Threat Indicators - beta
Threat indicators was enabled and we had over 70,000, most no longer applicable as they do not even have a suspicion listed. So I'm sifting through these, dismissing 25 at a time.
Threat indicators definitely needs more comprehensive filtering and some way to dismiss multiple by page count, or by the blank suspicion field, by date, etc.
Kevin Kingston commented
Thanks so much for the feedback on this. Since introducing Threat Indicators the team in Sophos has done a lot of work on the Threat Indicators feature and I think we've addressed the bulk of the issues you've highlighted in this idea. See below for a list of some of the improvements made so far:
- There were some problems with purging older data from Threat Indicators and you should no longer be seeing items in the list that have a blank suspicion field.
- In terms of the large number of items in the list, we've also adjusted our scoring thresholds so that you should no longer be seeing large numbers of Low Suspicion items in the list as you were originally seeing.
- A new date filter (show custom, last day, 3 days, 7 days, 30 days) and suspicion level filter has also been added. In the suspicion level filter you can select a single threshold (e.g. High only) or multiple suspicion levels (e.g. High and Medium) in the filter.
- A new banner has also been added to the Suspicious items report page to give a count of the number of High, Medium and Low items that have been reported in your environment.