Incident Types and Triggers in ThreatSync
Applies To: ThreatSync
The ThreatSync management UI presents correlated event data as incidents. Based on the products you enable to send data to ThreatSync, you can receive incidents from these WatchGuard products:
Endpoint Security
This table shows the types of endpoint incidents ThreatSync receives from Endpoint Security, and what triggers them:
| Incident Type | Incident Description | Trigger |
|---|---|---|
| Intrusion Attempt: Network Attack | Intrusion was detected by Network Attack Protection. | Intrusion detected |
| Advanced Security Policy: PowerShell with Suspicious Parameters | PowerShell was detected because the interpreter received suspicious parameters. | PowerShell interpreter received suspicious parameters |
| Advanced Security Policy: PowerShell run by the user | PowerShell was detected because it was run by a user and not through administrative tools. | PowerShell manually initiated by user |
| Advanced Security Policy: Unknown scripts | Scripts were detected as unclassified by WatchGuard. | Unclassified script detected |
| Advanced Security Policy: Locally compiled programs | Program was detected because it was compiled on a local user computer. The program is blocked until the Zero-Trust Application Service classifies it as trusted. | Program compiled on local user computer |
| Advanced Security Policy: Documents with macros | File was detected because it is a Microsoft Office document with macros. | Microsoft Office document includes macros |
| Advanced Security Policy: Registry modification to run when Windows starts | Program was detected because it adds a branch to the Windows registry to run at every system startup. | Registry modified to run program on Windows startup |
| Advanced Security Policy: Program blocking by name | Program was blocked because its name is on the blocklist. Programs required by WatchGuard products and OS-critical processes needed for system startup are not blocked. | Blocklist program detected |
| Malware | File was detected as malware by local or remote technology in WatchGuard Endpoint Security. | Malware detected |
| Potentially Unwanted Program (PUP) | File was detected as Potentially Unwanted Program (PUP) by local or remote technology in WatchGuard Endpoint Security. | PUP detected |
| Exploit: APC | Exploit was detected as local code execution through APC. For more information, go to Exploit Techniques. | Local code execution through APC detected |
| Exploit: Covenant | Exploit was detected as Covenant framework activity. For more information, go to Exploit Techniques. | Covenant exploit detected |
| Exploit: DumpLsass | Exploit was detected as LSASS Process Memory Dump. For more information, go to Exploit Techniques. | DumpLsass exploit detected |
| Exploit: HookBypass | Exploit was detected as Hook bypass in running functions. For more information, go to Exploit Techniques. | HookBypass exploit detected |
| Exploit: IE_GodMode | Exploit was detected as GodMode technique in Internet Explorer. For more information, go to Exploit Techniques. | GodMode technique detected |
| Exploit: Metasploit | Exploit was detected as Metasploit shellcode signature detection. For more information, go to Exploit Techniques. | Metasploit exploit detected |
| Exploit: ROP1 | Exploit was detected as execution of memory management APIs when the stack is out of the thread limits. For more information, go to Exploit Techniques. | ROP1 exploit detected |
| Exploit: ShellCodeBehavior | Exploit was detected as code execution on MEM_PRIVATE pages that do not correspond to a PE. For more information, go to Exploit Techniques. | ShellCodeBehavior exploit detected |
| Exploit: ReflectiveLoader | Exploit was detected as reflective executable loading (Metasploit, Cobalt Strike, etc.). For more information, go to Exploit Techniques. | ReflectiveLoader exploit detected |
| Exploit: RemoteAPCInjection | Exploit was detected as remote code injection through APCs. For more information, go to Exploit Techniques. | RemoteAPCInjection exploit detected |
| Exploit: DynamicExec | Exploit was detected as execution of code in pages without execution permissions (32 bits only). For more information, go to Exploit Techniques. | DynamicExec exploit detected |
| Exploit: RunPE | Exploit was detected as process hollowing technique/RunPE. For more information, go to Exploit Techniques. | RunPE exploit detected |
| Exploit: PsReflectiveLoader1 | Exploit was detected as PowerShell reflective executable loading (Mimikatz, etc.). For more information, go to Exploit Techniques. | PsReflectiveLoader1 exploit detected |
| Exploit: PsReflectiveLoader2 | Exploit was detected as PowerShell reflective executable loading (Mimikatz, etc.). For more information, go to Exploit Techniques. | PsReflectiveLoader2 exploit detected |
| Exploit: NetReflectiveLoader | Exploit was detected as .NET reflective load (Assembly.Load). For more information, go to Exploit Techniques. | .NET reflective load (Assembly.Load) exploit detected |
| Exploit: JS2DOT | Exploit was detected as JS2DOT technique. For more information, go to Exploit Techniques. | JS2DOT technique detected |
| Exploit: Vulnerable Driver | Exploit was detected as a driver with vulnerabilities that have been exploited in the threat landscape. For more information, go to Exploit Techniques. | Driver with vulnerabilities detected |
| Indicator of Attack (IOA) | Event was detected by the WatchGuard Threat Hunting Service through lateral movements or other early indicators of malware activity before the malware took action. | IOA detected |
| Unknown Program | Unknown Program was detected or reclassified by WatchGuard Endpoint Security. For more information, go to Unknown Programs and Incident Reclassification. | Unknown program detected or reclassified |
Fireboxes
This table shows the types of incidents ThreatSync receives from Fireboxes, and what triggers them:
| Incident Type | Incident Description | Trigger |
|---|---|---|
| Virus | File was detected as a virus by Gateway AntiVirus. | Virus detected by Gateway AntiVirus |
| Malware: APT | File was submitted to APT Blocker and returned a malicious result. | Malware detected by APT Blocker |
| Intrusion Attempt | Intrusion was detected by the Firebox Intrusion Prevention Service (IPS) engine. | Intrusion detected by IPS |
| Malicious URL | Malicious URL was detected by WebBlocker. | Malicious URL detected by WebBlocker |
| Malicious IP | Malicious IP address was detected by the Firebox. | Malicious IP address detected |
AuthPoint
This table shows the types of incidents ThreatSync receives from AuthPoint, and what triggers them:
| Incident Type | Incident Description | Trigger |
|---|---|---|
| Credential Access: Login attempts with incorrect password | The user was blocked because they entered an incorrect password too many times. | 10 incorrect password login attempts (default). In AuthPoint, you can change the number of login attempts that trigger this type of incident. For more information, go to AuthPoint Settings. |
| Credential Access: Token blocked by too many failed authentications | User failed too many consecutive authentication attempts, and AuthPoint automatically blocked their token. | 3 consecutive failed authentication attempts |
| Credential Access: User disabled push notifications | A user disabled MFA push notifications on their mobile device. This usually indicates that they received a high number of push notifications that they did not recognize. | User disabled MFA push notifications on their mobile device |
| Credential Access: User received too many push notifications | When a user receives a high number of MFA push notifications that they deny or ignore, this might indicate that the user is the target of MFA spamming, a type of cyberattack. | 7 or more push notifications received within 10 minutes |
| Credential Access: Authentication denied by AuthPoint policy | An AuthPoint authentication policy denied a user authentication to a protected resource. This indicates that a user tried to access resources that they are not authorized for or that they do not have an AuthPoint policy for. | 4 or more denied authentication attempts within 15 minutes |
| Credential Access: Authentication attempt from an unknown user | An unrecognized user account attempted to log in to a protected resource multiple times. | 30 or more unknown user authentication attempts within 10 minutes |
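The AuthPoint triggers above are count-within-window rules (7 pushes in 10 minutes, 4 policy denials in 15 minutes, 30 unknown-user attempts in 10 minutes) plus one consecutive-failure rule (3 failed authentications block the token). The following added example, not WatchGuard's code, models those triggers over a constructed event stream; the event kinds and field names are assumptions, not AuthPoint's real log schema.

```python
"""Sliding-window model of the AuthPoint incident triggers listed above.

Constructed example: event kinds ("push_received", "policy_denied",
"unknown_user", "auth_failed", "auth_success") are assumed labels, not
AuthPoint's real log fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windowed triggers: event kind -> (threshold, window, incident name)
WINDOWED_RULES = {
    "push_received": (7, timedelta(minutes=10),
                      "Credential Access: User received too many push notifications"),
    "policy_denied": (4, timedelta(minutes=15),
                      "Credential Access: Authentication denied by AuthPoint policy"),
    "unknown_user": (30, timedelta(minutes=10),
                     "Credential Access: Authentication attempt from an unknown user"),
}
# Consecutive-failure trigger: 3 failed authentications in a row block the token.
CONSECUTIVE_FAILURE_LIMIT = 3
TOKEN_BLOCKED = "Credential Access: Token blocked by too many failed authentications"


class AuthPointTriggerModel:
    def __init__(self):
        self._windows = defaultdict(deque)   # (user, kind) -> timestamps still inside the window
        self._streak = defaultdict(int)      # user -> consecutive failed authentications
        self.incidents = []                  # (timestamp, user, incident name)

    def ingest(self, ts, user, kind):
        """Feed one event; return the incident name if this event fired one."""
        if kind == "auth_success":
            self._streak[user] = 0           # a success ends the failure streak
            return None
        if kind == "auth_failed":
            self._streak[user] += 1
            if self._streak[user] >= CONSECUTIVE_FAILURE_LIMIT:
                self._streak[user] = 0       # token is now blocked; start a fresh count
                self.incidents.append((ts, user, TOKEN_BLOCKED))
                return TOKEN_BLOCKED
            return None
        if kind not in WINDOWED_RULES:
            return None
        threshold, window, incident = WINDOWED_RULES[kind]
        q = self._windows[(user, kind)]
        q.append(ts)
        while q and ts - q[0] >= window:     # age out events older than the window
            q.popleft()
        if len(q) >= threshold:
            q.clear()                        # fire once per burst, not on every extra event
            self.incidents.append((ts, user, incident))
            return incident
        return None


def run_sample():
    """Replay a constructed event stream and return the incidents it produces."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    m = lambda minutes: t0 + timedelta(minutes=minutes)
    events = (
        # alice: 8 pushes in under 4 minutes -> fires on the 7th push
        [(m(i * 0.5), "alice", "push_received") for i in range(8)]
        # bob: denials at 0, 5, 10, 16 min -> the first has aged out by minute 16,
        # so only the 5th denial at minute 18 completes 4 within 15 minutes
        + [(m(0), "bob", "policy_denied"), (m(5), "bob", "policy_denied"),
           (m(10), "bob", "policy_denied"), (m(16), "bob", "policy_denied"),
           (m(18), "bob", "policy_denied")]
        # carol: 2 failures, a success (resets), then 3 failures -> one token block
        + [(m(1), "carol", "auth_failed"), (m(2), "carol", "auth_failed"),
           (m(3), "carol", "auth_success"), (m(4), "carol", "auth_failed"),
           (m(5), "carol", "auth_failed"), (m(6), "carol", "auth_failed")]
    )
    model = AuthPointTriggerModel()
    for ts, user, kind in sorted(events):
        model.ingest(ts, user, kind)
    return model.incidents
```

The aging step is what keeps bob's fourth denial from firing: a fixed window counts only attempts that are still recent, which is why the incident fires on the fifth denial and not the fourth.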
Access Points
This table outlines the types of incidents ThreatSync receives from access points, and what triggers them:
| Incident Type | Incident Description | Trigger |
|---|---|---|
| Malicious Access Point: Evil Twin | An Evil Twin access point was detected by one or more access points. An Evil Twin is a nearby access point operating in your airspace that broadcasts the same SSID name as your managed access points. | 1 or more access points detected an Evil Twin access point |
| Malicious Access Point: Rogue AP | A Rogue Access Point was detected by one or more access points. A Rogue Access Point is an unauthorized access point physically connected to your wired network. | 1 or more access points detected a Rogue Access Point |
| Malicious Access Point: Suspected Rogue AP | A device that might be a Rogue Access Point was detected by one or more access points. A Rogue Access Point is an unauthorized access point physically connected to your wired network. | 1 or more access points detected a Suspected Rogue Access Point |
ThreatSync+ NDR
ThreatSync+ NDR policy alerts appear as Advanced Security Policy incidents and Smart Alerts appear as Indicators of Attack (IOA) incidents in ThreatSync. This table outlines the types of Advanced Security Policy and IOA incidents ThreatSync receives from ThreatSync+ NDR, and what triggers them:
| Incident Type | Incident Description | Trigger |
|---|---|---|
| Advanced Security Policy: AA21-356A - Detect potential Log4Shell Attacks to New Organizations via LDAP or RMI | As recommended in CISA Alert AA21-356A, this policy identifies LDAP and RMI activity to sites never communicated with previously. For more information, go to ThreatSync+ NDR Level 1 Policies. | Unusually large volume of DNS, LDAP, or RMI activity to new destinations detected |
| Advanced Security Policy: AA21-356A — Detect Potential Log4Shell Attacks Through LDAP or RMI | As recommended in CISA Alert AA21-356A, this policy identifies LDAP and RMI activity to known malicious IP addresses. For more information, go to ThreatSync+ NDR Level 1 Policies. | Unusually large volume of DNS, LDAP, or RMI activity to malicious IP addresses detected |
| Advanced Security Policy: AA21-356A — Detect Unusual Volume of DNS, LDAP, or RMI Activity Due to Potential Log4Shell Attacks | As recommended in CISA Alert AA21-356A, this policy identifies high volumes of LDAP and RMI activity. For more information, go to ThreatSync+ NDR Level 1 Policies. | Unusually large volume of DNS, LDAP, or RMI activity detected |
| Advanced Security Policy: Active Directory to External | This policy generates alerts when Active Directory servers are communicating improperly with the outside world on ports other than 53, 80, 123, or 443. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic from a known DNS server to the Internet on unexpected ports detected |
| Advanced Security Policy: Activity Between Development and Production | This policy generates alerts when unauthorized development systems communicate with production systems. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic between internal Development and Production subnets detected |
| Advanced Security Policy: Activity From High-Risk Countries | This policy generates alerts for traffic from high-risk countries to internal devices. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic from Prohibited Countries zone to internal device detected |
| Advanced Security Policy: Activity Involving IP Addresses in the Blocklist | This policy generates alerts for traffic to or from IP addresses in the blocklist. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic to or from IP addresses listed in the blocklist detected |
| Advanced Security Policy: Activity to High-Risk Countries | This policy generates alerts for traffic from internal devices to high-risk countries. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic from internal device to Prohibited Countries zone detected |
| Advanced Security Policy: Activity to Social Media Sites | This policy generates alerts when anyone communicates with a prohibited social media site. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic from internal device to Social Media Sites zone detected |
| Advanced Security Policy: Anomalous Activity from High-Risk Countries | This policy generates alerts when any anomalous events occur with communication from high-risk countries. For more information, go to ThreatSync+ NDR Level 1 Policies. | Unusual traffic from Prohibited Countries zone to internal device detected |
| Advanced Security Policy: Anomalous Activity to High-Risk Countries | This policy generates alerts when any anomalous events occur in communication to high-risk countries. For more information, go to ThreatSync+ NDR Level 1 Policies. | Unusual traffic from internal device to Prohibited Countries zone detected |
| Advanced Security Policy: Beaconing Through the Web API | This policy generates alerts when possible automated beaconing activity through a third-party web service occurs between an IP address in your network and a remote location. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic to Internet destinations on ports 443 or 80 that indicates automated beaconing activity detected |
| Advanced Security Policy: Communicate with Suspicious AA21-062A IP Addresses | This policy generates alerts for communication from a set of IP addresses that are well-known to be used by attackers for Log4J attacks. For more information, go to ThreatSync+ NDR Level 1 Policies. | Incoming connection to unpatched Microsoft Exchange from Suspicious AA21-062A IP addresses to exploit RCE vulnerabilities CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 detected |
| Advanced Security Policy: Detect Large Volume to File Sharing Sites | This policy generates alerts when a large volume of data is uploaded to a file-sharing website. For more information, go to ThreatSync+ NDR Level 1 Policies. | 40,000 or more bytes uploaded to a web file-sharing domain listed in the Destination zone within 30 minutes |
| Advanced Security Policy: Internal LLMNR Traffic | This policy generates alerts when Link-Local Multicast Name Resolution (LLMNR) traffic (on port 5355 UDP) passes between two internal endpoints. For more information, go to ThreatSync+ NDR Level 1 Policies. | Internal traffic greater than 1 byte to UDP port 5355 detected |
| Advanced Security Policy: Internal mDNS Traffic | This policy generates alerts when Multicast Domain Name service (mDNS) traffic (port 5353 UDP) is detected between two internal endpoints. For more information, go to ThreatSync+ NDR Level 1 Policies. | Internal traffic greater than 1 byte to UDP port 5353 detected |
| Advanced Security Policy: Internal WUDO Traffic | This policy detects Windows Update Delivery Optimization (WUDO) traffic between devices within your network. For more information, go to ThreatSync+ NDR Level 1 Policies. | Activity on port 7680 between devices within your private network detected |
| Advanced Security Policy: LLMNR Traffic Crossing Network Boundary | This policy generates alerts for Link-Local Multicast Name Resolution (LLMNR) traffic (port 5355 UDP) traveling across the network boundary. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic from an internal source to port 5355 exiting or evading the edge network detected |
| Advanced Security Policy: NetBIOS-NS Traffic Crossing Network Boundary | This policy generates alerts when NetBIOS-NS traffic (port 137 UDP) is detected crossing the network boundary. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic on port 137 from the internal host to the external network detected |
| Advanced Security Policy: RDP Attempts From External to Internal | This policy generates alerts when Remote Desktop Protocol (RDP) sessions are attempted to your network from an external IP address, but fail. For more information, go to ThreatSync+ NDR Level 1 Policies. | Inbound RDP sessions that indicate a connection but a failed authorization detected |
| Advanced Security Policy: RDP Connection From New External Host | This policy generates alerts for incoming RDP connections from the Internet when the external source IP address connects to an internal IP address for the first time. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic from a new Internet source on the RDP port to the internal network detected |
| Advanced Security Policy: RDP From External to Internal | This policy generates alerts for inbound RDP connections from an external IP address. For more information, go to ThreatSync+ NDR Level 1 Policies. | RDP session with greater than 5 KB of data from an external network source detected |
| Advanced Security Policy: SSH Attempts from External to Internal | This policy generates alerts when SSH sessions attempted into your network from an external IP address fail. For more information, go to ThreatSync+ NDR Level 1 Policies. | Inbound SSH sessions that indicate a connection but failed authorization detected |
| Advanced Security Policy: Suspected Data Exfiltration through DNS | This policy generates an alert when an unusually large volume of traffic passes from internal endpoints to external locations using the DNS protocol. For more information, go to ThreatSync+ NDR Level 1 Policies. | DNS traffic with larger than expected payloads and a DNS tunnel between an internal and an external IP address detected |
| Advanced Security Policy: Unexpected DNS Resolution Server | This policy generates alerts when traffic from internal endpoints passes to unexpected external DNS resolution servers. For more information, go to ThreatSync+ NDR Level 1 Policies. | DNS traffic (port 53) to a new/unexpected domain detected |
| Advanced Security Policy: Unsecured Inbound FTP/TFTP Traffic | This policy generates alerts when FTP or TFTP traffic passes from external sources to internal devices. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic on FTP and TFTP ports detected from the Internet to internal devices |
| Advanced Security Policy: Unsecured Inbound IRC Traffic | This policy generates alerts when IRC traffic passes from external sources to internal devices. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic on IRC ports from the Internet to internal devices detected |
| Advanced Security Policy: Unsecured Inbound Telnet Traffic | This policy generates alerts when Telnet traffic (port 23 TCP) passes from external sources to internal devices. For more information, go to ThreatSync+ NDR Level 1 Policies. | Telnet traffic (port 23 TCP) from the Internet to internal devices detected |
| Advanced Security Policy: Unsecured Inbound Web Server Activity | This policy generates alerts when unsecured HTTP web server traffic (port 80 TCP) passes from external sources to internal devices. For more information, go to ThreatSync+ NDR Level 1 Policies. | Unsecured HTTP web server traffic (port 80 TCP) from external sources to internal devices detected |
| Advanced Security Policy: Unsecured Internal Telnet Traffic | This policy generates alerts when Telnet traffic (port 23 TCP) passes between internal devices. For more information, go to ThreatSync+ NDR Level 1 Policies. | Telnet traffic (port 23 TCP) in internal network detected |
| Advanced Security Policy: WUDO Traffic Crossing Network Boundary | This policy generates alerts when Windows Update Delivery Optimization (WUDO) traffic passes between devices within your network and the public Internet. For more information, go to ThreatSync+ NDR Level 1 Policies. | Traffic on port 7680 from devices in your network to public IP addresses detected |
| IOA: Internal to External Probing or Reconnaissance Activity | One or more horizontal or vertical port scans were detected from a device within your network to external addresses on the Internet. For more information, go to About Smart Alerts. | 1 or more horizontal or vertical port scans from an internal device to an external address detected |
| IOA: Suspicious Tunneling Plus Data Exfiltration | Tunneling activity with a large outbound data transfer was detected. For more information, go to About Smart Alerts. | Tunneling activity with a large outbound data transfer detected |
| IOA: Suspicious DNS Tunneling Plus Port Scan | DNS tunneling activity with a port scan was detected. For more information, go to About Smart Alerts. | DNS tunneling activity with port scan detected |
| IOA: Suspicious Tunneling Plus Port Scan | Tunneling activity with a port scan was detected. For more information, go to About Smart Alerts. | Tunneling activity with port scan detected |
| IOA: Suspicious Tunneling Plus Data Exfiltration | Tunneling activity with an unexpectedly large outbound data transfer was detected. For more information, go to About Smart Alerts. | Tunneling activity with a large outbound data transfer detected |
| IOA: Probing or Reconnaissance Activity | One or more horizontal or vertical port scans between devices in your network were detected. For more information, go to About Smart Alerts. | 1 or more horizontal or vertical port scans between internal devices detected |
| IOA: Suspected Lateral Movement Activity | Unexpected data sessions between internal devices that have no significant communication history with each other were detected in your network. For more information, go to About Smart Alerts. | Unexpected data sessions between internal devices with no communication history detected |
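Many of the NDR Level 1 policies above are per-flow rules defined by a port, a protocol and the direction of the flow relative to the network boundary (for example, UDP 5355 between two internal hosts versus UDP 5355 leaving the network). The following added example, not WatchGuard's code, evaluates one flow record against those stateless rules; the flow fields, the internal address ranges and the Active Directory server address are constructed assumptions, and the volume-over-time policies (such as the 40,000-byte file-sharing upload rule) are deliberately left out because they need windowed state rather than a single flow.

```python
"""Flow-level model of several stateless ThreatSync+ NDR Level 1 policies.

Constructed example: the Flow fields, INTERNAL_NETS and AD_SERVERS are
assumptions for this demo, not the ThreatSync+ NDR data model.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]   # assumed internal ranges
AD_SERVERS = {"10.0.0.10"}                                  # assumed Active Directory server
AD_ALLOWED_EXTERNAL_PORTS = {53, 80, 123, 443}              # ports the AD-to-External policy permits


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    nbytes: int   # bytes carried by the flow


def is_internal(addr):
    """True if the address belongs to one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow):
    """Return the names of the Level 1 policies this single flow would trigger."""
    hits = []
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    udp, tcp = flow.proto == "udp", flow.proto == "tcp"

    # Active Directory to External: AD server talking to the Internet on an unexpected port
    if flow.src in AD_SERVERS and not dst_in and flow.dport not in AD_ALLOWED_EXTERNAL_PORTS:
        hits.append("Active Directory to External")

    # LLMNR (UDP 5355), more than 1 byte: internal-to-internal vs. leaving the boundary
    if udp and flow.dport == 5355 and flow.nbytes > 1:
        if src_in and dst_in:
            hits.append("Internal LLMNR Traffic")
        elif src_in and not dst_in:
            hits.append("LLMNR Traffic Crossing Network Boundary")

    # mDNS (UDP 5353), more than 1 byte, between two internal endpoints
    if udp and flow.dport == 5353 and flow.nbytes > 1 and src_in and dst_in:
        hits.append("Internal mDNS Traffic")

    # NetBIOS-NS (UDP 137) from an internal host to the external network
    if udp and flow.dport == 137 and src_in and not dst_in:
        hits.append("NetBIOS-NS Traffic Crossing Network Boundary")

    # WUDO (port 7680): inside the private network vs. out to public addresses
    if flow.dport == 7680 and src_in:
        hits.append("Internal WUDO Traffic" if dst_in else "WUDO Traffic Crossing Network Boundary")

    # Telnet (TCP 23): inbound from the Internet vs. between internal devices
    if tcp and flow.dport == 23 and dst_in:
        hits.append("Unsecured Internal Telnet Traffic" if src_in else "Unsecured Inbound Telnet Traffic")

    # Unsecured HTTP (TCP 80) from an external source to an internal device
    if tcp and flow.dport == 80 and not src_in and dst_in:
        hits.append("Unsecured Inbound Web Server Activity")
    return hits
```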
ThreatSync+ SaaS
ThreatSync+ SaaS policy alerts appear as Advanced Security Policy incidents in ThreatSync. This table outlines the types of Advanced Security Policy incidents ThreatSync receives from ThreatSync+ SaaS, and what triggers them:
| Incident Type | Incident Description | Trigger |
|---|---|---|
| Advanced Security Policy: Anonymous File Activity | An anonymous user gained access to files. This might be an attacker trying to encrypt or exfiltrate your data. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | User gained access to a file made available for public access through an anonymous link |
| Advanced Security Policy: Internal Files Made Public | This policy generates alerts when internal files are made available to anyone on the Internet, which might expose files to an attacker who can try to exfiltrate your data. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | User created an anonymous link for a file |
| Advanced Security Policy: Internal Files Shared Externally | This policy generates alerts when an internal user in your organization shares internal files with an external user. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | Internal user shared internal files with an external user |
| Advanced Security Policy: Possible Brute Force Account Access Attempt | This policy generates alerts when a user tries and fails to log in to resources on your network multiple times. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | User tried and failed to log in to resources on your network multiple times within 30 minutes |
| Advanced Security Policy: Brute Force Attempt | This policy generates alerts when a user tries and fails to log in to resources on your network multiple times followed by a successful login. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | User tried and failed to log in to resources on your network multiple times, then successfully logged in, within 30 minutes |
| Advanced Security Policy: Suspicious Access Location | This policy generates alerts when a user connects to resources on your network from a suspicious location. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | User connected to resources on the network from a suspicious location |
| Advanced Security Policy: Suspicious Access Time | This policy generates alerts when a user connects to resources on your network at a suspicious time. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | User connected to resources on the network at a suspicious time |
| Advanced Security Policy: Suspicious Rate of File Activity | A suspicious rate of file creation, deletion, or modification is detected. This might occur when an attacker encrypts your files with ransomware or exfiltrates your files. For more information, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365. | Suspicious rate of file creation, deletion, or modification detected |