Manage TDR Groups

To learn about the new ThreatSync service in WatchGuard Cloud, go to About ThreatSync in WatchGuard Cloud Help. References to ThreatSync in this topic relate to the older TDR feature.

In Threat Detection and Response, you can create groups of the hosts on your network. With these groups, you can:

  • Specify a group name in a policy to configure different policies for different hosts.
    For more information, see Configure TDR Policies.
  • See and manage Host Sensors, group membership, and Host Sensor settings for a group.
    For more information, see Manage Hosts In a Group.

TDR supports three types of groups:

Active Directory Group

Active Directory groups are created in TDR when AD Helper sends the device group information from your Active Directory server to TDR. You manage membership in these groups on your Active Directory domain controller. You can synchronize the Active Directory group on your Active Directory server with TDR from the Groups page in TDR.

Host Group

You can add a Host group, which is a list of hosts. A host can be a member of only one Host group. An Analyst can manage Host Sensors for members of the group and configure Host Sensor settings specific to the group. You can create and add members to a Host Group from the Groups page or from the Hosts page.

The easiest way to add multiple hosts to a group is from the Hosts page. For more information, see Manage TDR Hosts and Host Sensors.

IP Subnet Group

You can add an IP Subnet group, which is for a specific IPv4 subnet. The group includes hosts with IP addresses in the IP subnet specified for the group.

An observer operator can see information about groups but cannot edit them.

From the Groups page, an Analyst can:

  • Synchronize Active Directory groups
  • Add, edit, and remove IP Subnet and Host groups
  • Edit the members of a Host Group
  • Install and remove Host Sensors for members of a Host group
  • Configure Host Sensor settings for a Host group

See Threat Detection and Response Groups

To see the list of groups:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the ThreatSync section, select Groups.
  4. To see information for a Host group, next to the group name, click .
    The hosts in the group and Host Sensor settings for the group appear.

An Analyst can add and edit IP Subnet and Host groups on this page. An Analyst can also manage host sensor settings, and install and remove Host Sensors for members of a group.

Manage Filters

You can filter the information seen on the page at the top of each column. You can save a filter setting so the page defaults to the specified information each time you open it.

  1. Select the column settings you want to save.
  2. In the far left column heading, click .
  3. Select Save.
  1. In the far left column heading, click .
  2. Select Apply.
  1. In the far left column heading, click .
  2. Select Clear.
  1. In the far left column heading, click .
  2. Select Remove.

Synchronize an Active Directory Group

From the Groups page, an Analyst can synchronize the Active Directory groups. When you synchronize a group, AD Helper gets updated information about the group from the Active Directory domain controller and updates the group information in your TDR account.

To synchronize an Active Directory group:

  1. On the Groups page, next to an Active Directory group, click .
  2. Select Sync Group.
    A confirmation message about whether you want to synchronize the group appears.
  3. Click Yes, Sync.

You must synchronize an Active Directory group before you can expand it on the groups page or change the Host Group membership for members of the Active Directory group.

Add a Group

From the Groups page, you can add a Host group or an IP Subnet group.

You can also use the Change Host Group action to add a Host Group for selected hosts. For more information, see Manage TDR Hosts and Host Sensors.

When you add a Host group, you specify the hosts in the group by name. Before you can add hosts to the group, you must know the names of the hosts. Because you can configure different Host Sensor settings for each group, a host cannot be a member of more than one Host group.

  1. On the Groups page, click Add Group.
    The Add Group dialog box opens.

Screen shot of the Add Group dialog box

  1. In the Group Name text box, type a name for this group.
  2. From the Type drop-down list, select Host. This is the default option.
  3. Click Add Hosts to Group.
    The Add Hosts to Group dialog box opens.

Screen shot of the Add Hosts to Group dialog box.

  1. Select the check boxes next to the host names to add.
  2. Click Add Selected Hosts.
    The hosts are added to the Add Group dialog box.
  3. To remove a host, select the check box adjacent to the host name, and click Remove Selected Hosts.
  4. Click Save & Close.

You can only manage Host Sensors from the Host Groups.

  1. On the Groups page, click Add Group.
    The Add Group dialog box opens.

Screen shot of the Add Group dialog box for an IP Subnet group

  1. In the Group Name text box, type a name for this group.
  2. From the Type drop-down list, select IP Subnet.
  3. In the Network Address text box, type the IP address of a host or network.
  4. In the Subnet Mask text box, type the subnet mask for the IP address.
  5. Click Save & Close.

Edit or Remove a Group

To edit or remove an IP Subnet or Host group, you must log in to TDR as an Analyst.

To edit a group:

  1. In the Groups list, adjacent to the group to edit, click .
  2. Select Edit Group.
    The Edit Group dialog box opens.
  3. Edit the group information as described in the previous procedure.
  4. Click Save & Close.

To remove a group:

  1. In the Groups list, adjacent to the group to remove, click .
  2. Select Remove Group.
    A confirmation message appears.
  3. Click Yes, Delete.

When you remove a group, the group is automatically removed from all policies that included it.

Manage Hosts In a Group

From the Groups page, you can see information about the hosts in a group and manage the Host Sensors and Host Sensor settings for the group. You can expand any group that includes at least one host.

To manage Hosts in a group, next to that group, click .

The group information appears on two tabs:

  • Hosts — Shows the hosts in the group and includes network, OS, and the Host Sensor status for each host
  • Host Sensor Configuration — Host Sensor settings for hosts in the group; you can configure Host Sensor settings for the group that take precedence over the global Host Sensor settings specified by the Administrator

On the Hosts tab, you can see information about the hosts in this group, add hosts to the groups, and manage Hosts Sensors and group membership.

You can complete these actions for hosts:

  • Change Host Group — Change the Host Group the host is a member of
  • Install Sensor — Use AD Helper to install a Host Sensor on a Windows host
  • Restart Sensor — Restart a Host Sensor on a host
  • Remove Sensor — Uninstall a Host Sensor from a host
  • Acknowledge Manually Removed — Acknowledge that a Host Sensor has been manually uninstalled from a host
  • Update Host — Update a Host Sensor to the latest version of TDR
  • Contain Host — Contain the host so that it cannot communicate over the network
  • Release Host — Release the host from containment
  • Pause Host Protection — Temporarily pause TDR on a host
  • Request Baseline — Perform a new baseline scan after making changes on a host

To add hosts to a group:

  1. Click Actions > Add Hosts.

    The Add Hosts to Group dialog box opens.

Screen shot of the Add Hosts to Group dialog box.

  1. Select the check boxes next to the host names to add.
  2. Click Add Selected Hosts.
    The hosts are added to the group.

To install or remove Host Sensors for one or more hosts in a group:

  1. On the Groups page, next to the group to manage click .
    The host information dialog box for that group opens.

Screen shot of the Groups page with the Hosts information expanded for a group

  1. On the Hosts tab, select the check box next to one or more hosts.
  2. From the Actions drop-down list, select an option.
    The drop-down list shows the number of selected hosts each available action applies to.
    The Confirm Action dialog box opens with the list of hosts the action applies to.

Screen shot of the Confirm Action dialog box

  1. To confirm the action, click Execute Action.

To remove a Host Sensor from a single host, in the Install State column, click .

For information about how to manually uninstall a Host Sensor from a host, see Uninstall TDR Host Sensors.

When Host Sensor Auto-Update is enabled in the General Settings page, Host Sensors are updated automatically when a new version of TDR is available. For more information, see TDR General Settings.

You can choose to update specific Host Sensors manually when a new version is available. An icon appears in the Install State column if a Host Sensor can be updated manually.

To update a specific host:

In the Install State column, next to the Host Sensor install state, click .

The Host Sensor updates to the new version.

To update multiple hosts:

  1. Select the check box next to one or more hosts in the list.
  2. Click Actions > Update.
    The Host Sensor updates to the new version.

Contained hosts cannot communicate over the network.

To contain hosts, the Enable Kernel Host Containment Action must be enabled in the Host Sensor settings. For more information, see Configure TDR Host Sensor Settings.

To contain a host:

  1. Select the check box next to the host you want to contain.
  2. Select Actions > Contain Host.

    The Confirm Action – Contain Host dialog box opens.
  3. Click Execute Action

    The host is contained and a containment icon is shown in the Sensor Status column.

Screen shot of containment icon

To release a host from containment:

  1. Select the check box next to the host you want to release.
  2. Select Actions > Release Host.
    The Confirm Action – Release Host dialog box opens.
  3. Click Execute Action
    The host is released from containment.

From the list of hosts within a group you can change the Host Group a Host is a member of. This removes the host from the current group and adds it to another group. You can also remove a Host from all groups.

To change the Host Group for one or more Hosts:

  1. Select Devices / Users > Hosts.
  2. Select the check box next to one or more hosts in the list.
  3. Select Actions > Change Host Group.
    The Change Host Group dialog box opens.

  1. Start to type the name of the group. This can be an existing group or a new group.
    As you type. the names of existing groups and the option to add a new group appear below the text box.
  2. Select the group, or select the option to add the new group with the name you typed.
    The selected hosts are added to the group you selected. If you selected the option to add a new group, the Host Group is added.

To remove one or more Host Sensors from a Host Group.

  1. Select the check box next to one or more hosts in the list.
  2. Select Actions > Change Host Group.
    The Change Host Group dialog box opens.
  3. Select No Group.
    Each selected host is removed from the Host Group it was previously a member of.

In the group configuration, you can specify Host Sensor settings that apply to only the group. The settings you specify for a group take precedence over the global Host Sensor settings configured by the Administrator.

The Host Sensor configuration includes these settings:

  • Host Sensor Settings — Specify the allowed actions of the Host Sensor.
  • Host Sensor Tamper Prevention Settings — Specify whether users can modify or uninstall the Threat Detection and Response service.
  • Host Sensor Driver Configuration Settings — Enable and disable settings for the Host Sensor driver. We recommend you keep the default settings unless you have first tested any changes with group-specific Host Sensor Configuration override settings.
  • Host Sensor Icon Settings — Enable and disable settings for the Host Sensor system tray icon.

For more information about recommended Host Sensor settings, see TDR Deployment Best Practices.

To see more information about each setting, click .

For most Host Sensor settings, a slider shows whether the setting is enabled or disabled.

— The feature is enabled

— The feature is disabled

To change each setting, click the slider. Your changes take effect immediately.

You do not need to click Save to save changes to settings that are enabled and disabled with a slider. Click Save if you made changes to other types of settings, such as the Baselines Maximum Delay Minutes text box.

To specify the Host Sensor settings for a group:

  1. On the Groups page, next to the group to manage, click .
    The host information dialog box for that group opens.
  2. Select the Host Sensor Configuration tab.

Screen shot of the Host Sensor Configuration tab

  1. To enable the Host Sensor settings for this group, click the Override Host Sensor settings for this group switch.
  2. Configure the Host Sensor settings for this group.
    For more information about these settings, see Configure TDR Host Sensor Settings.
  3. Click Save.

See Also

Manage TDR Hosts and Host Sensors

About TDR Host Ransomware Prevention