The Indicators of Attack list shows details of the IOA detected on workstations and servers by WatchGuard Endpoint Security.
Each IOA refers to a single computer and a single IOA type. If the same chain of suspicious events occurs on multiple computers, WatchGuard Endpoint Security generates a separate IOA for each computer. If the same pattern is detected several times within an hour on the same computer, at least two IOAs are generated: one when the pattern is first detected, and one for each hour in which it recurs, showing the number of occurrences in that hour.
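The grouping rule above determines how many list rows one recurring pattern produces, which matters when you triage the list or count IOAs in an exported CSV. The following Python script, added here as an illustration and not code from WatchGuard Endpoint Security, models that rule over a constructed set of detections: one entry per computer and IOA type when the pattern is first seen, then one hourly summary entry carrying the count. The one-hour windows anchored at the first detection, the assumption that the first hour's summary is only emitted when the pattern actually recurred, and all computer and pattern names are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IoaEntry:
    """One row of the Indicators of Attack list (modelled here, not the product's schema)."""
    computer: str
    ioa_type: str
    kind: str            # "first" (reported immediately) or "hourly" (summary with count)
    window_start: datetime
    occurrences: int


def roll_up(detections, window=timedelta(hours=1)):
    """Group raw detections (timestamp, computer, ioa_type) into list entries.

    Per (computer, ioa_type): the first detection is reported immediately.
    Detections are then bucketed into consecutive one-hour windows anchored at
    that first detection; each window with activity yields one summary entry
    carrying the number of occurrences. Assumption: the first window only
    yields a summary when the pattern recurred (two or more occurrences),
    because a single detection produces a single IOA.
    """
    by_key = defaultdict(list)
    for ts, computer, ioa_type in detections:
        by_key[(computer, ioa_type)].append(ts)

    entries = []
    for (computer, ioa_type), stamps in by_key.items():
        stamps.sort()
        first = stamps[0]
        entries.append(IoaEntry(computer, ioa_type, "first", first, 1))

        buckets = defaultdict(int)
        for ts in stamps:
            buckets[(ts - first) // window] += 1   # integer index of the hour window

        for idx in sorted(buckets):
            count = buckets[idx]
            if idx == 0 and count < 2:
                continue  # lone detection: the "first" entry already covers it
            entries.append(IoaEntry(computer, ioa_type, "hourly",
                                    first + idx * window, count))

    entries.sort(key=lambda e: (e.window_start, e.computer, e.ioa_type, e.kind))
    return entries


def _t(hour, minute):
    return datetime(2024, 1, 15, hour, minute)


# Constructed sample detections (not real telemetry); names are placeholders.
SAMPLE_DETECTIONS = [
    (_t(9, 0),   "WS-01", "rdp-bruteforce"),
    (_t(9, 10),  "WS-01", "rdp-bruteforce"),
    (_t(9, 45),  "WS-01", "rdp-bruteforce"),
    (_t(10, 30), "WS-01", "rdp-bruteforce"),   # falls in the second hour window
    (_t(9, 5),   "WS-02", "rdp-bruteforce"),   # same pattern, separate computer
    (_t(9, 20),  "WS-01", "sample-pattern"),   # different IOA type on WS-01
]


def entries_for(entries, computer, ioa_type):
    """Rows for one computer and IOA type, in chronological order."""
    return [e for e in entries if e.computer == computer and e.ioa_type == ioa_type]


if __name__ == "__main__":
    for e in roll_up(SAMPLE_DETECTIONS):
        print(f"{e.window_start:%H:%M}  {e.computer:6} {e.ioa_type:15} {e.kind:7} x{e.occurrences}")
```

With the sample input, WS-01 produces three rows for the RDP pattern (the immediate entry, a 09:00 summary with three occurrences, and a 10:00 summary with one), while WS-02 and the second pattern on WS-01 each produce a single row, which is why a burst of one behaviour can show up as several list entries for one machine.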
From the options menu for a computer row, you can:
- Archive IOA or Mark an Indicator of Attack as Pending
- View the IOAs detected on the computer
- View computers on which the IOA was detected
Filter the Indicators of Attack List
To filter the Indicators of Attack list and open attack details:
- Click Filters.
- Specify the parameters you want to filter the results by:
  - Risk — Impact of the detected IOA (Critical, High, Medium, Low, Unknown).
  - Action — Action taken by WatchGuard Endpoint Security on IOAs for brute-force attacks against RDP (Reported, Attack Blocked).
  - Tactic — Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.
  - Dates — Time period in which the IOA was generated.
  - Status — Status of the IOA (Archived or Pending). Archived IOAs no longer require administrator attention because they were false positives or have been resolved. Pending IOAs have not yet been investigated by an administrator.
  - Indicator of Attack — Name of the rule that detected the pattern of events that triggered the IOA.
  - Technique — Category of the attack technique that generated the IOA, mapped to the MITRE matrix.
- Click Filter.
To export the list to a CSV file, click the export icon.
To view the IOA details for a computer, select the computer in the list.
For more information, see Indicator of Attack Details.