
Alerts

Some features might not be available for all enterprise administrators yet.

You can view and take action on the alerts for your Sophos Central Admin sub-estates that have enterprise management turned on.

Go to My Environment > Alerts.

The Alerts page lists all the alerts that require your action. We show you alerts for the last 90 days from your sub-estates. We show you up to 2,500 alerts.

If you want to take action on alerts older than 90 days, you can do that in your sub-estates' Sophos Central Admin accounts.

On the Alerts page, you can view, search, filter, and take actions against alerts.

View your alerts

To see your alerts, go to My Environment > Alerts.

The alerts list shows details for each alert:

  • Severity: High, Medium, or Low.
  • Status: Open, Closed, Reopened, or Resolved.
  • Events: Some alerts combine multiple events. This column shows the number of events.
  • Device: The device where the event or events occurred.

Alerts with multiple events

You may see alerts that include multiple events.

Sophos Central automatically collates some repeated events and shows them as a single alert. For example, if a firewall VPN tunnel goes down and is later restored, both events are included in one alert.

Alerts resolved automatically

You may see alerts that are resolved automatically.

If an event resolves an earlier event in the same alert, for example, when a connection goes down and is then restored, the alert closes automatically. The alert is shown as "Resolved".

View alert details

To view the full details of an alert, do as follows:

  1. In the alerts list, click the Alert title.

    A slide-out opens on the right of the screen, showing alerts and the Associated events they're based on.


  2. Click the Full screen icon in the upper right to see the details in full screen.

Group alerts

You can group all alerts for a specific threat or event under a single entry in the list. This makes alerts easier to manage.

Turn on Grouped above the alerts list.


Filter alerts

To view alerts with a specific priority, click the Filter icon next to the figures for High, Medium, or Low alerts at the top of the page.

To view alerts for a specific product or threat type, do as follows:

  1. Click the Filter icon above the alerts list.
  2. Select the filter you want to use. You can filter by Status (Open or Closed), Severity, Products, Category (for example, Malware or Product Updates), Available actions, Alert title, or Last updated.

    You can select multiple filter options. For example, you can select malware alerts from a specific product.

  3. Click Apply to view your filtered alerts.


To reset filters, click Reset to defaults, and then click Apply.

Customize columns

You can choose which columns you want to show in the alerts list.

Click the Customize icon above the alerts list on the right, and select the columns you want.

Take action against alerts

If you want to take action against alerts, use the filter options to find the alerts.

Select the alerts and click Actions.

We show you the actions that are available for all your selected alerts. We don't show you actions that are only available for some of your selected alerts. For example, if a cleanup action is available for some of your selected alerts but not all of them, we don't show you the cleanup action.


Depending on the alert type, the following actions are available for alerts:

  • Clear alert: Use this to remove alerts from the list. We don't show the alert again. This action doesn't resolve threats.
  • Clean up virus: Use this to remove malware.
  • Clean up PUA: Use this to remove a Potentially Unwanted Application (PUA).

    Warning

    You only see this action if you've turned off automatic cleanup in your threat protection policies. We recommend you don't do this.

  • Authorize PUA: Use this to authorize a PUA to run on all computers.

Close alerts

You can close alerts in one of these ways:

  1. Click an Alert title to open its details, then click Close alert.
  2. Select an alert in the alerts list, then go to Actions, and click Close alert. Click the Customize column icon.

Use the Closed filter to see closed alerts.

Sub-estate picker

If you add an Alerts widget to your custom dashboard, clicking an alert description in the Description column will take you to the Alerts page.

For information about custom dashboards, see Manage Dashboards.


You can use filters or customize the columns to manage the data displayed on the Alerts page.

Email alert frequency

You can change the frequency at which you receive email notifications about an alert type.

To change the frequency, do as follows:

  1. In the alerts list, click the Alert title.
  2. In Email alert, select the frequency for sending this alert type.

This setting is added to Exceptions in your email alert settings. You can also edit the setting there.

Export to CSV

This option exports all alerts and ignores alert filters.

You can export all alerts to a CSV file, which you can then view in Microsoft Excel.
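Because the export ignores alert filters, any triage view has to be rebuilt from the file. The following is an added example, not Sophos code: it re-applies Status and Severity filters to exported rows and collapses alerts that share a title, which approximates the Grouped view. The CSV header names are assumptions modelled on the list columns described on this page, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. Header names are ASSUMED to mirror the alerts-list
# columns named on this page; check the header row of a real export.
SAMPLE_CSV = """Alert title,Severity,Status,Events,Device
Malware detected,High,Open,1,LAPTOP-01
Malware detected,High,Open,1,LAPTOP-02
VPN tunnel down,Medium,Resolved,2,FW-EDGE
PUA detected,Medium,Open,1,LAPTOP-01
Update failed,Low,Closed,1,SRV-03
Malware detected,High,Reopened,3,SRV-03
"""

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def load_alerts(text):
    """Parse export text into dicts, trimming stray whitespace."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def filter_alerts(rows, statuses=None, severities=None):
    """Re-apply the Status and Severity filters that the export ignored."""
    return [
        r for r in rows
        if (not statuses or r["Status"] in statuses)
        and (not severities or r["Severity"] in severities)
    ]


def group_by_title(rows):
    """Collapse alerts sharing a severity and title into one triage entry."""
    groups = defaultdict(lambda: {"alerts": 0, "events": 0, "devices": set()})
    for r in rows:
        g = groups[(r["Severity"], r["Alert title"])]
        g["alerts"] += 1
        g["events"] += int(r["Events"] or 0)
        g["devices"].add(r["Device"])
    ordered = sorted(groups, key=lambda k: (SEVERITY_ORDER.get(k[0], 99), k[1]))
    return [(sev, title, groups[(sev, title)]["alerts"],
             groups[(sev, title)]["events"],
             sorted(groups[(sev, title)]["devices"])) for sev, title in ordered]


if __name__ == "__main__":
    still_open = filter_alerts(load_alerts(SAMPLE_CSV), statuses={"Open", "Reopened"})
    for entry in group_by_title(still_open):
        print(entry)
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so a byte-order mark does not end up in the first header name.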