Automated Threat Alerts
This would be much easier if there were an integration with ConnectWise Manage.
Immediate automated alerting is much needed for high priority activity. As stated in other comments, if for example malware is reaching out to a C&C domain, we would need to be alerted immediately with pertinent details for investigation and remediation.
Merged in a post: More alerting options
It would be useful to be able to receive email alerts for certain types of malicious traffic.
It would also be very useful to set alerts for malicious traffic based on timeframes.
For example, admins should be alerted to malicious traffic detected during off-hours.
Will this potential feature also include regular scheduled summaries/digests of blocked sites? It would be good from a customer perspective to provide them with a high-level report of what has been successfully blocked over the course of, say, 30 days. If they need further detail, they can then access the portal and drill into the details.
Scott: we are currently working on an update to our reporting system which will include scheduled emails as you requested. We’ll offer weekly or monthly emails sent to any number of email addresses. These automated threat alerts are geared for real time events where you want immediate notice. An example: one of your users visits a known ransomware site. DNSFilter will block the site if you have threats blocked but you may want to know so you can educate the user how to spot phishing emails.
I hope that helps and look for the new reporting to launch later this year.
Hello voters! Would you take a few short minutes to fill out our survey regarding this feature? https://joshl2.typeform.com/to/k3zm4e
We want to make sure that everyone's voice is heard.
Josh Lamb: done 👍
Josh Lamb: Done. I've also added some notes below in response to Ken which are somewhat in line with some of the survey questions.
Thanks guys, this is helpful insight. I’ll run it past the dev team. We are thinking a once-daily alert summary - I suppose it seems like mainly this would start with C&C activity.
Ken Carnesi: Only thing about that would be if a machine is compromised and reaching out to a C&C server, we'd need to know right away, not waiting on a daily summary.
Dave: so you think it’d be best for us to send the alert immediately even if we see a single request?
What if we see the activity, but we are blocking it for you. You’d still want the alert? And you’d want it just the first time?
Just curious, because if we are alerting even on C&C domains we’ve blocked for you it may become noise/a pester if we kept alerting until you fixed the problem creating the requests in the first place.
Ken Carnesi: If there is a way to categorize as ultra-high-risk sites, which is basically only C&C servers, then yeah, I'd want to know right away. Maybe rate limit the number of emails, but it should be immediate, because that's a high probability you just got infected with something that needs immediate remediation. People generally don't stumble onto C&C servers like you can with all the various other categories.
Dave: Cool - you think there’s any interest/point in text message alerts as well? Or is that just unrealistic/not useful?
Ken Carnesi: as an option, sure. For us smaller players, sometimes a text is more quickly noticed than emails. Bigger firms I assume would have emails directed right into a ticket, so texting doesn't make as much sense for them.
Ken Carnesi: Something worth considering is webhooks with customisable post data. That way we could construct things like Microsoft Teams alerts and have them delivered where we want.
I think we should be able to say "If X requests are made to X category in X time" send an alert. Give us control over how many alerts we get in a day.
One DNS block for something here and there isn't overly concerning, but if a site hits a blocked DNS record 30 times in a 30 second block, then we probably want to know about it.
Regarding your request about how the feature could look:
I don't want to get alarms for each blocked site. But it would be useful to get an alarm email if URLs known for command and control servers are blocked.
So basically alerts which tend to show that there are internal network infections.
- Wish: Alerts if the amount of dns requests rises dramatically in a short time span.
Hope this is useful.
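The alerting rules discussed across this thread (an immediate C&C alert that is rate-limited per client so an infected host does not generate one email per request, the "X blocks in category Y within Z seconds" threshold rule, an off-hours threat alert, and the blocked-by-category counts a scheduled digest would be built from), as one added stand-alone Python example. This is not DNSFilter's code: the log line format, the category names, the cool-down, the threshold and the off-hours span are all assumptions, and the sample log lines are constructed. Delivery (email, SMS, webhook) is left out; the engine just returns alert tuples.

```python
"""Rule-based alerting over DNS block logs (added example, not DNSFilter code).

Rules demonstrated:
  1. immediate alert on any blocked command-and-control query, with a per-client
     cool-down so a chatty infected host is reported once, not per request;
  2. threshold alert: N blocks in a category within W seconds for one client;
  3. off-hours alert on any blocked query in a threat category;
plus per-category block counts for a scheduled digest.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time

# Assumed category names and tuning; a real deployment would read these from config.
THREAT_CATEGORIES = {"command-and-control", "malware", "phishing"}
IMMEDIATE_CATEGORIES = {"command-and-control"}   # alert on a single blocked query
IMMEDIATE_COOLDOWN = 3600                        # seconds between repeat alerts per client+category
THRESHOLD_RULES = [("malware", 3, 30)]           # (category, count, window_seconds)
OFF_HOURS = (time(18, 0), time(8, 0))            # 18:00 to 08:00, crosses midnight

# Constructed sample log (hypothetical format): ISO timestamp, client, domain, category, action.
SAMPLE_LOG = """\
2019-05-06T09:00:00Z 10.0.0.5 updates.example.org software allowed
2019-05-06T09:00:02Z 10.0.0.5 bad-cnc.example.net command-and-control blocked
2019-05-06T09:00:03Z 10.0.0.5 bad-cnc.example.net command-and-control blocked
2019-05-06T09:00:04Z 10.0.0.5 bad-cnc.example.net command-and-control blocked
2019-05-06T09:00:10Z 10.0.0.7 ads.example.com advertising blocked
2019-05-06T14:00:00Z 10.0.0.9 drop.example.net malware blocked
2019-05-06T14:00:05Z 10.0.0.9 drop.example.net malware blocked
2019-05-06T14:00:09Z 10.0.0.9 drop.example.net malware blocked
2019-05-06T22:15:00Z 10.0.0.7 phish.example.com phishing blocked
"""


@dataclass
class Event:
    ts: datetime
    client: str
    domain: str
    category: str
    action: str


def parse_line(line: str) -> Event:
    ts, client, domain, category, action = line.split()
    # "Z" suffix is only accepted by fromisoformat from Python 3.11 on; normalise it.
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), client, domain, category, action)


def is_off_hours(ts: datetime) -> bool:
    start, end = OFF_HOURS
    t = ts.time()
    return t >= start or t < end      # span wraps past midnight


class AlertEngine:
    def __init__(self):
        self.last_immediate = {}                # (client, category) -> ts of last alert
        self.windows = defaultdict(deque)       # (client, category) -> recent block timestamps

    def process(self, ev: Event) -> list:
        """Return zero or more alert tuples for one log event."""
        alerts = []
        if ev.action != "blocked":
            return alerts
        key = (ev.client, ev.category)
        # Rule 1: immediate, rate-limited per client+category.
        if ev.category in IMMEDIATE_CATEGORIES:
            last = self.last_immediate.get(key)
            if last is None or (ev.ts - last).total_seconds() >= IMMEDIATE_COOLDOWN:
                self.last_immediate[key] = ev.ts
                alerts.append(("immediate", ev.client, ev.category, ev.domain))
        # Rule 2: sliding-window threshold; the window resets once reported.
        for category, count, window in THRESHOLD_RULES:
            if ev.category != category:
                continue
            q = self.windows[key]
            q.append(ev.ts)
            while (ev.ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= count:
                alerts.append(("threshold", ev.client, category, len(q)))
                q.clear()
        # Rule 3: any threat-category block outside business hours.
        if ev.category in THREAT_CATEGORIES and is_off_hours(ev.ts):
            alerts.append(("off-hours", ev.client, ev.category, ev.domain))
        return alerts


def run(log_text: str):
    """Feed every line through the engine; return (alerts, blocked counts per category)."""
    engine, alerts, summary = AlertEngine(), [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        alerts.extend(engine.process(ev))
        if ev.action == "blocked":
            summary[ev.category] += 1
    return alerts, dict(summary)


if __name__ == "__main__":
    found, digest = run(SAMPLE_LOG)
    for a in found:
        print(a)
    print("blocked by category:", digest)
```

On the sample log the three C&C requests from 10.0.0.5 produce a single immediate alert, the malware burst from 10.0.0.9 trips the 3-in-30-seconds rule once, and the 22:15 phishing block is reported as off-hours; the advertising block is only counted in the digest. Clearing the window after a threshold alert is what keeps a sustained burst from re-alerting on every subsequent request, which is the noise concern raised in the thread.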