diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1b0bd17c8db..22ab9bb7b0a 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -495,6 +495,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `event.category` "configuration" to o365 module events. {pull}23010[23010]
 - Add `event.category` "configuration" to zoom module events. {pull}23010[23010]
 - Add `network.direction` to auditd/log fileset. {pull}23041[23041]
+- Add logic for external network.direction in sophos xg fileset {pull}22973[22973]
 *Heartbeat*
@@ -641,4 +642,3 @@ port. {pull}19209[19209]
-
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
index 193af05b836..a9ad2eb988c 100644
--- a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml
@@ -390,6 +390,10 @@ processors:
     field: network.direction
     value: internal
     if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)"
+- set:
+    field: network.direction
+    value: external
+    if: "ctx?.observer?.ingress?.zone == 'WAN' && ctx?.observer?.egress?.zone == 'WAN'"
 #########################
 ## ECS Related Mapping ##
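Review bot: The new `external` rule's `if:` line compares each zone literally with `'WAN'`, whereas the `internal` rule directly above tests membership in a zone list, so any additional WAN-type zone name the device may report (if Sophos XG allows custom zones, which cannot be confirmed from here) would match neither rule and leave `network.direction` unset. Mirroring the list form, `if: "['WAN'].contains(ctx?.observer?.ingress?.zone) && ['WAN'].contains(ctx?.observer?.egress?.zone)"`, keeps the two rules symmetric and makes extending the external zone set a one-token change. Because both conditions use null-safe `ctx?.` access, an event missing either zone silently falls through with no direction at all, which is worth a comment above the block such as `# network.direction is left unset when either zone is missing or not classified above`. The enclosing `processors` list continues outside the hunk, so whether mixed WAN/non-WAN zones are mapped to inbound/outbound elsewhere cannot be verified here.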