
Log settings for Active threat response

You can configure log settings for threat feeds to save logs locally in the firewall and to send logs to syslog servers and Sophos Central.

Configure Log settings

To configure log settings, do as follows:

  1. Go to System services > Log settings.
  2. Under Log settings, select Active threat response for the following options:

    1. Local reporting.
    2. Syslog servers that you configure.
    3. Central reporting.

      The Central reporting column appears only after you select Send reports and logs to Sophos Central on the Sophos Central page in the firewall.

  3. Click Apply.

How to see the logs

If MDR threat feeds are configured, the firewall applies them first. To learn how the firewall logs events for IoCs that appear in more than one threat feed, see How the firewall implements threat feeds.

Summary

  • Go to Log viewer, and select Active threat response to see the blocked Indicators of Compromise (IoCs).
  • If you have Synchronized Security, see the additional information, such as user, host, and process, to take action.
  • To ask MDR analysts about an IoC identified by MDR, find their audit ID in the logs. They need the ID to identify the feed.

Endpoint threat details

When a threat is detected, the firewall queries endpoints managed by Sophos Central for information, such as the host, user, and process, which helps you investigate the Indicators of Compromise (IoCs). You can see the threat details using any of the following options:

  • In Log viewer, select Active threat response from the drop-down list and look under the Process user and Executable columns, and in the log details.
  • Go to Reports > Network & threats, select Active threat response from the drop-down list, and look under Synchronized IoC.

The endpoint threat details are as follows:

  • host_process_user
  • endpoint_id
  • execution_path

Note

You can't see the host, user, and process details of compromised macOS endpoints. Instead, a generic alert appears, for example, "Active threat C2/Generic-C deleted". To identify the endpoint, look for the source IP address in Log viewer in the firewall.

Endpoint log.

Endpoint details.

MDR security analyst audit ID

When an MDR security analyst adds or removes an IoC, such as an IP address, domain, or URL, the event is logged showing the action and the security analyst's identity (audit_ID).

To ask MDR analysts about a threat feed, find their audit ID in the logs. They need the ID to identify the feed.

You can see the action and audit_ID using one of the following options:

  • In Log viewer, select the detailed view button, then select Admin from the drop-down list.
  • In Sophos Central, go to My Products > Firewall management > Tasks Queue.
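As an added example, not part of the Sophos documentation, the following Python script triages Active threat response records received on a syslog server, covering both the endpoint threat details above and the MDR analyst audit ID. The key="value" line layout and the sample records are constructed assumptions; only the field names (host_process_user, endpoint_id, execution_path, audit_ID) come from this page.

```python
import re

# Constructed sample records (not captured firewall output). They mimic the
# key="value" layout Sophos Firewall uses for syslog, with the field names this
# page documents: host_process_user, endpoint_id, execution_path and audit_ID.
# The second record stands for a macOS endpoint: a generic alert with no
# host/user/process details, so only the source IP identifies the device.
SAMPLE_SYSLOG = r'''
log_type="ATR" message="IoC blocked" src_ip="10.0.0.23" dst_ip="203.0.113.7" host_process_user="WIN10-LAB\alice" endpoint_id="ep-0001" execution_path="C:\Users\alice\AppData\Local\Temp\svc.exe"
log_type="ATR" message="Active threat C2/Generic-C deleted" src_ip="10.0.0.42" dst_ip="198.51.100.9"
log_type="Admin" message="IoC added" audit_ID="mdr-analyst-17" ioc="198.51.100.9"
'''

# key="value" pairs; values may contain backslash-escaped characters.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
ENDPOINT_FIELDS = ("host_process_user", "endpoint_id", "execution_path")


def parse_record(line: str) -> dict:
    """Turn one syslog line into a dict of its key="value" pairs."""
    return dict(KV_RE.findall(line))


def triage(syslog_text: str) -> dict:
    """Sort Active threat response records into three buckets:
    detections with Synchronized Security endpoint details, detections that
    must be traced by source IP (no endpoint details, e.g. macOS), and
    analyst IoC changes keyed by audit_ID so MDR can be asked about the feed."""
    out = {"with_endpoint": [], "by_source_ip": [], "analyst_changes": []}
    for line in syslog_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        if "audit_ID" in rec:
            out["analyst_changes"].append(
                {"audit_ID": rec["audit_ID"], "action": rec.get("message"), "ioc": rec.get("ioc")})
        elif all(f in rec for f in ENDPOINT_FIELDS):
            details = {f: rec[f] for f in ENDPOINT_FIELDS}
            out["with_endpoint"].append({**details, "src_ip": rec.get("src_ip")})
        else:
            out["by_source_ip"].append({"src_ip": rec.get("src_ip"), "message": rec.get("message")})
    return out


if __name__ == "__main__":
    for bucket, records in triage(SAMPLE_SYSLOG).items():
        print(bucket)
        for r in records:
            print("  ", r)
```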