The RCA component in the Sophos EDB console is a great feature, but can we trust the analysis?

Question

The RCA component in the Sophos EDB console is a great feature, but can we trust the analysis? 
 
 We've got 100s of endpoints on which the PUAs and malwares are detected and 100s of tickets generated in the ticketing tool. 
 1. Do we have to collect the SDU logs from all the endpoints to make sure its not a false-positive? 
 2. Can we depend on the analysis done by the RCA? Is it trustworthy? 
 3. What's the best way to deal 100s of false positives detected by Sophos? 
 4. If there are no business files affected in the RCA analysis, can I be sure its a false positive?

Barb@Sophos · Answer

Hello G33k, 
 This thread should help 
 As for your questions: 1 - If they are all triggering the same detection, and show same thumbprint, you do not need to collect the SDUs from each computer. Sophos Support may ask you for additional data as needed. This is the process to report a false positive You can also submit a sample of any file to Sophos Labs for their review (this is in case you are not sure about a specific file/program) . 
 2 - Please see the link at the beginning for details regarding RCA. 
 3 - Please see response 1. 
 4 - Following the process to report a false positive and contacting support is the best course of action. 
 Regards,