Logging
You can see the logs for MDR, Sophos X-Ops, and third-party threat feeds in the Admin and Active threat response modules of Log viewer.
Endpoint threat details
When a threat is detected, the firewall also queries the endpoints managed by Sophos Central for additional information, such as the host, user, and process, which helps you identify Indicators of Compromise (IoCs).
You can see the threat details in the Active threat response module of Log viewer, under the Process user and Executable columns, and in the log details. You can also see this in Reports > Network & threats > Active threat response under Synchronized IoC.
The endpoint threat details are as follows:
host_process_user
endpoint_id
execution_path
Note
The additional host, user, and process information only appears when the action is Log and drop or Block.
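The following is an added example, not code from the page or from Sophos, showing how to pull the endpoint threat details out of exported Active threat response log lines and how to apply the caveat in the note above. It assumes the lines use the firewall's key="value" syslog layout; the field names host_process_user, endpoint_id, and execution_path come from the page, while log_type="ATR", the action value "Log only", and every other field in the constructed sample lines are assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional

# Field names from the page. The key="value" layout, the log_type value "ATR" and the
# action value "Log only" are assumptions for this example, not confirmed by the page.
ENDPOINT_FIELDS = ("host_process_user", "endpoint_id", "execution_path")
ENRICHING_ACTIONS = {"Log and drop", "Block"}   # actions for which the note says details appear

# Constructed sample log export (not captured firewall output). Only the second line was
# enriched with endpoint details; the third was dropped but carries no endpoint context.
SAMPLE_LOG = (
    'device="SFW" log_type="ATR" log_component="Sophos X-Ops" action="Log only" '
    'src_ip="10.1.2.3" dst_ip="203.0.113.10" threat="Malicious IP"\n'
    'device="SFW" log_type="ATR" log_component="MDR" action="Log and drop" '
    'src_ip="10.1.2.4" dst_ip="198.51.100.7" threat="C2 domain" '
    'host_process_user="WORKSTATION-07\\alice" '
    'endpoint_id="d2f1b7c0-3e4a-4b6f-9a1c-0f0e1d2c3b4a" '
    'execution_path="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"\n'
    'device="SFW" log_type="ATR" log_component="Third-party feed" action="Log and drop" '
    'src_ip="10.1.2.9" dst_ip="192.0.2.44" threat="Malicious IP"\n'
    'device="SFW" log_type="Firewall" action="Allow" src_ip="10.1.2.5" dst_ip="192.0.2.1"\n'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key="value" line into a dict (values may contain backslashes, not quotes)."""
    return dict(KV_RE.findall(line))


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def atr_records(text: str) -> List[Dict[str, str]]:
    """Keep only Active threat response records (log_type value is an assumption)."""
    return [rec for rec in parse_log(text) if rec.get("log_type") == "ATR"]


def endpoint_details(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the three synchronized IoC fields if the firewall attached them, else None."""
    if not all(field in rec for field in ENDPOINT_FIELDS):
        return None
    return {field: rec[field] for field in ENDPOINT_FIELDS}


def synchronized_iocs(text: str) -> List[Dict[str, str]]:
    """ATR records that carry host, user and process context: the rows you would
    expect under Synchronized IoC in the Active threat response report."""
    rows = []
    for rec in atr_records(text):
        details = endpoint_details(rec)
        if details is not None:
            rows.append({"threat": rec.get("threat", ""), "src_ip": rec.get("src_ip", ""),
                         "dst_ip": rec.get("dst_ip", ""), **details})
    return rows


def missing_endpoint_context(text: str) -> List[Dict[str, str]]:
    """ATR records whose action should have produced endpoint details but did not.
    The page only says details appear for Log and drop or Block; why a given record
    lacks them (for example a source host not managed by Sophos Central) is a guess
    the analyst has to confirm, so these are flagged for a manual look, not classified."""
    return [rec for rec in atr_records(text)
            if rec.get("action") in ENRICHING_ACTIONS and endpoint_details(rec) is None]


if __name__ == "__main__":
    for row in synchronized_iocs(SAMPLE_LOG):
        print("IoC with endpoint context:", row)
    for rec in missing_endpoint_context(SAMPLE_LOG):
        print("Dropped without endpoint context, check host:", rec.get("src_ip"))
```

Records with action Log only never carry the endpoint fields, so filtering on them is the quickest way to separate rows that can be triaged from the firewall log alone from rows that need a follow-up in Sophos Central.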
MDR security analyst audit ID
When an MDR security analyst adds or removes an IoC, such as an IP address, domain, or URL, the event is logged showing the action and identity of the security analyst (audit_ID).
You can see the action and audit_ID in the Admin module of the log viewer and in My Products > Firewall management > Tasks Queue in Sophos Central.