Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=active-threat-response-mdr-logging

Logging

You can see the logs for MDR threat feeds in the Admin and Active threat response module of the log viewer.

Endpoint threat details

When a threat is detected, the firewall also queries the endpoints managed by Sophos Central for additional information, such as the host, user, and process, which helps you determine any Indicators of Compromise (IoC).

You can see the threat details in the Active threat response module of Log viewer, under the Process user and Executable columns, and in the log details. You can also see this in Reports > Network & threats > Active threat response under Synchronized IoC.

The endpoint threat details are as follows:

  • host_process_user
  • endpoint_id
  • execution_path

Endpoint log.

Endpoint details.

MDR security analyst audit ID

When an MDR security analyst adds or removes an IoC, such as an IP address, domain, or URL, the event is logged showing the action and identity of the security analyst (audit_ID).

You can see the action and audit_ID in the Admin module of the log viewer and in My Products > Firewall management > Tasks Queue in Sophos Central.