Risk Scores and Risk Levels in ThreatSync
Applies To: ThreatSync
Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
ThreatSync assigns risk scores and risk levels to help Incident Responders identify issues and prioritize responses in their networks.
- Incident Risk Scores and Risk Levels in ThreatSync
- Endpoint Risk Scores and Risk Levels in ThreatSync
- User Risk Scores and Risk Levels in ThreatSync
Incident Risk Scores and Risk Levels in ThreatSync
The incident risk score indicates the severity of an incident. ThreatSync calculates the risk score for an incident with an algorithm that correlates data from multiple WatchGuard products. The risk score determines the risk level. Risk levels indicate the relative severity of an incident and guide Incident Responders on which incidents to prioritize for review. ThreatSync categorizes risk scores into these risk levels:
| Risk Level | Risk Score | Description |
|---|---|---|
| Critical | 9, 10 | Incidents with critical risk scores require a response. We recommend you configure automation policies to respond to incidents with critical risk scores. |
| High | 7, 8 | We strongly recommend a response action for incidents with high risk scores. Investigate these types of incidents and configure automation policies to respond to incidents with high risk scores. |
| Medium | 4, 5, 6 | We recommend a response action for incidents with medium risk scores. Investigate these types of incidents to determine whether a response is necessary. |
| Low | 1, 2, 3 | Investigate incidents with low risk if you have the time and resources available. |
This table shows the possible risk scores and levels associated with different incident types and sources in ThreatSync:
| Incident Type | Source | Possible Risk Score Range | Possible Risk Levels |
|---|---|---|---|
| Intrusion Attempt | Firebox (Intrusion Prevention Service) | 4–6 | Medium |
| Malicious IP Address | Firebox (Botnet Detection) | 4–6 | Medium |
| Malicious URL | Firebox (WebBlocker) | 4–7 | High, Medium |
| Malware | Firebox (APT Blocker) | 6–10 | Critical, High, Medium |
| Virus | Firebox (Gateway AntiVirus, IntelligentAV) | 4–6 | Medium |
| Advanced Security Policy | Endpoint Security | 1–5 | Medium, Low |
| Exploit | Endpoint Security | 7–8 | High |
| IOA (Indicators of Attack) | Endpoint Security | 3–10 | Critical, High, Medium, Low |
| Intrusion Attempt | Endpoint Security | 4–6 | Medium |
| Malware | Endpoint Security | 6–10 | Critical, High, Medium |
| PUP | Endpoint Security | 7–8 | High |
| Unknown Program | Endpoint Security | 4–6 | Medium |
| Advanced Security Policy | ThreatSync+ NDR | 1–10 | Critical, High, Medium, Low |
| IOA (Indicators of Attack) | ThreatSync+ NDR | 1–10 | Critical, High, Medium, Low |
| Advanced Security Policy | ThreatSync+ SaaS | 1–10 | Critical, High, Medium, Low |
| Credential Access | AuthPoint | 6–8 | Critical, High, Medium |
| Malicious Access Point | Wi-Fi | 5–7 | High, Medium |
Endpoint Risk Scores and Risk Levels in ThreatSync
ThreatSync determines the risk score for an endpoint based on the incident risk scores associated with the endpoint in the past 30 days. The endpoint risk score is the same as the value of the highest incident risk score detected on the endpoint in the past 30 days. For example, if an endpoint has two open incidents in a 30-day period, one with an incident risk score of 9 and the other with a risk score of 7, the endpoint risk score is 9.
ThreatSync uses only new and read incidents to determine endpoint risk scores, not closed incidents. When a new incident occurs or an incident is closed, ThreatSync recalculates the endpoint risk score. After the detection of a new incident, recalculated endpoint risk scores can take several seconds to appear in the ThreatSync UI.
ThreatSync determines the risk level for an endpoint based on its risk score. ThreatSync categorizes endpoint risk scores into these risk levels:
| Risk Level | Risk Score | Description |
|---|---|---|
| Critical | 9, 10 | Endpoints with critical risk scores require immediate attention and investigation. |
| High | 7, 8 | We strongly recommend you investigate endpoints with high risk scores. |
| Medium | 4, 5, 6 | We recommend you investigate endpoints with medium risk scores. |
| Low | 1, 2, 3 | Investigate endpoints with low risk scores if you have the time and resources available. |
User Risk Scores and Risk Levels in ThreatSync
ThreatSync determines the risk score for a user based on the risk scores for open incidents associated with that user. The score is the same as the value of the highest detected open incident risk score. For example, if a user has two open incidents, one with an incident risk score of 8 and the other with a risk score of 5, the user risk score is 8.
ThreatSync uses only new and read incidents to determine user risk scores, not closed incidents. When a new incident occurs or an incident is closed, ThreatSync recalculates the user risk score. After the detection of a new incident, recalculated user risk scores can take several seconds to appear in the ThreatSync UI.
ThreatSync determines the risk level for a user based on the user's risk score. ThreatSync categorizes user risk scores into these risk levels:
| Risk Level | Risk Score | Description |
|---|---|---|
| Critical | 9, 10 | Users with critical risk scores require immediate attention and investigation. |
| High | 7, 8 | We strongly recommend you investigate users with high risk scores. |
| Medium | 4, 5, 6 | We recommend you investigate users with medium risk scores. |
| Low | 1, 2, 3 | We recommend you investigate users with low risk scores if you have the time and resources available. |
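The roll-up rules described in the endpoint and user sections above (the entity score is the highest score among new and read incidents, closed incidents are excluded, and only endpoint scores are limited to a 30-day window) and the four score bands shared by all three tables, written out as an added Python example. This is not ThreatSync code: the `Incident` field names, the `"new"`/`"read"`/`"closed"` status strings, the `close_incident` helper and the `"None"` level returned for an entity with no open incidents are assumptions of the example, and the incident data is constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Risk levels and their score bands, as documented for incidents, endpoints
# and users (the same four bands apply to all three).
RISK_LEVELS = (
    ("Critical", 9, 10),
    ("High", 7, 8),
    ("Medium", 4, 6),
    ("Low", 1, 3),
)


def risk_level(score: int) -> str:
    """Map a 1-10 risk score to its documented risk level.

    A score of 0 means "no open incidents" and maps to "None"; that value is
    an assumption of this example, not something the documentation defines.
    """
    if score == 0:
        return "None"
    for name, low, high in RISK_LEVELS:
        if low <= score <= high:
            return name
    raise ValueError(f"risk score out of range 1-10: {score}")


# Only new and read incidents count toward entity scores; closed ones do not.
OPEN_STATUSES = frozenset({"new", "read"})
# Endpoint scores consider incidents from the past 30 days only.
ENDPOINT_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Incident:
    # Hypothetical field layout for this example.
    incident_id: str
    risk_score: int
    status: str                      # "new", "read" or "closed"
    detected_at: datetime
    endpoint: Optional[str] = None
    user: Optional[str] = None


def endpoint_risk_score(incidents: Iterable[Incident], endpoint: str, now: datetime) -> int:
    """Highest open-incident score on the endpoint within the last 30 days (0 if none)."""
    scores = [
        inc.risk_score
        for inc in incidents
        if inc.endpoint == endpoint
        and inc.status in OPEN_STATUSES
        and now - inc.detected_at <= ENDPOINT_WINDOW
    ]
    return max(scores, default=0)


def user_risk_score(incidents: Iterable[Incident], user: str) -> int:
    """Highest open-incident score associated with the user (0 if none).

    The documentation states no 30-day window for users, so none is applied.
    """
    scores = [
        inc.risk_score
        for inc in incidents
        if inc.user == user and inc.status in OPEN_STATUSES
    ]
    return max(scores, default=0)


def close_incident(incidents: Iterable[Incident], incident_id: str) -> List[Incident]:
    """Return a copy of the incident list with one incident marked closed,
    so the entity score can be recalculated the way ThreatSync does on close."""
    return [
        replace(inc, status="closed") if inc.incident_id == incident_id else inc
        for inc in incidents
    ]


# Constructed sample data (not real ThreatSync output).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident("inc-1", 9, "new", NOW - timedelta(days=2), endpoint="host-a"),
    Incident("inc-2", 7, "read", NOW - timedelta(days=10), endpoint="host-a"),
    Incident("inc-3", 10, "closed", NOW - timedelta(days=1), endpoint="host-a"),  # closed: ignored
    Incident("inc-4", 8, "new", NOW - timedelta(days=45), endpoint="host-a"),     # older than 30 days: ignored
    Incident("inc-5", 8, "new", NOW - timedelta(days=3), user="alice"),
    Incident("inc-6", 5, "read", NOW - timedelta(days=60), user="alice"),         # no window for users: counted
    Incident("inc-7", 10, "closed", NOW - timedelta(days=1), user="alice"),       # closed: ignored
]

if __name__ == "__main__":
    ep = endpoint_risk_score(SAMPLE_INCIDENTS, "host-a", NOW)
    print(f"host-a: score {ep} ({risk_level(ep)})")                       # score 9 (Critical)
    ep_after = endpoint_risk_score(close_incident(SAMPLE_INCIDENTS, "inc-1"), "host-a", NOW)
    print(f"host-a after closing inc-1: score {ep_after} ({risk_level(ep_after)})")  # score 7 (High)
    us = user_risk_score(SAMPLE_INCIDENTS, "alice")
    print(f"alice: score {us} ({risk_level(us)})")                        # score 8 (High)
```

The two exclusions shown in the sample (a closed incident with score 10 and a 45-day-old incident with score 8) are the cases an analyst most often trips over when an entity's score looks lower than its worst incident: closing an incident or letting it age out of the endpoint window drops the entity score to the next highest open incident.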