Sophos XG too many Notification IPS and Malware over Mail

Hello,

i am reciving many Notifications like

Message:
BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt

Mostly i look up it has something to do with some kind of advertisement api from google or other cloud services. (There are other messages types too)

Now with 60 Users my mailbox gets very much full in no time, about 300 notifications sometimes in one minute.

First of all, these notifactions are not helping much, if i get them, its probaly blocked then right? And if i want check it, i would atleast need a IP-Adress or computername who is causing the trouble, after that i would look up what they were doing. So basically i could spare some work time if this information was already on the e-mail.

And option to group the mails would be nice than too, like if 200 mails of same source/alerttype only one will be send the next 5 secounds?

Adding notification excpetion would be also nice, like dont send or group after minute for specific alert message. (Example the above one is for internet explorer, nobody use that here anymore, but the ips scanns for all browser types sadly)



Edited TAGs
[edited by: emmosophos at 7:01 PM (GMT -8) on 15 Nov 2022]
  • I vote this one up.

    Mail notifications of XG/S is something we WANT but it is a pain that Sophos does not limit mailing for the same events. This has been possible on SG / UTM though.

    So please implement something for the admin to limit mail notifications for the same events to lets say 5 per minute and make the value adjustable.

    And if you may modify mail notifications, please finally bring the source IP into that mail. Without this information the mails are just spammy.

    Also I noticed a lot more IPS detections in v19.0.1 compared to 18.5.4. -> even more mails in my inbox.

  • Hello Team,

    Many thanks team for reaching out to Sophos Community. In addition, if you are keen on this feature you can always bring this one up to your local sales rep/SE as a modern feature request process:  https://community.sophos.com/b/community-blog/posts/sophos-ideas-portal-retirement 

    Or you can use your XG/S Firewalls "Feedback" section on top of the screen and can always enter your feature request. 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hello,

    i will do that, but thats kinda sad, problems and ideas should be upvoted and not be anonymized. With each Topic i have, i get worse sight on the expierence with sophos / support.

  • I found it personally very dangeruous to not find the root cause of such alerts. Threat Hunting should be done after each and every alert. If there is a false positive, you should follow up to get those resolved. 

    That is the reason, Managed Detection is currently very popular, as most customers still work like this suggestion: Simply ignore the additional alerts. 

    Actually, you should investigate the alerts by using your EDR/XDR Tools, as this is just a starting point, going forward. Email Alerting could be already to late. Looking into the database/lakes of your choice and logically link them to the detection, you see on your servers/clients should be the next steps.

    See MITRE attack. 

    __________________________________________________________________________________________________________________

  • yes, we do root cause analysis. 50 mails per second for the same detection frome one computer are still bad coded by Sophos..

    the root cause for many IPS alerts: people watching amazon prime videos (permitted usage) with Mozilla Firefox - creating this IPS Alert for Flash Player that does not exist in firefox or the system. FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt

    Or users tracking parcels on Hermes website with Firefox or Chrome, causing Internet Explorer alerts:

    BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt

    That combination does not make sense though.

    We also insert a lot of coins into Sophos MDR service.

  • Yes thats true, you should hunt it down to the root. But does not help if alert is activated each time a user clicks on google ads, and i get 300-500 mails at this moment, while one user tries download something on suspicious site and i only get on mail about real threat.

    What do you think i gonna do? Clear my folder! The hardware should take load of my work not the opposite, and thats something simple to get rid off. I dont mind if this if the system does work, but at the moment its too much!

  • The point is, the product is doing its job. The question is, why is there a false positive (if it is really a false positive). Doing a exception or root cause analyse to reproduce the false positive and report it back to labs could be a better approach. 

    __________________________________________________________________________________________________________________

  • sorry, no the question here is why it needs to sends so many mails and if there are plans to limit the ammount of mailing.

    Sure, we could ask our Sales SE to file an other Feature Request for alert mail throttling.
    .

  • Personally i would never start to Throttle any kind of email alerting. That is a bad way of dealing with Alerts in any sense.

    But yes, if you want to get this into the product, the way is to interact with Sales. 

    __________________________________________________________________________________________________________________

  • Hey Lucar Toni, so you think it is useful to send more than 6000* mails within a few minutes becaue ONE user (successfully) watched an 8 minute ARTE TV video?

    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"

    hxxps://arte-cmafhls.akamaized.net/am/cmaf/104000/104800/104841-008-A/221013185002/medias/104841-008-A_v216.mp4

    23.32.238.176
    172.16.xxx.xxx
    38227  
    FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt
    file-flash

    Mails still coming into our mailboxes, the spool list is quite long.

    That is literally junk behaviour.