Configure third-party threat feeds

You can configure third-party threat feeds to add threat intelligence from external threat feed sources to block threats. You can also configure log settings.

To configure third-party threat feeds, do as follows:

  1. Go to Active threat response > Third-party threat feeds and click Add.
  2. Enter a name.
  3. Optional: Enter a description.
  4. Select an action.

    • Block: Logs and blocks threats.
    • Monitor: Only logs threats.

    The firewall evaluates both Blocked feeds and Monitored feeds in the order shown and logs the first match in both feeds. It blocks traffic based on the first match in the blocked list.

  5. Select a position.

    • Top: Positions the threat feed at the top of the list.
    • Bottom: Positions the threat feed at the bottom of the list.
  6. Select an indicator type.

    • IPv4 address: A list of IPv4 address IoCs.
    • Domain: A list of domain IoCs.
    • URL: A list of URL IoCs.
  7. Enter the external URL.

  8. Select an authorization type.

    • No authentication
    • API key

      1. Enter the key.
      2. Enter the value. Supports up to 64 characters.
      3. Select where to add the API key.

        • Header
        • Query parameters
    • Basic authentication

      1. Enter the username.
      2. Enter the password. Supports up to 64 characters.
  9. Select Validate server certificate if you want to validate the server certificate.

  10. Select a polling interval to synchronize the threat feed.

    Note

    XGS 87(w) and 107(w) only support 24 hours, 7 days, and 30 days polling intervals.

  11. Optional: Click Test connection to test the connection.

  12. Click Save.
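
A pre-flight check you can run on a downloaded copy of a feed before adding it with the Block action, as an added example (not Sophos code). It assumes a plain-text feed with one indicator per line and `#` comments, which this page does not specify; `valid_indicator`, `lint_feed` and the never-block list are hypothetical names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname shape: dot-separated letter/digit/hyphen labels ending in an alphabetic TLD.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def valid_indicator(kind, value):
    """True if value is well-formed for the indicator type (ipv4, domain, url)."""
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)  # assumption: single addresses, no CIDR
            return True
        except ValueError:
            return False
    if kind == "domain":
        return bool(_DOMAIN.match(value))
    if kind == "url":
        try:
            parts = urlsplit(value)
        except ValueError:
            return False
        return parts.scheme in ("http", "https") and bool(parts.hostname)
    raise ValueError(f"unknown indicator type: {kind}")

def lint_feed(kind, text, never_block=frozenset()):
    """Split a feed body into usable indicators and (line_no, value, reason) problems."""
    good, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        if not valid_indicator(kind, line):
            problems.append((n, line, f"not a valid {kind}"))
        elif line.lower() in never_block:
            problems.append((n, line, "on the never-block list"))
        else:
            good.append(line)
    return good, problems

SAMPLE_FEED = """# constructed sample, RFC 5737 documentation addresses
192.0.2.10
198.51.100.7
203.0.113.300
example.org
192.0.2.1
"""
if __name__ == "__main__":
    good, problems = lint_feed("ipv4", SAMPLE_FEED, never_block={"192.0.2.1"})
    print(len(good), "usable;", problems)
```

Entries reported as problems are either the wrong indicator type for the feed or addresses you have listed as never to be blocked, such as your own gateways and management hosts.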

Configure log settings

To configure log settings, do as follows:

  1. Go to System services > Log settings.
  2. Make sure MDR, Sophos X-Ops, and Third-party threat feeds is selected for the following:

    1. Local reporting
    2. Central reporting

      Note

      If you don't see this option, go to Sophos Central and select Send reports and logs to Sophos Central.

  3. Click Apply.