Monitor TDR Users

Some TDR features described in this version of Fireware Help are available only to participants in the WatchGuard Beta program. If a feature described in this section is not available in your TDR account, it is a beta-only feature. For information about how to enable beta features, see Enable TDR Beta Features.

In the Threat Detection and Response web UI, two User pages enable you to monitor your users:

  • ThreatSync > Users page — Includes a list of all users for your account and shows a combined score for a user, based on the indicators attributed to that user. For more information, see View Incidents by User.
  • Devices / Users > Users page — Shows all users detected by ThreatSync and their login status. For more information, see Monitor User Devices.

View Incidents by User

The ThreatSync > Users page shows this information:

  • Status — The status of the user. Green indicates the user is logged in to a computer with a Host Sensor installed, and red means the user is inactive.
  • User — The user name and domain of the user.
  • Score — The threat score. By default, this column is filtered to show scores of six or higher.
    For more information, see About TDR Threat Scores.
  • Source — The source of the indicator: Host Sensor, Firebox (Network), or both if the indicator is correlated.
  • Indicators — The number of indicators associated with a user.
  • Outcomes — Indicates the status of the action.
  • Manual Actions — Opens the Indicators page filtered by user.
  • Last Seen — The last time the indicator was received from the Host Sensor. By default, this column is filtered to show indicators last seen in the last 24 hours.
  • Oldest Indicator — The oldest day or time the indicator was received from the Host Sensor.

By default, the ThreatSync > Users page shows incidents with a threat score of six or higher.

To view current incidents by user:

  1. Log In to the TDR Web UI as an Administrator or Analyst.
  2. Select ThreatSync > Users.
    The Users page opens with the filter set to show all incidents with a score of 6 or higher identified in the last 24 hours.

Screen shot of the Users page in the ThreatSync section

  3. To increase the date range, in the Last Seen column heading, click and select a date range. Click Apply.

Screen shot of the date selection dialog box

  4. To view all indicators attributed to a user, next to the user name, click .
    The user details appear with the Indicators tab selected.

Screen shot of the User details dialog box

  5. To view additional details about an indicator, in the Indicator column, click Additional Info.
  6. To view a list of endpoint devices that a user is logged in to, select the Hosts tab.

Screen shot of the Hosts tab in the Devices / Users menu

  7. To view indicators filtered to display incidents by user, in the Manual Actions column for the user, click Select actions.
    The Indicators page opens in a new browser tab.
  8. From the Indicators page filtered by user, you can view additional details about an indicator:
    • To see additional details about an indicator, in the Indicator column, click Additional Info. The indicator details provide more information about the indicator and the reason for the score.
    • To look up the MD5 value for this indicator on Google, VirusTotal, or MetaScan, in the For Further Investigation column, click one of the links.

For more information about indicator status, details, actions, and investigation, see Manage TDR Indicators.

Monitor User Devices

The Devices / Users page shows the login status of all user devices and additional details of active users.

To view all users and their status:

  1. Log In to the TDR Web UI as an Administrator or Analyst.
  2. Select Devices / Users > Users.
    The Users page opens.

Screen shot of the Users page in the Devices / Users section

  3. To change the date range, in the Last Login Time column heading, click and select a date range. Click Apply.

Screen shot of the date selection dialog box

  4. To view a list of endpoint devices that an active user is logged in to, next to the user name, click .
    The user details appear.

Screen shot of the User details dialog box

Endpoint device details are only available for active users.

You can filter users by any of the columns or for a specific time period. You can save a filter so it will persist across sessions and browsers.

Manage Filters

At the top of each column, you can filter the information shown on the page. You can save a filter setting so the page defaults to the specified information each time you open it.

See Also

TDR Web UI Navigation, Filters, and Common Features

TDR Monitoring and Actions