Indicator of Attack Details

Applies To: WatchGuard EPDR, WatchGuard EDR

To open the details page for an IOA, in the Indicators of Attack (IOA) list, click a computer row.

Details Page

On the details page for an IOA, you can see a detailed description of when and where the IOA occurred, as well as details of the pattern of events that led to the IOA.

In the notification section of the page, you can see this information:

  • Detection Date — Date and time when WatchGuard Endpoint Security detected the IOA on the workstation or server.
  • Indicator of Attack — Name of the indicator of attack.
  • Risk — Risk level of the indicator of attack (Critical, High, Medium, Low, or Unknown).
  • Description — Description of the chain of events detected on the computer, and the consequences it could have if the attack achieves its objectives.
    • To see a description of the tactics and techniques used on the affected computer, click Advanced Attack Investigation. A new tab opens with the report. Reports are available for a month after the IOA is generated. The report also shows events that are part of the attack during the thirty days prior to detection of the IOA.
    • If the IOA has a graph associated with it, click View Attack Graph to see an interactive diagram with the sequence of events that led to the generation of the IOA. For more information, see About Attack Graphs.

  • Recommendations — Actions that the WatchGuard Security team recommends the administrator take.

Indicator of Attack Details Section

The Indicator of Attack Details section shows the affected computer, the number of detected occurrences, and the last event date and time. To open the computer details page, click the computer name.

The Other Details text box provides data in JSON format that includes fields relevant to the event that led to the generation of the IOA.

MITRE Section

The MITRE section of the page shows details of the attack, mapped to the MITRE ATT&CK matrix.

For each attack, these details are available:

  • Tactic — Category of the attack tactic that generated the IOA, mapped to the MITRE matrix. Click the tactic to open a new window with detailed MITRE information on the tactic.
  • Technique — Category of the attack technique that generated the IOA, mapped to the MITRE matrix. Click the technique to open a new window with detailed MITRE information on the technique.
  • Platform — Operating system and environments where MITRE has previously recorded this type of attack.
  • Permissions Required — Permissions required to run the attack.
  • Description — Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.

See Also

Indicators of Attack

Mark an Indicator of Attack as Pending

Archive an Indicator of Attack