Configure TDR Policies

TDR policies define the actions that Host Sensors can take to respond to threats detected on a host. You can configure TDR policies that apply to different hosts and host groups at different CYBERCON levels.

TDR policies are ranked to show their relative priority. TDR evaluates the policies in rank order. More than one TDR policy can apply to the same host at the same time. As long as policy actions do not conflict, all active policies for the target are evaluated in rank order to determine which actions a Host Sensor is allowed to execute to remediate a threat. If two or more active policies could allow or deny the same action for the same target host, the highest rank (lowest number) policy has priority.

As part of your network security procedures, you define the CYBERCON levels to have specific meaning to your organization. After you define the meaning of CYBERCON levels, you can configure TDR policies for each level. For more information, see About TDR CYBERCON Levels.

Policy Rules, Actions, and Targets

For each TDR policy, you configure Rules, Actions, and Targets.

Rules

Rules define when Host Sensors execute the TDR policy. In each policy you configure two thresholds that control when Host Sensors execute the actions in the policy:

  • CYBERCON Threshold — The maximum CYBERCON level required to execute the policy.
  • Threat Score Threshold — The maximum incident Threat Score detected on a host that is required to execute the policy. If the CYBERCON threshold rule is met, the policy applies to all target hosts with an incident score equal to or greater than the threshold enabled in the policy.

Actions

Actions define what the Host Sensor does when the policy executes. For each policy, you define whether the policy allows or denies actions.

  • Allow — The policy allows the Host Sensor to take the specified actions
  • Deny — The policy prevents the Host Sensor from taking the specified actions if they are allowed by a lower ranked policy that applies to the same target host. A policy with the Deny action does not prevent an operator from manually executing an action.

For each policy, select one or more of these actions:

  • Kill Process — Applies to Process or Host Ransomware Prevention indicators. After the Host Sensor identifies the communication port, the Host Sensor ends the process that supports communication to the network port.
  • Quarantine File — XOR encrypts the content of a file identified in an indicator so the file is not executable.
  • Delete Registry Value — Deletes the registry value that references a malicious file.

Actions apply to files and processes in indicators that contribute to an incident that meets the Threat Score Threshold. The Threat Score of the individual indicators could be lower than the overall incident Threat Score. For example, if the policy Threat Score Threshold is set to 8, and an incident with a Threat Score of 8 or higher is detected, Host Sensors execute the action in the policy for files and processes in all indicators that contribute to that incident, regardless of the Threat Score of each individual indicator that contributed to the incident.

Targets

Targets define which hosts the action applies to. In each policy, you can add individual hosts or groups of hosts as targets. A policy without a target does not affect any hosts.

For information about groups, see Manage TDR Groups.

See and Manage Policies

To manage policies:

  1. Log in to the TDR web UI  as a user with Operator credentials.
  2. Select Configure > Policy.
    The Policy page appears.

Screen shot of the Policy page

  1. To search for specific policies, from the filter drop-down lists and in the search text boxes, specify the policy details.

Add a Policy

To add a policy:

  1. On the Policy page, click Add Policy.
    The Add Policy dialog box appears.

Screen shot of the Add Policy dialog box

  1. In the Name text box, type a name for this policy.
  2. (Optional) In the Comments text box, type other information about the policy.
  3. From the Cybercon Threshold drop-down list, select the CYBERCON threat level at which you want this policy to execute.
  4. From the Threat Score Threshold drop-down list, select the Incident threat score at which you want this policy to execute.
    The policy executes for an incident with any Threat Score equal to or higher than the value you select here.
  5. Select an option to specify whether the Host Sensors completes the actions you specify:
    • Allow — Host Sensors complete the specified actions.
    • Deny — Host Sensors do not complete the specified actions.
  6. Select the check box for each action you want this policy to allow or deny.
    For more information about these actions, see Actions.
  7. In the Targets text box, type at least three characters from the name of the host or group to add.
    Host names and group names that include the characters you type appear below the text box.

Screen shot of search results in the targets text box

  1. Select the host or group name to add.
  2. To add other hosts and groups as targets for this policy, repeat the previous two steps.
  3. Click Save & Close.

Change Policy Rank

The Policy page includes all currently defined policies in order of precedence, numbered from the highest rank (1) to the lowest rank. When you add a new policy, it is automatically added to the top of the Policy list, at the highest rank. Policies do not change rank automatically based on the target of the policy. You must manually change the rank of each policy.

For example, if you configure a policy for a single host to deny a Host Sensor, and then add a new policy to allow Host Sensor actions for a group that the host is a member of, the policy that you added last (the new policy for the group) has the highest rank and takes precedence. If you want the deny policy for the single host to take precedence, you must manually change the rank of that policy to a higher position in the list than the last policy that you added (the policy for the group).

To change the rank of a policy, you can:

  • In the Rank column, to increase or decrease the rank of a policy, adjacent to that policy, click or .
  • In the Rank column, change the number in the text box.
  • Drag-and-drop a policy to a different position in the list .

When you change the rank of a policy, the numbers assigned to all other policies in the list are automatically updated to show their new rank.

Policy Rank and Action Precedence

More than one active TDR policy can apply to the same target host at the same time. This is different from how policy precedence works in Fireware. If multiple active TDR policies apply to the same target host, the action in the highest ranked policies applies for each action. For example if the highest ranked policy for a target denies the Delete Registry Value action, and a lower ranked policy for the same target allows the Kill Process, Quarantine File, and Delete Registry Value actions, the Host Sensor allows the Kill Process and Quarantine File actions, but denies the Delete Registry Value action because the deny action has higher precedence.

Back Up or Import Policies

You can save a backup of all policies to an .XML file. To add the policies to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to easily copy policies configured in one managed customer account to another managed account. To avoid duplicate policies, the imported policies are merged with the current list of policies.

To save the policies to a backup file:

  1. Select Configuration > Policy.
    The list of currently configured policies appears.
  2. Click Backup.
    The .XML backup file is saved to the downloads folder.

The name of the exclusions backup file includes the current date and time. For example: 

WatchGuardTDR_Policies_2017-01-25_22-39-43.xml

To import policies from a saved policies .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The policies from the file are added to the Policy list.

Edit, Duplicate, or Remove a Policy

To edit a policy, from the Policy page:

  1. To expand the details of a policy, click .
  2. Edit the settings as described in the previous section.
  3. Click Save & Close.

To duplicate a policy, from the Policy page:

  1. Adjacent to the policy to duplicate, click .
  2. Select Duplicate Policy.

To remove a policy, from the Policy page:

  1. Adjacent to the policy to remove, click .
  2. Select Remove Policy.

Give Us Feedback     Get Support     All Product Documentation     Technical Search