The KBAs for Threat Graphs and Threat Graph analysis both fail to mention the core limitation that ML PUA events do not generate threat cases.
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/ThreatGraphs/index.html
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/ThreatGraphs/ThreatAnalysisDetails/index.html
^These pages should BOTH include the caveat mentioned in the "Sophos Intercept X: ML detections explained" KBA that notes:
https://support.sophos.com/support/s/article/KB-000036922?language=en_US
"Note: ML PUA detections don’t create Threat Graphs. However, you can use the Threat Hunting query under Live Discover to search your devices for the reported file name or SHA-256."
It took me waaaaaay too long googling the issue to find out that ML PUA detections not making threat cases is expected and not a bug. Please update the feature documentation to include this limitation for deep learning PUA detections.
Many thanks,
Michael