WatchGuard MDR Managed Service Overview

Applies To: WatchGuard Core MDR, WatchGuard Core MDR for Microsoft, WatchGuard Total MDR

WatchGuard MDR is a managed service provided by WatchGuard to eligible partners and customers. To learn more about how WatchGuard works with partners and customers to provide MDR services and how to get started, go to these sections:

Responsibilities

To provide MDR services to customers, partners and WatchGuard work together. Before you get started with WatchGuard MDR, it is helpful to understand the roles and responsibilities of partners or customers and of WatchGuard.

Partner or Customer Responsibilities

If you have WatchGuard MDR for your own account or for accounts you manage, your responsibilities for WatchGuard MDR include:

Determine Eligibility and Initiate Partner Onboarding

You must meet with your WatchGuard account manager to confirm eligibility requirements and to initiate the onboarding process. For more information, go to Partner and Customer Eligibility.

Purchase and Allocate Licenses

Each time you purchase a new MDR license, you activate the license then allocate the MDR service to the users in WatchGuard Cloud. For more information, go to About WatchGuard MDR Licenses.

Configure the Environment

The steps you must take to configure and connect MDR to your environment depend on your WatchGuard MDR license. For more information, go to About WatchGuard MDR Integrations.

Follow Remediation Guidelines

If an incident occurs, make sure you or your customer can follow recommendations from WatchGuard MDR to remediate the incident so you can return to business-as-usual as soon as possible. For more information, go to Review MDR Investigations.

WatchGuard Responsibilities

WatchGuard responsibilities for WatchGuard MDR include:

Monitor, Analyze, and Triage

WatchGuard proactively monitors and analyzes telemetry data from your customer endpoints to identify, aggregate, and prioritize indicators and alerts.

Investigate

WatchGuard determines whether an abnormal activity is malicious and requires a response.

Provide Threat Response

A threat response consists of alerts that detail the investigation, list the affected endpoints, and give guidelines to remediate the threat. When you onboard a WatchGuard MDR account, you can specify whether you want to allow WatchGuard MDR to isolate affected endpoints in response to a threat.

Search for Threats

WatchGuard threat hunters search for threats that might have evaded existing detection controls, based on threat intelligence and relevant indicators of compromise (IoCs) observed over time. If the threat hunting activity reveals indicators of malicious activity, the threat hunters perform an investigation. Additionally, WatchGuard creates new indicators of attack (IoAs) and IoCs to improve the efficacy and efficiency of the service.

Deliver Reports

WatchGuard MDR automatically delivers periodic health status and service activity reports. For more information, go to View MDR Reports.

Provide Remediation Guidance

The WatchGuard SOC provides remediation guidance for any detected threats. For more information, go to Incident Mitigation and Remediation.

Partner and Customer Eligibility

To provide the WatchGuard MDR service to your environment, we recommend that you have experience with the installation, support, and troubleshooting of WatchGuard EDR, EPDR, Advanced EPDR, Microsoft Defender, or Microsoft 365, and with third-party cloud platforms such as Microsoft Defender, Microsoft 365, AWS CloudTrail, and Google Workspace.

Your staff must also have access to the environment or provide permission to the WatchGuard SOC team, so that they can work directly with the environment when the MDR service detects a compromise attempt.

In addition, you must attend an initial partner onboarding session. For more information about onboarding, go to Onboarding Process.

You must have at least one person available 8 hours a day, 5 days a week, or 24 hours a day, 7 days a week (based on the model you select in the onboarding process), in case the WatchGuard SOC team needs to contact you. For example, we might need your help to determine whether activity we detect on the network is approved by you or your customer or indicates a potential security threat.

We also recommend:

  • You have a scalable business plan in place to support the growth of the MDR service.
  • For WatchGuard Core MDR or WatchGuard Total MDR, you have at least one staff member with a current WatchGuard Endpoint Security technical certification.

Onboarding Process

When you meet the eligibility requirements, you work with WatchGuard to complete the onboarding process:

  1. Contact your account manager to express interest in WatchGuard MDR.
  2. After your account manager qualifies your organization as eligible, they forward the request to the onboarding team.
  3. The onboarding team interviews you or your team to collect essential data and to review your responsibilities.
  4. Sign the Terms of Service agreement.
  5. Complete these forms (provided by the onboarding team):
    • MDR Onboarding Form
    • MDR Client Delegation Form
    • MDR Microsoft Defender for Endpoint Onboarding Form

Enable Support Access to WatchGuard Cloud Accounts

To enable WatchGuard MDR to monitor your licensed endpoints and products, including Fireboxes, AuthPoint, ThreatSync and ThreatSync+ NDR, you must enable WatchGuard Support to connect to your WatchGuard Cloud account.

To enable Support access to your WatchGuard Cloud account:

  1. Log in to WatchGuard Cloud.
    If you have a Service Provider account, from Account Manager, select the Subscriber account.
  2. Select Administration > Managed Access.
  3. In the Support Access section, click Enable Support Access.
    Screenshot: WatchGuard Cloud, Enable Support Access
  4. From the Access Role drop-down list, select Administrator.
  5. From the calendar, select the maximum number of days for the expiration date.
    Screenshot: WatchGuard Cloud, Enable Support Access expiration date
  6. Click Save.

WatchGuard will extend the expiration date past the maximum of 45 days and until your license expires. We recommend that you do not disable support access. If you disable support access, your MDR service is limited.

Disable Notification Rules

WatchGuard MDR notifies you in the Managed Services portal when there are detections.

If you set up notification rules in WatchGuard Cloud for products that WatchGuard MDR monitors, we recommend you disable those notifications to avoid discrepancies. Use the Managed Services portal to see the status of the service for your account. For more information, go to Review MDR Detections and Review MDR Investigations.

Incident Mitigation and Remediation

When you use WatchGuard Endpoint Security and configure the WatchGuard Core MDR settings for an account in WatchGuard Cloud, you can choose to allow WatchGuard to automatically isolate computers on the network when an incident occurs. For more information on how to change WatchGuard Core MDR settings, go to Configure WatchGuard Core MDR Settings.

When an incident occurs, unless you gave permission to WatchGuard to work directly with the account, you are responsible for the remediation or post-incident activities. The WatchGuard SOC team provides guidelines on how to execute the remediation for the account. We might also make recommendations on how to improve the network security posture to avoid compromise by threat actors who use the same techniques in the future.
