Contents

Configure TDR Policies

TDR policies define the actions that a Host Sensor can take automatically when it detects a threat. Your TDR account includes default policies with recommended settings. You can edit the default policies and configure additional TDR policies that apply to different hosts and host groups at different Cybercon levels.

For information about the default policies and policy recommendations, see Recommended TDR Policies.

TDR policies are ranked to show their relative priority. TDR evaluates the policies in rank order. More than one TDR policy can apply to the same host at the same time. All active policies for the target are evaluated in rank order to determine which actions a Host Sensor is allowed to perform. If two or more active policies could allow or prevent an action for the same target host, the highest rank (lowest number) policy has priority.

As part of your network security procedures, you define the Cybercon levels to have specific meaning to your organization. After you define the meaning of Cybercon levels, you can configure TDR policies for each level. For more information, see About TDR Cybercon Levels.

TDR Policy Types

In TDR, you can configure three types of policies:

Remediation Policy

A Remediation policy defines actions that Host Sensors can take automatically in response to threats detected on a host.

APT Blocker Policy

An APT Blocker policy defines when Host Sensors can automatically upload suspicious files for analysis in a secure sandbox environment. For more information, see TDR Sandbox Analysis by APT Blocker.

Before you can add an APT Blocker policy you must enable the APT Blocker feature on the General Settings page. For more information, see TDR General Settings.

Containment Policy

A Containment Policy defines when Windows hosts will be contained and released from containment automatically based on an incident threat score threshold. Containment shuts down network connections on a host so that threats cannot spread through the network. For more information, see Configure TDR Containment.

About Active TDR Policies

The policies active in your TDR account depend on the Cybercon level and on the Cybercon Threshold and rank configured in your TDR policies. If the active policies change, either because of a change to the Cybercon level or a change to policy configuration, the active policies apply immediately to new indicators that meet the criteria in the policies. After a change to policies or Cybercon level, TDR also reevaluates existing indicators that have one of these prior outcomes:

  • No Policy — there was no active policy to take the requested remediation action
  • Blocked by policy — a remediation policy blocked the requested remediation action

Because you might make several changes to TDR policies in a short period of time, TDR waits five minutes after the last change to policy or Cybercon level before it reevaluates existing indicators.

APT Blocker policies can apply only to new indicators. TDR does not reevaluate existing indicators when the Cybercon level or active APT Blocker policies change.

Policy Rules, Actions, and Targets

For each TDR policy, you configure Rules, Actions, and Targets.

Rules

Rules define when Host Sensors execute the TDR policy. For a Remediation policy or Containment policy you configure two thresholds that control when Host Sensors execute the actions in the policy:

  • Cybercon Threshold — The maximum Cybercon level required to execute the policy.
  • Threat Score Threshold — The maximum indicator or incident Threat Score detected on a host that is required to execute the policy. For a Remediation policy, if the CYBERCON threshold rule is met, the policy applies to new indicators on target hosts when the indicator score is equal to or greater than the threshold enabled in the policy. For a Containment policy, if the CYBERCON threshold rule is met, the policy applies to new incidents on target hosts when the incident score is equal to or greater than the threshold enabled in the policy.

For an APT Blocker policy, you configure only a Cybercon Threshold.

Actions

Actions define what the Host Sensor does when the policy executes.

Policy actions apply only to new indicators that match policy rules. Policies do not apply to indicators that existed before the policy was active.

For each policy, you define whether the policy allows or denies actions.

  • Perform — The policy allows the Host Sensor to perform the specified actions for new indicators that match the policy rules.
  • Not Perform — The policy does not allow the Host Sensor to perform the specified actions if they are allowed by a lower ranked policy that applies to the same target host. A policy with the Not Perform action does not prevent an operator from manually executing an action.

For a Remediation policy, select one or more of these actions:

  • Kill Process — Applies to Process or Host Ransomware Prevention indicators. After the Host Sensor identifies the communication port, the Host Sensor ends the process that supports communication to the network port.
  • Quarantine File — XOR encrypts the content of a file identified in an indicator so the file is not executable.
  • Delete Registry Value — Deletes the registry value that references a malicious file.

The Kill Process action by itself does not remediate a threat. To automatically remediate threats, we recommend that you allow all actions. For more information, see TDR Remediation Actions and Threat Scores.

For an APT Blocker policy, there is only one action:

Sandbox File — Sends suspicious files to the sandbox for APT Blocker analysis

For a Containment policy, there is only one action:

Contain Host — Shuts down network connections on the hosts.

To contain hosts, the Enable Kernel Host Containment Action must be enabled in the Host Sensor settings. For more information, see Configure TDR Host Sensor Settings.

Targets

Targets define which hosts the action applies to. In each policy, you can add individual hosts or groups of hosts as targets. A policy without a target does not affect any hosts. If you want a policy to apply to all hosts that have a Host Sensor installed, you can use the built-in group All Hosts.

For information about groups, see Manage TDR Groups.

See and Manage Policies

To manage policies:

  1. Log In to the TDR Web UI as an Analyst.
  2. Select Configuration > Policy.
    The Policy page appears.

Screen shot of the Policy page

  1. To search for specific policies, from the filter drop-down lists and in the search text boxes, specify the policy details.

Add a Policy

You can add a combination of policies to automatically take action against threats on your network. For information about recommended policies, see Recommended TDR Policies.

Change Policy Rank

The Policy page includes all currently defined policies in order of precedence, numbered from the highest rank (1) to the lowest rank. When you add a new policy, it is automatically added to the top of the Policy list, at the highest rank. Policies do not change rank automatically based on the target of the policy. You must manually change the rank of each policy.

For example, if you configure a policy to not perform an action for a single host, and then add a new policy to perform actions for a group that the host is a member of, the policy that you added last (the new policy for the group) has the highest rank and takes precedence. If you want the policy for the single host to take precedence, you must manually change the rank of that policy to a higher position in the list than the policy for the group that host is a member of.

To change the rank of a policy, you can:

  • In the Rank column, to increase or decrease the rank of a policy, adjacent to that policy, click or .
  • In the Rank column, change the number in the text box.
  • Drag-and-drop a policy to a different position in the list .

When you change the rank of a policy, the numbers assigned to all other policies in the list are automatically updated to show their new rank.

If the APT Blocker feature is disabled in the General Settings page, all APT Blocker policies are hidden and the numbers assigned to those policies are skipped in the Rank column.

Policy Rank and Action Precedence

More than one active TDR policy can apply to the same target host at the same time. This is different from how policy precedence works in Fireware. If multiple active TDR policies apply to the same target host, the action in the highest ranked policy applies for each action. For example if the highest ranked policy for a target specifies that Host Sensors cannot perform the Delete Registry Value action, and a lower ranked policy for the same target allows Host Sensors to perform the Kill Process, Quarantine File, and Delete Registry Value actions, the Host Sensor performs only the Kill Process and Quarantine File actions because the action that specifies that the Host Sensor should not perform the Delete Registry Value action has higher precedence.

Back Up or Import Policies

You can save a backup of all policies to an .XML file. To add the policies to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to easily copy policies configured in one managed customer account to another managed account. To avoid duplicate policies, the imported policies are merged with the current list of policies.

If the name of a policy in an imported backup file matches the name of an existing policy, the imported policy replaces the existing policy.

To save the policies to a backup file:

  1. Select Configuration > Policy.
    The list of currently configured policies appears.
  2. Click Backup.
    The .XML backup file is saved to the downloads folder.

The name of the policy backup file includes the current date and time. For example: 

WatchGuardTDR_Policies_2017-01-25_22-39-43.xml

To import policies from a saved policies .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The policies from the file are added to the Policy list.

Edit, Duplicate, or Remove a Policy

To edit a policy, from the Policy page:

  1. To expand the details of a policy, click .
  2. Edit the settings as described in the previous section.
  3. Click Save & Close.

To duplicate a policy, from the Policy page:

  1. Adjacent to the policy to duplicate, click .
  2. Select Duplicate Policy.

To remove a policy, from the Policy page:

  1. Adjacent to the policy to remove, click .
  2. Select Remove Policy.

See Also

Recommended TDR Policies

TDR Sandbox Analysis by APT Blocker

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search