When a Threat Case is not created, revert to pre-Intercept X behavior
After upgrading to Intercept X with EDR, in situations where a Threat Case is not created, revert to the pre-Intercept X behavior of publishing the Detection Event as an Alert.
"Note: Threat cases are only created for malicious detections; this does not include detections for PUAs, Application Control, Device Control, Web Control. Additionally if Sophos isn't able to automatically confirm a root cause, a Threat Case may not be generated."
We've gotten a number of malicious Events which haven't created corresponding Threat Cases for hosts assigned to the Intercept X with EDR policy. Sophos Support mentioned that a Threat Case was not forwarded to Central because a root cause could not be found. When this occurs, the Event is not displayed on our Central Dashboard or in the Alerts tab. This reduces the value compared to Sophos Endpoint Protection since Intercept X with EDR should provide additional context, and we now must query via the Event Viewer under Logs and Reports periodically.