How does Intercept X determine which events it classifies as alerts vs. which events get made into a threat case?
Hi,
Alerts get generated whenever an administrative interaction is required. A list of the events that generate a threat case can be found in the KB below:
https://community.sophos.com/kb/en-us/125011
There might be times where a threat case might not be generated. In those cases you can use the SDR Exporter tool to export out the snapshot and bring it into Central.
https://community.sophos.com/kb/en-us/132861
Information on how to read the exported JSON can be found in this KB: