Indicators of Attack List

Applies To: WatchGuard EPDR, WatchGuard EDR

The Indicators of Attack list shows details of the IOAs detected on workstations and servers by WatchGuard Endpoint Security.

Each IOA refers to a single computer and IOA type. If the same chain of suspicious events occurs on multiple computers, WatchGuard Endpoint Security generates a separate IOA for each computer. If the same pattern is detected several times in an hour on the same computer, a minimum of two IOAs are generated — one when the first IOA is detected and one every hour that shows the number of occurrences in that hour.

From the options menu for a computer row, you can:

Filter the Indicators of Attack List

To filter the Indicators of Attack list and open attack details:

  1. Click Filters.

  2. Specify the parameters you want to filter the results for.
    • Risk — Impact of the IOA detected (Critical, High, Medium, Low, Unknown).
    • Action — Type of action taken by WatchGuard Endpoint Security on brute-force attacks against RDP IOAs (Reported, Attack Blocked).
    • Tactic — Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.
    • Dates — Time period when the IOA was generated.
    • Status — Status of the IOA (Archived or Pending). Archived IOAs no longer require administrator attention because they were false positives or have been resolved. Pending IOAs have not yet been investigated by the administrator.
    • Indicator of Attack — Name of the rule that detected the pattern of events that triggered the IOA.
    • Technique — Category of the attack technique that generated the IOA, mapped to the MITRE matrix.
  3. Click Filter.
    To export the list to a CSV file, click .
  4. To view the IOA details for a computer, select the computer in the list.
    For more information, see Indicator of Attack Details.
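The grouping rule above (one IOA per computer and IOA type, a first IOA on detection, then one per hour carrying the occurrence count) and the filter fields in the list are easiest to reason about with a small worked example. The following Python script is an added illustration, not WatchGuard code: the event tuples, the rule-to-risk/tactic/technique mapping, the field names and the decision to count the first detection inside the first hourly summary are all constructed assumptions used only to show how the list is populated and filtered.

```python
"""Illustration of the IOA grouping and filtering rules described on the page.

Added example, not WatchGuard code. Event format, field names and the
RULE_INFO mapping are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detections: (time, computer, indicator-of-attack rule name).
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_EVENTS = [
    (T0,                          "srv-01", "Brute-force attack against RDP"),
    (T0 + timedelta(minutes=15),  "srv-01", "Brute-force attack against RDP"),
    (T0 + timedelta(minutes=40),  "srv-01", "Brute-force attack against RDP"),
    (T0 + timedelta(minutes=5),   "ws-07",  "Brute-force attack against RDP"),
    (T0 + timedelta(minutes=10),  "srv-01", "Suspicious PowerShell execution"),
]

# Constructed metadata per rule (assumed values used only for the filter fields).
RULE_INFO = {
    "Brute-force attack against RDP": {
        "risk": "High", "tactic": "Credential Access", "technique": "Brute Force"},
    "Suspicious PowerShell execution": {
        "risk": "Medium", "tactic": "Execution",
        "technique": "Command and Scripting Interpreter"},
}
UNKNOWN = {"risk": "Unknown", "tactic": "Unknown", "technique": "Unknown"}


def aggregate_ioas(events, window=timedelta(hours=1)):
    """Group raw detections into IOA rows the way the page describes.

    - One group per (computer, rule): the same pattern on two computers
      gives two independent IOAs.
    - The first detection in a group always produces an IOA.
    - Detections are then counted per one-hour window measured from the
      first detection; every window with repeats (or any later window)
      produces one hourly IOA carrying the occurrence count.
    """
    grouped = defaultdict(list)
    for ts, computer, rule in events:
        grouped[(computer, rule)].append(ts)

    ioas = []
    for (computer, rule), times in grouped.items():
        times.sort()
        first = times[0]
        base = {"computer": computer, "indicator": rule, "status": "Pending",
                **RULE_INFO.get(rule, UNKNOWN)}
        ioas.append({**base, "time": first, "occurrences": 1, "kind": "first"})

        per_window = defaultdict(int)
        for ts in times:
            per_window[(ts - first) // window] += 1  # integer window index
        for idx, count in sorted(per_window.items()):
            if idx > 0 or count > 1:  # window 0 with a single hit is the "first" IOA
                ioas.append({**base, "time": first + idx * window,
                             "occurrences": count, "kind": "hourly"})
    return ioas


def filter_ioas(ioas, since=None, until=None, **fields):
    """Apply the list's filters: a date range plus exact matches on any field
    (risk, status, tactic, technique, indicator, computer, ...)."""
    out = []
    for ioa in ioas:
        if since is not None and ioa["time"] < since:
            continue
        if until is not None and ioa["time"] > until:
            continue
        if all(ioa.get(name) == value for name, value in fields.items()):
            out.append(ioa)
    return out


def archive(ioa):
    """Mark an IOA as handled (false positive or resolved)."""
    return {**ioa, "status": "Archived"}


if __name__ == "__main__":
    rows = aggregate_ioas(SAMPLE_EVENTS)
    for row in rows:
        print(f'{row["time"]:%H:%M} {row["computer"]:7} {row["risk"]:6} '
              f'{row["kind"]:6} x{row["occurrences"]} {row["indicator"]}')
    print("High-risk pending:", len(filter_ioas(rows, risk="High", status="Pending")))
```

With the constructed events, srv-01 yields two rows for the RDP rule (the first detection plus an hourly row with three occurrences), ws-07 yields one row for the same rule, and srv-01 yields one row for the PowerShell rule, so four IOAs in total, three of them High risk.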

