Frequently asked questions about Active threat response
All threat feed modules
Can I export and import Active threat response configurations?
You can't import or export threat feed configurations, but you can import and export threat exclusions.
You can't import MDR threat feed settings from Sophos Central using the "Import existing configuration" option in a new firewall group's initial configuration.
Third-party threat feeds
How many Indicators of Compromise (IoCs) can a third-party threat feed have?
The feed can have any number of IoCs. However, the disk space available for the feeds depends on the appliance model. For more information, see Storage limit for third-party threat feeds.
Can I restore third-party threat feed lists from firewall backups?
The third-party threat feed configurations are restored, but their lists aren't. However, after the firewall restores the backup, it immediately starts polling the source for the latest feeds and applies the configured action.
Which third-party threat feeds can I integrate with the firewall?
You can integrate any third-party feed if it meets the file requirements. We tested the following third-party threat feeds:
Can you share some example URLs of the threat feeds you've tested?
IPv4 addresses
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://check.torproject.org/torbulkexitlist
URLs
https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt
https://urlhaus.abuse.ch/downloads/text/
Domains
https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/master/disposable_email_blocklist.conf
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt