Provide Enhanced information in Sophos Central about Detection and Security events
There are many events generated in Sophos Central that lack the specific information required to know what is going on.
Threat Cases: these are advertised as providing you with root cause analysis; however, they never actually provide information on what actually happened. An example of this is the Lockdown events. To see what actually occurred and was blocked you need to review the local HitmanPro events, so how is this providing Root Cause Analysis?
Another example is AV detections within containers like ZIP and MSG files. In Central only the MSG file is reported; however, the SAV logs include the attachment or file within the ZIP that was detected. This information should be visible in Central.
How will this new feature address your business requirements?
- It will provide what this product has been advertised as doing: being a central repository for this information.
How would you rate the importance of this feature? 1 = Critical
Was just about to ask for this. It's silly how in the Dashboard for example, I see an alert "An attempt to communicate with a botnet..." shows up, and I can't click on it to get to that actual alert. Even holding the cursor over the alert shows no detail.
So I click View All Alerts. I don't see that alert anymore. It's grouped under "Advanced Threat detected". So I expand that group and see the alert. The Description is exactly the same as the one-line alert. That's not helpful at all. There's a lot of space for a real description with even basic details such as endpoint name, IP address, destination FQDN/IP, etc. So now here I can only Mark as Acknowledged. That's completely useless. Why would I want to acknowledge this alert when you're still not telling me more about it?
Now I have to go hunting and pecking about to find out where I can see more details. I go to the Threat Analysis Center. Nothing there.
Maybe Logs & Reports. Maybe Events. There are many events now. I don't know which items to filter in order to see that botnet activity alert. I search for "botnet" and no events show up. I scroll through all of them and none of them show that alert. So this isn't helpful at all.
I then go to Endpoint Protection. In its dashboard I don't see that alert either.
So I have an alert that sounds important, but I have no idea where it happened, and what I should do to check for any other possible issues. This is often my experience with Sophos Central. I really like the Sophos product and most things are great, but this kind of lack of ability to click through in most (but not all) places is very frustrating.