Best Practices for EDR Data Feed

One of the key new features delivered in Intercept X Advanced with EDR is the ability to search across an endpoint estate for details on portable executable files that have an uncertain or bad reputation and the network destinations those files have connected to. This will search across all the data that has been sent back to Sophos Central but only from Endpoints that have Threat Protection policies with the ‘Allow computers to send data on suspicious files and network events to Sophos Central’ feature enabled.

Due to a policy rendering error, this setting may have been disabled in some Threat Protection policies for some of our EDR early adopters. For endpoints being tested where customers want data on portable executable files with an uncertain or bad reputation to be sent continuously to Sophos, EAP customers should ensure that the ‘Allow computers to send data on suspicious files and network events to Sophos Central’ policy setting is enabled in the Threat Protection policies applying to those endpoints, as you can see below:


This also then allows this data to be returned in Threat Search results.

You can find more details in this KBA.


Best Regards,


Kevin