Sophos Firewall: Active Threat Response

Creation date: 5/29/2026 1:34 PM    Updated: 5/29/2026 1:34 PM

Active Threat Response is a Sophos Firewall feature that matches traffic against Sophos X-Ops threat feeds and can detect and block connections to known-malicious destinations, including command-and-control (C2) indicators.

Where to configure

Go to:

Protect > Active Threat Response > Sophos X-Ops threat feeds

Recommended action

Set the action to:

Log and drop

With this setting, matching connections are blocked and a log entry is written for each attempt. A log-only setting records the same events but does not block them; if you use it for initial validation, switch to Log and drop once you have confirmed the feeds are not matching legitimate traffic.

Investigation

To review detections, go to:

Control center > Sophos X-Ops

There you can review the detections, including the detected endpoints (source hosts) and the destination IPs they tried to reach. Triage by endpoint rather than by individual event: several hits from one host against the same indicator usually mean a single beaconing process, which is what needs to be found on the host.
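The endpoint-first triage described above, as an added example that is not part of the original article or of Sophos Firewall. It works on a constructed, comma-separated export; the column names (timestamp, src_ip, src_host, dst_ip, threat_name, action) and the sample rows are assumptions for this example, not Sophos Firewall's export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample export for this example. The columns are an assumption,
# not the real Sophos Firewall log or export layout.
SAMPLE_EXPORT = """\
timestamp,src_ip,src_host,dst_ip,threat_name,action
2026-05-29T09:12:01Z,10.20.1.15,WS-FIN-07,203.0.113.45,C2/Generic-A,drop
2026-05-29T09:12:33Z,10.20.1.15,WS-FIN-07,203.0.113.45,C2/Generic-A,drop
2026-05-29T09:14:10Z,10.20.1.15,WS-FIN-07,198.51.100.9,C2/Generic-A,drop
2026-05-29T10:02:48Z,10.20.3.22,WS-HR-02,203.0.113.45,C2/Generic-A,log
2026-05-29T11:40:05Z,10.20.5.8,SRV-FILE-01,192.0.2.77,Malware/Downloader-B,drop
"""


def parse_export(text):
    """Parse the CSV export into dicts, converting the timestamp to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def summarize_by_endpoint(rows):
    """Collapse individual events into one record per source endpoint."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["src_ip"], {
            "host": r["src_host"],
            "hits": 0,
            "dst_ips": set(),
            "threats": set(),
            "not_blocked": 0,          # events logged but not dropped
            "first_seen": r["timestamp"],
            "last_seen": r["timestamp"],
        })
        s["hits"] += 1
        s["dst_ips"].add(r["dst_ip"])
        s["threats"].add(r["threat_name"])
        if r["action"] != "drop":
            s["not_blocked"] += 1
        s["first_seen"] = min(s["first_seen"], r["timestamp"])
        s["last_seen"] = max(s["last_seen"], r["timestamp"])
    return summary


def remediation_queue(summary):
    """Order endpoints for follow-up: hosts whose connections were not blocked
    first, then by number of hits, then by most recent activity."""
    return sorted(
        summary,
        key=lambda ip: (-summary[ip]["not_blocked"],
                        -summary[ip]["hits"],
                        -summary[ip]["last_seen"].timestamp()),
    )


def indicators_seen(rows):
    """Distinct destination IPs that matched a feed, for pivoting into other
    log sources (proxy, DNS, EDR) to find hosts the firewall did not see."""
    return sorted({r["dst_ip"] for r in rows})


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    by_endpoint = summarize_by_endpoint(events)
    for ip in remediation_queue(by_endpoint):
        s = by_endpoint[ip]
        print(f"{ip:<12} {s['host']:<12} hits={s['hits']} not_blocked={s['not_blocked']} "
              f"dst={sorted(s['dst_ips'])} threats={sorted(s['threats'])} "
              f"last={s['last_seen'].isoformat()}")
    print("indicators:", indicators_seen(events))
```

The queue puts the host whose connection was only logged ahead of the host with the most hits: a blocked beacon is contained at the network edge, an unblocked one is not. The indicator list is what you take to the other log sources to check for hosts that reached the same destinations by another path.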

Remediation

If a device is affected, run a full scan with Sophos Endpoint Security on that device and confirm the scan result before marking the incident as resolved. The firewall only blocks the outbound connection; it does not remove whatever on the host initiated it, so an endpoint that keeps generating detections after the scan still needs investigation.

Notes

  • The feature provides threat-feed-based detection and blocking; it matches traffic against indicators supplied by Sophos X-Ops, not against local signatures.
  • A detection means an endpoint attempted to reach an indicator on the feed. With Log and drop the connection was blocked, but the host should still be treated as suspect until it has been scanned.



https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/ActiveThreatResponse/