Skip to content


Investigations let you analyze potential threats.

Investigations groups together suspicious events reported by our Detections feature and helps you do forensic work on them.

This page explains how investigations work and tells you how to do the following:

  • Set up investigations.
  • View and start investigations.
  • Investigate detected events.
  • Close investigations.

About investigations

We create investigations for you automatically. These focus on the detections that we recommend you investigate.

  • We create an investigation when there's a high-risk detection (if it hasn't been included in an investigation on the same day).
  • We add later detections to the investigation if they're related (they share the same detection type or affected devices).

A detection can be in multiple investigations.

For full details, see How Sophos creates investigations.

You can edit and work on these investigations. Alternatively, you can create your own investigations. See Create an investigation.

Set up investigations

Detections and Investigations are based on data in the Sophos Data Lake. Before you start using these features, ensure that uploads of security data to the Data Lake are turned on.

The data can come from various Sophos products.

See Data Lake uploads.

View and start investigations

To view investigations we've created, start them, and assign them to people, do as follows:

  1. Go to Threat Analysis Center > Investigations.
  2. You see a list of investigations. Click an investigation to see its details.


    The first time you view this page, the list might be empty. Come back later to see automatically-created investigations, or create your own.

    Investigations page

  3. Investigation record shows investigation details, and Detection list shows which suspicious events are included. Start the investigation as follows:

    1. Set the priority to High, Medium, or Low.
    2. Change the status from Not Started to In Progress.
    3. Click Type to assign and select the Sophos Central admins who will investigate.

    Investigation details page

We'll add related detections to the investigation as they occur. You can also add or remove detections. In Detection list, click Actions and choose what you want to do.


By default, we send Super Admins an email whenever there's a new investigation. See Email notifications.

Investigate detected events

We've given you a template for doing investigations. To investigate, do as follows:

  1. Go to Threat Analysis Center > Investigations.
  2. Click an investigation.

    Investigations page

  3. Expand Investigation notes. You'll see a series of questions based on the Observe-Orient-Decide-Act model.

    • Decide whether you need to investigate or close the investigation.
    • Check the external and internal connections used in the event.
    • Check which devices and users were affected.
    • Find out the attack tactics and techniques used. These are identified in the detection details.
    • Use the pivot options in the detections to run queries on the data or consult third-party threat analysis websites. See Detections.

    Investigation notes

Close investigations

To close an investigation, change the status to Closed.

We'll delete the investigation in 30 days.