Configure ThreatSync+ Policies

Applies To: ThreatSync+ NDR, ThreatSync+ SaaS

ThreatSync+ policies continuously monitor your network for activity that violates the policies of your organization. Policies detect vulnerabilities and threats in your network and generate policy alerts if unauthorized activity is detected.

To minimize your response time and maximize your protection, it is important to configure and tune your policies to:

  • Reflect the security policies of your organization.
  • Apply policies only to parts of your network that your organizational policies govern.
  • Reflect the appropriate severity for your organization.

To get started with ThreatSync+ policies, we recommend that you:

  • Start with a small, manageable set of policies.
  • Tune these policies so that you only receive alerts that are actionable — alerts that you can respond to and remediate so that the alert does not recur.
  • Create additional policies that expand the protection of your network and tune them to prevent too many alerts.

For recommendations on how to tune your policies, go to Policy Tuning.

We recommend that you wait two to three days before you configure policies so ThreatSync+ can monitor and learn about your network.

Enable Default ThreatSync+ Policies

ThreatSync+ NDR includes over 100 default policies that you can enable. Because some default policies might not be appropriate for your network or your security policies, most of them are disabled when you start. Only a subset of Level 1 policies are enabled by default and automatically generate alerts. For a list of default policies, go to Default Policies and Zones.

Available default policies depend on your license. For information about ThreatSync+ SaaS policies, go to Level 1 Policies for ThreatSync+ SaaS — Microsoft 365.

If you enable a large number of default policies, you might receive more alerts than you can respond to. If you enable too few policies, you might miss important alerts about possible threats in your network.

To enable a default ThreatSync+ policy:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ > Policies.
  3. Next to the default policy you want to enable, click Not Active.
    The policy status changes to Live.

Screenshot of the Manage Policies page in ThreatSync+ NDR

Add Custom ThreatSync+ Policies — ThreatSync+ NDR

You can create a new ThreatSync+ policy and customize policy definitions for your network. Each policy evaluates all traffic or event logs between a source zone and a destination zone and triggers an alert when specific conditions are met. These conditions are activity triggers.

For more information, go to Policy Evaluation.

To add a custom ThreatSync+ NDR policy:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ > Policies.
  3. On the Manage ThreatSync+ Policies page, click New Policy.
    The Create a New Policy page opens.

Screenshot of the Create a New Policy page in ThreatSync+ NDR

  4. (Optional) In the Policy ID text box, enter a policy ID.

The policy ID uniquely identifies the policy. If you do not enter one, ThreatSync+ assigns an ID for you. If you have the Compliance Reporting license and create a custom defense goal report, use this ID to reference the custom policy in one of the controls defined in the defense goal. For more information about compliance reporting, go to About WatchGuard Compliance Reporting.

  5. In the Policy Name text box, enter a name for your new policy.
  6. (Optional) Enter a description.
  7. In the Tags text box, select or create tags to apply to your policy.
  8. Click Activity Triggers.
    The Activity Triggers section expands.
  9. In the Activity Triggers section, select the type of activity to alert on: Traffic, Anomalies, or Service Events.
  10. From the Importance drop-down list, select the importance to assign to the activity: Very Low, Low, Medium, High, or Very High.
  11. If you only want to receive alerts for specific traffic, select Alert on Specific Traffic and specify the alert conditions.
  12. If you only want to receive alerts for specific anomalies, select Alert on Specific Anomalies and specify the alert conditions.
  13. If you only want to receive alerts for specific service events, select Alert on Specific Service Events and specify the alert conditions.
  14. Click Remediation.
    The Remediation section expands.

Screenshot of the Remediation section for a ThreatSync+ NDR policy

  15. Select the If this policy is violated, automatically block involved external IPs check box if you want to enable automatic remediation.

To enable or disable automatic remediation for an existing ThreatSync+ NDR policy, click the Edit icon next to the policy and, in the Remediation section, select or clear the If this policy is violated, automatically block involved external IPs check box. Because automatic remediation acts on every violation of the policy, enable it only on policies that you have tuned so that their alerts are actionable; a noisy policy with automatic blocking can cut off legitimate external services.

  16. Click Traffic Flow.
    The Traffic Flow section expands.
  17. Configure the source and destination traffic flow settings. To create a new zone, click Create a Zone to go to the Zones page. For more information, go to Manage ThreatSync+ Zones.
  18. Review your policy details.
  19. Activate your policy, or save it as a draft to review later.

Add Custom ThreatSync+ Policies — ThreatSync+ SaaS

You can create a new ThreatSync+ policy and customize policy definitions for your network. Each policy evaluates user events and triggers an alert when specific conditions are met. These conditions are activity triggers.

To add a custom ThreatSync+ SaaS policy:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ > Policies.
  3. On the Manage ThreatSync+ Policies page, click New Policy.
    The Create a New Policy page opens.

Screenshot of the Create a New Policy page for a ThreatSync+ SaaS policy

  4. (Optional) In the Policy ID text box, enter a policy ID.

The policy ID uniquely identifies the policy. If you do not enter one, ThreatSync+ assigns an ID for you. If you have the Compliance Reporting license and create a custom defense goal report, use this ID to reference the custom policy in one of the controls defined in the defense goal. For more information about compliance reporting, go to About WatchGuard Compliance Reporting.

  5. In the Policy Name text box, enter a name for your new policy.
  6. Enter a description.
  7. In the Tags text box, select the Office 365 tag or create tags to apply to your policy.
  8. Click Activity Triggers.
    The Activity Triggers section expands.
  9. In the Activity Triggers section, select User Events.
  10. From the Importance drop-down list, select the importance to assign to the activity: Very Low, Low, Medium, High, or Very High.
  11. If you want to receive alerts for all user events, select Alert on any user events.
  12. If you only want to receive alerts for specific user events, select Alert on specific user events and specify the alert conditions.
  13. Click User Zone.
    The User Zone section expands.

Screenshot of the User Zone section for a SaaS policy

  14. Configure the User Zone settings. To create a new zone, click Create a Zone to go to the Zones page. For more information, go to Manage ThreatSync+ Zones.
  15. Click Remediation.
    The Remediation section expands.

Screenshot of the Remediation section for a SaaS policy

  16. Select the If this policy is violated, automatically disable associated zone users check box if you want to enable automatic remediation.

To enable or disable automatic remediation for an existing ThreatSync+ SaaS policy, click the Edit icon next to the policy and, in the Remediation section, select or clear the If this policy is violated, automatically disable associated zone users check box. Because automatic remediation disables every user involved in a violation, enable it only on policies that you have tuned so that their alerts are actionable; a noisy policy with automatic remediation can lock out legitimate users.

  17. Review your policy details.
  18. Activate your policy, or save it as a draft to review later.

Activate or Deactivate ThreatSync+ Policies

On the Manage Policies page, you can activate or deactivate one or more policies. When you activate a policy, ThreatSync+ detects violations of the access policies of your organization and generates policy alerts to notify you about policy violations.

Default policies are similar to templates. When you activate or edit a default policy, ThreatSync+ saves a copy of the policy for you. If you delete your copy, any changes you made to the policy definition are discarded and the policy reverts to the default policy definition. For more information, go to About ThreatSync+ Policies and Zones.

To activate or deactivate a ThreatSync+ policy, from the Manage Policies page:

  1. Select one or more policies you want to edit.
  2. Click the More menu icon.
  3. Select Activate Selected or Deactivate Selected.

Screenshot of the More Menu on the Manage Policies page

You can also click Live in the Status column to deactivate a policy (the status changes to Not Active), or click Not Active to activate a policy (the status changes to Live).

Edit the Policy Alert Severity Scale

For policy alerts that are based on machine learning, ThreatSync+ builds a baseline of activity and generates alerts only when traffic varies from this baseline. For example, an unexpectedly large volume of data sent to the Internet generates an alert because it varies substantially from the baseline activity.

If you want to generate fewer alerts, you can adjust the alert sensitivity to make the detection less sensitive. A less sensitive setting also suppresses smaller genuine deviations, so before you raise it, confirm that the alerts the policy generates are not actionable and that the policy is scoped only to the zones your organizational policies govern.

Screenshot of the Policy Alert Sensitivity Scale

To edit the Alert Severity Scale for a specific ThreatSync+ policy:

  1. On the Manage ThreatSync+ Policies page, click the Edit icon next to the policy you want to edit.
    The Policy Details page opens.
  2. In the Activity Triggers section, next to Alert Severity Scale, click the Edit icon.
    The Edit Alert Severity Scale dialog box opens.

Screenshot of the Edit Alert Severity Scale dialog box

  3. To change the Alert Severity Scale, drag the slider to a new value. To generate fewer alerts, select a higher value. To generate more alerts, select a lower value.
  4. Click Save.

You can also edit the Alert Severity Scale on the Traffic page when specific anomaly types are selected with the Events Data Source. For more information, go to Investigate ThreatSync+ Traffic.
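The following Python script is an added example, not ThreatSync+ code and not its detection algorithm. It models the behaviour described above on constructed data: a baseline is learned from a few days of per-host outbound volume, a policy alerts when a day's volume varies from that baseline by more than a threshold, and a 1 to 10 scale value controls how large the deviation must be. It also shows the other tuning lever from the start of this page, scoping the policy to a zone. The host addresses, zone names, byte counts and the mapping from scale value to threshold are all assumptions chosen for the illustration.

```python
"""Illustrative model of baseline-based alerting with a tunable sensitivity scale.

Added example: this is NOT ThreatSync+ code or its detection algorithm. It only
models the documented behaviour (learn a baseline, alert when activity varies
from it, higher scale value = fewer alerts) so that the effect of tuning scope
and sensitivity can be seen on constructed data.
"""
from statistics import median

# Constructed learning window: MB sent to the Internet per host per day.
BASELINE = {
    "10.0.1.15": [310, 290, 330, 305, 295, 320, 300],         # workstation
    "10.0.1.77": [120, 135, 110, 125, 130, 115, 140],         # workstation
    "10.0.2.40": [4100, 3900, 4300, 4000, 4200, 3950, 4050],  # backup server
}

# Constructed zones (hypothetical names); a policy can be scoped to one of them.
ZONES = {
    "Workstations": {"10.0.1.15", "10.0.1.77"},
    "Servers": {"10.0.2.40"},
}

# Constructed observations for the day under evaluation.
TODAY = {
    "10.0.1.15": 640,   # about 2x its baseline
    "10.0.1.77": 2300,  # about 18x its baseline
    "10.0.2.40": 4500,  # about 1.1x: normal variation for a backup host
}


def deviation_score(value, history):
    """Relative excess over the baseline: 0.0 = at baseline, 1.0 = double.

    The median is used rather than the mean so that one unusual day inside
    the learning window does not drag the baseline towards it.
    """
    base = median(history)
    if base <= 0:
        raise ValueError("baseline must be positive")
    return value / base - 1.0


def threshold_for(scale):
    """Map a 1..10 scale value to a deviation threshold.

    Hypothetical mapping chosen for this example: each step doubles the
    deviation needed to alert, so scale 1 alerts at +10% over baseline and
    scale 10 only at +5120%.
    """
    if not 1 <= scale <= 10:
        raise ValueError("scale must be between 1 and 10")
    return 0.1 * 2 ** (scale - 1)


def evaluate(today, baseline, scale, zone=None):
    """Return sorted (host, score) pairs whose score exceeds the threshold.

    If zone is given, only hosts in that zone are evaluated: this is the
    'apply policies only to the parts of your network they govern' tuning.
    """
    members = ZONES[zone] if zone else set(today)
    threshold = threshold_for(scale)
    alerts = []
    for host in sorted(members):
        if host not in today:
            continue
        score = deviation_score(today[host], baseline[host])
        if score > threshold:
            alerts.append((host, round(score, 2)))
    return alerts


def alerts_by_scale(today, baseline, zone=None):
    """Alert count for every scale value, to show the tuning trade-off."""
    return {s: len(evaluate(today, baseline, s, zone)) for s in range(1, 11)}


if __name__ == "__main__":
    for zone in (None, "Workstations"):
        print(f"{zone or 'all hosts'}: {alerts_by_scale(TODAY, BASELINE, zone)}")
    # Scale 4 keeps both real deviations and drops the backup server's ordinary
    # fluctuation; scale 9 or 10 would also hide the 18x outlier.
    print(evaluate(TODAY, BASELINE, 4))
```

Running the script shows the two levers separately: at the most sensitive setting all three hosts alert, including the backup server's routine fluctuation, and that noise disappears either by raising the scale or by scoping the policy to the Workstations zone. At the highest scale values even the host sending eighteen times its baseline no longer alerts, which is the failure mode to check for whenever a scale is raised to quiet a policy.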

Related Topics

About ThreatSync+ Policies and Zones

About Policy Alerts

Configure ThreatSync+