When reviewing the Events on the SEDR Appliance, you may see many Event ID 4123 or 4099 Suspicious File Detections. If you review the Actions page, you do not see an automatic sandbox submission for each Event, even though you have enabled Automatic Submission under Global Settings.
In order for the file to be submitted automatically, the 4123 Event needs to have an HID level of 300, 400 or 500. If you are not enrolled in SEP Cloud, the 4099 event needs to have a file reputation of -5 or lower.. They also need to be a Portable Executable with a file name ending in ".exe" and have a file size under 10MiB. The automatic submission option will not submit the file if there has been a sandbox verdict within the last 7 days.
Note: The file reputation value is considered proprietary and cannot be viewed.