What do you do when an attempt to communicate with a botnet is detected?

You need some services on the endpoint, causing those alerts. Then perform the general Threat Hunting methods. Sophos Intercept X with EDR has such tools to perform Threat Hunt and find the causing issue. 

https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/b/announcements/posts/intercept-x-edr-xdr-overview

https://community.sophos.com/intercept-x-endpoint/b/threat-hunting-academy/posts/threat-hunting-academy---welcome?CommentId=c85f990d-832e-4432-998b-57768b56ee09

I will look into this Threat Hunting course and see if I can learn the general methods. Unfortunately, we don't use the Endpoint protection for the customer this most recently happened with so I'll see what data I can gather without it. We use BitDefender at the endpoint for this particular customer, which I don't believe will be any help in this scenario.

Please post such a event log from ATP.

Is it DNS traffic?

May only been caused by DNS servers root zone updates.

Ah, I can't see the alert anymore in the log viewer

It was one of the computers trying to hit a subdomain of http://rawlexi.com

I have also seen this domain hitting our ATP some times in the past.

btw: great logging feature on a firewall, that you cannot see this log after about a week, right?
-> Central Cloud Logging is not suitable for everyone. Logging on XG is really not good.

couldn't agree more. they are "adding" value with sophos central, by extracting value from the firewall.

call me old fashioned, but when I have a firewall for a job, I want to use the firewall for the job, not start hooking it to other places for what I consider, standard operations.

The point of Central is XDR. The first step of the new world of extended logging. See: https://community.sophos.com/intercept-x-endpoint/b/blog/posts/sophos-xdr-and-edr-4-0-now-available

Thats the future. 

the future for who? I only need what I need, and I'm a happy customer. SG - tail + grepping logs, thanks. Problem solved in half the time, ssh across in 10 seconds. If I need a historical look I'll search them through the GUI, all the info will be there.

I don't need cloud, delay with two factor. I want to be half deep into the problem and logs within 60 seconds, not still loading up central because it's slow.

Our future desires are different, businesses want control and integration into their global platform, the customer wants results and speed. It's misaligned, in my opinion.

That said, I still choose to use XG at home over all other platforms. It helps it's free, but overall it's also pretty decent. But logging off grid could be improved.

I am talking about the future of Threat Hunting. That is the main goal of a security product to begin with. You want to address complex attack scenarios and want to fight back. Looking at a firewall log only is only a small field of actual "what happen here?". 

Looking at the current state of attacks (See MITRE), you can easily spot the issue, only on relaying on a firewall. The firewall can only give you a small view of the actual attack, while getting more intel of your entire network is the key to fight back. 

I am not saying, the current state of logging is the best, it still get more detail to it (Logviewer improvements etc.). What i am saying is, reporting is not logging. Central is a reporting platform. Its about getting intel of what is going on. 

Just some thoughts for the future. 

fair enough, valid points and appreciate from what I've read from you in this forum in the past you know your onions. (know what you're talking about).

Cheers