When TDR receives an event reported by a Host Sensor or Firebox, the ThreatSync analytics engine analyzes the event and assigns a Threat Score based on the severity of the event. A reported event that is assigned a threat score becomes an indicator. Higher scores indicate a higher likelihood that the observed event or object represents a threat.
Host Sensor Events
The Host Sensor monitors the host for changes to files, processes, and registry entries. The Host Sensor monitors these event types:
- File creation and deletion — for files with a Portable Executable (PE) header
- Process creation and termination
- Registry changes
When events are received from a Host Sensor, ThreatSync assigns indicator scores to the events with one of these methods:
- Threat Feed — ThreatSync compares the MD5 of an observed file or process to the MD5 value of known threats in the Threat Detection and Response threat feed.
- Malware Verification Service — ThreatSync can send the MD5 of an observed file or process to a cloud-based malware verification service to determine if it is a known threat.
- Heuristics — The observed behavior or characteristics of a file or process can indicate that it is suspicious.
- APT Blocker Analysis — The result of APT Blocker sandbox analysis can cause ThreatSync to adjust the threat score for an event
For more information about sandbox analysis, see TDR Sandbox Analysis by APT Blocker.
The Firebox sends a network event when a threat is detected by Reputation Enabled Defense, Gateway AntiVirus, APT Blocker, WebBlocker, Botnet Detection, Blocked Sites, or other configured options on the Firebox. For the Firebox to identify and send network indicators, you must configure proxy policies and services on the Firebox, and you must enable logging so that the Firebox sends a report of the action to TDR as an indicator. For information about recommended proxy policy configuration see Configure Proxy Policies for TDR.
ThreatSync assigns indicator scores for network events reported by a Firebox only if the IP address of the host involved in the event is the same as the IP address of a host with a Host Sensor installed.
When TDR receives events from both the Firebox and the Host Sensor for the same process, it creates a Process + Network indicator. The Firebox generates the event based on the Threat Feed and sends it to TDR. It is stored in TDR while the Host Sensor searches for the process on the host. If the Host Sensor finds the process, it creates an event for a malicious process. When both the Firebox and the Host Sensor report the malicious process, TDR creates a correlated indicator which is remediated based on policy.
To create Process + Network indicators and remediate threats, you must enable the Allow Host Sensors to Cache File Metadata setting in the Host Sensor settings and configure a remediation policy to search for the process and kill it on the host. For more information about how to configure policies, see Configure TDR Policies.
Quarantine is not currently available as an option for the Process + Network indicator.
Indicator Threat Scores
Indicators are scored on a scale of 0 to 10. A score of 10 indicates the highest severity threat.
|10||Critical — Scored based on host indicator threat feed, Malware Verification Service confirmation, or both, and critical network alerts. This score can also indicate that Host Ransomware Prevention was triggered and the Host Sensor action to prevent it failed.|
|9||Critical — Scored based on the result of APT Blocker sandbox analysis.|
|8||Severe — Scored based on host Indicator threat feed, Malware Verification Service confirmation, or heuristics identification of multiple behaviors for the same object. An indicator can also be assigned this score as a result of APT Blocker sandbox analysis.|
|7||High — Scored based on network activity, heuristics identification of multiple behaviors for the same object, or third-party network activity. An indicator can also be assigned this score as a result of APT Blocker sandbox analysis.|
|6||High — Scored based on network activity or heuristics identification of multiple behaviors for the same object. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat.|
|5||Investigation — Scored based on heuristics identification of multiple potential malicious process behaviors. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat.|
|4||Medium — Medium priority ranked indicators, including third-party vendor scores, primarily network activity indicators. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat.|
|3||Low — Low priority ranked indicators, including WatchGuard and third-party vendor scores, primarily network indicators.|
|2||Suspect — Low fidelity file heuristics without other correlation. Indicators with this score do not appear on the Indicators page.|
|1||Remediated — Identified host indicator has been remediated on the host.|
|0||Known Good — Host does not have any detected indicators or the object is on the whitelist.|
For more information about how TDR updates Threat Scores for remediated indicators, see TDR Remediation Actions and Threat Scores.
For more information about how TDR assigns Threat Scores to Host Ransomware Prevention indicators, see About TDR Host Ransomware Prevention.
For more information about how TDR assigns Threat Scores based on the result of sandbox analysis, see TDR Sandbox Analysis by APT Blocker.
Incident Threat Scores
An incident is a group of active indicators on an endpoint. ThreatSync correlates the scores of indicators on a host and assigns an overall score to the incident that reflects the overall severity of the threats to that host. The threat score for an incident is a combined threat score based on correlation of multiple indicators in the incident. On the ThreatSync > Hosts page, in the list of incidents for an indicator, the symbol appears next to each indicator score that is used to calculate the combined threat score for an incident.
For more information about incidents, see Manage TDR Incidents.