Currently we don't get email alerts if a High Risk program is detected in our environment, so long as Sophos is able to detect it and clean it quickly.

My concern is that clearing-up the High Risk program doesn't necessarily mean the end of an 'attack' episode - it could be that the machine has been compromised in some other way, ongoing Data Loss could be taking place, and we'd want to know about this ASAP, so we can investigate. How do we go about overriding the fact that Sophos won't trigger an email alert is this event?

Allow searches based on the top-level domain in Threat Search.

Having the ability to enable / capture all user browsing activity when the need arises would be helpful in troubleshooting issues where a web site appears to be blocked but its unclear of the cause along with responding to HR requests to determine if a user is accessing sites that may not be blocked but are considered risky / not meant to be accessed as a normal course of business.

Allow for Threat Search results to be exported as excel and/or CSV for use in a pivot table.

Add the ability to filter out based on the device name or allow boolean operations for username and device name.

I sometimes have tens of thousands of indicators of attack and compromise to run through the threat search, but I can do only 100 at a time. Increase the object limit to 500 or allow the importing of CSV's.

If there are detection on the endpoints, the file that is moved to the quarantine must be able to download from the central console.
This can be used as part of EDR incident investigation to be able for the administrator to investigate the detected file and we can also submit the file to SophosLabs for them to create IDE.

Super Admin must be able to assign threat cases to Sophos central administrators.

This will help administrators to watch over their assigned threat cases.

Receiving an email alert when a new item is added into the Threat Analysis Center would be a great benefit.

For now, EDR's feature Threat Search only covers a specific sub-estate (For and Enterprise Dashboard) where a device of reference for a detection is a member of. Manually, the admin has to copy the artefact (SHA or filename) and threat search it to other sub-estates. It will be helpful to cover all sub-estates in the future for threat searches for easier administration and investigation.

In Threat Cases for Endpoint Protection, it currently shows Possible data involved: x number of business files. When clicking on the list of files it populates but does not show all with no option to expand the list. The investigation process could be eased if Sophos showed the names of the "possible data involved" files and their locations, if possible.

We our a large partner servicing many clients. We need the ability to customize what email address alerts are sent to. Additionally, we need the ability to "tune" the level of the alert. Often we find HIGH alerts are false positive. Items like "policy compliance", or "real-time protection disabled" will come in as HIGH and will then self resolve.

We want to be able to control what HIGH tickets are addressed by our NOC staff.

This customization has become very important to us as we scale. Could Alert customization be "fast-tracked" to production?

Respectfully,
Jeff C

It appears there is a way to export logs and events into Solarwinds LEM for the on-prem version of Sophos Enpoint Protection server but not the cloud hosted version. We would love a way to import logs into Solarwinds for the Cloud version.

We had an issue where a customer, most likely, did not configure Sophos Server Protection correctly. That server got hit by ransomware. When the customer called for assistance the Sophos Server protection was no longer installed on the server and was also removed in his Sophos Central account.
At the moment there is no option to see logs from removed devices in Sophos Central.
In such cases it would be handy to still be able to retrieve logs from removed devices for a period in order to investigate and also have some proof.