MDR threat feeds
The Sophos Managed Detection and Response (MDR) service is integrated with the firewall. MDR threat feeds enable Sophos MDR analysts to push real-time threat feeds to the firewall, based on network traffic related to malicious servers.
The firewall automatically blocks traffic based on the IPv4 addresses, domains, and URLs listed in the MDR threat feeds. You don't need to configure any other rules or policies for the threat feeds.
The following diagram shows how Sophos MDR works with the firewall.
Video
The following video gives an overview of MDR threat feeds.
Requirements
- Ensure you have the following licenses:
  - Sophos Firewall: Xstream Protection Bundle.
  - Sophos Central: Sophos MDR Essentials or Sophos MDR Complete license.
  - Endpoint Protection: Sophos Intercept X if you want Synchronized Security.
- Go to the Sophos Central page in the firewall and register the firewall with Sophos Central.
- Configure Sophos MDR.
  MDR analysts take action based on the Threat response mode you select in Sophos Central. See Set up the Sophos MDR service.
- If you want Synchronized Security, do as follows in Sophos Central:
  - To configure Endpoint Protection, see Getting started.
  - To implement lateral movement protection, see Reject network connections.
Configure MDR threat feeds
You can turn on MDR threat feeds and configure logs and exclusions in the firewall.
- Turn on MDR threat feeds for MDR analysts to push the threat feeds to the firewall in real time.
- Select the action from the following options:
  - Log only: Only logs the threats.
  - Log and drop: Logs and blocks threats.
- Click Apply.
Note
To ask MDR analysts about a threat feed, find their audit ID in the logs. They need the ID to identify the feed. See MDR security analyst audit ID.
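As an added illustration (not Sophos code, and not the firewall's actual implementation), the following Python models the behaviour this page describes: a feed of IPv4, domain and URL indicators, the Log only versus Log and drop actions, and the analyst audit ID carried into each log record. The feed structure, field names and sample indicators are assumptions constructed for the example.

```python
"""Model of how an MDR threat feed drives firewall decisions.
Added illustration, not Sophos code: the feed layout, field names and
log record format are assumptions; the sample indicators are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FeedEntry:
    kind: str      # "ipv4", "domain" or "url": the indicator types the feed carries
    value: str
    audit_id: str  # identifies the analyst push that added this indicator


def _matches(entry: FeedEntry, dst_ip: str, host: str, url: str) -> bool:
    if entry.kind == "ipv4":
        # A single address or a CIDR block; ip_network accepts both forms.
        return ip_address(dst_ip) in ip_network(entry.value, strict=False)
    if entry.kind == "domain":
        # A domain indicator covers the host itself and all of its subdomains.
        h, d = host.lower().rstrip("."), entry.value.lower().rstrip(".")
        return h == d or h.endswith("." + d)
    if entry.kind == "url":
        # A URL indicator matches the same host and any path under its path.
        want, got = urlsplit(entry.value), urlsplit(url)
        return ((want.hostname or "").lower() == (got.hostname or "").lower()
                and (got.path or "/").startswith(want.path or "/"))
    return False


def evaluate(feed, mode, dst_ip, host, url=""):
    """Return (verdict, log_record); mode is 'log_only' or 'log_and_drop'."""
    for entry in feed:
        if _matches(entry, dst_ip, host, url):
            # Log only still allows the connection; Log and drop blocks it.
            verdict = "drop" if mode == "log_and_drop" else "allow"
            # The audit ID goes into the log so analysts can identify the feed.
            record = {"action": verdict, "matched": entry.kind, "indicator": entry.value,
                      "audit_id": entry.audit_id, "dst": dst_ip, "host": host}
            return verdict, record
    return "allow", None


# Constructed sample feed: placeholder values, not real indicators.
SAMPLE_FEED = [
    FeedEntry("ipv4", "203.0.113.0/24", "AUDIT-EXAMPLE-1"),
    FeedEntry("domain", "bad.example", "AUDIT-EXAMPLE-2"),
    FeedEntry("url", "http://cdn.example/payload/", "AUDIT-EXAMPLE-3"),
]
```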