Threat Detection and Response (TDR) is a cloud-based subscription service that integrates with your Firebox to minimize the consequences of data breaches and penetrations through early detection and automated remediation of security threats. TDR collects and analyzes forensic data from the Firebox, and from endpoints on your network, to proactively detect and respond to security threats. TDR assigns threat level scores based on heuristics, threat feeds, and a cloud-based malware verification service.
Threat Detection and Response is supported for Firebox and XTMv device models only and requires Fireware v11.12 or higher.
WatchGuard EDR Core is a service in the Total Security Suite. It provides a subset of the functionality available with WatchGuard EDR and is a replacement service for the Threat Detection and Response (TDR) host sensor in WatchGuard Cloud. Endpoints with EDR Core installed are able to send data to ThreatSync. For more information, see About WatchGuard EDR Core.
The Threat Detection and Response subscription service has several components:
Threat Detection and Response Account
Threat Detection and Response is a cloud-based service hosted by WatchGuard. Your Threat Detection and Response account in the cloud collects and analyzes forensic data received from Fireboxes and Host Sensors on your network. You log into your TDR account on the WatchGuard Portal to configure account settings, Host Sensor settings, and to monitor and manage security threats.
Because your login credentials for TDR are your WatchGuard Portal credentials, when you log in to the WatchGuard Portal, single sign-on enables you to also be automatically logged in to your TDR account.
Firebox or XTMv Device
Threat Detection and Response is a security subscription that you activate for your Firebox. In the Firebox configuration, you enable the Firebox to send data to your TDR account, and you configure policies, services, and log settings to enable the Firebox and Host Sensors to send information to your TDR account. In Fireware v12.5.4 or higher, you can enable TDR Host Sensor Enforcement to limit mobile VPN connections to devices that follow specified requirements.
You install Host Sensors on the computers on your network. Each Host Sensor collects forensic data from the host and sends it to the Threat Detection and Response cloud for analysis. Forensic data includes information related to files, processes, network connections, and registry keys on the host. You can configure Host Sensors to simply report security threats or to take action to fix certain types of security threats.
AD Helper is an application that you can install to deploy Host Sensors on your network. AD Helper uses your existing Windows Active Directory infrastructure to assist with distributed installation of Host Sensors on your network.
TDR Account Regions
WatchGuard hosts TDR servers in these regions:
- Americas (Oregon)
- Europe (Frankfurt)
- Asia Pacific
You select the account region the first time you activate a TDR subscription for a Firebox on the WatchGuard Portal. Host Sensors and Fireboxes send data to your TDR account in the region you selected.
For more information, see About TDR Account Regions.
Get Started with TDR
For information about how to get started with TDR, see: