Enterprise console email notifications

Sophos Enterprise Console v5.3.0, email notification is enabled for alerts and errors.

Is there an option for enhancing the description inside the email?

Example:

description field is empty, missing for example the computer names

 

Thanks



  • Hello Alex Durrer,

    First of all (though it won't change the behaviour you ask about), 5.3.0 was retired a year ago and you should consider upgrading to the current version (but perhaps wait just a little bit longer until 5.5.1 comes out).

    "missing for example the computer names"
    It's triggered by the number of computers (or, to be exact, the percentage - set in Tools > Configure Dashboard...) exceeding a certain threshold. It shall alert you to rather unusual conditions, not highlight particular endpoints.
    Once the number is above the threshold you won't get any new alerts until you have gotten it below and it has subsequently risen again. As an extreme example: Assuming your threshold is 0.00%. Consider a Virus alert by an endpoint that is switched off shortly afterwards. The threat is Cleanable, therefore you naturally decide not to acknowledge it as you want to take action when the endpoint is switched on again. No subsequent alerts even if all your endpoints get infected. Note that you also could get an alert but when you check with the console there no longer is one as it has meanwhile automatically been dealt with.
    If your threshold is non-zero the question is: should all endpoints be included or only the "new" ones? In the latter case, what if an endpoint has been on the previous list, been cleaned, and is now again among those with detections? It'd require a lot of logic to keep track of the state changes of individual endpoints and emails sent. Sub-estates further complicate the matter: Each SE can have its own Dashboard configuration.

    You could configure alerting by the endpoints in the SAV policy. The drawback is that you will get alerts for all threats and as the majority is automatically cleaned up this will result in quite some "noise".

    Christian
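
A small model of the threshold behaviour described in the reply above, added here as an illustration; it is not part of the original post and not Sophos code. The class, the endpoint names and the timeline are constructed, and the "only the upward crossing sends mail" rule is an assumption taken from the reply's description.

```python
from dataclasses import dataclass, field


@dataclass
class ThresholdAlerter:
    """Hypothetical model of a dashboard alert that fires on threshold crossings only."""
    total_endpoints: int
    threshold_pct: float
    above: bool = False                      # latched while the percentage stays above the threshold
    sent: list = field(default_factory=list)

    def observe(self, endpoints_with_alerts):
        pct = 100.0 * len(endpoints_with_alerts) / self.total_endpoints
        exceeds = pct > self.threshold_pct
        fired = exceeds and not self.above   # assumption: mail is sent on the upward crossing only
        if fired:
            # The mail reports the aggregate condition, not the individual computers.
            self.sent.append(f"{pct:.2f}% of computers above threshold {self.threshold_pct:.2f}%")
        self.above = exceeds
        return fired


def simulate():
    """Replay the reply's extreme example: threshold 0.00%, one unacknowledged alert."""
    alerter = ThresholdAlerter(total_endpoints=4, threshold_pct=0.0)
    timeline = [  # constructed sample data
        ("t0 all clean", set()),
        ("t1 PC-01 detects, is switched off, alert left unacknowledged", {"PC-01"}),
        ("t2 every endpoint has a detection", {"PC-01", "PC-02", "PC-03", "PC-04"}),
        ("t3 everything cleaned or acknowledged", set()),
        ("t4 PC-02 detects again", {"PC-02"}),
    ]
    results = [(label, alerter.observe(endpoints)) for label, endpoints in timeline]
    return results, alerter.sent


if __name__ == "__main__":
    results, sent = simulate()
    for label, fired in results:
        print(f"{label:62s} mail sent: {fired}")
    print(sent)
```

In this model no mail goes out at t2, because the percentage never dropped back below the threshold after t1.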

  • Hi Alex,

    Adding to what Christian already said - 

    Like the configuration says - it's a notification to alert you that something has gone wrong. Please log in to the SEC and take corrective measures.

    Off topic - you can schedule reports which can be sent over email. 

    That being said, if you'd like more information in the notification emails, please raise a feature request here - ideas.sophos.com

    Thanks,

    Vikas