Root Cause Analysis - Not showing network connections / lateral movement


We recently had a Coin Miner spread in our network.


This was performed by the infected machine dropping files into shared folders of other machines. Thankfully, Sophos does pick up the file once it is dropped; however, the RCA does not show the machine / network connection that dropped the file.


Why is this? Surely this should be part of what the Data Recorder service should capture for detection of lateral movement - or is Sophos not capable of this? (not great if so)