Configure WatchGuard Core MDR Settings

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR

Applies To: WatchGuard Core MDR

For environments that use Endpoint Security products such as Advanced EPDR, EPDR, and EDR, WatchGuard Core MDR enables the WatchGuard SOC team to monitor your licensed endpoints and your cloud-based Office 365 environment. For more information, go to About WatchGuard MDR.

After you purchase, activate, and allocate the WatchGuard Core MDR license for a new customer in WatchGuard Cloud, complete the MDR settings in the WatchGuard Endpoint Security UI. The information you provide helps the WatchGuard SOC team understand the customer environment, which devices provide critical services, and whether WatchGuard can automatically isolate infected computers.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure MDR permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

Screen shot of WatchGuard MDR enrollment page

Before you begin, you must activate your WatchGuard Core MDR license and allocate the endpoints in WatchGuard Cloud. For more information, go to Activate an Endpoint Security License and Allocate Endpoints.

To complete the WatchGuard Core MDR customer settings:

  1. In WatchGuard Cloud, select the Subscriber account for the customer.
  2. Select Configure > Endpoints.
  3. Select Settings.
  4. From the left pane, select MDR.
    The WatchGuard Core MDR settings page opens.
  5. From the Customer Business Vertical section, select the business vertical for the customer.
  6. In the Number of Business Locations text box, enter the number of locations.
  7. In the Number of Employees text box, enter the number of employees.
  8. If the customer has remote employees, enable Includes Remote Employees.
  9. From the Operating Systems section, select the operating systems used by the customer.
  10. In the Hardware Devices section, add the hardware vendors and devices used in the customer network.
    1. Click Add Hardware Vendor.
    2. In the Hardware Vendor text box, enter the hardware vendor name.
    3. Select the hardware types for the vendor.
    4. Repeat these steps to add additional hardware devices.
  11. In the Critical Computers section, specify computers that provide a critical service or require additional attention.
    1. Click Add Computers.
    2. To select a group of computers, from the Computer Groups list, select a group.
    3. To select individual computers, from the Additional Computers list, select the critical computers.
    4. Click Add.
  12. To allow the WatchGuard SOC team to isolate computers on the customer network, in the Response Plan section, enable Allow WatchGuard Security Operations Center to Isolate Computers on the Customer Network.
  13. To add computers that WatchGuard cannot isolate without additional approval, in the Exceptions section, click Add Computers.
    1. To select a group of computers, from the Computer Groups list, select a group.
    2. To select individual computers, from the Additional Computers list, select the critical computers.
    3. Click Add.
  14. Click Save.

To help you mitigate and remediate identified threats, WatchGuard MDR automatically delivers periodic health status and service activity reports. The SOC team sends reports to the recipient email addresses you provide on the Tenant Settings page of the Managed Services portal. For more information, go to MDR Reports.

Confirm WatchGuard Endpoint Security Installation and Configuration

For a successful implementation of the WatchGuard Core MDR service, it is important that WatchGuard Endpoint Security software is correctly deployed and configured on your customer's endpoints.

To help you verify that your customer's WatchGuard Endpoint Security products are configured correctly and securely, the onboarding team provides a checklist of important configuration settings. Make sure that:

  • The WatchGuard Endpoint Agent is installed on all endpoints.
  • The management UI is protected by multi-factor authentication.
  • Anti-tamper protection is enabled.
  • Protection cannot be uninstalled without a password.
  • All endpoints are configured to use Hardening or Block mode.
  • Anti-exploit protection is enabled for all endpoints.

WatchGuard also recommends that you allocate the WatchGuard Full Encryption and Patch Management modules to the customer account.
