How other modules implement threat feeds
Specific firewall modules enable the firewall to identify Indicators of Compromise (IoCs) based on the traffic type and on the kind of IoC in the threat feed. IoCs are IP addresses, domains, and URLs involved in malicious activity.
Synchronized Security offers endpoint and lateral movement protection when Sophos-managed endpoints try to communicate with malicious servers.
In addition to configuring the threat feed modules, you need to configure the following settings:
- You must configure the required firewall modules. For the required configurations, see Firewall configurations for threat feeds.
- Configuring Synchronized Security isn't compulsory for threat feeds. However, we recommend that you configure this feature.
The following threat feed modules need additional configuration:
- For MDR threat feeds, see MDR threat feeds.
Firewall modules
The following sections show the modules that enable the firewall to identify IoCs:
IP addresses as IoCs
| Traffic type | Module |
|---|---|
| Forwarded traffic | Firewall (Firewall rules) |
Domains and URLs as IoCs
| Traffic type | Module |
|---|---|
| DNS requests when the firewall acts as the DNS server | DNS |
| DNS requests to other servers | IPS |
| Encrypted and decrypted HTTPS | IPS (DPI engine, using SSL/TLS inspection rules) or Web (web proxy) |
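The two tables above describe which module sees which traffic, but not how an IoC in a feed is actually compared against that traffic. The following added example (illustrative code written for this page, not Sophos Firewall code) shows the three comparisons in miniature: IP IoCs matched against forwarded traffic by address or CIDR, domain IoCs matched against DNS query names by suffix, and URL IoCs matched against HTTP(S) requests by scheme, host and path prefix. The feed entries, the event records and their field names (`dst_ip`, `qname`, `resolver_is_firewall`, `via_proxy`) are all constructed for the example; the module names it reports simply mirror the tables above.

```python
"""Added example, not Sophos code: a minimal IoC matcher that applies one
threat feed (IPs, domains, URLs) to the traffic types the firewall modules see.
All feed entries and traffic events below are constructed sample data."""
import ipaddress
from urllib.parse import urlsplit

# Constructed threat feed (documentation-reserved ranges and names only).
FEED_IPS = ["203.0.113.45", "198.51.100.0/24"]
FEED_DOMAINS = ["malicious.example", "c2.invalid"]
FEED_URLS = ["http://downloads.example/payload.bin", "https://login.example/phish/"]


class IocFeed:
    """Normalises feed entries once so each lookup is cheap and case-insensitive."""

    def __init__(self, ips, domains, urls):
        # strict=False lets a bare host address become a /32 network.
        self.networks = [ipaddress.ip_network(x, strict=False) for x in ips]
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.urls = [self._norm_url(u) for u in urls]

    @staticmethod
    def _norm_url(url):
        parts = urlsplit(url)
        host = parts.hostname.lower() if parts.hostname else ""
        return (parts.scheme.lower(), host, parts.path or "/")

    def match_ip(self, ip):
        """Return the matching feed network (as a string) or None."""
        addr = ipaddress.ip_address(ip)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, name):
        """Suffix match: a query for host.c2.invalid hits the IoC c2.invalid."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_url(self, url):
        """Exact scheme and host, path prefix: a URL IoC is path-specific."""
        scheme, host, path = self._norm_url(url)
        for f_scheme, f_host, f_path in self.urls:
            if scheme == f_scheme and host == f_host and path.startswith(f_path):
                return f"{f_scheme}://{f_host}{f_path}"
        return None


def evaluate(feed, event):
    """Return (module, matched_ioc) for a hit, or None for clean traffic.
    The module name reflects which module inspects that traffic type."""
    kind = event["type"]
    if kind == "forwarded":  # Firewall rules see source/destination addresses
        hit = feed.match_ip(event["dst_ip"])
        return ("Firewall", hit) if hit else None
    if kind == "dns":  # DNS module when the firewall resolves; IPS otherwise
        hit = feed.match_domain(event["qname"])
        module = "DNS" if event.get("resolver_is_firewall") else "IPS"
        return (module, hit) if hit else None
    if kind == "http":  # Web proxy, or IPS/DPI after SSL/TLS inspection
        host = urlsplit(event["url"]).hostname or ""
        hit = feed.match_url(event["url"]) or feed.match_domain(host)
        module = "Web" if event.get("via_proxy") else "IPS"
        return (module, hit) if hit else None
    raise ValueError(f"unknown event type: {kind}")


# Constructed traffic events covering each row of the tables.
EVENTS = [
    {"type": "forwarded", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.77"},
    {"type": "forwarded", "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10"},
    {"type": "dns", "qname": "beacon.C2.invalid.", "resolver_is_firewall": True},
    {"type": "dns", "qname": "www.example.org", "resolver_is_firewall": False},
    {"type": "http", "url": "https://login.example/phish/index.html", "via_proxy": True},
    {"type": "http", "url": "http://downloads.example/other.bin", "via_proxy": False},
    {"type": "http", "url": "http://cdn.malicious.example/x", "via_proxy": False},
]

FEED = IocFeed(FEED_IPS, FEED_DOMAINS, FEED_URLS)


def scan(feed=FEED, events=EVENTS):
    """Evaluate every event; None entries are traffic with no IoC match."""
    return [evaluate(feed, e) for e in events]


if __name__ == "__main__":
    for event, result in zip(EVENTS, scan()):
        print(event, "->", result)
```

Two details are worth noting. Domain IoCs are matched by suffix, so any host under a listed domain hits, whereas a URL IoC only hits when scheme, host and path prefix all agree; the sixth event shows a different path on a listed URL's host going unmatched. The `match_domain` fallback in the HTTP branch is what lets a listed domain still catch requests to hosts under it.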
Synchronized Security
Synchronized Security implements Security Heartbeat and lateral movement protection within your network.
Blocks compromised endpoints' traffic
If you've configured Security Heartbeat, Sophos-managed endpoints that try to communicate with a malicious server send a red Security Heartbeat.
The firewall automatically identifies these endpoints and blocks their traffic. It also shows the IoC, host, user, and process information for these endpoints in the logs. See Endpoint threat details.
Isolates compromised endpoints
Lateral movement protection isolates the compromised endpoint, preventing attackers from moving laterally within the network.