Configure ThreatSync+ NDR Policies

Applies To: ThreatSync+ NDR

This feature is only available to participants in the ThreatSync+ NDR Beta program.

ThreatSync+ NDR policies continuously monitor your network for activity that violates the policies of your organization. Policies detect vulnerabilities and threats in your network and generate policy alerts if unauthorized activity is detected.

To minimize your response time and maximize your protection, it is important to configure and tune your policies to:

  • Reflect the security policies of your organization.
  • Apply policies only to parts of your network that your organizational policies govern.
  • Reflect the appropriate severity for your organization.

To get started with ThreatSync+ NDR policies, we recommend that you:

  • Start with a small, manageable set of policies.
  • Tune these policies so that you only receive alerts that are actionable — alerts that you can respond to and remediate so that the alert does not recur.
  • Create additional policies that expand the protection of your network and tune them to prevent too many alerts.

For recommendations on how to tune your policies, go to Policy Tuning.

We recommend that you wait two to three days before you configure policies so ThreatSync+ NDR can monitor and learn about your network.

Enable Default ThreatSync+ NDR Policies

ThreatSync+ NDR includes over 100 default policies that you can enable. Because not every default policy is appropriate for every network or every set of security policies, default policies are disabled by default, with the exception of a subset of Level 1 policies that automatically generate alerts. For a list of default policies, go to Default Policies and Zones.

If you enable a large number of default policies, you might receive more alerts than you can respond to. If you enable too few policies, you might miss important alerts about possible threats in your network.

To enable a default ThreatSync+ NDR policy:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ NDR > Policies.
  3. Next to the default policy you want to enable, click Not Active.
    The policy status changes to Live.

Screenshot of the Manage Policies page in ThreatSync+ NDR

Add Custom ThreatSync+ NDR Policies

You can create a new ThreatSync+ NDR policy and customize policy definitions for your network. Each policy evaluates all traffic or event logs between a source zone and a destination zone and triggers an alert when specific conditions are met. These conditions are activity triggers.

For more information, go to Policy Evaluation.

To add a custom ThreatSync+ NDR policy:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ NDR > Policies.
  3. On the Manage ThreatSync+ NDR Policies page, click New Policy.
    The Create a New Policy page opens.

Screenshot of the Create a New Policy page in ThreatSync+ NDR

  4. (Optional) In the Policy ID text box, enter a policy ID.

The policy ID uniquely identifies the policy. If you create a custom defense goal report with the Compliance Reporting license, you might want to reference a custom policy in one of the controls defined in the defense goal. Use this policy ID to uniquely identify the policy. If you do not enter a policy ID, ThreatSync+ NDR assigns it for you. For more information about compliance reporting, go to About WatchGuard Compliance Reporting.

  5. In the Policy Name text box, enter a name for your new policy.
  6. Enter a description.
  7. In the Tags text box, select or create tags to apply to your policy.
  8. Click Activity Triggers.
    The Activity Triggers section expands.
  9. In the Activity Triggers section, select the type of activity you want to set the alert for: Traffic, Anomalies, or Service Events.
  10. From the Importance drop-down list, select the importance to assign to your activity: Very Low, Low, Medium, High, or Very High.
  11. If you only want to receive alerts for specific traffic, select Alert on Specific Traffic and specify the alert conditions.
  12. If you only want to receive alerts for specific anomalies, select Alert on Specific Anomalies and specify the alert conditions.
  13. If you only want to receive alerts for specific service events, select Alert on Specific Service Events and specify the alert conditions.
  14. Click Traffic Flow.
    The Traffic Flow section expands.
  15. Configure the source and destination traffic flow settings. If you want to create a new zone, click Create a Zone to go to the Zones page. For more information, go to Manage ThreatSync+ NDR Zones.
  16. Review your policy details.
  17. Activate your policy or save it as a draft to review later.

Activate or Deactivate ThreatSync+ NDR Policies

On the Manage Policies page, you can activate or deactivate one or more policies. When you activate a policy, ThreatSync+ NDR detects violations of the access policies of your organization and generates policy alerts to notify you about policy violations.

Default policies are similar to templates. When you activate or edit a default policy, ThreatSync+ NDR saves a copy of the policy for you. If you delete your copy, any changes you made to the policy definition are discarded and the policy reverts back to the default policy definition. For more information, go to About ThreatSync+ NDR Policies and Zones.

To activate or deactivate a ThreatSync+ NDR policy, from the Manage Policies page:

  1. Select one or more policies you want to edit.
  2. Click the More Menu icon.
  3. Select Activate Selected or Deactivate Selected.

Screenshot of the More Menu on the Manage Policies page

You can also click Live in the Status column to deactivate the policy and change the status to Not Active, or click Not Active to activate the policy and change the status to Live.

Edit the Policy Alert Severity Scale

For policy alerts that are based on machine learning, ThreatSync+ NDR builds a baseline of activity and generates alerts only when traffic varies from this baseline. For example, an unexpectedly large volume of data sent to the Internet generates an alert because it varies substantially from the baseline activity.

If you want to generate fewer alerts, you can adjust the alert sensitivity to make the detection less sensitive.
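The following Python example is added here to illustrate the two ideas this page describes: a policy that evaluates traffic between a source zone and a destination zone (the Traffic Flow section above) and a baseline-based trigger whose sensitivity value controls how far traffic must deviate from the baseline before an alert fires. It is a constructed model, not ThreatSync+ NDR's own code, data format or detection algorithm; the zone definitions, flow records, the mean-plus-k-standard-deviations threshold and the 5% floor on the spread are all assumptions chosen so the example runs offline.

```python
import ipaddress
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed zone definitions (assumption, not the product's data model).
# Longest-prefix match decides membership, so 10.0.0.0/8 wins over 0.0.0.0/0.
ZONES = {
    "Internal": [ipaddress.ip_network("10.0.0.0/8")],
    "Internet": [ipaddress.ip_network("0.0.0.0/0")],
}


def zone_of(ip: str):
    """Return the name of the zone whose most specific network contains ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


@dataclass
class Policy:
    name: str
    source_zone: str
    destination_zone: str
    importance: str   # Very Low, Low, Medium, High or Very High
    sensitivity: int  # higher value -> larger deviation needed -> fewer alerts


@dataclass
class Flow:
    src: str
    dst: str
    megabytes: int  # bytes sent from src to dst in one day (constructed unit)


def bytes_per_host(flows, policy):
    """Sum outbound volume per source host for flows that match the zone pair."""
    totals = {}
    for f in flows:
        if (zone_of(f.src) == policy.source_zone
                and zone_of(f.dst) == policy.destination_zone):
            totals[f.src] = totals.get(f.src, 0) + f.megabytes
    return totals


def evaluate(policy, baseline_days, today):
    """Alert on hosts whose volume today exceeds mean + sensitivity * spread
    of their baseline. Hosts with fewer than two baseline days are skipped."""
    history = {}
    for day in baseline_days:
        for host, mb in bytes_per_host(day, policy).items():
            history.setdefault(host, []).append(mb)
    alerts = []
    for host, mb in bytes_per_host(today, policy).items():
        hist = history.get(host, [])
        if len(hist) < 2:
            continue  # no usable baseline yet (learning period)
        avg = mean(hist)
        # Floor the spread at 5% of the mean so a perfectly flat baseline
        # does not alert on trivial changes (assumption for this example).
        spread = max(pstdev(hist), 0.05 * avg)
        threshold = avg + policy.sensitivity * spread
        if mb > threshold:
            alerts.append({"policy": policy.name, "host": host,
                           "observed": mb, "threshold": round(threshold, 1),
                           "importance": policy.importance})
    return alerts


# Constructed sample data: three baseline days, then today's flows.
# 203.0.113.10 is a documentation address standing in for an Internet host.
SAMPLE_BASELINE = [
    [Flow("10.0.0.5", "203.0.113.10", 100), Flow("10.0.0.6", "203.0.113.10", 50)],
    [Flow("10.0.0.5", "203.0.113.10", 120), Flow("10.0.0.6", "203.0.113.10", 50)],
    [Flow("10.0.0.5", "203.0.113.10", 110), Flow("10.0.0.6", "203.0.113.10", 50)],
]
SAMPLE_TODAY = [
    Flow("10.0.0.5", "203.0.113.10", 180),   # well above its baseline
    Flow("10.0.0.6", "203.0.113.10", 52),    # within its flat baseline
    Flow("10.0.0.7", "10.0.0.1", 5000),      # Internal -> Internal: not this zone pair
    Flow("203.0.113.10", "10.0.0.5", 9000),  # Internet -> Internal: not this zone pair
]


def run_sample(sensitivity: int):
    """Evaluate the sample with the given sensitivity value."""
    policy = Policy("Large upload to Internet", "Internal", "Internet",
                    "High", sensitivity)
    return evaluate(policy, SAMPLE_BASELINE, SAMPLE_TODAY)


if __name__ == "__main__":
    print("sensitivity 3:", run_sample(3))    # one alert for 10.0.0.5
    print("sensitivity 10:", run_sample(10))  # no alerts
```

With the sample data, a sensitivity of 3 raises one alert (10.0.0.5 sent 180 against a threshold of about 134.5), while a sensitivity of 10 raises none, which is the behaviour the scale described above is meant to give: move the slider up to receive fewer alerts, down to receive more. Flows whose source or destination falls outside the policy's zone pair are ignored entirely, which is why the large Internal-to-Internal transfer never counts against this policy.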

Screenshot of the Policy Alert Sensitivity Scale

To edit the alert severity scale for a specific ThreatSync+ NDR policy:

  1. On the Manage ThreatSync+ NDR Policies page, click the Edit icon next to the policy you want to edit.
    The Policy Details page opens.
  2. In the Activity Triggers section, next to Alert Severity Scale, click the Edit icon.
    The Edit Alert Severity Scale dialog box opens.

Screenshot of the Edit Alert Severity Scale dialog box

  3. To change the alert severity scale, drag the slider to a new value. To generate fewer alerts, select a higher value. To generate more alerts, select a lower value.
  4. Click Save.

Related Topics

About ThreatSync+ NDR Policies and Zones

About Policy Alerts

Configure ThreatSync+ NDR