Mark an Indicator of Attack as Pending

Applies To: WatchGuard Advanced EPDR This topic applies to the WatchGuard Advanced EPDR endpoint security product., WatchGuard EPDR This topic applies to the WatchGuard EPDR endpoint security product., WatchGuard EDR This topic applies to the WatchGuard EDR endpoint security product.

When you have not analyzed or resolved the pattern of the IOA, you can mark the IOA as pending further review. You can also change an archived IOA to pending.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure IOA permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

To mark an IOA as pending, from the Indicators of Attack (IOA) list:

1. Click in a row.
2. Select Mark IOA as Pending.
   If you already marked the IOA as pending, this option is not available. You can select Archive IOA.

To mark an IOA as pending, from the attack details page:

1. To open the details for an IOA, in the Indicators of Attack (IOA) list, click a computer row.

2. In the upper notification section of the page, next to the Detection Date, click Mark IOA as Pending.

Related Topics

Indicator of Attack Details

Archive an Indicator of Attack