MDR threat feeds
The Sophos Managed Detection and Response (MDR) service is integrated with the firewall. MDR threat feeds let Sophos MDR analysts push real-time threat feeds to the firewall, based on network traffic related to malicious servers.
The firewall automatically blocks traffic based on the IPv4 addresses, domains, and URLs listed in the MDR threat feeds. You don't need to configure any other rules or policies for the threat feeds.
The following diagram shows Sophos MDR and the firewall in action.
Security Heartbeat
MDR threat feeds implement the same Synchronized Security response for Security Heartbeat conditions, including enforcing firewall rules.
The firewall automatically identifies Sophos-managed endpoints that may be compromised (attempting to communicate with a malicious server) based on a red Security Heartbeat. It queries the device for additional information to provide insights on the host, user, and process that accessed the Indicator of Compromise (IoC).
The firewall also coordinates lateral movement protection, which informs all healthy managed endpoints that a compromised host is on the LAN so they will block traffic from that device.
See Security Heartbeat overview.
Note
Additional information such as the host, user, and process only appears if the Action is Log and drop or Block.
Requirements
- Ensure you have the following licenses:
  - Sophos Firewall: Xstream Protection Bundle
  - Sophos Central: Sophos MDR
  - Endpoint Protection: Sophos Intercept X, if you want Synchronized Security.
- Go to the Sophos Central page in the firewall and register the firewall with Sophos Central.
- Configure Sophos MDR. See MDR setup.
- If you want Synchronized Security, do as follows in Sophos Central:
  - To configure Endpoint Protection, see Getting started.
  - To implement lateral movement protection, see Reject network connections.
Configure MDR in the firewall
You can turn on MDR threat feeds and configure logs and exclusions in the firewall.
Configure MDR threat feeds
- Turn on MDR threat feeds to let MDR analysts push the threat feeds to the firewall in real time.
- Select the action from the following options:
  - Log only: Only logs the threats.
  - Log and drop: Logs and blocks the threats.
- Click Apply.
Configure log settings
To configure log settings, do as follows:
- Go to Active threat response > MDR threat feeds.
- Click Change the settings. It takes you to System services > Log settings.
- Under Log settings, make sure MDR and Sophos X-Ops threat feeds is selected for the following:
  - Local reporting
  - Central reporting
  Note
  If you don't see this option, go to Sophos Central and select Send reports and logs to Sophos Central.
- Click Apply.
Firewall modules that block threats
The firewall blocks threats through the following modules:
Malicious traffic | Traffic type | Module |
---|---|---|
IP addresses | Traffic to or from IPv4 addresses. | Firewall |
Domains and URLs | DNS requests when the firewall acts as the DNS server. | DNS |
Domains and URLs | DNS requests to other servers. | IPS |
Domains and URLs | Encrypted and decrypted HTTPS. | IPS (DPI engine, with SSL/TLS inspection rules); Web (web proxy) |
Exclusions and logs
- To exclude hosts, networks, IP addresses, domains, or URLs from being checked, click Add threat exclusions. See Add threat exclusions.
- To go to the Active threat response logs in Log viewer, click Logs.
How to use the logs
- Go to Log viewer, and select Active threat response to see the blocked threats.
- If you have Synchronized Security, you can see additional information, such as the user, host, and process that accessed the IoC. See Logging.
- To ask the MDR analyst about a threat feed, find the audit ID in the logs. They need the ID to identify the feed.
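The triage steps above, as an added example that is not part of this page or of Sophos Firewall itself: it groups Active threat response events by audit ID so the ID can be handed to the MDR analyst, and flags which events carry the host, user, and process context that Synchronized Security adds only when the action is Log and drop. The key="value" line format and every field name (audit_id, action, dst, host, user, process) are assumptions for this example, and the log lines are constructed.

```python
import re

# Constructed sample log lines in an assumed key="value" format. The field
# names are NOT Sophos Firewall's documented schema; adjust them to the
# fields shown in your Log viewer export.
SAMPLE_LOGS = [
    'log_type="Active threat response" audit_id="1001" feed="MDR" action="drop" '
    'src_ip="10.0.1.25" dst="bad.example" host="LAPTOP-07" user="jdoe" process="updater.exe"',
    'log_type="Active threat response" audit_id="1002" feed="MDR" action="log" '
    'src_ip="10.0.1.30" dst="198.51.100.7"',
    'log_type="Active threat response" audit_id="1001" feed="MDR" action="drop" '
    'src_ip="10.0.1.25" dst="bad.example" host="LAPTOP-07" user="jdoe" process="updater.exe"',
    'log_type="Firewall" audit_id="5" action="allow" src_ip="10.0.1.40" dst="203.0.113.9"',
]

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one key="value" log line into a dict (assumed format)."""
    return dict(KV.findall(line))


def summarise_atr(lines):
    """Group Active threat response events by audit ID.

    For each audit ID, record how many hits it produced, the action taken,
    the destinations involved, and the endpoint context (host, user,
    process) when the firewall was able to query the endpoint. A Log only
    action produces no endpoint context, so 'endpoint' stays None.
    """
    summary = {}
    for line in lines:
        ev = parse_line(line)
        # Only Active threat response entries relate to MDR threat feeds.
        if ev.get("log_type") != "Active threat response":
            continue
        entry = summary.setdefault(ev["audit_id"], {
            "count": 0, "action": ev.get("action"),
            "destinations": set(), "endpoint": None,
        })
        entry["count"] += 1
        entry["destinations"].add(ev.get("dst"))
        if all(k in ev for k in ("host", "user", "process")):
            entry["endpoint"] = (ev["host"], ev["user"], ev["process"])
    return summary


if __name__ == "__main__":
    for audit_id, info in summarise_atr(SAMPLE_LOGS).items():
        print(audit_id, info)
```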
Import, export, and API
You can't import, export, or use the API for the following MDR threat feed settings:
- Turn threat feed on or off.
- Action
You must configure MDR threat feeds individually for firewalls managed through Sophos Central. You can't import MDR threat feed settings from Sophos Central using Import existing configuration in a new firewall group's initial configuration. Currently, the settings aren't part of the default settings in Sophos Central.
You can import, export, or use the API for threat exclusions. The firewall group's threat exclusions in Sophos Central are synchronized when firewalls are added to a firewall group. You don't need to configure these manually.