

This setting will be added to the Exceptions in your email alert settings. You can also edit the setting there.