Manage TDR Hosts and Host Sensors

The end-of-life date for TDR is 30 September 2023. On this date, the TDR UI in WatchGuard Cloud will no longer be available. Host Sensors will continue to function, but remediation and report generation will be disabled. To upgrade your Host Sensors to Endpoint Security, go to the Host Sensor upgrade to Endpoint Security Knowledge Base article.

AD Helper is now end-of-life. This functionality is no longer available. For more information, go to the TDR AD Helper end-of-life Knowledge Base article.

In Threat Detection and Response, the Devices / Users > Hosts page includes a list of all hosts for your account, and the Host Sensor status for each host. Only Administrators and Analysts can remove or install a Host Sensor on a host.

Hosts are added to your Threat Detection and Response account through AD Helper or through manual Host Sensor installation.

AD Helper

You can use AD Helper to automatically get the list of Windows hosts in an Active Directory domain on your network, and automatically install or remove Windows Host Sensors. For more information about how to set up AD Helper, go to Install and Configure AD Helper.

Manual Host Sensor Installation

You can download a Host Sensor and manually install it on a host. The first time the Host Sensor sends a heartbeat to your Threat Detection and Response account, the host is added to the list of hosts for your TDR account, which you can view in the Devices / Users > Hosts list in WatchGuard Cloud.

For more information, go to TDR Host Sensor Manual Installation.

You can also uninstall Host Sensors from the TDR Hosts page. For more information, go to Uninstall TDR Host Sensors.

Manage Host Sensors

From the Devices / Users > Hosts page, Administrators and Analysts can complete these actions:

  • Download Host Sensor installers
  • Install or uninstall Windows and Mac Host Sensors
  • Change the Host Group for a Host Sensor
  • Edit or remove a host
  • Export the hosts list to a file

To view the Hosts page in WatchGuard Cloud:

  1. Log In to TDR.
  2. Select Monitor > Threat Detection.
  3. Select Devices / Users > Hosts.
    The Hosts page opens.

Screen shot of the Hosts page

Manage Filters

You can filter the information seen on the page at the top of each column. You can save a filter setting so the page defaults to the specified information each time you open it.

Host Management Actions

You can complete these actions for hosts:

  • Change Host Group — Change the Host Group the host is a member of
  • Install Sensor — Use AD Helper to install a Host Sensor on a Windows host
  • Restart Sensor — Restart a Host Sensor on a host
  • Remove Sensor — Uninstall a Host Sensor from a host
  • Acknowledge Manually Removed — Acknowledge that a Host Sensor has been manually uninstalled from a host
  • Update Host — Update a Host Sensor to the latest version of TDR
  • Contain Host — Contain the host so that it cannot communicate over the network
  • Release Host — Release the host from containment
  • Pause Host Protection — Temporarily pause TDR on a host
  • Request Baseline — Perform a new baseline scan after making changes on a host

Change the Host Group

A host can be a member of only one Host Group.

To change the Host Group for one or more Hosts:

  1. Select Devices / Users > Hosts.
  2. Select the check box next to one or more hosts in the list.
  3. Select Actions > Change Host Group.
    The Change Host Group dialog box opens.

Screenshot of the Change Host Group dialog box

  4. Start to type the name of the group. This can be an existing group or a new group.
    As you type, the names of existing groups and the option to add a new group appear below the text box.
  5. Select the group, or select the option to add the new group with the name you typed.
    The selected hosts are added to the group you selected. If you selected the option to add a new group, the Host Group is added.

To remove one or more Host Sensors from a Host Group:

  1. Select the check box next to one or more hosts in the list.
  2. Select Actions > Change Host Group.
    The Change Host Group dialog box opens.
  3. Select No Group.
    Each selected host is removed from the Host Group it was previously a member of.

Install or Remove a Host Sensor

The Windows Host Sensor installer generates an install log file when you install or uninstall the Host Sensor. The installer log is saved in the Host Sensor installation folder. The default folder is C:\Program Files (x86)\WatchGuard\Threat Detection and Response.

To install or remove a Host Sensor from one or more hosts:

  1. Select the check box next to one or more hosts in the list.
  2. Select Actions.
    The drop-down list shows the number of selected hosts each available action applies to.
  3. To install a Host Sensor, select Install Sensor. To remove a Host Sensor, select Remove Sensor.
    The Confirm Action dialog box opens with the list of hosts the action applies to.

Screen shot of the Confirm Action dialog box

  4. Click Execute Action.

To install or remove a Host Sensor from a single host:

  • To remove a host sensor from a host, in the Install State column, click .
  • To install a host sensor on a host, in the Install State column, click .
  • To manually install a host sensor on a host that is not in the Hosts list, click Download Host Sensor.
    For more information, go to TDR Host Sensor Manual Installation.

Restart a Host Sensor

To restart a Host Sensor in WatchGuard Cloud:

  1. Log In to TDR.
  2. Select Monitor > Threat Detection.
  3. In the Devices / Users > Hosts list, select the check box next to one or more hosts in the list.
  4. Select Actions > Restart Sensor.
    The Confirm Action - Restart Sensor dialog box opens.
  5. Click Execute Action.

Update a Host

When Host Sensor Auto-Update is enabled in the General Settings page, Host Sensors are updated automatically when a new version of TDR is available. For more information, go to TDR General Settings.

You can also choose to update specific Host Sensors manually when a new version is available. An icon appears in the Install State column if a Host Sensor can be updated manually.

To update a specific host:

In the Install State column, next to the Host Sensor install state, click .
The Host Sensor updates to the new version.

To update multiple hosts:

  1. Select the check box next to one or more hosts in the list.
  2. Select Actions > Update.
    The Host Sensor updates to the new version.

Contain a Host

To prevent the spread of threats on your network, you can contain a host. Containment shuts down network connections on a specific host and prevents new connections so that threats cannot spread through the network. For more information, go to Configure TDR Containment.

To contain hosts, the Enable Kernel Host Containment Action must be enabled in the Host Sensor settings. For more information, go to Configure TDR Host Sensor Settings.

To contain a host:

  1. Select the check box next to the host you want to contain.
  2. Select Actions > Contain Host.
    The Confirm Action - Contain Host dialog box opens.
  3. Click Execute Action.
    The host is contained and a containment icon is shown in the Sensor Status column.

Screen shot of the Install State and Sensor status columns for a contained host

Release a Contained Host

Contained hosts are isolated and cannot connect over the network. When a threat is remediated, you can release a host from containment.

To manually release a host from containment:

  1. Select the check box next to the host you want to release.
  2. Select Actions > Release Host.
    The Confirm Action – Release Host dialog box opens.
  3. Click Execute Action.
    The host is released from containment.

Host and Host Sensor Status

For each host, the Hosts page includes this information:

  • Host — The name of the host
  • FQDN — The fully qualified domain name for the domain where the host is installed
  • IP — The IPv4 address most recently reported by the host
  • Type — The type of host (Windows, Linux, or Mac)
  • Operating System — The operating system installed on the host
  • Install State — The install state of the Host Sensor on the host
  • Sensor Status — The Host Sensor Status, described in the next section
  • Sensor Version — The version of the installed Host Sensor
  • Last Seen — The last time a heartbeat was received from an installed Host Sensor. An installed Host Sensor sends a heartbeat to your TDR account every 30 seconds.
  • Host Group — The Host Group a host is a member of

Click Choose Columns to select which columns are visible.

You can filter and sort the Hosts list on any of the columns. To clear column filters, click and select Clear.

The date and time the Host list was last synchronized appears at the top of the page.

Install State

The Install State column indicates the installation status of the Host Sensor. It can also indicate that the Host Sensor license is expired.

  • Installed — Host Sensor is installed
  • Installing — Host Sensor installation is in progress
  • Pending Install — The Install Sensor action was requested, but the install has not started
  • Uninstalling — Host Sensor uninstall is in progress
  • Uninstallation Error — The Remove Sensor action was selected, but the Host Sensor uninstall failed
  • Pending Uninstall — The Remove Sensor action was selected, but the uninstall has not started
  • Not Installed — The Host Sensor is not installed
  • Expired — The Host Sensor license is expired

For more information about Host Sensor licensing and expiration, go to TDR Licensing.

Host Sensor Status

The icon in the Sensor Status column indicates the status of the host sensor on each host.

  • — Host Sensor is installed and operational
  • — Host Sensor is installed but has a problem
  • — Host Sensor is not communicating
  • — Host Sensor has shut down correctly
  • Paused icon — Host Sensor has protection paused
  • Host Contained icon — Host Sensor has contained the host

Host and Sensor Status History

You can expand a host to view a history of the IP addresses and Host Sensor status for a host. From the Sensor history you can also update the sensor status to indicate that a sensor has been manually removed.

To view the host history in WatchGuard Cloud:

  1. Log In to TDR.
  2. Select Monitor > Threat Detection.
  3. Select Devices / Users > Hosts.
  4. In the Hosts list, find the host.
  5. Next to the host name, click .
    The list of recent IP addresses assigned to this host appears.

Screen shot of the IP History for a host

  6. To view the history of the Host Sensor status, select the Sensor tab.
    The history of recent changes to the Host Sensor status appears.

Screen shot of the Sensor tab

  7. To view older entries in the Sensor History list, click Load More.
  8. To view logged in users, select the Users tab.

Acknowledge Manual Host Sensor Uninstall

If you manually uninstall a Host Sensor, you can reset the Host Sensor status for that host so that the host does not continue to use a Host Sensor license.

To acknowledge that you manually uninstalled the Host Sensor:

  1. Next to the host name, click .
    The Host Sensor history appears.
  2. Select the Sensor tab.
  3. Click Acknowledge.
  4. Click Refresh.
    The Host page is refreshed.

For information about how to manually uninstall a Host Sensor, go to Uninstall TDR Host Sensors.

Edit or Remove a Host

From the Hosts page, you can edit a host. For any host, you can specify that the host is a DNS server or a proxy server on your network. Threat Detection and Response does not take actions based on network events detected for hosts that you identify as a proxy server or DNS server because these hosts might not be the actual origin of the potentially malicious activity. You can also remove a host that was manually installed.

Pause Protection for a Host

Users with an Administrator or Analyst role can remotely pause protection for Hosts for a minimum of 5 minutes and a maximum of 120 minutes. You would pause protection if you need to install a system update that would conflict with TDR.

When protection is paused, the Host Sensor does not scan files, processes, or registry entries, and does not send events to the cloud. Host Ransomware Protection is also disabled temporarily.

Status messages appear in the Sensor history. You can determine if protection was paused remotely or locally by the status message.

  • Local pause: Paused by user@hostname
  • Remote pause: Paused remotely by User Name

On the Windows machine, users will be notified through the system tray icon and a pop-up notification. Users cannot resume protection from their computer.

Export the Hosts List

You can export the hosts list from your TDR account to a text file. In the text file, the column headings and values for each host are enclosed in quotation marks. You can open this file in a text editor or import it into a spreadsheet program, such as Microsoft Excel.

To export the hosts list, at the top of the Hosts page, click Export.
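An exported hosts list can be checked offline for gaps in sensor coverage. The following Python script is an added example, not WatchGuard code: it flags hosts whose Install State is anything other than Installed, and installed hosts whose Last Seen value is older than a chosen number of 30-second heartbeats. It assumes the export is comma-delimited, that the headings match the Hosts page column names, and that Last Seen is written in ISO 8601 form; the sample data and the `missed_heartbeats` threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

HEARTBEAT = timedelta(seconds=30)  # heartbeat interval stated on this page

# Constructed sample export. Assumptions: comma-delimited, headings equal to the
# Hosts page column names, Last Seen written as ISO 8601.
SAMPLE_EXPORT = '''"Host","Type","Install State","Last Seen","Host Group"
"WS-001","Windows","Installed","2023-05-01T12:00:00","Finance"
"WS-002","Windows","Installed","2023-05-01T09:14:30","Finance"
"MAC-007","Mac","Uninstallation Error","2023-04-28T17:02:00",""
"SRV-DNS","Windows","Expired","2023-05-01T11:59:45","Servers"
"WS-009","Windows","Not Installed","",""
'''

def audit_hosts(export_text, now, missed_heartbeats=10):
    """Return {host: [reasons]} for hosts that are not effectively monitored.

    missed_heartbeats is a hypothetical tolerance: an installed sensor is
    reported as stale once it has been silent for that many intervals.
    """
    max_age = HEARTBEAT * missed_heartbeats
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        state = row["Install State"].strip()
        if state != "Installed":
            # Covers Pending Install, Uninstallation Error, Expired, and so on.
            reasons.append(f"install state: {state}")
        else:
            last_seen = row["Last Seen"].strip()
            if not last_seen:
                reasons.append("no heartbeat recorded")
            else:
                age = now - datetime.fromisoformat(last_seen)
                if age > max_age:
                    reasons.append(f"heartbeat stale by {age}")
        if reasons:
            findings[row["Host"]] = reasons
    return findings

if __name__ == "__main__":
    report_time = datetime(2023, 5, 1, 12, 0, 20)  # constructed "now"
    for host, reasons in audit_hosts(SAMPLE_EXPORT, report_time).items():
        print(host, "->", "; ".join(reasons))
```

A host with paused protection or in containment still appears as Installed in this check; review the Sensor Status column for those states.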

Related Topics

TDR Host Sensor System Tray Icon

TDR WatchGuard Cloud UI Navigation, Filters, and Common Features