MDR threat feeds
MDR threat feeds is the Sophos Managed Detection and Response (MDR) service that's integrated with the firewall.
Sophos MDR analysts can push threat intelligence to the firewall directly from Sophos Central, allowing the firewall to coordinate defenses immediately. The feed is based on your network's traffic related to malicious servers.
The firewall automatically blocks traffic based on the IPv4 addresses, domains, and URLs in the MDR threat feeds.
Requirements
- For license requirements, see Licenses for threat feed modules.
- For additional configurations required for all threat feed modules, see Firewall configurations for threat feeds.
- Additionally, MDR threat feeds require configurations related to Sophos Central. You must do as follows:
  - Go to the Sophos Central page in the firewall and register the firewall with Sophos Central.
  - Configure Sophos MDR. MDR analysts take action based on the Threat response mode you select in Sophos Central. See Set up the Sophos MDR service.
Configure MDR threat feeds
You can turn on MDR threat feeds and configure logs and exclusions in the firewall.
- Go to Active threat response > MDR threat feeds.
- Turn on MDR threat feeds so MDR analysts can push threat feeds to the firewall in real time.
- Select the action from the following options:
  - Log only: Only logs the threats.
  - Log and drop: Logs and blocks threats.
- Click Apply.
Note
To ask MDR analysts about a threat feed, find their audit ID in the logs. They need the ID to identify the feed. See MDR security analyst audit ID.