I want a High level alert when a server stops checking into Sophos Central. Not just when it goes Inactive (2+ weeks) but any time it stops calling home for 24 hours. I work for an MSP and there is no way I'm going to check on that many client portals in one day just to look for issues; that's what alerts are for. The lack of this visibility has caused us a major liability with a client.

If a connection check isn't possible, then have Device Not Updated alerts happen implicitly when a server doesn't call home for 24 hours. Virus definition updates happen every few hours; a server will be out of date if it isn't checking in at all.

Ill put this feature against Email Gateway as that is where is sorely needed but this feature should be for all Sophos Central components.

Part of the power of Sophos Central should be centrally across all security product reacting to a security event and taking action to resolve it.

Currently there is no "Block URL" feature in Email Gateway - There is an URL Allow list but no block feature. This is sorely needed.
One of the main benefits of using Time of Click is to immediately react to issues not only on future emails but existing emails in users mailboxes. Yet there is a reliance on Sophos Labs to have information on Malicious URLs which often they do not...

If a URL is indicated in a phishing email that slipped through, a company admin, using a URL Blocklist, can IMMEDIATELY react to this and block the URL for all existing emails that have that URL and emails received in the future. The company is immediately protected from a Email persepective.

Sophos can use this list as a sample submission of sorts also to validate and potentially block that URL for all Sophos customers.

--

Additionally there should be a means of blocking IOCs - Domains, URLs, IPs, Hashs - across all products in Sophos Central. -- Global Block List

URL on the Company Global Blocklist would mean --

• Block URL in Web Control for Endpoints and Servers and Mobile (this is possible using the web tag system BUT ridiculously convoluted)


• Block URL in connected XG Firewall


• Block URL at the device level for Sophos Wireless users.


• Block URL in Email Gateway for ToC emails also


• Quarantine email that is specified in the new Search and Destroy feature.

That is ridiculously powerful and massive missing potential from Sophos Central.

Priority: HIGH
Detection name: Lockdown
Root cause: Could not find root cause
Possible data involved: no business files

Its concerning when we don't get HIGH alerts that involve blocking a PROD App.
I had to chase around trying to spot why it wasn't working. Several hundred people couldn't the app after an update! Once I saw the Lockdown alert I could allow the App as a Safe Allowed Application.
Also other malicious activity is 'cleaned' by Sophos but we don't get alerted! Why ?

We need to have the choice of getting Alerts or not.

We find this disturbing that Sophos App will do something to our PC’s etc and not tell us! This is our network and our equipment, we need to know!
This is a critical problem for us!

These events could be a symptom of a larger problem that Sophos might be unable to see and action, Why can’t we have all the alerts?
Make the alert control more granular, let us decide what alerts we want to get.
The alert categories HIGH/MEDIUM/LOW could be broken down to sub categories and let us select which alerts we get and when.

I have to do Incident Reports for all malicious activity, and the serious ones have to be reported to the Security Agency in Central Government. We have to have ALL THE ALERTS!
If they have a suitable worded subject we can do email filtering to different folders and different alerts etc.

1> Blacklist check for a domain/IP.
2> Test a mail server response on SMTP/SMTPS.
3> SPF & aSPF detailed logs, at least for those which fail either or both. Policy enhancements for aSPF condition.
4> DKIM & aDKIM detailed logs, at least for those which fail either or both. Policy enhancements for aDKIM condition.
5> DMARC logs, list domains that pass & fail DMARC strict policies.
6> ToC detailed analysis logs instead of just blocking/warning.
7> Header anomalies detailed logging and reporting.
8> Sender's Mail service provider & DNS. Top 50/100 at least.
9> Look out for report generated by MXTOOLBOX https://mxtoolbox.com/EmailHeaders.aspx from header anomalies.
10> Tools to create strong SPF & DMARC policies. This should be difficult to add.
11> Mails received from which country, AI & Deep ML analysis on mail content. Reports based on that. This can be a unique feature.
12> Plug in Outlook or on browser indicating reputation of mail for that user. Adding this functionality on CIXA might also help in upsell.
13> Some more tools were explained here can be integrated in Central mail.
14> Restrictions on attaching links/content/file from cloud storage providers.