Manage TDR Indicators

To learn about the ThreatSync service in WatchGuard Cloud, go to About ThreatSync in WatchGuard Cloud Help. References to ThreatSync in this topic relate to the older TDR feature.

In Threat Detection and Response, indicators are events received from Host Sensors and Fireboxes on your network and scored by the analytics engine. On the Indicators page, you can view all indicators in the system, create quick bar and pie charts, and complete manual actions across hosts.

View Indicators

On the Dashboard page in TDR in WatchGuard Cloud, you can view a summary of the indicators, and quickly go to a filtered view of the Indicators page. For more information, go to TDR Dashboard. You can also go directly to the Indicators page and view all indicators.

  1. Select ThreatSync > Indicators.

Screenshot of the Indicators page

By default, the Indicators page shows indicators with a score of 6 or higher last seen in the last 24 hours.

  2. To search for indicators, in the Search text box type a word or value to search for. The search can match text in a file name, MD5 value, IP address, DNS name, or URL associated with an indicator.
  3. Use the column headings to change or clear the filters.
    • To apply a filter, select the controls in the column headings.
    • If you want the filter to persist across sessions and browsers, save the filter.

The Indicators list shows a list of indicators with status information and requested actions.

Not all columns are visible by default. To select which columns are visible, click Choose Columns.

For a description of possible actions and outcomes, go to TDR Indicator Actions and Outcomes.

Indicator Filters

You can filter Indicators by any of the columns or for a specific time period. You can save a filter so it will persist across sessions and browsers.

Manage Filters

You can filter the information seen on the page at the top of each column. You can save a filter setting so the page defaults to the specified information each time you open it.

Filter Indicators by Date

Actions

Each indicator is associated with a host. Indicators can be related to files or processes on a host, detected by a Host Sensor, or to network events for traffic to or from a host, detected by a Firebox. For indicators reported by a Firebox, remediation actions are completed by the Firebox, based on the settings in the Firebox configuration. For example, APT Blocker, IPS, or Gateway AntiVirus could block access to a file, or WebBlocker could block access to a website. For indicators reported by a Host Sensor, the remediation action can be taken automatically by the Host Sensor, based on configured TDR policies, or you can take the requested action to remediate the threat from the Indicators page.

Action Log and Remediation History

For each indicator, the Action Log shows a list of actions for that indicator. For a remediated indicator, the Action Log also includes the Remediation History, which shows the original score of the indicator before it was successfully remediated.

Indicator Details

Correlated Indicators

Correlated indicators are created when suspicious process activity detected by one device is confirmed by a secondary source, such as the Host Sensor or APT Blocker.

To enable correlated indicators, you must enable the Allow Host Sensors to Cache File Metadata setting on the Host Sensor Settings page. Go to Configure TDR Host Sensor Settings for more information.

Process + Network Indicator

Process + Network Indicators are triggered when suspicious process activity is detected by the Firebox then confirmed on the Host Sensor. When the Firebox reports a malicious connection to TDR, a Network Indicator is created. TDR stores the information while the Host Sensor searches for the malicious process on the host based on source IP address / port and destination IP address / port.

  • If the process is located on the host, a Process + Network Indicator is created and both the Host Sensor and Firebox icons appear in the Source column.
  • If the process is not located on the host, the regular Network Indicator will remain.

The threat is remediated according to policy based on the Threat Score. If the process has stopped, the indicator is automatically externally remediated. Usually, a correlated score will be high enough to qualify for the Kill Process action. Quarantine is not an available action for Process + Network Indicators.
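The correlation described above, as an added illustration that is not WatchGuard code: a Firebox network event is matched against the sockets the Host Sensor observed on the same host by source IP/port and destination IP/port. A match yields a Process + Network Indicator with both sources; no match leaves the plain Network Indicator; a matched process that has already stopped is marked externally remediated. The events, sockets, MD5 values and the KILL_PROCESS_THRESHOLD value are constructed for the example (in TDR the threshold comes from the configured policy).

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: a correlated score at or above this value
# qualifies for the Kill Process action. TDR takes this from policy.
KILL_PROCESS_THRESHOLD = 8


@dataclass
class NetworkEvent:
    """Malicious connection reported by a Firebox (constructed sample data)."""
    host: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    score: int


@dataclass
class ProcessSocket:
    """One process-owned socket the Host Sensor observed (constructed sample data)."""
    host: str
    pid: int
    image: str
    md5: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    running: bool


@dataclass
class Indicator:
    kind: str                 # "Network" or "Process + Network"
    host: str
    score: int
    sources: List[str]        # what appears in the Source column
    action_requested: str = "None"
    outcome: str = ""
    process: Optional[ProcessSocket] = None


def correlate(event: NetworkEvent, sockets: List[ProcessSocket]) -> Indicator:
    """Look for the process that owns the reported 4-tuple on the event's host."""
    key = (event.host, event.src_ip, event.src_port, event.dst_ip, event.dst_port)
    owner = next((s for s in sockets
                  if (s.host, s.src_ip, s.src_port, s.dst_ip, s.dst_port) == key), None)
    if owner is None:
        # Host Sensor found nothing: the regular Network Indicator remains.
        return Indicator("Network", event.host, event.score, ["Firebox"])

    ind = Indicator("Process + Network", event.host, event.score,
                    ["Firebox", "Host Sensor"], process=owner)
    if not owner.running:
        # The process already stopped, so there is nothing to kill:
        # the indicator is automatically externally remediated.
        ind.outcome = "Externally Remediated"
    elif ind.score >= KILL_PROCESS_THRESHOLD:
        ind.action_requested = "Kill Process"
    # Quarantine is never offered for Process + Network Indicators, so it is
    # not a possible value of action_requested here.
    return ind


# Constructed sample input: three Firebox events, two of which have a matching
# socket on the host (one process still running, one already exited).
SAMPLE_EVENTS = [
    NetworkEvent("host-a", "10.0.0.5", 49152, "203.0.113.7", 443, 9),
    NetworkEvent("host-a", "10.0.0.5", 49153, "203.0.113.8", 80, 7),
    NetworkEvent("host-b", "10.0.0.6", 51000, "198.51.100.9", 8080, 9),
]
SAMPLE_SOCKETS = [
    ProcessSocket("host-a", 4321, r"C:\Users\x\AppData\svc.exe",
                  "d41d8cd98f00b204e9800998ecf8427e",
                  "10.0.0.5", 49152, "203.0.113.7", 443, running=True),
    ProcessSocket("host-b", 777, r"C:\Temp\upd.exe",
                  "0cc175b9c0f1b6a831c399e269772661",
                  "10.0.0.6", 51000, "198.51.100.9", 8080, running=False),
]


def run_sample() -> List[Indicator]:
    """Correlate every sample event; returns the resulting indicators."""
    return [correlate(e, SAMPLE_SOCKETS) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ind in run_sample():
        pid = ind.process.pid if ind.process else "-"
        print(f"{ind.kind:18} host={ind.host} pid={pid} score={ind.score} "
              f"sources={ind.sources} action={ind.action_requested} outcome={ind.outcome!r}")
```

The key design point is the join key: the Firebox only knows the connection 4-tuple, so the Host Sensor has to map that tuple back to a process on the host; if the process has exited before the lookup, no action can be requested and the indicator is closed as externally remediated.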

If the Host Sensor finds the process, the Additional Information dialog box shows information about the Network Event and the Process Information as well as the Threat Details.

Screenshot of the Additional Information dialog box

HTTP(S) Proxy APT Zero-Day Mitigation

This feature is only compatible with Fireware v12.1.3 Update 2 for XTMv or Fireware v12.4 or higher for Firebox M Series and T Series models.

When suspicious files are sent to APT Blocker for analysis, it can take several minutes to receive a response from the APT Blocker cloud-based data center. If the file is malicious, it could propagate on your network before APT Blocker responds. TDR continues to track the location of the file, as well as any copies of the file, for up to 20 minutes. If the response from APT Blocker is that the file is malicious, TDR will implement the appropriate file remediation policy for all copies of the file.

An HttpAPTDetected event is triggered when a suspicious file is reported as malicious by APT Blocker. A request is sent to the Host Sensor for the locations of the file.

When the Host Sensor returns the information, an HTTP APT Detected and Found Indicator is generated for each file copy. Click on the Additional Info link for the indicator to open the Additional APT Detected and Found Information dialog box.
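The zero-day tracking window described above, as an added example that is not WatchGuard code: a file submitted to APT Blocker is tracked by MD5 for up to 20 minutes, every copy reported in that window is remembered, and a malicious verdict produces one HTTP APT Detected and Found Indicator per copy. The MD5 values, hosts, paths and timestamps are constructed, and the example assumes (not stated on the page) that once the window has lapsed the stored locations are discarded and a late verdict produces no "found" indicators.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

TRACK_WINDOW_SECONDS = 20 * 60  # page: file copies are tracked for up to 20 minutes


class PendingFileTracker:
    """Remembers where a file sent to APT Blocker, and its copies, live until a verdict arrives."""

    def __init__(self) -> None:
        self._first_seen: Dict[str, float] = {}
        # md5 -> {(host, path): time the copy was last reported}
        self._copies: Dict[str, Dict[Tuple[str, str], float]] = defaultdict(dict)

    def _active(self, md5: str, now: float) -> bool:
        """True while the 20-minute tracking window for this MD5 is open."""
        return md5 in self._first_seen and now - self._first_seen[md5] <= TRACK_WINDOW_SECONDS

    def _forget(self, md5: str) -> None:
        self._first_seen.pop(md5, None)
        self._copies.pop(md5, None)

    def submitted(self, md5: str, host: str, path: str, now: float) -> None:
        """The proxy sent this file to APT Blocker; start (or keep) the tracking window."""
        self._first_seen.setdefault(md5, now)
        self._copies[md5][(host, path)] = now

    def copy_seen(self, md5: str, host: str, path: str, now: float) -> bool:
        """Host Sensor reports another copy; it is kept only while the window is open."""
        if not self._active(md5, now):
            self._forget(md5)
            return False
        self._copies[md5][(host, path)] = now
        return True

    def verdict(self, md5: str, malicious: bool, now: float) -> List[dict]:
        """APT Blocker answered. Malicious -> one 'HTTP APT Detected and Found' indicator per copy."""
        if not self._active(md5, now):
            self._forget(md5)  # assumption: after the window nothing is left to act on
            return []
        copies = self._copies[md5]
        self._forget(md5)
        if not malicious:
            return []
        return [{"indicator": "HTTP APT Detected and Found", "md5": md5, "host": h, "path": p}
                for (h, p) in sorted(copies)]


# Constructed sample values (these are not real malware hashes).
MD5_A = "d41d8cd98f00b204e9800998ecf8427e"
MD5_B = "0cc175b9c0f1b6a831c399e269772661"


def demo() -> Tuple[List[dict], bool, List[dict]]:
    """Two scenarios: verdict inside the window, and verdict after it lapsed."""
    t = PendingFileTracker()
    # Scenario 1: the file reaches a second host before APT Blocker answers (10 min later).
    t.submitted(MD5_A, "host-a", r"C:\Users\x\Downloads\invoice.exe", now=0)
    t.copy_seen(MD5_A, "host-b", r"C:\Temp\invoice.exe", now=300)
    found = t.verdict(MD5_A, malicious=True, now=600)
    # Scenario 2: a copy appears at 25 min and the verdict arrives after that.
    t.submitted(MD5_B, "host-c", r"C:\Users\y\Downloads\setup.exe", now=0)
    late_copy = t.copy_seen(MD5_B, "host-d", r"C:\Temp\setup.exe", now=1500)
    stale = t.verdict(MD5_B, malicious=True, now=1600)
    return found, late_copy, stale


if __name__ == "__main__":
    found, late_copy, stale = demo()
    for ind in found:
        print(ind)
    print("late copy tracked:", late_copy, "| indicators after window:", len(stale))
```

The point a practitioner should take from the model is the race the page describes: the sandbox verdict is slow, the file can spread in the meantime, and remediation only reaches every copy if the locations reported during the window were retained and keyed by the same hash the verdict refers to.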

Screenshot of APT Detected and Found Information

Further Investigation

To further investigate an indicator, you can look up the MD5 value of the indicator on Google, VirusTotal, or MetaScan.

To look up the MD5 value for an indicator, in the For Further Investigation column click one of these links:

  • Search MD5 on Google
  • Search MD5 on VirusTotal
  • Search MD5 on MetaScan

Create and Export Indicator Charts

You can view the indicators as a bar chart, pie chart, or stacked time series chart. You can export the chart to a .PNG, .JPG, .GIF, or .PDF file.

Execute a Manual Action

You can manually select actions to remediate indicators. The Action Requested column shows the recommended action to remediate an indicator reported by a Host Sensor. When you take the requested action, this is categorized as a Manual remediation in the Remediations widget on the TDR Dashboard page.

For a list of actions and their outcomes, go to TDR Indicator Actions and Outcomes.

After the Host Sensor successfully executes a remediation action, the score of the indicator is lowered to 1, and the Outcome column on the Indicators page shows that the action was successful.

Related Topics

TDR Indicator Actions and Outcomes

TDR Host Sensor Manual Installation

TDR Host Sensor CLI and GPO Installation