Applies To: ThreatSync
In WatchGuard Cloud, you can configure notification rules to generate alerts and send email notifications for ThreatSync activity. Notification rules make it easier for you to respond to emerging threats on your network and endpoints, and provide awareness of incident changes and remediated threats.
On the Rules page, you can see all rules created for your account. By default, several predefined rules exist. You can edit the default rules to change the name, description, and delivery method. If you select Email for the delivery method, you can also change the frequency of the alerts. There are some default system rules you cannot delete.
ThreatSync Notification Types
Each notification rule in WatchGuard Cloud uses a Notification Type that specifies the action or event that causes the rule to generate an alert.
On 13 November 2025, ThreatSync consolidated three notification types to a single unified notification type: New/Updated Incident. ThreatSync continues to support existing rules based on the three previous notification types and you do not have to update those rules.
New/Updated Incident
Generates an alert when an incident is detected or updated in ThreatSync.
Add a Notification Rule for ThreatSync
Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Notification Rules permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.
To add a new notification rule, from WatchGuard Cloud:
- Select Administration > Notifications.
- Select the Rules tab.
- Click Add Rule.
- On the Add Rule page, in the Name text box, type a name for your rule to help you identify it.
- From the Notification Source drop-down list, select ThreatSync.
- From the Notification Type drop-down list, select the action or event that causes this rule to generate an alert.
- (Optional) Type a description for your rule.
- Select the conditions that must be met to generate an alert:
- Risk From/Risk To — Select a range of risk scores from 1 to 10.
- Incident Type — Select one or more incident types.
- Entity Type — Select one or more entity types.
- To send a notification email to the specified recipients, in the Delivery Method section, select or enable Email
- From the Frequency drop-down list, configure how many emails the rule can send per day:
- To send an email for each alert the rule generates, select Send All Alerts.
- To restrict how many email messages the rule sends each day, select Send At Most. In the Alerts Per Day text box, type the maximum number of email messages this rule can send each day. You can set specify a value of up to 20,000 alerts per day.
- In the Subject text box, type the subject line for the email message this rule sends when it generates an alert. You can type a maximum of 78 characters.
- In the Recipients text box, type the email address for each person you want to receive an email message when this rule generates an alert. You can type multiple email addresses. Press Enter after each email address or separate the email addresses with a space, comma, or semicolon.
- From the Frequency drop-down list, configure how many emails the rule can send per day:
- For PSA integrations, to send a ticket notification to the PSA tool, enable PSA Ticket.
- For ConnectWise, select the Priority, Service Board, New Status, and Close Status for the ticket sent to ConnectWise.
For participants in the Centralized Notification Management for PSA Ticketing beta, the PSA ticket options are disabled. To manage notification rules, go to Overview > Administration > PSA Ticketing. For more information about notification rules for PSA ticketing, go to Configure PSA Ticketing Notification Rules.
- For Autotask, select the Priority, Queue, Ticket Category, New Status, and Close Status for the ticket sent to Autotask.
- Click Add Rule.
To delete a notification rule, click
in the row for the rule you want to delete.
For more information on how to manage alerts, go to Manage WatchGuard Cloud Alerts.