The Indicators of Attack (IOA) dashboard provides visibility into detections made by the Threat Hunting Service. Several tiles show key information and link to more detailed views.
Time Period Selector
The dashboard shows information for the time period selected by the administrator in the drop-down list at the top of the page.
You can select from these time periods:
- Last 24 hours
- Last 7 days
- Last month
The Indicators of Attack dashboard includes these tiles:
- Threat Hunting Service
- Evolution of Detections
- Indicators of Attack Mapped to the MITRE Matrix
- Detected Indicators of Attack
- Indicators of Attack by Computer
Click a tile to view detailed information.
The Threat Hunting Service tile shows a summary of the Events, Indicators, and IOAs for all computers and devices on the network during the selected time period, to help you determine whether there are intrusion attempts.
- Events — Number of actions carried out by programs installed on protected computers and monitored by WatchGuard EPDR or WatchGuard EDR.
- Indicators — Number of suspicious event patterns detected in the event data flow.
- Indicators of Attack — Number of indicators that are highly likely to be an attack.
To open the Indicators of Attack list, click the number of Indicators of Attack. For more information, see Indicators of Attack List.
To see a list of the computers that experienced an attack through RDP, click View All.
The Computer Protection Status list opens. Each row shows the red RDP icon to indicate that the computer is in RDP Attack Containment mode. For more information, see RDP Attack Containment Modes.
The Evolution of Detections tile includes a combined line and bar graph that shows the number of Indicators, Pending IOAs, and Archived IOAs over time.
- Indicators — Number of suspicious patterns detected in the received event flow.
- Pending IOAs — Number of suspicious patterns that are highly likely to indicate an attack and that an administrator has not yet analyzed or resolved.
- Archived IOAs — Number of IOAs that an administrator has analyzed or resolved and marked as Archived.
The Y-axis on the left measures the number of pending and archived IOAs detected. The Y-axis on the right measures the number of indicators detected.
To open the Indicators of Attack list, click the tile. For more information, see Indicators of Attack List.
The MITRE ATT&CK™ framework is an industry-standard knowledge base for classifying adversary tactics and techniques. Threat hunters use it to assess risk to an organization. On the IOA dashboard, this tile shows a table of the number of IOAs detected during the selected time period, arranged by MITRE tactic and technique.
To view the name and code of a technique, or the total number of detections, point to a column or box. Tactics are the column headings; techniques appear below their tactic.
Point to the red circle to see the number of pending IOAs.
Click a tactic or technique to open the Indicators of Attack list filtered by the tactic, or tactic and technique. For more information, see Indicators of Attack List.
The Detected Indicators of Attack tile shows the distribution of IOAs by type detected during the selected time period. The greater the number of detected IOAs of a particular type, the larger that type's box within the tile.
The Indicators of Attack by Computer tile shows the distribution of IOAs for each computer on the network during the selected time period.
To open a filtered Indicators of Attack list, click the box for a computer. For more information, see Indicators of Attack List.