This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Risk level

Hello! I just integrated Sophos Alert with my Service Desk software to open tickets regarding high risk alerts with Intrusion Prevention and Advanced Threat Protect.
Fortunately most of them are alerts of temporary files, cache or even false positivos and they disappear in next day or few days. However there are some that need attention if they persist.

So I created a scheduled ticket every week to check SUM and see if there are any major threats. Regarding only security level (Threat), what risk level should I take an action in this print: 

 

Thank you!



This thread was automatically locked due to age.
Parents
  • I assume that you have ATP configured to BLOCK mode, not simply alert!

    I have seen ATP errors mean one of these things:

    • Someone browsed to an infected website, which tried to redirect them to something bad, and UTM blocked the action.  No harm done.
    • Something tried to do a DNS lookup on a name that UTM always blocks.   Name not resolved, no harm done if this is a random event, UNLESS the requester is able to bypass the UTM block by querying a different DNS server!   Spam-getting-through is one way this could happen.   If someone tries to click a bad link, ATP might block the DNS lookup before Web Filter has a chance to evaluate the URL reputation.
      Related:   I have a non-UTM email filter that checks every URL, and blocks the suspicious ones.   I had to exempt it from IPS/ATP filtering so that UTM did not block the DNS request (which might cause the email filter to conclude that the URL is harmless).
    • However, it might mean that the source PC is actually infected, and is trying to download instructions and payload.   UTM blocked the attempt, but it may have more than one way to do its dirty work.   This requires taking the PC off the network immediately and getting it disinfected.

     

  • Yeah, I do.

     

    But I want to act based on the threat level showed in the SUM, not in the UTM. I mean, the objective is to create a scheduled ticket where my analysts have to access SUM and see if they have to take an action based on threat. That´s why I need to understand when (threat level) we should take an action.

     

    Was I clear enough? Sorry English is not my native language.

  • Your English is fine.   I only manage a single UTM, so I do not use SUM.    Outside my skill set.

Reply Children
  • Does anyone have enough experience with SUM to give me some tips? I really would like to implement something to check all my UTM´s periodically based on threat level but I dont want to overload my analysts with risks that are "unnecessary" to take action.

  • Does anyone know how is that trending math calculated? I am pretty sure that the level 1 risk is caused by those two.

    I still dont know what is the minimum risk level that we should intervene, so I am now trying to understand how those data works.