Make the alert control more granular, let us decide what alerts we want to get
Detection name: Lockdown
Root cause: Could not find root cause
Possible data involved: no business files
It's concerning when we don't get HIGH alerts that involve blocking a PROD App.
I had to chase around trying to spot why it wasn't working. Several hundred people couldn't use the app after an update! Once I saw the Lockdown alert I could allow the App as a Safe Allowed Application.
Also other malicious activity is 'cleaned' by Sophos but we don't get alerted! Why?
We need to have the choice of getting Alerts or not.
We find it disturbing that the Sophos App will do something to our PCs etc. and not tell us! This is our network and our equipment, we need to know!
This is a critical problem for us!
These events could be a symptom of a larger problem that Sophos might be unable to see and action. Why can’t we have all the alerts?
Make the alert control more granular, let us decide what alerts we want to get.
The alert categories HIGH/MEDIUM/LOW could be broken down into subcategories and let us select which alerts we get and when.
I have to do Incident Reports for all malicious activity, and the serious ones have to be reported to the Security Agency in Central Government. We have to have ALL THE ALERTS!
If they have a suitably worded subject we can do email filtering to different folders and different alerts etc.
Reduce volume - stop unnecessary alerts.
If the volume was more manageable, then many of the feature requests would be unnecessary or less important.
We plan to reimplement how alerts are generated as part of an overhaul of status reporting and how it is displayed. This should allow us to be more accurate in generating alerts.
Where alerts are genuine (but still too common) we are addressing the underlying issues as we identify them.
Admin responsibility specific alerting, for example an admin only responsible for servers should only get alerts for servers, not for computers. We are looking at implementing roles along these lines, and can add suitable alerting as we do that.
Please note there are some recently completed items that may help:
Group alerts by type (and be able to delete all alerts in a category/ies)
Disable alerts for a certain user (e.g. helpdesk user or person who only needs Central access for generating reports)
Send alerts to addresses that aren't a Central admin