About TDR Threat Scores
When TDR receives an event reported by a Host Sensor or Firebox, the ThreatSync analytics engine analyzes the event and assigns a Threat Score based on the severity of the event. A reported event that is assigned a threat score becomes an indicator. Higher scores indicate a higher likelihood that the observed event or object represents a threat.
Host Sensor Events
The Host Sensor monitors the host for changes to files, processes, and registry entries. The Host Sensor monitors these event types:
- File creation and deletion — for files with a Portable Executable (PE) header
- Process creation and termination
- Registry changes
When events are received from a Host Sensor, ThreatSync assigns indicator scores to the events with one of these methods:
- Threat Feed — ThreatSync compares the MD5 of an observed file or process to threats in the Threat Detection and Response threat feed.
- Malware Verification Service — ThreatSync can send the MD5 of an observed file or process to a cloud-based malware verification service to determine if it is a known threat.
- Heuristics — The observed behavior or characteristics of a file or process can indicate that it is suspicious.
Network Events
The Firebox sends a network event when a threat is detected by Reputation Enabled Defense, Gateway AntiVirus, APT Blocker, WebBlocker, Botnet Detection, Blocked Sites, or other configured options on the Firebox. For the Firebox to identify and send network indicators, you must configure proxy policies and services on the Firebox, and you must enable logging so that the Firebox sends a report of the action to TDR as an indicator. For information about recommended proxy policy configuration, see Configure Proxy Policies for TDR.
ThreatSync assigns indicator scores for network events reported by a Firebox only if the IP address of the host involved in the event is the same as the IP address of a host with a Host Sensor installed.
Indicator Threat Scores
Indicators are scored on a scale of 0 to 10. A score of 10 indicates the most critical threat.
| Score | Description |
| --- | --- |
| 10 | Critical — Scored based on host indicator threat feed, Malware Verification Service confirmation, or both, and critical network alerts. This score can also indicate that Host Ransomware Prevention was triggered and the Host Sensor action to prevent it failed. |
| 8 | Severe — Scored based on host indicator threat feed, Malware Verification Service confirmation, or heuristics identification of multiple behaviors for the same object. |
| 7 | High — Scored based on network activity, heuristics identification of multiple behaviors for the same object, or third-party network activity. |
| 6 | High — Scored based on network activity or heuristics identification of multiple behaviors for the same object. |
| 5 | Investigation — Scored based on heuristics identification of multiple potential malicious process behaviors. |
| 4 | Medium — Medium priority ranked indicators, including third-party vendor scores, primarily network activity indicators. |
| 3 | Low — Low priority ranked indicators, including WatchGuard and third-party vendor scores, primarily network indicators. |
| 2 | Suspect — Low fidelity file heuristics without other correlation. |
| 1 | Remediated — Identified host indicator has been remediated on the host. |
| 0 | Known Good — Host does not have any detected indicators or the object is on the whitelist. |
For more information about how TDR assigns Threat Scores to Host Ransomware Prevention indicators, see Host Ransomware Prevention.
Incident Threat Scores
An incident is a group of active indicators on an endpoint. ThreatSync correlates the scores of the indicators on a host and assigns the incident a combined threat score that reflects the overall severity of the threats to that host. On the ThreatSync > Incidents page, in the list of indicators for an incident, a symbol appears next to each indicator score that is used to calculate the combined threat score for the incident.
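The scoring pipeline described on this page (MD5 lookup against the threat feed and whitelist, Malware Verification Service confirmation, heuristics, the Host Sensor IP check for network events, and correlation of active indicators into a per-host incident) can be followed end to end in a small simulation. The code below is an added example, not WatchGuard's code and not the ThreatSync engine; the threat feed, whitelist, host list, event records and the exact score chosen for each case are constructed assumptions that follow the score table above, and the incident rule (the combined score is the highest active indicator score on the host) is likewise an assumption, since the page does not publish the correlation formula.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# --- Constructed sample data (not real threat intelligence) -------------------
KNOWN_BAD_BYTES = b"MZ\x90\x00constructed-sample-malicious-pe"
KNOWN_GOOD_BYTES = b"MZ\x90\x00constructed-sample-benign-pe"
UNKNOWN_BYTES = b"MZ\x90\x00constructed-sample-unknown-pe"


def md5_hex(data: bytes) -> str:
    """MD5 of an observed file or process image: the key compared against the feed."""
    return hashlib.md5(data).hexdigest()


THREAT_FEED = {md5_hex(KNOWN_BAD_BYTES)}   # stand-in for the TDR threat feed
WHITELIST = {md5_hex(KNOWN_GOOD_BYTES)}    # stand-in for the whitelist
# Hosts that have a Host Sensor installed, keyed by IP address (constructed).
SENSOR_HOSTS = {"10.0.0.5": "WKS-01", "10.0.0.9": "WKS-02"}


@dataclass
class HostEvent:
    host: str
    kind: str                    # "file", "process" or "registry"
    content: bytes = b""         # bytes of the observed PE file or process image
    behaviors: List[str] = field(default_factory=list)  # heuristic findings
    mvs_confirmed: bool = False  # Malware Verification Service reported a known threat


@dataclass
class NetworkEvent:
    ip: str
    service: str                 # Firebox service that reported it, e.g. "APT Blocker"
    critical: bool = False


@dataclass
class Indicator:
    host: str
    score: int
    reason: str


def score_host_event(ev: HostEvent) -> Optional[Indicator]:
    """Assign an indicator score to a Host Sensor event, or None if it is not an indicator.

    Methods are applied in order: whitelist / threat feed (MD5 lookup), Malware
    Verification Service confirmation, then heuristics. The score picked for each
    case is an assumption that follows the score table, not the real weighting.
    """
    h = md5_hex(ev.content) if ev.content else None
    if h in WHITELIST:
        return Indicator(ev.host, 0, "Known Good: object is on the whitelist")
    in_feed = h in THREAT_FEED
    if in_feed and ev.mvs_confirmed:
        return Indicator(ev.host, 10, "Critical: threat feed match and MVS confirmation")
    if in_feed or ev.mvs_confirmed:
        return Indicator(ev.host, 8, "Severe: threat feed match or MVS confirmation")
    if len(ev.behaviors) >= 2:
        return Indicator(ev.host, 5, "Investigation: multiple potential malicious behaviors")
    if len(ev.behaviors) == 1:
        return Indicator(ev.host, 2, "Suspect: low fidelity heuristic without correlation")
    return None  # e.g. an ordinary registry change with nothing suspicious


def score_network_event(ev: NetworkEvent) -> Optional[Indicator]:
    """Score a Firebox event only when its IP matches a host that has a Host Sensor."""
    host = SENSOR_HOSTS.get(ev.ip)
    if host is None:
        return None  # no Host Sensor on that IP: ThreatSync does not score it
    if ev.critical:
        return Indicator(host, 10, f"Critical: critical network alert from {ev.service}")
    return Indicator(host, 6, f"High: network activity reported by {ev.service}")


def build_incidents(indicators: List[Indicator]) -> Dict[str, dict]:
    """Group active indicators per host into an incident with a combined score.

    Assumption: the combined score is the highest active indicator score on the
    host. Scores 0 (Known Good) and 1 (Remediated) are not active indicators.
    """
    incidents: Dict[str, dict] = {}
    for ind in indicators:
        if ind.score <= 1:
            continue
        inc = incidents.setdefault(ind.host, {"score": 0, "contributing": []})
        if ind.score > inc["score"]:
            inc["score"], inc["contributing"] = ind.score, [ind.reason]
        elif ind.score == inc["score"]:
            inc["contributing"].append(ind.reason)  # also shown with the marker symbol
    return incidents


def run_sample() -> Dict[str, dict]:
    """Run a constructed batch of host and network events through the pipeline."""
    host_events = [
        HostEvent("WKS-01", "file", KNOWN_BAD_BYTES, mvs_confirmed=True),
        HostEvent("WKS-01", "process", UNKNOWN_BYTES,
                  behaviors=["injects into another process", "modifies Run key"]),
        HostEvent("WKS-02", "file", KNOWN_GOOD_BYTES),
        HostEvent("WKS-02", "process", UNKNOWN_BYTES, behaviors=["unsigned binary in temp dir"]),
        HostEvent("WKS-02", "registry"),
    ]
    network_events = [
        NetworkEvent("10.0.0.9", "Botnet Detection"),
        NetworkEvent("10.0.0.77", "APT Blocker", critical=True),  # no Host Sensor: ignored
    ]
    indicators = [i for i in map(score_host_event, host_events) if i]
    indicators += [i for i in map(score_network_event, network_events) if i]
    return build_incidents(indicators)


if __name__ == "__main__":
    for host, inc in run_sample().items():
        print(host, inc["score"], inc["contributing"])
```

In the sample batch, WKS-01 ends up with a Critical incident because one indicator has both a feed match and MVS confirmation, while the critical APT Blocker alert for 10.0.0.77 produces nothing at all, which is the practical consequence of the rule that network events are scored only for hosts that have a Host Sensor.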
For more information about incidents, see Manage TDR Incidents.