About TDR Threat Scores

The end-of-life date for TDR is 30 September 2023. On this date, the TDR UI in WatchGuard Cloud will no longer be available. Host Sensors will continue to function, but remediation and report generation will be disabled. To upgrade your Host Sensors to Endpoint Security, go to the Host Sensor upgrade to Endpoint Security Knowledge Base article.

When TDR receives an event reported by a Host Sensor or Firebox, the analytics engine analyzes the event and assigns a Threat Score based on the severity of the event. A reported event that is assigned a threat score becomes an indicator. Higher scores indicate a higher likelihood that the observed event or object represents a threat.

Host Sensor Events

The Host Sensor monitors the host for changes to files, processes, and registry entries. The Host Sensor monitors these event types:

  • File creation and deletion — for files with a Portable Executable (PE) header
  • Process creation and termination
  • Registry changes

When events are received from a Host Sensor, TDR assigns indicator scores to the events with one of these methods:

  • Threat Feed — TDR compares the MD5 of an observed file or process to the MD5 value of known threats in the Threat Detection and Response threat feed.
  • Malware Verification Service — TDR can send the MD5 of an observed file or process to a cloud-based malware verification service to determine if it is a known threat.
  • Heuristics — The observed behavior or characteristics of a file or process can indicate that it is suspicious.
  • APT Blocker Analysis — The result of APT Blocker sandbox analysis can cause TDR to adjust the threat score for an event.

For more information about sandbox analysis, go to TDR Sandbox Analysis by APT Blocker.

Network Events

The Firebox sends a network event when a threat is detected by Reputation Enabled Defense, Gateway AntiVirus, APT Blocker, WebBlocker, Botnet Detection, Blocked Sites, or other configured options on the Firebox. For the Firebox to identify and send network indicators, you must configure proxy policies and services on the Firebox, and you must enable logging so that the Firebox sends a report of the action to TDR as an indicator. For information about recommended proxy policy configuration, go to Configure Proxy Policies for TDR.

TDR assigns indicator scores for network events reported by a Firebox only if the IP address of the host involved in the event is the same as the IP address of a host with a Host Sensor installed.

Correlated Events

When TDR receives events from both the Firebox and the Host Sensor for the same process, it creates a Process + Network indicator. The Firebox generates the event based on the Threat Feed and sends it to TDR. It is stored in TDR while the Host Sensor searches for the process on the host. If the Host Sensor finds the process, it creates an event for a malicious process. When both the Firebox and the Host Sensor report the malicious process, TDR creates a correlated indicator which is remediated based on policy.

To create Process + Network indicators and remediate threats, you must enable the Allow Host Sensors to Cache File Metadata setting in the Host Sensor settings and configure a remediation policy to search for the process and kill it on the host. For more information about how to configure policies, go to Configure TDR Policies.

Quarantine is not currently available as an option for the Process + Network indicator.
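The event-to-indicator flow described in the sections above (Threat Feed MD5 lookup for Host Sensor events, the rule that Firebox network events are scored only for hosts that have a Host Sensor, and the Process + Network correlation that depends on the Allow Host Sensors to Cache File Metadata setting) is modeled below as an added, runnable example. This is not WatchGuard code and not the TDR analytics engine; the threat feed entries, host list, events, process names and MD5 values are constructed, the heuristic score of 2 for an unknown file, the score of 6 for an APT Blocker block, and the rule that a correlated indicator takes the higher of its two component scores are assumptions chosen from the ranges the page allows, and matching Firebox events to a process by name is a simplification.

```python
"""Toy model of how TDR derives indicators from Host Sensor and Firebox events.

Added example, not WatchGuard code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed threat feed: MD5 -> threat name. These are not real hashes.
THREAT_FEED: Dict[str, str] = {
    "0123456789abcdef0123456789abcdef": "Trojan.Constructed.A",
}

# Constructed set of host IPs that have a Host Sensor installed.
HOST_SENSOR_IPS: Set[str] = {"10.0.0.5", "10.0.0.6"}


@dataclass
class Event:
    source: str                   # "host_sensor" or "firebox"
    kind: str                     # "file", "process" or "network"
    host_ip: str
    md5: Optional[str] = None
    process: Optional[str] = None  # simplification: Firebox events carry the process name
    detail: str = ""


@dataclass
class Indicator:
    kind: str                     # "file", "process", "network" or "process+network"
    host_ip: str
    score: int
    reason: str
    process: Optional[str] = None


def score_host_event(ev: Event) -> Optional[Indicator]:
    """Threat Feed method: an MD5 present in the feed is Critical (10).
    An unknown object with an observed behavior gets the low-fidelity
    heuristic score 2 ("Suspect") in this model (assumed simplification)."""
    if ev.md5 in THREAT_FEED:
        return Indicator(ev.kind, ev.host_ip, 10,
                         f"threat feed match: {THREAT_FEED[ev.md5]}", ev.process)
    if ev.detail:
        return Indicator(ev.kind, ev.host_ip, 2, f"heuristic: {ev.detail}", ev.process)
    return None


def score_network_event(ev: Event) -> Optional[Indicator]:
    """Firebox events are scored only when the host IP belongs to a host with
    a Host Sensor. An APT Blocker block of a known threat is modeled as 6,
    one of the values the score table allows for that case (assumed)."""
    if ev.host_ip not in HOST_SENSOR_IPS:
        return None
    return Indicator("network", ev.host_ip, 6, f"firebox: {ev.detail}", ev.process)


def correlate(indicators: List[Indicator], cache_file_metadata: bool) -> List[Indicator]:
    """Create a Process + Network indicator when a network indicator and a host
    process indicator name the same process on the same host. Correlation
    requires the cache-file-metadata setting; the combined score is the higher
    of the two component scores (assumed, the page gives no formula)."""
    if not cache_file_metadata:
        return indicators
    by_key: Dict[tuple, List[Indicator]] = {}
    for ind in indicators:
        if ind.process and ind.kind in ("process", "network"):
            by_key.setdefault((ind.host_ip, ind.process), []).append(ind)
    out = list(indicators)
    for (host_ip, proc), group in by_key.items():
        if {"process", "network"} <= {i.kind for i in group}:
            out.append(Indicator("process+network", host_ip, max(i.score for i in group),
                                 "Firebox and Host Sensor both reported this process", proc))
    return out


def process_events(events: List[Event], cache_file_metadata: bool = True) -> List[Indicator]:
    """Score each event with the method for its source, then correlate."""
    indicators = []
    for ev in events:
        ind = score_network_event(ev) if ev.source == "firebox" else score_host_event(ev)
        if ind is not None:
            indicators.append(ind)
    return correlate(indicators, cache_file_metadata)


def visible_indicators(indicators: List[Indicator]) -> List[Indicator]:
    """Score-2 (Suspect) indicators do not appear on the Indicators page."""
    return [i for i in indicators if i.score != 2]


# Constructed sample events: one feed hit, one unknown process, a Firebox
# event for a sensored host, and a Firebox event for a host without a sensor.
SAMPLE_EVENTS = [
    Event("host_sensor", "file", "10.0.0.5",
          md5="0123456789abcdef0123456789abcdef", process="dropper.exe"),
    Event("host_sensor", "process", "10.0.0.5", md5="ffffffffffffffffffffffffffffffff",
          process="beacon.exe", detail="executable launched from a temp directory"),
    Event("firebox", "network", "10.0.0.5", process="beacon.exe",
          detail="APT Blocker blocked known threat"),
    Event("firebox", "network", "10.0.0.99", process="beacon.exe",
          detail="Botnet Detection"),
]

if __name__ == "__main__":
    for ind in visible_indicators(process_events(SAMPLE_EVENTS)):
        print(f"{ind.score:>2} {ind.kind:<16} {ind.host_ip:<10} {ind.reason}")
```

Running the sample yields three visible indicators on host 10.0.0.5: the feed hit at 10, the network indicator at 6, and the Process + Network indicator at 6, while the Suspect (2) process indicator is kept but hidden and the event for 10.0.0.99 is dropped because that host has no Host Sensor. Setting cache_file_metadata=False suppresses the correlated indicator, which is the behavior the setting description above implies.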

Indicator Threat Scores

Indicators are scored on a scale of 0 to 10. A score of 10 indicates the highest severity threat.

Score  Severity       Description
10     Critical       Scored based on host indicator threat feed, Malware Verification Service confirmation, or both, and critical network alerts. This score can also indicate that Host Ransomware Prevention was triggered and the Host Sensor action to prevent it failed.
9      Critical       Scored based on the result of APT Blocker sandbox analysis.
8      Severe         Scored based on host indicator threat feed, Malware Verification Service confirmation, or heuristics identification of multiple behaviors for the same object. An indicator can also be assigned this score as a result of APT Blocker sandbox analysis.
7      High           Scored based on network activity, heuristics identification of multiple behaviors for the same object, or third-party network activity. An indicator can also be assigned this score as a result of APT Blocker sandbox analysis.
6      High           Scored based on network activity or heuristics identification of multiple behaviors for the same object. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat.
5      Investigation  Scored based on heuristics identification of multiple potential malicious process behaviors. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat.
4      Medium         Medium priority ranked indicators, including third-party vendor scores, primarily network activity indicators. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat.
3      Low            Low priority ranked indicators, including WatchGuard and third-party vendor scores, primarily network indicators.
2      Suspect        Low fidelity file heuristics without other correlation. Indicators with this score do not appear on the Indicators page.
1      Remediated     Identified host indicator has been remediated on the host.
0      Known Good     Host does not have any detected indicators, or the object is on the allowlist.

For more information about how TDR updates Threat Scores for remediated indicators, go to TDR Remediation Actions and Threat Scores.

For more information about how TDR assigns Threat Scores to Host Ransomware Prevention indicators, go to About TDR Host Ransomware Prevention.

For more information about how TDR assigns Threat Scores based on the result of sandbox analysis, go to TDR Sandbox Analysis by APT Blocker.

Incident Threat Scores

An incident is a group of active indicators on an endpoint. TDR correlates the scores of the indicators on a host and assigns an overall score to the incident that reflects the combined severity of the threats to that host. The threat score for an incident is therefore a combined threat score based on the correlation of multiple indicators in the incident. On the Hosts page, in the list of indicators for an incident, the symbol appears next to each indicator score that is used to calculate the combined threat score for the incident.

Screen shot of an expanded incident on the Hosts page

For more information about incidents, go to Manage TDR Incidents.

Related Topics

Manage TDR Indicators

Manage TDR Incidents