Collect SHA-256 hash, size, created and modified date metadata on auto-remediated file
It should be helpful for the product, when it automatically remediates (aka removes without trace or ability to restore for many file types!), to report back to Sophos Central various key data about the file, such as the SHA-256 hash, size, created and modified date, to use in EDR searches etc.
I have recently been trying to understand a threat that has been cleaned up and wanted to 1) search for it via EDR using the SHA-256 hash and 2) understand if it was a newly dropped file or one that had been sat there a long time. The file that triggered this idea was a .HTA file (although the content was actually a load of PowerShell code and the filename deceptive), but after Intercept X cleaned it up automatically all we had was a file name and path, and we ended up having to refer back to a previous backup of the server to restore it to investigate it - not ideal when what we really wanted was just the "situational awareness" to do threat investigation and hunting.
Support's only suggestion currently was to turn off auto remediation of threats so the detected file is left and you can investigate it first and make a decision.
