ThreatHive Integration on Sophos Firewall v21

Step-by-step guide to integrating the ThreatHive blocklist

Integration Steps

  1. Log In: Access your Sophos Firewall web admin console.
  2. Go to Threat Feeds: Navigate to Active Threat Response > Third-party Threat Feeds.
  3. Add a New Feed: Click Add to create a new feed.
  4. Enter Feed Details:
    • Name: ThreatHive_Blocklist
    • Action: Block (or Monitor if you want to test first)
    • Position: Top
    • Indicator Type: IPv4 address
    • Feed URL: https://threathive.net/hiveblocklist.txt
    • Authorization Type: No authentication
    • Validate Server Certificate: Optional – tick to have the firewall validate the feed server's HTTPS certificate
    • Polling Interval: 15 minutes
  5. Test & Save:
    • Click Test Connection to verify the URL works.
    • If successful, click Save.
  6. Monitor: Go to Logs & Reports > Threat Indicators to review matches. Check for false positives and blocked traffic you may want to whitelist.
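
A pre-flight check you could run on a downloaded copy of the feed before switching the action from Monitor to Block, as an added example that is not part of the original guide or of ThreatHive's or Sophos's tooling. It assumes the feed is plain text with one IPv4 address per line and `#` comment lines; `lint_feed`, `LOCAL_NETS` and the sample feed are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Ranges that should not appear in an internet blocklist: blocking them would
# hit internal or local traffic. (Editor's choice of ranges, not a Sophos list.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed sample (documentation addresses), not real ThreatHive data.
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.7
198.51.100.23
192.168.1.10
203.0.113.7
10.0.0.5
2001:db8::1
bad.example
198.51.100.0/24
"""

def lint_feed(text):
    """Classify feed lines as ok, local, invalid, or duplicate."""
    ok, local, invalid = [], [], []
    seen = Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # assumed comment / blank-line convention
        try:
            addr = ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError:
            # Not a single IPv4 address (IPv6, hostname, CIDR, typo).
            invalid.append((lineno, line))
            continue
        seen[addr] += 1
        if seen[addr] > 1:
            continue  # report repeats once, under "duplicates"
        (local if any(addr in n for n in LOCAL_NETS) else ok).append(str(addr))
    dupes = sorted(str(a) for a, c in seen.items() if c > 1)
    return {"ok": ok, "local": local, "invalid": invalid, "duplicates": dupes}

if __name__ == "__main__":
    for key, val in lint_feed(SAMPLE_FEED).items():
        print(f"{key:10} {val}")
```

Entries reported under `local` are the ones most likely to show up as false positives in Logs & Reports > Threat Indicators, since they match internal addressing rather than internet hosts.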