Configure Indicators of Attack Settings

Applies To: WatchGuard Advanced EPDR This topic applies to the WatchGuard Advanced EPDR endpoint security product., WatchGuard EPDR This topic applies to the WatchGuard EPDR endpoint security product., WatchGuard EDR This topic applies to the WatchGuard EDR endpoint security product.

Indicators of Attack (IOAs) are confirmed events that are highly likely to be an attack. By default, all available Indicators of Attack are enabled. You can disable or enable Indicators of Attack as required.

To configure Indicators of Attack settings:

1. In WatchGuard Cloud, select Configure > Endpoints.
2. Select Settings.
3. From the left pane, select Indicators of Attack.
4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
   The Add Settings or Edit Settings page opens.
   
5. Enter a Name and Description for the profile, if required.
6. Enable the RDP Attack toggle and Configure RDP Attack Settings, if required.
7. Enable the toggles for any the Indicators of Attack you want to include in the settings profile.
   For information on the type of IOA, click the information icon. WatchGuard periodically updates the list of indicators of attack to reflect new strategies used by cybercriminals.
8. (Advanced EPDR) Enable the Advanced IOA toggle.
   • Enable the toggles for the Advanced Indicators of Attack you want to include in the settings profile.
     Advanced IOAs are enabled by default in new accounts. Advanced Indicators of Attack (IOAs) provide in-depth monitoring of the applications on your computers, detect suspicious behavior, and determine if the event is an IOA. For information on the type of advanced IOA, click the information icon.
9. Click Save.
10. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

Related Topics

Manage Settings Profiles

Configure RDP Attack Settings