Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=active-threat-response-sophos-xops-threat-feeds

Sophos X-Ops threat feeds

Sophos X-Ops threat feeds is a SophosLabs-managed global threat database that's regularly updated and pushed to the firewall. The firewall blocks all requests and traffic matching with this database of malicious IP addresses, domains, or URLs.

You can turn on Sophos X-Ops threat feeds and configure logs and exclusions on the firewall. Sophos X-Ops threat feeds is turned off by default.

Security Heartbeat

Sophos X-Ops threat feeds implement the same Synchronized Security response for Security Heartbeat conditions, including enforcing firewall rules.

The firewall automatically identifies Sophos-managed endpoints that may be compromised (attempting to communicate with a malicious server) based on a red Security Heartbeat. It queries the device for additional information to provide insights on the host, user, and process that accessed the IoC.

The firewall also coordinates lateral movement protection, which informs all healthy managed endpoints that a compromised host is on the LAN so they will block traffic from that device.

See Security Heartbeat overview.

Note

Additional information such as the host, user, and process only appears if the Action is Log and drop or Block.

Configure Sophos X-Ops threat feeds

  1. Turn on Sophos X-Ops threat feeds for periodic threat feed updates.

  2. Select the action from the following options:

    • Log only: Only logs threats.
    • Log and drop: Logs and blocks threats.

  3. Click Apply.

Configure Log settings

To configure log settings, do as follows:

  1. Go to Active threat response > Sophos X-Ops threat feeds.

  2. Click Change the settings.

    It takes you to System services > Log settings.

  3. Under Log settings, make sure MDR and Sophos X-Ops threat feeds is selected for the following:

    1. Local reporting

    2. Central reporting.

      Note

      If you don't see this option, go to Sophos Central and select Send reports and logs to Sophos Central.

  4. Click Apply.

Firewall modules that block threats

The firewall blocks threats through the following modules:

Malicious traffic Traffic type Module
IP addresses Traffic to or from IPv4 addresses. Firewall
Domains and URLs DNS requests when the firewall acts as the DNS server. DNS
DNS requests to other servers. IPS
Encrypted and decrypted HTTPS.

IPS (for DPI engine, involving SSL/TLS inspection rules)

Web (for Web proxy)

Other settings

  • To exclude hosts, networks, IP addresses, domains, or URLs from being checked, click Add threat exclusions. See Add threat exclusions.
  • To go to the Active threat response logs in Log viewer, click Logs.
  • For Advanced security settings, see Advanced security settings.

How to use the logs

  • Go to Log viewer, and select Active threat response to see the blocked threats.
  • If you have Synchronized Security, you can see additional information, such as the user, host, and process that accessed the IoC. See Endpoint threat details.