
Sophos X-Ops threat feeds

Sophos X-Ops threat feeds is a SophosLabs-managed global threat database that's regularly updated and pushed to the firewall. The firewall blocks all requests and traffic that match the malicious IP addresses, domains, or URLs in this database.

You can turn on Sophos X-Ops threat feeds and configure logs and exclusions on the firewall. Sophos X-Ops threat feeds is turned off by default.


Sophos X-Ops threat feeds was previously called Advanced threat protection (ATP).

Configure Sophos X-Ops threat feeds

  1. Turn on Sophos X-Ops threat feeds for periodic threat feed updates.
  2. Select the action from the following options:

    • Log only: Only logs threats.
    • Log and drop: Logs and blocks threats.
  3. Click Apply.

Configure Log settings

To configure log settings, do as follows:

  1. Go to Active threat response > Sophos X-Ops threat feeds.
  2. Click Change the settings.

    This takes you to System services > Log settings.

  3. Under Log settings, make sure MDR and Sophos X-Ops threat feeds is selected for the following:

    1. Local reporting
    2. Central reporting. This appears after you select Send reports and logs to Sophos Central on the Sophos Central page in the firewall.
  4. Click Apply.

Other settings

  • To exclude an IP address, domain, or URL from being checked, click Add threat exclusions.
  • To go to the Active threat response logs in Log viewer, click Logs.
  • For Advanced security settings, see Advanced security settings.

How to use the logs

  • Go to Log viewer, and select Active threat response to see the blocked threats.
  • If you have Synchronized Security, review the additional information, such as user, host, and process, to take action. See Endpoint threat details.