My employees accidentally cleared an alert in Sophos Central for a ransomeware attack. Doing so erased all the detail information (File locations, etc.) Can someone point me to the log location so I can get that information from the log?
Hi Kyle,
Thanks for reaching out to the Sophos Community Forum.
You can find the detailed analysis by navigating to the device in question within Sophos Central to view the Events list, wherein you'll find a "Details" button on the detection event.
You can also find these details recorded in the Windows Application Event Log locally on the device. By filtering for the event ID 911, you'll see a list of all Intercept X detections.
Hi Kyle,
Thanks for reaching out to the Sophos Community Forum.
You can find the detailed analysis by navigating to the device in question within Sophos Central to view the Events list, wherein you'll find a "Details" button on the detection event.
You can also find these details recorded in the Windows Application Event Log locally on the device. By filtering for the event ID 911, you'll see a list of all Intercept X detections.
I don't see a "Details" link. I remember there used to be a link that said that, but I don't see it anymore.
Could you try checking the device "NTSRVAD01" to see is further details are available there?
