Configure TDR Notification Rules

In your Threat Detection and Response account, you can configure notification rules that enable TDR to generate email notifications about host containment, incidents, indicators, host protection, or remediations. Notification rules make it easier for you to respond to emerging threats on your network, and provide awareness of host status changes and threats that have been remediated.

TDR supports these notification types:

Containment

Sends notifications when a host is contained or released from containment

Incident

Sends notifications based on the threat score of an incident

Indicator

Sends notifications based on the threat score of an indicator

Protection

Sends notifications when protection is paused or resumed on a host

Remediation

Sends notifications when a remediation succeeds or fails, based on the original indicator threat score

Sensor Status

Sends notifications when a sensor is in the selected state for the specified period of time

For each notification rule, these settings determine when notifications are generated, and who receives them:

  • Threat Score threshold — For an Incident or Indicator notification rule, the minimum incident or indicator score that triggers the notification
  • Previous Threat Score threshold — For a Remediation notification rule, the previous score of an indicator that has been remediated
  • Containment changes — For a Containment notification rule, changes to the host containment status
  • Protection changes — For a Protection notification rule, changes to the host protection status
  • Remediation result — For a Remediation notification rule, the result of the remediation action
  • Timeframe Threshold — For a Sensor Status notification rule, specify the number of hours a sensor is in the specified state before a notification is sent
  • Sensor Status — For a Sensor Status notification rule, select one or more statuses to trigger a notification
  • Source — For an Indicator notification rule, the source (Host Sensor, Firebox, or both) that reports the indicator
  • Hosts or host groups — Hosts and Host Groups to monitor for this notification
  • Notification recipients — The email addresses to send the notification to

When an incident, indicator, remediation, host containment change, host protection, or sensor status change matches a configured notification rule, TDR automatically sends a notification email to recipients. Indicator and remediation notification emails for the same event include the same ID. The recipient can click a link in the notification email to go directly to a TDR page that contains more information.
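The matching semantics above (score equal to or higher than the threshold, indicator source selection, previous score plus result for remediations, hours in a status for sensors) as an added, runnable model for checking a rule set before you deploy it. This is example code, not TDR's own logic or schema; the Rule fields, event dictionaries, host names and addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Hypothetical model of one TDR notification rule; field names are assumptions, not TDR's schema."""
    kind: str            # containment, incident, indicator, protection, remediation, sensor_status
    hosts: set           # host or group names to monitor; "All Hosts" covers every host
    recipients: list     # email addresses
    threshold: int = 0   # Threat Score threshold (Previous Threat Score for remediation rules)
    sources: set = field(default_factory=set)   # indicator rules: "Host Sensor" and/or "Firebox"
    changes: set = field(default_factory=set)   # containment/protection changes or remediation results
    statuses: set = field(default_factory=set)  # sensor status rules: selected statuses
    timeframe_hours: int = 0                    # sensor status rules: hours in that status first

def rule_matches(rule, event):
    """True when the event satisfies every condition of the rule (group expansion is out of scope)."""
    if event["kind"] != rule.kind:
        return False
    if "All Hosts" not in rule.hosts and event["host"] not in rule.hosts:
        return False
    if rule.kind in ("incident", "indicator"):
        if event["score"] < rule.threshold:   # fires at a score equal to or higher than the threshold
            return False
        return rule.kind == "incident" or event["source"] in rule.sources
    if rule.kind == "remediation":            # judged on the score before remediation plus the result
        return event["previous_score"] >= rule.threshold and event["result"] in rule.changes
    if rule.kind in ("containment", "protection"):
        return event["change"] in rule.changes
    if rule.kind == "sensor_status":
        return event["status"] in rule.statuses and event["hours"] >= rule.timeframe_hours
    return False

def recipients_for(rules, event):
    """Deduplicated recipients across every rule the event matches."""
    out = []
    for r in rules:
        if rule_matches(r, event):
            out.extend(a for a in r.recipients if a not in out)
    return out

# Constructed sample rules and events, not taken from a real TDR account.
RULES = [
    Rule("indicator", {"All Hosts"}, ["soc@example.test"], threshold=7, sources={"Firebox"}),
    Rule("remediation", {"fin-pc-03"}, ["fin-it@example.test"], threshold=8, changes={"failed"}),
    Rule("sensor_status", {"All Hosts"}, ["ops@example.test"], statuses={"not communicating"}, timeframe_hours=24),
]
EVENTS = [
    {"kind": "indicator", "host": "pc-01", "score": 7, "source": "Firebox"},       # matches rule 0
    {"kind": "indicator", "host": "pc-01", "score": 9, "source": "Host Sensor"},   # source not selected
    {"kind": "remediation", "host": "fin-pc-03", "previous_score": 9, "result": "failed"},
    {"kind": "sensor_status", "host": "pc-02", "status": "not communicating", "hours": 12},  # under 24 h
]
```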

See and Manage Notification Rules

To receive email notifications about TDR events, add notification rules.

To manage notification rules:

  1. Log in to the TDR Web UI as an Analyst.
  2. Select Configuration > Notification Rules.
    The Notification Rules page appears.

Screen shot of the Notification Rules page

  3. To search for notification rules related to a specific host or group, in the search criteria text box, type the name of the host or group.
  4. To filter the list based on other rule properties, in the column headings specify the filters.

From the Notification Rules page, you can add, edit, duplicate, and remove notification rules, and you can back up and import rules.

Add a Notification Rule

To add a notification rule:

  1. From the Notification Rules page, click Add Notification.
  2. Select the notification type from the drop-down list.
    The notification rule settings appear.

Screen shot of a new Indicator notification rule

  3. In the Name text box, type a name for this rule.
  4. From the Language drop-down list, select the language for the notification email.
  5. In the Comments text box, type a description of this rule.
  6. Specify the thresholds or changes that you want to generate the notification.
    • For a Containment notification rule, select the check boxes next to the host containment changes that you want to generate a notification. You can generate notifications when a host is contained and when a host is released from containment.
    • For an Incident or Indicator notification rule, from the Select a Threat Score Threshold drop-down list, select the indicator or incident threat score at which you want to send a notification.
      TDR sends a notification for an indicator or incident with a Threat Score equal to or higher than the value you select here.
      • For Indicator notification rules, you must specify which source reports the indicator. Select the check box for Host Sensor or Firebox. If you select both Host Sensor and Firebox, a notification is sent when either reports an indicator.
    • For a Protection notification rule, select the check boxes next to the host protection changes that you want to generate a notification. You can generate notifications when protection is paused and when protection is resumed on a host.
    • For a Remediation notification rule:
      • From the Select a Previous Threat Score Threshold drop-down list, select the previous threat score at which you want to send a notification. This is the score of the indicator before it was remediated.
      • Select the check boxes next to the Remediation Result values that you want to generate a notification. You can generate notifications when a remediation succeeds or fails.
    • For a Sensor Status notification rule:
      • In the Timeframe Threshold text box, type the number of hours the sensor must persist in the selected status before a notification is triggered.
      • Select one or more Sensor Status check boxes:
        • — Host Sensor is installed but has a problem
        • — Host Sensor has shut down correctly
        • — Host Sensor is not communicating
  7. Select the host or host group to monitor.
    1. In the Host Name or Host Group text box, type at least three characters from the name of the host or host group to add. Tip! To specify all hosts, type "All Hosts". This is a built-in default group that includes all hosts that have a Host Sensor installed.
      Host names and group names that include those characters appear.
    2. Select the host or group name to add.
    3. To add other hosts or host groups, repeat the previous two steps.
  8. To specify a notification recipient, in the Add Email Address text box, type a valid email address and click Add.
  9. Repeat the previous step for each recipient of this notification.
  10. Click Save & Close.
    The notification rule is added to the Notification Rules list.

Send a Test Notification Email

After you add a notification rule, you can send a test notification email to the recipients specified in the rule.

To send a test email for a notification rule, from the Notification Rules page:

  1. Adjacent to the notification rule, click .
  2. Select Send Test Email.

Back Up or Import Notification Rules

You can save a backup of all notification rules to a backup file. The backup file is saved in JSON format. To add the notification rules to any TDR account, you can import the saved .JSON file. This enables a TDR Service Provider to easily copy notification rules configured in one managed customer account to another managed account. To avoid duplicate notification rules, the imported notification rules are merged with the current list of rules.

If the name of a notification rule in an imported backup file matches the name of an existing rule, the imported rule replaces the existing rule.

To save the notification rules to a backup file:

  1. Select Configuration > Notification Rules.
    The list of currently configured notification rules appears.
  2. Click Backup.
    The backup file is saved to the downloads folder.

The name of the backup file includes the current date and time. For example:

WatchGuardTDR_Notifications_2018-01-10_20-02-03.json

To import notification rules from a saved backup file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The notification rules from the file are added to the Notification Rules list.
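The backup file naming and the merge-by-name import behaviour described above, as an added example for reviewing a backup offline before importing it into another managed account. This is not TDR's code or its real backup schema: the "name" and "recipients" keys, the rule contents, and the domain check are constructed assumptions, and the only thing taken from the page is the file name pattern.

```python
import json
import re
from datetime import datetime

# Backup file names carry the date and time of the backup (pattern as shown on this page).
BACKUP_NAME = re.compile(r"^WatchGuardTDR_Notifications_(\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})\.json$")

def backup_timestamp(filename):
    """Return the datetime encoded in a backup file name, or None if the name does not match."""
    m = BACKUP_NAME.match(filename)
    return datetime.strptime(m.group(1), "%Y-%m-%d_%H-%M-%S") if m else None

def merge_rules(existing, imported):
    """Merge imported rules into the existing list the way the page describes:
    an imported rule whose name matches an existing rule replaces it; others are appended."""
    by_name = {r["name"]: r for r in existing}
    for r in imported:
        by_name[r["name"]] = r
    return list(by_name.values())

def foreign_recipients(rules, allowed_domains):
    """Pre-import check for a service provider copying rules between customer accounts:
    list recipient addresses whose domain is not one the target account should notify."""
    flagged = []
    for r in rules:
        for addr in r.get("recipients", []):
            domain = addr.rpartition("@")[2].lower()
            if domain not in allowed_domains:
                flagged.append((r["name"], addr))
    return flagged

# Constructed backup content; "name" and "recipients" keys are assumed, not TDR's real schema.
EXISTING = [
    {"name": "High incidents", "type": "Incident", "threshold": 7, "recipients": ["soc@acme.test"]},
    {"name": "Sensor offline", "type": "Sensor Status", "recipients": ["ops@acme.test"]},
]
IMPORTED = [
    {"name": "High incidents", "type": "Incident", "threshold": 8, "recipients": ["soc@acme.test"]},
    {"name": "Failed remediations", "type": "Remediation", "recipients": ["it@othercustomer.test"]},
]
IMPORTED_JSON = json.dumps(IMPORTED)   # stands in for the saved backup file's content

def import_backup(existing, backup_json, allowed_domains):
    """Parse a backup, refuse it if any recipient is outside the target account, otherwise merge."""
    imported = json.loads(backup_json)
    problems = foreign_recipients(imported, allowed_domains)
    if problems:
        raise ValueError(f"recipients outside the target account: {problems}")
    return merge_rules(existing, imported)
```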

Edit, Duplicate, or Remove a Notification Rule

To edit a notification rule, from the Notification Rules page:

  1. To expand the details of a notification rule, click .
  2. Edit the settings, as described in Add a Notification Rule.
  3. Click Save & Close.

To duplicate a notification rule, from the Notification Rules page:

  1. Adjacent to the notification rule to duplicate, click .
  2. Select Duplicate Notification Rule.

To remove a notification rule, from the Notification Rules page:

  1. Adjacent to the notification rule to remove, click .
  2. Select Remove Notification Rule.

See Also

TDR Remediation Actions and Threat Scores

About TDR Threat Scores