
Sophos XG too many Notification IPS and Malware over Mail

Hello,

I am receiving many notifications like

Message:
BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt

Mostly, when I look it up, it has something to do with some kind of advertisement API from Google or other cloud services. (There are other message types too.)

Now with 60 users my mailbox gets very full in no time, sometimes about 300 notifications in one minute.

First of all, these notifications are not helping much. If I get them, it's probably blocked then, right? And if I want to check it, I would at least need an IP address or computer name of who is causing the trouble; after that I would look up what they were doing. So basically I could spare some work time if this information was already in the e-mail.

An option to group the mails would be nice too, like if 200 mails of the same source/alert type arrive, only one will be sent in the next 5 seconds?

Adding notification exceptions would also be nice, like don't send, or group for a minute, for a specific alert message. (Example: the one above is for Internet Explorer, nobody uses that here anymore, but the IPS sadly scans for all browser types.)
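The grouping and exception behaviour asked for above, as an added illustration that is not part of this thread or of the Sophos product: alerts with the same source and IPS message inside a 5-second window collapse into one summary that carries a count, and messages on an exception list are counted rather than silently dropped. The alert tuples, IP addresses and timestamps are constructed for the demo; only the message strings come from the thread.

```python
from collections import Counter

# Constructed sample notifications: (timestamp in seconds, source IP, IPS message).
# The message strings are the ones quoted in this thread; IPs and times are made up.
SAMPLE_ALERTS = [
    (0.0, "172.16.10.5", "BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"),
    (0.4, "172.16.10.5", "BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"),
    (1.0, "172.16.10.9", "FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"),
    (1.5, "172.16.10.9", "FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"),
    (2.0, "172.16.10.5", "BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"),
    (3.0, "172.16.10.7", "FILE-PDF Foxit Reader remote query string buffer overflow attempt"),
    (6.0, "172.16.10.5", "BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"),
    (6.5, "172.16.10.9", "FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"),
]


def summarize(alerts, window=5.0, suppress=()):
    """Collapse alerts into one summary per (source, message) per time window.

    Returns (summaries, suppressed): summaries is a list of
    (window_start, source, message, count) ordered by window start; suppressed
    counts how many alerts each excepted message produced, so the exception
    list leaves an audit trail instead of hiding the volume entirely.
    """
    suppress = set(suppress)
    open_windows = {}                  # (source, message) -> [window_start, count]
    summaries, suppressed = [], Counter()
    for ts, src, msg in sorted(alerts):
        if msg in suppress:
            suppressed[msg] += 1
            continue
        key = (src, msg)
        current = open_windows.get(key)
        if current is not None and ts - current[0] < window:
            current[1] += 1            # same source + signature inside the window: just count
            continue
        if current is not None:        # window expired: emit it before opening a new one
            summaries.append((current[0], src, msg, current[1]))
        open_windows[key] = [ts, 1]
    for (src, msg), (start, count) in open_windows.items():
        summaries.append((start, src, msg, count))
    summaries.sort()
    return summaries, suppressed


if __name__ == "__main__":
    for start, src, msg, count in summarize(SAMPLE_ALERTS)[0]:
        print(f"t={start:4.1f} {src} x{count}  {msg}")
```

Eight constructed alerts become five summary lines; with the Internet Explorer signature on the exception list, three summaries remain and the four excepted alerts are still counted.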



This thread was automatically locked due to age.
  • I personally find it very dangerous not to find the root cause of such alerts. Threat hunting should be done after each and every alert. If there is a false positive, you should follow up to get it resolved.

    That is the reason Managed Detection is currently very popular, as most customers still work like this suggestion: simply ignore the additional alerts.

    Actually, you should investigate the alerts by using your EDR/XDR tools, as this is just a starting point going forward. Email alerting could already be too late. Looking into the database/lakes of your choice and logically linking them to the detection you see on your servers/clients should be the next steps.

    See MITRE ATT&CK.

  • Yes, we do root cause analysis. 50 mails per second for the same detection from one computer are still badly coded by Sophos..

    The root cause for many IPS alerts: people watching Amazon Prime videos (permitted usage) with Mozilla Firefox, creating this IPS alert for Flash Player, which does not exist in Firefox or on the system: FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt

    Or users tracking parcels on the Hermes website with Firefox or Chrome, causing Internet Explorer alerts:

    BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt

    That combination does not make sense though.

    We also insert a lot of coins into Sophos MDR service.

  • Yes, that's true, you should hunt it down to the root. But it does not help if the alert is activated each time a user clicks on Google ads and I get 300-500 mails at that moment, while one user tries to download something on a suspicious site and I only get one mail about the real threat.

    What do you think I'm gonna do? Clear my folder! The hardware should take load off my work, not the opposite, and that's something simple to get rid of. I don't mind this if the system does work, but at the moment it's too much!

  • The point is, the product is doing its job. The question is, why is there a false positive (if it is really a false positive)? Doing an exception or a root cause analysis to reproduce the false positive and report it back to Labs could be a better approach.

  • Sorry, no, the question here is why it needs to send so many mails and if there are plans to limit the amount of mailing.

    Sure, we could ask our Sales SE to file another Feature Request for alert mail throttling.

  • Personally I would never start to throttle any kind of email alerting. That is a bad way of dealing with alerts in any sense.

    But yes, if you want to get this into the product, the way is to interact with Sales.

  • Hey Lucar Toni, so you think it is useful to send more than 6000* mails within a few minutes because ONE user (successfully) watched an 8 minute ARTE TV video?

    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"

    hxxps://arte-cmafhls.akamaized.net/am/cmaf/104000/104800/104841-008-A/221013185002/medias/104841-008-A_v216.mp4

    23.32.238.176
    172.16.xxx.xxx
    38227  
    FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt
    file-flash

    Mails still coming into our mailboxes, the spool list is quite long.

    That is literally junk behaviour.

  • Having a similar problem to LHerzog.

    The users are browsing news sites in their break time.

    Some news sites have weird features like watching news on pages that look like a real paper magazine (where you can swipe pages with fancy animations).

    Often I then get the following alert:

    Message:
    FILE-PDF Foxit Reader remote query string buffer overflow attempt

  • [screenshot] <-- Mailbox unread

    Today a 15 min break time, that is really fun.

  • Being an XG admin is always fun.