
ATP alert mail pretty useless

Subject: *ALERT* Sophos XG Firewall - Advanced threat protection DROP


Alert for XG430 (SFOS 18.0.1 MR-1-Build396) xxxSNxxxxx

Device Information:
Hostname: xxxxfirewall's-hostnamexxx
Management Interface IP: Not configured/Not available
Date/Time: 2020-12-11 14:36:02
Alert ID: 18010

Message:
Drop by Advanced threat protection (ATP).


No IP addresses listed. I have to look in the live log viewer.

Is this how it should be?

Background: an internal machine did DNS resolution to menece.com with the XG firewall as resolver. I would expect the ATP behaviour if this is a bad domain, which I don't care about in this case. But the alert should not be so useless.



[edited by: emmosophos at 6:22 PM (GMT -7) on 7 Jun 2021]
  • I don't know if it is the point LHerzog was trying to make, but I have to agree the ATP alert emails are pretty useless - they just contain no information about what has actually happened, they may as well say "Something's happened" for the use they are.

    Not all of us sit at a computer screen all day and it would be useful for the emails to have some useful information in them about what has actually happened rather than having to check the log every time one occurs.

  • There should be more information if this alert is relayed by Central. But the question would be:

    If you get an ATP alert via email and you see a domain and an IP: what can you do with this kind of information? You still have to check everything (VirusTotal etc.) to investigate this further. I agree, starting from the email is a better approach than logging into the XG and looking at the alert there, but the information still needs to be gathered.


  • I take your point but I just don't see why the email alert can't contain all the information from the log file entry.

  • What  wrote is correct. If I get an alert, it should contain basic information, as it has for years on the UTM / SG firewall. It should not be too difficult to add the IPs to the alert. Then, what is this? "Management Interface IP: Not configured/Not available"

    Sounds like the team programming the alerts was only halfway done.

    On weekends or in the evening it's essential for me to have the src/dst IP information at first sight. I can then decide whether action is needed or not.

     you will surely not do this every time and at any time, will you? "You still have to check everything (Virustotal etc.) to investigate this further."