
Third-party threat feeds

Third-party threat feeds allow you to add threat intelligence from external threat feed sources to block threats. The threat feeds can include those provided by security organizations, industry consortiums, and community-based or open-source threat intelligence sources, such as:

The firewall automatically blocks traffic based on the IPv4 addresses, domains, and URLs listed in plain text format in third-party threat feeds. You don't need to configure any other rules or policies for the threat feeds.

Managed Services Provider (MSP) services and alternative Managed Detection and Response (MDR) solutions are also supported. This allows Sophos partners to use third-party threat feeds for their own MDR service and to integrate customers' alternative MDR solutions.

The following diagram shows Third-party threat feeds and the firewall in action.

Third-party threat feeds diagram.

Video

The following video gives an overview of Third-party threat feeds.

Requirements

The third-party threat feed requirements are as follows:

  1. Ensure you have the following licenses:

    1. Sophos Firewall: Xstream Protection Bundle.
    2. Endpoint Protection: Sophos Intercept X if you want Synchronized Security.

    Note

    You can configure third-party threat feeds without the license but your network won't be protected. You must have the license to protect your network using third-party threat feeds.

  2. Go to the Sophos Central page in the firewall and register the firewall with Sophos Central.

  3. If you want Synchronized Security, do as follows in Sophos Central:

    1. To configure Endpoint Protection, see Getting started.
    2. To implement lateral movement protection, see Reject network connections.

Threat feed format requirements

To ensure proper functionality, the threat feed must have the following format:

  • Text file format: The threat feed must be a plain text file.
  • One Indicator of Compromise (IoC) per line: Each line must contain a single IoC, such as an IP address, URL, or domain. Don't add any comments or other information.

    Example threat feed content
    103.140.73.49
    103.142.86.221
    103.173.155.111
    103.46.186.148
    104.131.133.129
    104.143.77.12
    104.143.77.8
    104.236.201.22
    104.236.202.98
    
    Examples of tested threat feeds

    IPv4 addresses

    • https://rules.emergingthreats.net/blockrules/compromised-ips.txt
    • https://check.torproject.org/torbulkexitlist

    URLs

    • https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt
    • https://urlhaus.abuse.ch/downloads/text/

    Domains

    • https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/master/disposable_email_blocklist.conf
    • https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt

Supported IoC types

  • IPv4 addresses
  • URLs
  • Domains

Unsupported IoC types

  • IPv4 address ranges
  • IPv6 addresses
  • Subnets
  • Wildcard domains
  • Regular expressions

Important

The threat feed can contain multiple IoC types. However, the firewall only processes the IoCs relevant to the configured indicator type. For example, if your threat feed contains both IPv4 addresses and domains, and the firewall is configured to detect IPv4 addresses, only the IPv4 addresses are used.
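The following validator, added here as an example and not part of Sophos' product or documentation, checks a feed file against the format rules above: one bare IoC per line, no comments, and none of the unsupported types. It then keeps only the IoCs that match the configured indicator type, which is the behaviour the Important note describes. Its classification rules (http/https URLs only, alphabetic top-level labels for domains) are assumptions, not the firewall's exact parser, and the sample feed is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")  # assumed domain syntax

def classify(s):
    """Return the IoC type of one stripped feed line, or 'unsupported:<reason>'."""
    if s.startswith("#") or any(c.isspace() for c in s):
        return "unsupported:comment-or-extra-text"  # one bare IoC per line, nothing else
    if "://" in s:
        u = urlsplit(s)
        return "url" if u.scheme in ("http", "https") and u.netloc else "unsupported:malformed-url"
    try:  # single address or CIDR block
        net = ipaddress.ip_network(s, strict=False)
        return "unsupported:subnet" if "/" in s else "ipv4" if net.version == 4 else "unsupported:ipv6"
    except ValueError:
        pass
    try:  # "a.b.c.d-w.x.y.z": exactly two parts that both parse as addresses
        lo, hi = (ipaddress.ip_address(p) for p in s.split("-"))
        return "unsupported:ip-range"
    except ValueError:
        pass
    if s.startswith("*."):
        return "unsupported:wildcard-domain"
    return "domain" if DOMAIN_RE.match(s) else "unsupported:regex-or-malformed"

def load_feed(text, indicator_type):
    """Keep only IoCs of the configured type, as the firewall does; report the rest."""
    used, skipped = [], []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s:
            continue
        kind = classify(s)
        if kind == indicator_type:
            used.append(s)
        else:
            skipped.append((n, s, kind))  # line number, entry, why it was ignored
    return used, skipped

# Constructed sample feed: valid entries mixed with every unsupported type.
SAMPLE_FEED = """\
103.140.73.49
# comments are not allowed
evil.example
http://evil.example/payload.exe
10.0.0.0/24
2001:db8::1
*.evil.example
192.0.2.1-192.0.2.50
"""
```

Running `load_feed(SAMPLE_FEED, "ipv4")` returns only the first address as used and lists the other seven lines with their reasons, so a feed can be checked before it is pointed at the firewall.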

Security Heartbeat

Third-party threat feeds implement the same Synchronized Security response for Security Heartbeat conditions, including enforcing firewall rules.

The firewall automatically identifies Sophos-managed endpoints that may be compromised (attempting to communicate with a malicious server) based on a red Security Heartbeat. It queries the device for additional information to provide insights on the host, user, and process that accessed the IoC.

The firewall also coordinates lateral movement protection, which informs all healthy managed endpoints that a compromised host is on the LAN so they will block traffic from that device.

See Security Heartbeat overview.

Note

Additional information such as the host, user, and process only appears if the Action is Log and drop or Block.

Firewall modules that block threats

The firewall blocks threats through the following modules:

Malicious traffic   Traffic type                                              Module
IP addresses        Traffic to or from IPv4 addresses.                        Firewall
Domains and URLs    DNS requests when the firewall acts as the DNS server.    DNS
                    DNS requests to other servers.                            IPS
                    Encrypted and decrypted HTTPS.                            IPS (for DPI engine, involving SSL/TLS inspection rules)
                                                                              Web (for Web proxy)