Manage TDR Indicators
To learn about the ThreatSync service in WatchGuard Cloud, go to About ThreatSync in WatchGuard Cloud Help. References to ThreatSync in this topic relate to the older TDR feature.
In Threat Detection and Response, indicators are events received from Host Sensors and Fireboxes on your network and scored by the analytics engine. On the Indicators page, you can view all indicators in the system, create quick bar and pie charts, and complete manual actions across hosts.
View Indicators
On the Dashboard page in TDR in WatchGuard Cloud, you can view a summary of the indicators, and quickly go to a filtered view of the Indicators page. For more information, go to TDR Dashboard. You can also go directly to the Indicators page and view all indicators.
- Select ThreatSync > Indicators.
By default, the Indicators page shows indicators with a score of 6 or higher last seen in the last 24 hours.
- To search for indicators, in the Search text box type a word or value to search for. The search can match text in a file name, MD5 value, IP address, DNS name, or URL associated with an indicator.
- Use the column headings to change or clear the filters.
- To apply a filter, select the controls in the column headings.
- If you want the filter to persist across sessions and browsers, save the filter.
The Indicators list shows each indicator with its status information and any requested actions.

- Score — The threat score for this indicator. By default, this column is filtered to show scores of 6 or higher. For more information, go to About TDR Threat Scores.
- Source — The source of the indicator, shown as an icon: Host Sensor, Firebox (Network), or both if the indicator is correlated.
- Indicator — The indicator details. You can filter this column by indicator type, as described in the next section. To view more details, click Additional Info.
- Last Seen — The last time the indicator was received from the Host Sensor. By default, this column is filtered to show indicators last seen in the last 24 hours.
- Sensor Status — The status of the Host Sensor. For more information, go to Manage TDR Hosts and Host Sensors.
- Host/IP — The host name or IP address of the host system.
- Action Requested — The action recommended by Threat Detection and Response for an indicator from a Host Sensor.
- Outcome — Indicates the status of the action listed in the Action Requested column.
- No Policy indicates that there is no policy to take action on this threat.
- Successful indicates that the action was successful and the threat was remediated.
- Failure indicates that the action failed due to a permissions issue or because the threat was remediated by another action.
- User — Shows the owner of the process or file that the indicator was created for.
- File Indicators — Shows the owner of the file.
- Process Indicators — Shows the owner of the process.
- Registry Indicators — No user information is displayed.
- Correlated Network Indicators — Shows the owner of the process that made the suspicious network connection.
- Uncorrelated Network Indicators — No user information is displayed.
- Action Date — The date and time that the remediation action occurred.
- Previous Score — Shows the previous score assigned to an indicator before a remediation action was completed. This column is not visible by default.
- For Further Investigation — Contains links you can click to search for the MD5 on Google, VirusTotal, and MetaScan.
Not all columns are visible by default. To select which columns are visible, click Choose Columns.
For a description of possible actions and outcomes, go to TDR Indicator Actions and Outcomes.
Indicator Filters
You can filter Indicators by any of the columns or for a specific time period. You can save a filter so it will persist across sessions and browsers.
Manage Filters
You can filter the information on the page with the controls at the top of each column. You can save a filter setting so that the page defaults to that view each time you open it.
To save a filter:
- Select the column settings you want to save.
- In the far left column heading, click the filter icon.
- Select Save.

To apply a saved filter:
- In the far left column heading, click the filter icon.
- Select Apply.

To clear the current filter:
- In the far left column heading, click the filter icon.
- Select Clear.

To remove a saved filter:
- In the far left column heading, click the filter icon.
- Select Remove.
Filter Indicators by Date

- In the Last Seen column heading, click the date filter icon.
A date selection dialog box appears. The selected date range filter, if any, appears at the top.
- Select the start and end date on the calendar, or select a date range shortcut. The available shortcuts are:
- Last 24 hours
- Last 3 days
- Last 7 days
- Last 30 days
- To apply the selected date range filter, click Apply.
- To clear the date range filter, click Clear.
Filter Indicators by Type

You can apply a filter to the Indicator column to view indicators by the indicator type.

Host Sensor indicator types:
- File — a suspicious or malicious file
- Process — a suspicious or malicious process
- Registry — a suspicious or malicious registry entry on a Windows host
- Host Ransomware Prevention — processes and files with the characteristics of ransomware

Firebox (Network) indicator types:
- Blocked Sites by Botnet
- Blocked Sites by FQDN
- Blocked Sites by IP
- DNS Question Match
- HTTP APT Blocked
- HTTP APT Detected
- HTTP Bad Reputation
- HTTP Request Categories
- HTTP Virus Found
- SMTP APT Blocked
- SMTP APT Detected
- SMTP Virus Found

Correlated indicator types:
- HTTP APT Detected and Found — APT Blocker response indicates the file is malicious and the Host Sensor has returned the locations of the files for remediation.
- Process + Network — Correlates network events from the Firebox to an individual process on the host. (Only available for Windows Host Sensors.)
You can also view the full log message generated by the Firebox for each network event on the Network Events page. For network indicators, each indicator corresponds to a different event type. For more information, go to View Network Events in TDR.
Threat Scores
TDR analytics assigns each indicator a score based on the severity of the threat: 10 is the highest level threat and 2 is the lowest. TDR assigns a score of 1 if an indicator was successfully remediated, and a score of 0 if an indicator is on the Allowlist.
For more information about indicator threat scores, go to About TDR Threat Scores.
For more information about remediation actions and threat scores, go to TDR Remediation Actions and Threat Scores.
Actions
Each indicator is associated with a host. Indicators can be related to files or processes on a host, detected by a Host Sensor, or to network events for traffic to or from a host, detected by a Firebox. For indicators reported by a Firebox, remediation actions are completed by the Firebox, based on the settings in the Firebox configuration. For example, APT Blocker, IPS, or Gateway AntiVirus could block access to a file, or WebBlocker could block access to a website. For indicators reported by a Host Sensor, the remediation action can be taken automatically by the Host Sensor, based on configured TDR policies, or you can take the requested action to remediate the threat from the Indicators page.
Action Log and Remediation History
For each indicator, the Action Log shows the list of actions for that indicator. For a remediated indicator, the Action Log also includes the Remediation History, which shows the original score of the indicator before it was successfully remediated.

To view the Action Log:
- On the Indicators page, find the indicator.
- In the Outcome column for the indicator, click the Action Log icon.
- Click Close to close the Action Log.
Indicator Details
To view details for an indicator:
- Select ThreatSync > Indicators.
- In the Indicator column, click Additional info.
The Additional Information dialog box opens.
The additional information that appears depends on the source of the indicator. The source could be a Host Sensor, a Firebox, or both.
Indicators from a Host Sensor —
For an indicator reported by a Host Sensor, the Additional Information dialog box shows information about how analytics calculated the indicator score. It shows information about three components of the score: Threat Feed, Malware Verification Service, and Heuristics. The status for each indicator is highlighted.
Threat Feed status options:
- Not Matched — The file or process is not the same as anything in the Threat Feed
- Matched — The file or process is the same as something in the Threat Feed
Malware Verification Service (MVS) status options:
- Benign — MVS identified that the file or process is known to not be a threat
- Unseen — MVS does not have information about the file or process
- Potential — MVS identified that the file or process is a known potential threat
- Malicious — MVS identified that the file or process is a known threat
Heuristics status options:
- Below Threshold — The observed behavior of this file or process is not known to be suspicious
- Suspicious — The observed behavior of this file or process is suspicious. If machine learning was used to determine the status, (ML) appears next to the Suspicious label.
To view more information about the suspicious event, click Details.
If the hash for this indicator was found on other hosts, the top-right corner of the Additional Information dialog box shows the number of other host sensors that identified this indicator. To view a list of all hosts that identify this indicator, click Hash found on other host(s).
If the Host Sensor requests the Sandbox File action, the Additional Information dialog box also includes information about the status of Sandbox Analysis by APT Blocker.
For more information, go to TDR Sandbox Analysis by APT Blocker.
Indicators from a Firebox (Network) —
For an indicator reported by a Firebox, the Additional Information dialog box shows information about the threat reported by the Firebox.
You can view more details about network events identified by a Firebox on the Network Events page. For more information, go to View Network Events in TDR.
Correlated Indicators
Correlated indicators are created when suspicious process activity detected by one device is confirmed by a secondary source, such as the Host Sensor or APT Blocker.
To enable correlated indicators, you must enable the Allow Host Sensors to Cache File Metadata setting on the Host Sensor Settings page. Go to Configure TDR Host Sensor Settings for more information.
Process + Network Indicator
Process + Network Indicators are triggered when suspicious process activity is detected by the Firebox then confirmed on the Host Sensor. When the Firebox reports a malicious connection to TDR, a Network Indicator is created. TDR stores the information while the Host Sensor searches for the malicious process on the host based on source IP address / port and destination IP address / port.
- If the process is located on the host, a Process + Network Indicator is created, and both the Host Sensor icon and the Firebox icon appear in the Source column.
- If the process is not located on the host, the regular Network Indicator remains.
The threat is remediated according to policy based on the Threat Score. If the process has stopped, the indicator is automatically externally remediated. Usually, a correlated score will be high enough to qualify for the Kill Process action. Quarantine is not an available action for Process + Network Indicators.
If the Host Sensor finds the process, the Additional Information dialog box shows information about the Network Event and the Process Information as well as the Threat Details.
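The correlation described above, as an added example in Python (not WatchGuard's code): a Firebox network event is matched against the connection table the Host Sensor reports, on source IP/port and destination IP/port; a live match becomes a Process + Network Indicator, a match whose process has already exited is marked externally remediated with its score dropped to 1 and the earlier score kept as Previous Score, and no match leaves the plain Network Indicator in place. The data classes, the KILL_PROCESS_THRESHOLD value, the correlated_score argument and the outcome labels "Pending" and "Externally Remediated" are assumptions; the page does not show how TDR analytics computes the correlated score or which policy threshold applies.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class NetworkEvent:
    """Network event reported by the Firebox (constructed fields)."""
    event_type: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    score: int          # score given to the uncorrelated Network Indicator


@dataclass(frozen=True)
class HostConnection:
    """One socket observed by the Host Sensor, with the process that owns it."""
    pid: int
    process: str
    owner: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    running: bool       # False if the process has already exited


@dataclass
class Indicator:
    kind: str                   # "Network" or "Process + Network"
    sources: tuple              # what appears in the Source column
    score: int
    previous_score: Optional[int]
    action_requested: str
    outcome: str
    host_ip: str
    user: Optional[str] = None
    process: Optional[str] = None


# Assumed policy threshold; the real one comes from the configured TDR policy.
KILL_PROCESS_THRESHOLD = 8


def correlate(event: NetworkEvent, connections: Iterable[HostConnection],
              correlated_score: int) -> Indicator:
    """Match a Firebox network event to a host process by its 4-tuple.

    correlated_score is whatever analytics assigns to the correlated indicator;
    the page gives no formula, so it is passed in (assumption).
    """
    wanted = (event.src_ip, event.src_port, event.dst_ip, event.dst_port)
    match = next((c for c in connections
                  if (c.local_ip, c.local_port, c.remote_ip, c.remote_port) == wanted),
                 None)
    if match is None:
        # No owning process found: the uncorrelated Network Indicator remains.
        return Indicator(kind="Network", sources=("Firebox",), score=event.score,
                         previous_score=None, action_requested="None",
                         outcome="No Policy", host_ip=event.src_ip)
    if not match.running:
        # Process already exited: externally remediated, score drops to 1 and the
        # correlated score is kept as Previous Score.
        return Indicator(kind="Process + Network", sources=("Firebox", "Host Sensor"),
                         score=1, previous_score=correlated_score,
                         action_requested="None", outcome="Externally Remediated",
                         host_ip=event.src_ip, user=match.owner, process=match.process)
    # Live process: Kill Process if the score qualifies. Quarantine is never
    # offered for Process + Network indicators, so it is not an option here.
    action = "Kill Process" if correlated_score >= KILL_PROCESS_THRESHOLD else "None"
    return Indicator(kind="Process + Network", sources=("Firebox", "Host Sensor"),
                     score=correlated_score, previous_score=None,
                     action_requested=action,
                     outcome="Pending" if action != "None" else "No Policy",
                     host_ip=event.src_ip, user=match.owner, process=match.process)


# Constructed sample data: one blocked-site event and two sockets on the host.
EVENT = NetworkEvent("Blocked Sites by IP", "10.0.1.25", 49812, "203.0.113.7", 443, 6)
CONNECTIONS = [
    HostConnection(1122, "chrome.exe", r"CORP\alice", "10.0.1.25", 50012, "198.51.100.4", 443, True),
    HostConnection(3344, "svchst.exe", r"CORP\alice", "10.0.1.25", 49812, "203.0.113.7", 443, True),
]

if __name__ == "__main__":
    print(correlate(EVENT, CONNECTIONS, correlated_score=9))
    print(correlate(EVENT, CONNECTIONS[:1], correlated_score=9))
```

The match is on the full 4-tuple rather than on destination alone, which is what keeps a benign browser session to a different remote host from being blamed for the blocked connection.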
HTTP(S) Proxy APT Zero-Day Mitigation
This feature is only compatible with Fireware v12.1.3 Update 2 for XTMv or Fireware v12.4 or higher for Firebox M Series and T Series models.
When suspicious files are sent to APT Blocker for analysis, it can take several minutes to receive a response from the APT Blocker cloud-based data center. If the file is malicious, it could propagate on your network before APT Blocker responds. TDR continues to track the location of the file, as well as any copies of the file, for up to 20 minutes. If the response from APT Blocker is that the file is malicious, TDR will implement the appropriate file remediation policy for all copies of the file.
An HttpAPTDetected event is triggered when a suspicious file is reported as malicious by APT Blocker. A request is sent to the Host Sensor for the locations of the file.
When the Host Sensor returns the information, an HTTP APT Detected and Found Indicator is generated for each file copy. Click on the Additional Info link for the indicator to open the Additional APT Detected and Found Information dialog box.
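The tracking window described above, as an added example in Python (not WatchGuard's code): a file submitted to APT Blocker is tracked by MD5 for up to 20 minutes, the Host Sensor's reports of further copies are recorded against that hash while the window is open, and a late "malicious" verdict that still falls inside the window produces one HTTP APT Detected and Found indicator per copy. The class, method names, timeline, hostnames, paths and hash are all constructed for illustration; only the 20-minute limit and the one-indicator-per-copy behaviour come from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

TRACK_WINDOW = timedelta(minutes=20)  # page: copies are tracked for up to 20 minutes


class PendingFileTracker:
    """Tracks copies of files awaiting an APT Blocker verdict, keyed by MD5 (assumed design)."""

    def __init__(self) -> None:
        # md5 -> (time the file was submitted to APT Blocker, {host: set of paths})
        self._pending: Dict[str, Tuple[datetime, Dict[str, Set[str]]]] = {}

    def submit(self, md5: str, host: str, path: str, at: datetime) -> None:
        """The proxy sent the file to APT Blocker; start tracking its first location."""
        self._pending[md5] = (at, defaultdict(set))
        self._pending[md5][1][host].add(path)

    def observe_copy(self, md5: str, host: str, path: str, at: datetime) -> bool:
        """Host Sensor saw a file with this hash at path. Returns True if it is tracked."""
        entry = self._pending.get(md5)
        if entry is None:
            return False
        submitted_at, locations = entry
        if at - submitted_at > TRACK_WINDOW:
            del self._pending[md5]          # window expired; stop tracking this hash
            return False
        locations[host].add(path)
        return True

    def verdict(self, md5: str, malicious: bool, at: datetime) -> List[dict]:
        """APT Blocker answered. For a malicious verdict inside the window, return
        one HTTP APT Detected and Found indicator per tracked copy; otherwise nothing."""
        entry = self._pending.pop(md5, None)
        if entry is None or not malicious:
            return []
        submitted_at, locations = entry
        if at - submitted_at > TRACK_WINDOW:
            return []
        return [
            {"indicator": "HTTP APT Detected and Found", "md5": md5,
             "host": host, "path": path}
            for host, paths in sorted(locations.items())
            for path in sorted(paths)
        ]


def scenario() -> List[dict]:
    """Constructed timeline: one download, two copies inside the window, verdict at +12 min."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    md5 = "0123456789abcdef0123456789abcdef"   # constructed hash, not a real sample
    tracker = PendingFileTracker()
    tracker.submit(md5, "ws-01", r"C:\Users\alice\Downloads\invoice.exe", t0)
    tracker.observe_copy(md5, "ws-01", r"C:\Users\alice\AppData\Local\Temp\inv.exe",
                         t0 + timedelta(minutes=3))
    tracker.observe_copy(md5, "ws-02", r"\\fs1\share\invoice.exe", t0 + timedelta(minutes=7))
    return tracker.verdict(md5, malicious=True, at=t0 + timedelta(minutes=12))


def late_verdict() -> List[dict]:
    """Same submission, but APT Blocker answers after the 20-minute window has closed."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    md5 = "0123456789abcdef0123456789abcdef"
    tracker = PendingFileTracker()
    tracker.submit(md5, "ws-01", r"C:\Users\alice\Downloads\invoice.exe", t0)
    return tracker.verdict(md5, malicious=True, at=t0 + timedelta(minutes=25))


if __name__ == "__main__":
    for ind in scenario():
        print(ind)
    print("late verdict indicators:", late_verdict())
```

The point of the expiry check in both observe_copy and verdict is the failure mode the page warns about: a copy made, or a verdict returned, after the window has closed is not remediated by this path and has to be caught by ordinary Host Sensor scanning instead.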
Further Investigation
To further investigate an indicator, you can look up the MD5 value of the indicator on Google, VirusTotal, or MetaScan.
To look up the MD5 value for an indicator, in the For Further Investigation column click one of these links:
- Search MD5 on Google
- Search MD5 on VirusTotal
- Search MD5 on MetaScan
Create and Export Indicator Charts
You can view the indicators as a bar chart, pie chart, or stacked bar chart. You can export the chart to a .PNG, .JPG, .GIF, or .PDF file.
To create a chart:
- Click the icon for the type of chart to generate: Bar Chart, Pie Chart, or Stacked Bar Chart.
The selected chart appears.
- To change the date range shown in the chart, select a date range at the top.
- From the Group By drop-down list, select how to group the data in the chart.
- From the Show drop-down list, select how many indicators to show in the chart.
- To export the chart, click the export icon and select the export file format: .PNG, .JPG, .GIF, or .PDF.
The file is downloaded in the selected format.
Execute a Manual Action
You can manually select actions to remediate indicators. The Action Requested column shows the recommended action to remediate an indicator reported by a Host Sensor. When you take the requested action, this is categorized as a Manual remediation in the Remediations widget on the TDR Dashboard page.
For a list of actions and their outcomes, go to TDR Indicator Actions and Outcomes.
To execute a manual action:
- Select the check box for one or more indicators.
- From the Actions drop-down list, select the action to complete.
A confirmation dialog box opens, with a list of the indicators the selected action applies to.
- Click Execute Action.
After the Host Sensor successfully executes a remediation action, the score of the indicator is lowered to 1, and the Outcome column on the Indicators page shows that the action was successful.
TDR Indicator Actions and Outcomes