Active Threat Response

Active Threat Response (ATR) provides API-triggered responses to automatically isolate malicious hosts across the network. This extends threat intelligence from Sophos MDR, Sophos XDR, Sophos NDR, and third-party solutions to the access layer, quickly preventing lateral movement via any wired, wireless, managed, or unmanaged host.

Sophos AP6 access points registered with Sophos Central with a valid support and services license can access ATR. The ATR API ingests threat feed data, allowing MDR analysts and network administrators to quickly isolate malicious hosts across the network.

MDR/XDR Threat Feed

The MDR/XDR Threat Feed lists the isolated hosts across all AP6 access points and Sophos Switches managed in Sophos Central.

You can click the radio button next to AP6 to turn ATR on or off for AP6 access points.

Note

Active Threat Response (ATR) overrides any MAC Filtering configured on the access point's SSIDs. You can't use the Allowed list to allow MAC addresses blocked by ATR.

You can click the radio button next to Switch to turn ATR on or off for Sophos Switches.

Isolated devices

You can see information about devices connected to your access points.

The MAC address column lists the MAC addresses of devices.

The Switch and AP6 columns show each device's isolation status using the following icons:

  • A green check mark indicates that a device is isolated.
  • A hyphen indicates that a device isn't isolated.

Active Threat Response API

The ATR APIs are available on Sophos Central. The APIs allow third-party integrations and workflows to swiftly isolate malicious activity at the network access layer. For information on how to access and use the ATR APIs from Sophos Central, see the following links: