What do you do when an attempt to communicate with a botnet is detected?

You need some services on the endpoint, causing those alerts. Then perform the general Threat Hunting methods. Sophos Intercept X with EDR has such tools to perform Threat Hunt and find the causing issue. 

https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/b/announcements/posts/intercept-x-edr-xdr-overview

https://community.sophos.com/intercept-x-endpoint/b/threat-hunting-academy/posts/threat-hunting-academy---welcome?CommentId=c85f990d-832e-4432-998b-57768b56ee09

I will look into this Threat Hunting course and see if I can learn the general methods. Unfortunately, we don't use the Endpoint protection for the customer this most recently happened with so I'll see what data I can gather without it. We use BitDefender at the endpoint for this particular customer, which I don't believe will be any help in this scenario.

Please post such a event log from ATP.

Is it DNS traffic?

May only been caused by DNS servers root zone updates.

Ah, I can't see the alert anymore in the log viewer

It was one of the computers trying to hit a subdomain of http://rawlexi.com

I have also seen this domain hitting our ATP some times in the past.

btw: great logging feature on a firewall, that you cannot see this log after about a week, right?
-> Central Cloud Logging is not suitable for everyone. Logging on XG is really not good.

couldn't agree more. they are "adding" value with sophos central, by extracting value from the firewall.

call me old fashioned, but when I have a firewall for a job, I want to use the firewall for the job, not start hooking it to other places for what I consider, standard operations.

The point of Central is XDR. The first step of the new world of extended logging. See: https://community.sophos.com/intercept-x-endpoint/b/blog/posts/sophos-xdr-and-edr-4-0-now-available

Thats the future. 

the future for who? I only need what I need, and I'm a happy customer. SG - tail + grepping logs, thanks. Problem solved in half the time, ssh across in 10 seconds. If I need a historical look I'll search them through the GUI, all the info will be there.

I don't need cloud, delay with two factor. I want to be half deep into the problem and logs within 60 seconds, not still loading up central because it's slow.

Our future desires are different, businesses want control and integration into their global platform, the customer wants results and speed. It's misaligned, in my opinion.

That said, I still choose to use XG at home over all other platforms. It helps it's free, but overall it's also pretty decent. But logging off grid could be improved.

I am talking about the future of Threat Hunting. That is the main goal of a security product to begin with. You want to address complex attack scenarios and want to fight back. Looking at a firewall log only is only a small field of actual "what happen here?". 

Looking at the current state of attacks (See MITRE), you can easily spot the issue, only on relaying on a firewall. The firewall can only give you a small view of the actual attack, while getting more intel of your entire network is the key to fight back. 

I am not saying, the current state of logging is the best, it still get more detail to it (Logviewer improvements etc.). What i am saying is, reporting is not logging. Central is a reporting platform. Its about getting intel of what is going on. 

Just some thoughts for the future. 

fair enough, valid points and appreciate from what I've read from you in this forum in the past you know your onions. (know what you're talking about).

Cheers

The logs should be there at the firewall and be available through log viewer. In fact it is a bit opposite to what you said Lucar Toni: the ATP reports (something that I would expect as a Central Cloud Feature) are available on the XG but not the logs.

Ace Carter: please go to Reports > Network & Threats

and select ATP and the correct time frame.

I can still find the event from 2021 04 22 on our XG there. In our case it was the DNS server resolving a request to this FQDN which was blocked by XG ATP.

The logs should be there at the firewall and be available through log viewer. In fact it is a bit opposite to what you said Lucar Toni: the ATP reports (something that I would expect as a Central Cloud Feature) are available on the XG but not the logs.

Ace Carter: please go to Reports > Network & Threats

and select ATP and the correct time frame.

I can still find the event from 2021 04 22 on our XG there. In our case it was the DNS server resolving a request to this FQDN which was blocked by XG ATP.

Should the Logviewer show the same information? 

Of course it should show something  after such a short time!

Yes, I was able to find the event within the Report section. I wish I could determine what triggers their computer to try and hit that url. I supposed they could have clicked a link they shouldn't have. Fortunately, the XG blocks it. I'm fairly new to Sophos and far from being an expert in security but I would like to learn more. Thank you all for sharing some of your brains with me. I can see the Sophos tools have a lot more to offer than I am currently taking advantage of.