Third-party threat feeds
Third-party threat feeds allow you to add threat intelligence from external threat feed sources to block threats.
The firewall automatically blocks traffic based on the IPv4 addresses, domains, and URLs that third-party threat feeds list in plain text format. You don't need to configure additional rules or policies for the threat feeds.
Managed Services Provider (MSP) services and alternative Managed Detection and Response (MDR) solutions are also supported. This allows Sophos partners to use third-party threat feeds as their own MDR service and to integrate customers' alternative MDR solutions.
The following diagram shows how third-party threat feeds work with the firewall.
Video
The following video gives an overview of Third-party threat feeds.
Example third-party feeds
Third-party threat feeds can include those provided by security organizations, industry consortiums, and community-based or open-source threat intelligence sources, such as the following:
- Cisco Talos
- GreyNoise. For more information, see Firewall Blocking with GreyNoise Trends.
- Abuse.ch / URLhaus
- OSINT (Open-source Intelligence) / DigitalSide
- CINS Score
- Feodo Tracker
- Tor
- Emerging Threats
Examples of tested threat feeds
IPv4 addresses
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://check.torproject.org/torbulkexitlist
URLs
https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt
https://urlhaus.abuse.ch/downloads/text/
Domains
https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/master/disposable_email_blocklist.conf
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
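Because the firewall blocks on whatever a plain-text feed lists, it helps to vet a feed's contents before adding it. The following is an added example, not Sophos code and not the firewall's own parser: it classifies each line as an IPv4 address, URL, or domain, and rejects entries of the wrong type as well as private or reserved IPv4 addresses that would block internal traffic. The names classify and check_feed, the treatment of "#" lines as comments, and the sample feed are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname label rule: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry):
    """Return 'ipv4', 'url', 'domain', or None for one feed entry."""
    try:
        ipaddress.IPv4Address(entry)
        return "ipv4"
    except ValueError:
        pass
    if "://" in entry:
        try:
            parts = urlsplit(entry)
        except ValueError:  # malformed bracketed host
            return None
        return "url" if parts.scheme in ("http", "https") and parts.hostname else None
    labels = entry.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "domain"
    return None


def check_feed(text, expected):
    """Split a feed into accepted entries and (line_no, entry, reason) rejects."""
    accepted, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # assumption: '#' marks a comment
            continue
        kind = classify(entry)
        if kind != expected:
            rejected.append((line_no, entry, f"expected {expected}, got {kind}"))
        elif kind == "ipv4" and not ipaddress.IPv4Address(entry).is_global:
            # Private, loopback or reserved ranges would block internal traffic.
            rejected.append((line_no, entry, "non-global address"))
        else:
            accepted.append(entry)
    return accepted, rejected


# Constructed sample feed; the entries are placeholders, not real indicators.
SAMPLE_IPV4_FEED = "# constructed sample\n8.8.4.4\n192.168.1.10\n999.1.1.1\nbad.example.com\n"

if __name__ == "__main__":
    print(check_feed(SAMPLE_IPV4_FEED, "ipv4"))
```

Run check_feed with expected set to "ipv4", "url", or "domain" to match the indicator type of the feed being reviewed.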