Monitor TDR Remediations
To learn about the ThreatSync service in WatchGuard Cloud, go to About ThreatSync in WatchGuard Cloud Help. References to ThreatSync in this topic relate to the older TDR feature.
On the Remediations page, Administrators and Analysts can view a summary of all remediated indicators, create bar and pie charts, and complete manual actions for multiple hosts. To highlight the severity of remediated threats, the Remediations page shows the previous score, which is the original score of the indicator before it was remediated. Observers can only view the page.
From the TDR Dashboard, you can use the Indicator Timeline to view a timeline of resolved indicators. Click the bubble for a resolved indicator to go to a filtered view of the Remediations page. For more information about the Indicator Timeline, go to TDR Dashboard.
You can also select ThreatSync > Remediations to go directly to the Remediations page.
Remediated Threat Counts
By default, the top of the Remediations page shows Remediated Threat Counts. This chart is a visual summary of all remediated indicators in the system. Remediations are categorized based on the previous scores assigned to the indicators before remediation. The number and size of each bubble indicates the total number of remediated indicators with previous scores in each category.
- Critical — Scores of 8, 9, or 10
- High — Scores of 6 or 7
- Medium/Low — Scores of 3, 4, or 5
Remediated Threat Counts include all remediations in the system. These counts do not change based on the filters set on the Remediations page.
To show the Remediated Threat Counts summary after you generate another chart, click .
When you select ThreatSync > Remediations, the filters on the Remediations page are set to show indicators with a previous score of 6 or higher that were remediated within the last 24 hours. Use the column headings to clear or change the filters.
- To clear all filters, click and select Clear.
- To apply or change a filter, select the controls in the column headings.
To search for indicators, in the Search text box, type a word or value to search for. The search can find text in a file name, MD5 value, IP address, DNS name, or URL associated with an indicator.
The Remediations list shows a list of indicators with status information and requested actions. The same indicator can appear on the list multiple times, once for each action. This makes it easy to view all actions for each indicator.
For each indicator, the Remediations list includes this information:
- Previous Score — The previous score assigned to an indicator before a remediation action was completed.
For more information about threat scores, go to About TDR Threat Scores.
- Source — The source of the indicator: Host Sensor () or Firebox ().
- Indicator — The indicator details. You can filter this column by indicator type, as described in the next section. To view more details, click Additional Info. For information about indicator details, go to Manage TDR Indicators.
- Host/IP — The host name or IP address of the host system.
- User — The user name of the user.
- Action Requested — The action recommended by Threat Detection and Response for an indicator from a Host Sensor.
- Outcome — Indicates the remediation action taken, if any. To view the action log and remediation history click .
- Operator — Indicates which user completed a remediation action. If Threat Detection and Response completes an action, the user is System.
- Action Date — The date and time the action was completed.
- Remediation Date — The date and time the remediation action for this indicator was completed.
For information about which actions can remediate an indicator, go to TDR Remediation Actions and Threat Scores.
On the Remediations page, you can select these actions for selected indicators:
This action adds this indicator to the Allowlist as a known safe file or process. When you select this action, an allowlist signature override is created with the MD5 value of the indicator. For more information about the Allowlist, go to Configure TDR Signature Overrides.
This action removes a file from quarantine. When you remove a file from Quarantine, the file is automatically added to the Allowlist.
This action removes all files related to a Host Ransomware Prevention (HRP) action from quarantine. Files removed from Quarantine are automatically added to the Allowlist.
For more information about actions to remove a file from quarantine, go to Remove a File from Quarantine.
After you select one of these actions, the indicator is no longer considered a threat and is removed from the Remediations page.
Create and Export Remediation Charts
By default, the top of the Remediations page shows Remediated Threat Counts, which summarizes all remediated indicators in your account. From the Remediations page you can also generate charts based on the filtered list of remediated indicators.
To create a chart:
- Set the filters to show the remediated indicators you want to include in the chart.
- To select the chart type, click one of these icons:
Stacked Bar Chart
- Select chart options at the top of each chart.
The charts on the Remediations page are the same as the charts on the Indicators page. For more information about chart options and how to export a chart, go to Manage TDR Indicators.