
How Sophos creates investigations

How and when we create and update investigations.

We automatically create investigations for you and update them with related new detections.

To see them, go to Threat Analysis Center > Investigations. Automatically created investigations show the Sophos shield in the Created by column.

[Image: Sophos shield icon]

We base these investigations on the detection type (which corresponds to the Classification rule shown in the detection details), the risk level, and the device where it occurred.

Creating investigations automatically

We create a new investigation if there's a detection with risk level 6 or above that hasn't been included in an investigation on the same day.

We add new detections with risk level 6 or above to an existing investigation if both of the following apply:

  • The detection is a type already included in the investigation.
  • The detection is on a device already included in the investigation.

We don't close automatically created investigations. However, we delete them after 30 days if the status is Not started or you've closed them.
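The rules above can be read as a small grouping routine over the stream of detections. The following Python example is an added illustration written for this page, not Sophos code, and it models the stated rules as follows: a detection at risk level 6 or above is added to an existing investigation whose detection types and devices both already contain the detection's type and device; otherwise it starts a new investigation; investigations are never closed automatically; and investigations in the Not started or Closed state are removed once they are more than 30 days old. The detection IDs, type names, device names, dates and statuses are constructed sample values; the assumption that a match may be found in an investigation created on an earlier day is our reading of the text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RISK_THRESHOLD = 6    # detections below this level never trigger an investigation
RETENTION_DAYS = 30   # Not started / Closed investigations are deleted after this


@dataclass
class Detection:
    detection_id: str
    detection_type: str   # corresponds to the Classification rule in the detection details
    risk: int             # risk level; assumption: an integer scale
    device: str
    seen: date


@dataclass
class Investigation:
    investigation_id: int
    created: date
    types: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    detections: list = field(default_factory=list)
    status: str = "Not started"   # never changed automatically in this model


def route_detections(detections, investigations=None):
    """Apply the create/update rules to detections in time order.

    A detection joins the first investigation that already contains both its
    type and its device; otherwise a new investigation is created for it.
    """
    investigations = list(investigations or [])
    for d in sorted(detections, key=lambda x: x.seen):
        if d.risk < RISK_THRESHOLD:
            continue   # low-risk detections are never grouped into an investigation
        target = next(
            (inv for inv in investigations
             if d.detection_type in inv.types and d.device in inv.devices),
            None,
        )
        if target is None:
            target = Investigation(investigation_id=len(investigations) + 1, created=d.seen)
            investigations.append(target)
        target.types.add(d.detection_type)
        target.devices.add(d.device)
        target.detections.append(d.detection_id)
    return investigations


def prune_investigations(investigations, today):
    """Drop investigations older than RETENTION_DAYS that are Not started or Closed."""
    return [
        inv for inv in investigations
        if not ((today - inv.created).days > RETENTION_DAYS
                and inv.status in ("Not started", "Closed"))
    ]


# Constructed sample detections (not real telemetry).
DAY1 = date(2024, 5, 1)
SAMPLE_DETECTIONS = [
    Detection("d1", "Credential dumping", 8, "LAPTOP-01", DAY1),
    Detection("d2", "Credential dumping", 7, "LAPTOP-01", DAY1),   # same type + device -> joins d1
    Detection("d3", "Credential dumping", 9, "SRV-02", DAY1),      # same type, other device -> new
    Detection("d4", "Suspicious script", 3, "LAPTOP-01", DAY1),    # risk 3 -> ignored
    Detection("d5", "Lateral movement", 6, "LAPTOP-01", DAY1),     # same device, other type -> new
    Detection("d6", "Credential dumping", 8, "LAPTOP-01", DAY1 + timedelta(days=1)),  # joins d1
]


def run_demo():
    """Route the sample detections, then age the investigations past the retention window."""
    invs = route_detections(SAMPLE_DETECTIONS)
    # Analyst actions (constructed): one investigation picked up, one closed, one untouched.
    invs[1].status = "In progress"
    invs[2].status = "Closed"
    remaining = prune_investigations(invs, DAY1 + timedelta(days=31))
    return invs, remaining


if __name__ == "__main__":
    created, remaining = run_demo()
    for inv in created:
        print(inv.investigation_id, sorted(inv.types), sorted(inv.devices), inv.detections, inv.status)
    print("after pruning:", [inv.investigation_id for inv in remaining])
```

Running the script shows three investigations being formed from six detections (one of them ignored for low risk), and then only the In progress investigation surviving the 30-day cleanup. Changing the matching condition from "type and device" to "type or device" is a quick way to see why Sophos requires both: with "or", the Lateral movement detection on LAPTOP-01 would be folded into the Credential dumping investigation purely because of the shared device.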

Creating investigations: an example

Here's an example of how the automatic creation of investigations works.

[Diagram: automatic creation of investigations]