We have some exciting news for Intercept X and Intercept X for Server customers.  This week we launched a new and improved version of Root Cause Analysis (RCA) for investigations.  With this new functionality comes a new name - “Threat Cases”.  Threat Cases automatically identify the root cause or sequence of events that led to a potentially malicious file.  With the new release, we will also display more intelligence to aid in investigating and will provide suggested next steps.

New enhancements include:

  • Suggested next steps aiming to provide guidance on artifacts that may warrant further investigation

  • Updated iconography to more easily identify the different types of artifacts involved in a threat chain
  • The Sophos file reputation on processes identified in the threat chain
  • A combined and filterable Threat Case graph with a searchable artifact table for easier analysis of threats



  • A new option to choose between showing the full threat case graph, or simplifying the graph by showing the direct path between what has been determined to be the root cause and the detected item or beacon event.

Access to the new Threat Cases can be found for Endpoints under Sophos Central Admin > Endpoint Protection >  Threat Cases and for Servers under Sophos Central Admin > Server Protection >  Threat Cases:  



Looking for more investigation and analysis?

 Threat Cases are available to all Intercept X and Intercept X for Server customers.  However, Threat Cases just scratch the surface of what Intercept X Advanced with EDR is able to do (EDR for Servers will be available in 2019).  With our new EDR capabilities administrators will be able to leverage even more machine learning and SophosLabs intelligence to dive deeper than ever before when investigating a suspicious event.  Intercept X Advanced with EDR will also allow administrators to respond to potential threats with a click of a button, isolate machines on demand while investigating, hunt for threats across their estate, and much more. You can sign up for a sneak preview of the EDR capabilities by joining our Early Access Program.