Review MDR Detections

Applies To: WatchGuard Core MDR, WatchGuard Core MDR for Microsoft, WatchGuard Total MDR

The Detections page in the Managed Services portal shows information about security detections in your environment. Detections are events with potential security implications. WatchGuard MDR automatically blocks or manually investigates detections, as needed.

Different WatchGuard MDR products support different types of detections:

All WatchGuard MDR Products

Includes detections for endpoints with WatchGuard Advanced EPDR, EPDR, or EDR. If you connect WatchGuard MDR with Microsoft 365, you also see detections for your Microsoft 365 environment.

WatchGuard Core MDR for Microsoft

Also includes detections for endpoints with Microsoft Defender for Endpoint.

WatchGuard Total MDR

Also includes detections from ThreatSync and ThreatSync+ NDR:

  • Some ThreatSync incidents show as detections in the Managed Services portal.
  • ThreatSync incidents for AuthPoint (Identity), Fireboxes (Network), and ThreatSync+ NDR (Network) show as detections.
  • ThreatSync incidents for access points and ThreatSync+ SaaS are not shown in WatchGuard MDR.

For more information about the incidents ThreatSync supports, go to Incident Types and Triggers in ThreatSync.

Endpoint detections are based on data received directly from Endpoint Security. Endpoint detections do not use ThreatSync incident data.

To see a list of example detections, go to MDR Cloud Detection Examples.

View Detections

The first section of the Detections page includes tiles with graphs that show the number of detections over time by severity and by source. It also includes a tile that shows trend data analysis over the last 30 days. You can configure filters to show specific detections and then see detection details in the last section of the page.

If no data shows in the Managed Services portal, the service is still active; it means that no detections have occurred yet. The portal shows data only after an event with potential security implications is detected. After you allocate users from the WatchGuard MDR license, it might take up to 6 hours for activity to show in the portal.

Screen shot of MDR portal Detections page

To open the Detections page:

  1. In WatchGuard Cloud, select Monitor > Managed Services.
    The Managed Services portal opens in a new browser tab.
  2. If you are a Service Provider, select your Subscriber account from the drop-down list.
  3. Select Activity > Detections.
    The Detections page opens.

View Data Graphs

The Detections page contains tiles with graphs that show detection data over time.

Total By Severity

The Total By Severity tile shows the total number of detections by severity over time. By default, the tile shows only Critical and High severity detections. Use the filters to show additional severity levels or change the date range for the graph.

For accounts with WatchGuard Total MDR, the severity level for detections in the Managed Services portal might not match the incident severity level that shows in ThreatSync.

Screen shot of MDR Detections by Severity graph

Total by Source

The Total By Source tile shows the total number of detections by source over time. Use the filters to change the sources and date range for the graph.

Screen shot of MDR Detections by Source tile

The source indicates the origin of the data sent to WatchGuard MDR. The available sources are:

  • Endpoint — Connected endpoints that run WatchGuard Endpoint Security or Microsoft Defender.
  • Cloud — Connected cloud services, such as Microsoft 365. For accounts with WatchGuard Total MDR, this includes connected AWS CloudTrail and Google Workspace cloud services.
  • Network — For accounts with WatchGuard Total MDR, connected Fireboxes and ThreatSync+ NDR.
  • Identity — For accounts with WatchGuard Total MDR, credential access incidents from AuthPoint.

Trends

The Trends tile shows the percentage change of detections and the total number of detections (by severity) for the last 30 days.

Screen shot of MDR portal Detections Trends tile

Review Detection Details

The list in the lower section of the Detections page shows detections that match your filters. The list includes the date and time of the detection, the source, severity, detection type, target, actions, and case number.

  • To review the details of a detection, select the detection from the list.
    The details open to show additional information.
    Screen shot of MDR portal Detection details
  • To go to the investigation opened for the detection, click the Case Number.
    The investigation details open in the Investigations page.

For more information about investigations, go to Review MDR Investigations.

Sort and Filter the Detections List

By default, the detections list shows all critical and high severity detections for the selected time period, sorted by time in descending order, so the most recent detections appear first in the list. To change the order of detections, click a column header.

To customize which detections show in the list, you can filter the list by severity, source, and status.

Severity

To filter the detections list by severity, select one or more options.

Source

To filter the detections list by source, select one or more of these options:

  • Endpoint — Connected endpoints that run WatchGuard Endpoint Security or Microsoft Defender.
  • Cloud — Connected cloud services, such as Microsoft 365. For accounts with WatchGuard Total MDR, this includes connected AWS CloudTrail and Google Workspace cloud services.
  • Network — For accounts with WatchGuard Total MDR, connected Fireboxes and ThreatSync+ NDR.
  • Identity — For accounts with WatchGuard Total MDR, credential access incidents from AuthPoint.

Action

To filter the detections list by action, select one or more of these options:

  • Logged — WatchGuard MDR detected a potential threat.
  • Alerted — WatchGuard MDR generated a ticket for investigation.
  • Blocked — WatchGuard MDR blocked the detected threat.
  • Killed — WatchGuard MDR killed a detected process tree execution.
  • Quarantine — WatchGuard MDR isolated the endpoint.
  • Scanned — WatchGuard MDR scanned the endpoint for issues.

Time

By default, the detections list shows detections that occurred in the last 30 days. To filter the detections list by date range, in the Time section, select a time period or a custom date range.

To reset the filters, click Reset Filter. To export the list of detections to a .CSV file, click Export.
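The following script is an added example, not WatchGuard code, and it is not the portal's own logic. It reads an exported detections .CSV and reproduces, outside the portal, the views described above: the default list (Critical and High, last 30 days, newest first), the severity, source and action filters, the Total By Severity and Total By Source tallies, and the 30-day Trends percentage change. The column names, the ISO timestamp format and the sample rows are all assumptions or constructed data; the real export layout may differ, so adjust the header names in `parse_export` to match your file.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export (not a real portal export). The columns follow the
# detection list described in the help text (date/time, source, severity,
# detection type, target, action, case number); the header names and the
# timestamp format are assumptions. Detection names marked "(constructed)" are
# placeholders; the O365 names are taken from the examples list on this page.
SAMPLE_CSV = """\
time,source,severity,detection_type,target,action,case_number
2025-03-01T08:15:00Z,Cloud,High,O365 anomalous country login,alice@example.com,Alerted,CASE-1001
2025-03-25T16:05:00Z,Endpoint,Critical,Process tree detection (constructed),WS-017,Killed,CASE-1009
2025-02-14T12:00:00Z,Cloud,Medium,O365 anomalous new inbox rule,carol@example.com,Logged,
2025-03-20T14:45:00Z,Network,High,ThreatSync+ NDR detection (constructed),10.0.5.17,Alerted,CASE-1007
2025-03-10T11:00:00Z,Identity,Medium,AuthPoint credential access (constructed),bob@example.com,Logged,
2025-03-02T09:30:00Z,Endpoint,Critical,Endpoint malware detection (constructed),WS-042,Blocked,
2025-03-28T03:20:00Z,Cloud,Low,O365 safe links disabled,tenant,Logged,
2025-02-05T07:40:00Z,Endpoint,High,Endpoint scan finding (constructed),WS-003,Scanned,
"""

# Fixed reference point for the 30-day windows so the example is reproducible.
NOW = datetime(2025, 3, 31, tzinfo=timezone.utc)


def parse_export(text):
    """Parse the CSV export into dicts and sort newest first (portal default)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        rows.append(rec)
    rows.sort(key=lambda r: r["time"], reverse=True)
    return rows


def filter_detections(rows, severities=("Critical", "High"), sources=None,
                      actions=None, since=None, until=None):
    """Apply the portal's filter panel: severity, source, action and time range.

    Pass severities=None to lift the default Critical/High restriction."""
    kept = []
    for r in rows:
        if severities and r["severity"] not in severities:
            continue
        if sources and r["source"] not in sources:
            continue
        if actions and r["action"] not in actions:
            continue
        if since and r["time"] < since:
            continue
        if until and r["time"] > until:
            continue
        kept.append(r)
    return kept


def default_view(rows, now=NOW, days=30):
    """Default list: Critical and High detections from the last `days` days."""
    return filter_detections(rows, since=now - timedelta(days=days), until=now)


def totals_by(rows, field):
    """Count detections per value of `field` (e.g. 'severity' or 'source')."""
    return Counter(r[field] for r in rows)


def trend(rows, now=NOW, days=30):
    """Trends tile: current-window count by severity and percentage change
    against the preceding window of the same length."""
    window = timedelta(days=days)
    current = [r for r in rows if now - window <= r["time"] <= now]
    previous = [r for r in rows if now - 2 * window <= r["time"] < now - window]
    if previous:
        pct = round(100.0 * (len(current) - len(previous)) / len(previous), 1)
    else:
        pct = None  # no baseline in the prior window: change is undefined
    return {"current": len(current), "previous": len(previous),
            "pct_change": pct, "by_severity": dict(totals_by(current, "severity"))}


def open_cases(rows):
    """Case numbers that link a detection to an investigation, sorted."""
    return sorted({r["case_number"] for r in rows if r["case_number"]})


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    view = default_view(rows)
    print("default view:", [(r["time"].date().isoformat(), r["severity"]) for r in view])
    print("by severity:", dict(totals_by(view, "severity")))
    print("by source:", dict(totals_by(view, "source")))
    print("trend:", trend(rows))
    print("open cases:", open_cases(rows))
```

The `trend` function returns `None` for the percentage when the prior window has no detections, rather than dividing by zero; a tile that reads "0%" in that situation would hide a genuine change from nothing to something, so treat an undefined baseline explicitly. Because the export carries the same columns the list shows, the per-severity and per-source counts computed here should match the tile totals for the same filter and date range, which makes the script a quick cross-check when the numbers in the portal look off.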

MDR Cloud Detection Examples

WatchGuard regularly evaluates the attack surface, works with security analysts, and adds new detections to the MDR pipeline to protect your infrastructure from malicious actors.

To protect our customers and to maintain competitive integrity, WatchGuard does not publish a comprehensive detection catalog. The following example detections represent a small sample from the extensive list of WatchGuard MDR detections.

Microsoft O365 Detections

Identity and Access

Focus

  • Anomalous geographies
  • Impossible travel
  • Suspicious user agents
  • Brute‑force outcomes
  • MFA administration risk

Examples

  • O365 anomalous country login
  • User login location and impossible travel anomaly

Admin and Privilege Changes

Focus

  • Rapid admin assignment
  • Role elevation
  • Account enablement by newly‑privileged accounts

Examples

  • O365 elevate to high‑level administrator
  • O365 create admin account

Email and Collaboration Security

Focus

  • Malicious URL clicks
  • Anomalous inbox rules
  • Send restrictions
  • Anti‑spam/phish/malware guardrails

Examples

  • O365 anomalous new inbox rule
  • O365 potentially malicious URL clicked

Data Protection and DLP

Focus

  • Exfiltration anomalies
  • Bulk restore behavior
  • External sharing policy changes

Examples

  • Office 365 data exfiltration attempt anomaly
  • Office 365 multiple file restore

Governance, Audit, and eDiscovery

Focus

  • eDiscovery role changes or exports
  • Access governance alerts

Examples

  • O365 eDiscovery manager changed
  • O365 eDiscovery search exported by new admin

Security Controls Tampering

Focus

  • Attempts to weaken defenses
  • Audit logs off
  • Safe links/attachments
  • Anti‑spam/phish/malware policies disabled/removed

Examples

  • O365 audit log disabled
  • O365 safe links disabled

Behavioral Analytics and Anomaly Engine

Focus

  • AI‑driven behavioral analytics

Examples

  • O365 Sixth Sense Longcycle
  • O365 suspicious login detection

AWS Detections

Identity and Access

Focus

  • Root account usage, credential abuse
  • Anomalous login patterns
  • Impossible travel
  • Login anomalies
  • Brute-force success

Examples

  • AWS root login
  • Brute-force successful user login

Admin and Control Plane Integrity

Focus

  • Critical configuration changes that weaken visibility or security posture
  • Disabling logging
  • Deleting trails
  • Removing detectors

Examples

  • AWS stop logging
  • DeleteDetector

Network and Infrastructure Security

Focus

  • Destructive actions or exposure risks in core infrastructure
  • Virtual Private Cloud (VPC)
  • Subnets
  • Flow logs

Examples

  • DeleteVpc
  • DeleteSubnet
  • DeleteFlowLogs

Data Protection and Storage Security

Focus

  • Public exposure or tampering with storage and encryption settings
  • S3 buckets
  • Snapshots
  • EBS encryption

Examples

  • AWS public S3 bucket
  • DisableEbsEncryptionByDefault

Database and Compute Resource Hardening

Focus

  • Misconfigurations or destructive actions in RDS clusters and AMIs
  • Public snapshots
  • AMI sharing

Examples

  • DeleteDBCluster
  • AWS AMI made public

Governance and Logging Integrity

Focus

  • Attempts to disable or delete audit trails
  • Log validation
  • Multi-region logging

Examples

  • AWS DeleteTrail
  • AWS disable multi-region logging

Behavioral Analytics and Anomaly Detection

Focus

  • AI-driven detection of suspicious user behavior
  • Login anomalies
  • Impossible travel
  • Credential stuffing

Examples

  • User login time anomaly and impossible travel anomaly
  • Credential stuffing

Google Workspace Detections

Identity and Access

Focus

  • Account takeover indicators
  • Anomalous login patterns
  • Brute-force attempts
  • Logins from bad reputation IPs

Examples

  • User login location and impossible travel anomaly
  • Brute-forced successful user login

Account and Security Policy Integrity

Focus

  • Suspicious account state changes and security posture downgrades
  • User suspension
  • Unenrollment from advanced protections

Examples

  • G-Workspace user suspended
  • G-Workspace Advanced Protection unenroll

Email and Collaboration Security

Focus

  • Risky email forwarding configurations and out-of-domain forwarding that could enable data exfiltration

Examples

  • G-Workspace out of domain email forwarding enabled

Threat Intelligence and Attack Warnings

Focus

  • Alerts from Google on government-backed attacks and emerging threats

Examples

  • G Suite attack warning
  • Emerging threat

Behavioral Analytics and Anomaly Detection

Focus

  • AI-driven detection of unusual user behavior
  • Login time anomalies
  • Impossible travel
  • Credential abuse

Examples

  • Login time and impossible travel anomaly
  • Bad reputation login

Related Topics

Review MDR Investigations

Review MDR Connection Service Status