Quick Start — Set Up ThreatSync+ NDR

Applies To: ThreatSync+ NDR

This feature is only available to participants in the ThreatSync+ NDR Beta program.

This quick start topic outlines the general steps to set up and configure ThreatSync+ NDR in WatchGuard Cloud.

Before You Begin

Before you can use ThreatSync+ NDR, make sure that:

  • You have a cloud-managed Firebox or a locally-managed Firebox added to WatchGuard Cloud for cloud reporting.
  • Your Firebox runs Fireware v12.10.3 or higher.
  • You enable the Send log message for reports check box in each policy on your locally-managed Firebox that is configured to send log data to WatchGuard Cloud. For more information, go to Set Logging and Notification Preferences in Fireware Help.

Enable the Beta Toggles

Enable the beta toggles for ThreatSync+ NDR and WatchGuard Compliance Reporting.

To enable the beta toggles:

  1. Log in to your WatchGuard Cloud account.
  2. Select the account you want to enable ThreatSync+ NDR for.
  3. Select Administration > Beta Features.
    The Beta Features page opens.
  4. Enable the ThreatSync+ NDR feature.
  5. Enable the WatchGuard Compliance Reporting feature.

Start a Trial

To participate in the ThreatSync+ NDR beta, you must start a ThreatSync+ NDR trial. When your trial license becomes available, 250 users are available for the account. To get access to additional defense goal reports, you can also start a WatchGuard Compliance Reporting trial for the same number of users.

To start a ThreatSync+ NDR trial, from a Service Provider account in WatchGuard Cloud:

  1. From Account Manager, select Overview.
  2. Select Administration > Trials.
  3. Select ThreatSync+ NDR.
  4. In the Account Name column, next to the account you want to start the trial for, enable the toggle to start the trial.
  5. From the Product list, select ThreatSync+ NDR.
  6. Click Add.
    The trial can take up to five minutes to become available. It is not necessary to activate a license to start a ThreatSync+ NDR trial.
  7. Repeat these steps for the Compliance Reporting trial.

To start a trial, from a Subscriber account in WatchGuard Cloud:

  1. Select Administration > Trials.
  2. Select ThreatSync+ NDR.
  3. Enable the toggle to start the trial for this account.
  4. From the Product list, select ThreatSync+ NDR.
  5. Click Add.
    The trial can take up to five minutes to become available. It is not necessary to activate a license to start a ThreatSync+ NDR trial.
  6. Repeat these steps for the Compliance Reporting trial.

To verify that your trial is active, confirm that the ThreatSync+ NDR option shows in the Monitor and Configure menus for your account. It can take up to five minutes for these menu items to become available after you start a trial. When the Compliance Reporting trial is active, you can schedule compliance reports for ThreatSync+ NDR from the Administration > Scheduled Reports page.

Verify Firebox Network Traffic

After you start your ThreatSync+ NDR trial, the service automatically starts to monitor and analyze Firebox traffic logs from all Fireboxes associated with the account that are managed in WatchGuard Cloud or are configured to send log and report data to WatchGuard Cloud for visibility.

ThreatSync+ NDR analyzes traffic log messages in 30-minute blocks, and uses machine learning and other advanced analytics to identify threats. You can expect to see data in the ThreatSync+ NDR user interface (from the Monitor menu) approximately one hour after you start your trial.

On the Network Summary page, make sure the Total Devices and Total Traffic widgets show non-zero values.

Screenshot of the traffic on the Network Summary page in ThreatSync+ NDR

Download and Install the Agents to Collect Network Traffic

In addition to data collected by the Firebox, you can also install agent-based collectors to collect data from third-party switches and firewalls. These agent-based collectors relay NetFlow, sFlow, VPN, and logs from Active Directory and DHCP servers to WatchGuard Cloud through a secure IPSec tunnel.

To add and configure a collector, you must first download the WatchGuard Agent installer and run the installation wizard on the Windows endpoints you want to configure as collectors.

When you install the WatchGuard Agent, it installs the ThreatSync+ NDR Collection Agent and the Windows Log Agent.

  • The ThreatSync+ NDR Collection Agent receives log data from switches and routers in your network and sends the data to WatchGuard Cloud.
  • The Windows Log Agent is a collection agent that reads Windows DHCP server logs and then forwards them to the ThreatSync+ NDR Collection Agent. The ThreatSync+ NDR Collection Agent then forwards the DHCP logs to WatchGuard Cloud.

The ThreatSync+ NDR Collector diagram

Requirements

Before you download the WatchGuard Agent, make sure that you have Administrator permissions and are logged in to the Windows computer that you want to install the WatchGuard Agent on.

The Windows installer is compatible with computers that have an x86 or ARM processor. Make sure that virtualization is enabled in the BIOS. For ThreatSync+ NDR, Windows computers and servers must meet these requirements:

  • ThreatSync+ NDR Collection Agent — Windows 10 and Windows 11 with two CPUs and a minimum of 8 GB RAM and 150 GB of disk space. For networks with a NetFlow rate greater than 500,000 per minute, more CPUs, RAM, and disk space are required.
  • Windows Log Agent — Windows Server 2019 or Windows Server 2022.

The ThreatSync+ NDR Collection Agent listens on:

  • Port 2055 for NetFlow log data from endpoints.
  • Port 6343 for sFlow log data from endpoints.
  • Port 514 for DHCP log data from the Windows Log Agent.
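As an added check that is not part of the WatchGuard documentation, the PowerShell script below, run in an elevated session on the Collection Agent host, reports which process owns each of the three listener ports and whether Windows Defender Firewall has an enabled inbound allow rule for it. It assumes all three listeners are UDP and uses 192.0.2.0/24 as a placeholder for the subnet your switches and DHCP server export from; the -CreateMissingRules switch is a hypothetical option that adds a rule scoped to that subnet only.

```powershell
# Added example, not WatchGuard's own tooling. Run as Administrator on the
# ThreatSync+ NDR Collection Agent host.
# Assumptions: the listeners are UDP, and $ExporterSubnet (a constructed value)
# is the only network that should be allowed to reach the collector ports.
function Test-NdrCollectorPorts {
    param(
        [string]$ExporterSubnet = '192.0.2.0/24',   # placeholder: replace with your exporter subnet
        [switch]$CreateMissingRules                  # hypothetical option: add missing allow rules
    )

    $Listeners = @(
        @{ Port = 2055; Purpose = 'NetFlow from switches and firewalls' },
        @{ Port = 6343; Purpose = 'sFlow from switches and firewalls' },
        @{ Port = 514;  Purpose = 'DHCP logs from the Windows Log Agent' }
    )

    foreach ($l in $Listeners) {
        $port = $l.Port
        Write-Host "== UDP/$port ($($l.Purpose))"

        # 1. Is anything on this host bound to the port, and which process owns it?
        $endpoints = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
        if ($endpoints) {
            foreach ($e in $endpoints) {
                $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
                Write-Host ("   listening on {0}:{1} (PID {2}, {3})" -f `
                    $e.LocalAddress, $e.LocalPort, $e.OwningProcess, $proc.ProcessName)
            }
        } else {
            Write-Warning "   no UDP listener on port $port in the Windows endpoint table"
        }

        # 2. Is there an enabled inbound allow rule for the port in Windows Defender Firewall?
        $rules = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -eq "$port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

        if ($rules) {
            $rules | ForEach-Object { Write-Host "   firewall allow rule: $($_.DisplayName)" }
        } elseif ($CreateMissingRules) {
            # Least privilege: allow only the exporter subnet, not any remote address.
            New-NetFirewallRule -DisplayName "ThreatSync+ NDR collector UDP/$port" `
                -Direction Inbound -Protocol UDP -LocalPort $port `
                -RemoteAddress $ExporterSubnet -Action Allow | Out-Null
            Write-Host "   created inbound allow rule for UDP/$port from $ExporterSubnet"
        } else {
            Write-Warning "   no enabled inbound allow rule for UDP/$port (rerun with -CreateMissingRules to add one)"
        }
    }
}

Test-NdrCollectorPorts
```

Because the installer opens an Ubuntu environment, the agent's listeners may not appear in the Windows endpoint table even when they work; a non-zero Total Traffic value on the Network Summary page remains the authoritative check.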

Install the WatchGuard Agent

Download and install the WatchGuard Agent on each Windows computer that you want to configure as a collector. You can configure more than one ThreatSync+ NDR Collection Agent in your account. Typically, only one ThreatSync+ NDR Collection Agent is required for each physical location in your network. We recommend that you add and configure the Windows Log Agent on all DHCP servers.

To install the WatchGuard Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select Collectors.
  5. Click Download WatchGuard Agent.
    The Windows WatchGuard_Agent.msi file downloads.
  6. Copy the .MSI file to the Windows computer or server you want to receive logs from.
  7. Double-click the WatchGuard_Agent.msi file and complete the steps in the wizard.
    A progress bar shows during the installation process. The agent opens an Ubuntu console window during installation. You should not close this window. The Windows computer or server will restart to complete installation.

Add a ThreatSync+ NDR Collection Agent

The ThreatSync+ NDR Collection Agent receives log message data from endpoints in your network and sends the data to WatchGuard Cloud. This can include DHCP log messages from Windows Log Agents, which the ThreatSync+ NDR Collection Agent then forwards to WatchGuard Cloud.

Typically, you only have to install the ThreatSync+ NDR Collection Agent on one endpoint for each physical location in your network. If you want to collect DHCP data log messages from a DHCP server, make sure to install the ThreatSync+ NDR Collection Agent on a Windows computer that has a static IP address.

To add a ThreatSync+ NDR Collection Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select Collectors.
  5. On the ThreatSync+ NDR Collection Agents tab, click Add Collector.

Screenshot of Configure > ThreatSync, add ThreatSync+ NDR collectors page

  6. From the Host drop-down list, select the Windows computer that you want to use as a ThreatSync+ NDR Collection Agent.
    This list includes all Windows computers with the WatchGuard Agent installed. Click to refresh the list of available computers and servers.
  7. Click Save.
    The collection agent starts to report data to ThreatSync+ NDR. You can see reported traffic information on the Network Summary page. For more information, go to About the ThreatSync+ NDR Summary Page.

Add a Windows Log Agent

The Windows Log Agent sends DHCP log messages to the ThreatSync+ NDR Collection Agent. Before you add a Windows Log Agent to your DHCP server or Active Directory server, make sure that:

  • You have installed the WatchGuard Agent on a DHCP server or Active Directory server that runs Windows Server 2016, 2019, or 2022. For more information, go to Install the WatchGuard Agent.
  • You have added a ThreatSync+ NDR Collection Agent on a Windows computer that has a static IP address. For more information, go to Add a ThreatSync+ NDR Collection Agent.

Screenshot of the Windows Log Agents tab on the Collectors page

To add a Windows Log Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
  4. Select Collectors.
  5. On the Windows Log Agent tab, click Add Collector.

Screenshot of Configure > ThreatSync, add Windows log collector page

  6. From the Host drop-down list, select the Windows server that you want to use as a Windows Log Agent.
    This list includes all Windows servers with the WatchGuard Agent installed. Click to refresh the list of available computers and servers.
  7. In the ThreatSync+ NDR Collection Agent IP Address text box, enter the IP address of the Windows computer you configured the ThreatSync+ NDR Collection Agent for.
    You can see the IP address on the ThreatSync+ NDR Collection Agents tab.
  8. Click Save.
    The collection agent starts to report data to ThreatSync+ NDR. You can see reported traffic information on the Network Summary page. For more information, go to About the ThreatSync+ NDR Summary Page.

After you add a device as a Windows Log Agent collector, make sure to configure your managed switches to send NetFlow log data to the Windows Log Agent. For information on how to do this, refer to the firewall or switch product documentation.

Configure Notifications and Alerts

You can configure WatchGuard Cloud to send email notifications when ThreatSync+ NDR detects a threat or vulnerability. To set up email notifications, you specify which policy alerts and Smart Alerts generate a notification when they are created or updated.

Configure Policy and Smart Alerts

On the Alerts page in the ThreatSync+ NDR UI, you specify which ThreatSync+ NDR policies and Smart Alert types to include in the notification rules you configure in WatchGuard Cloud to generate alerts and send email notifications.

To configure ThreatSync+ NDR Alerts, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ NDR > Alerts.
    The Alerts page opens.

Screenshot of the Alerts page in the Configure menu in ThreatSync+ NDR

  2. In the Policies section, select the check boxes next to the policies that you want to generate policy alerts.
  3. In the Smart Alerts section, for each Smart Alert type that you want to generate alerts, select one or both of the Created and Updated check boxes.

Configure Notification Rules

In WatchGuard Cloud, you can configure notification rules to generate alerts and send email notifications for ThreatSync+ NDR activity. Notification rules make it easier for you to respond to emerging threats on your network.

Delivery Methods

For each notification rule, you can select one of these delivery methods:

  • None — The rule generates an alert that appears on the Alerts page in WatchGuard Cloud.
  • Email — The rule generates an alert that appears on the Alerts page in WatchGuard Cloud and also sends a notification email to the specified recipients.

Add a ThreatSync+ NDR Notification Rule

To add a new ThreatSync+ NDR notification rule:

  1. Select Administration > Notifications.
  2. Select the Rules tab.
  3. Click Add Rule.
    The Add Rule page opens.

Screenshot of the Add Rule page in WatchGuard Cloud

  4. On the Add Rule page, in the Name text box, enter a name for your rule.
  5. From the Notification Source drop-down list, select ThreatSync+ NDR.
  6. From the Notification Type drop-down list, select one of these ThreatSync+ NDR notification types:
    • Policy Alert — Generates an alert when a new policy alert is generated for your account.
    • Smart Alert Created — Generates an alert when a Smart Alert is created.
    • Smart Alert Updated — Generates an alert when a Smart Alert is updated.
  7. (Optional) Type a Description for your rule.
  8. To send an email message when the rule generates an alert:
    1. From the Delivery Method drop-down list, select Email.

      Screenshot of the Delivery Method section on the Add Rule page in WatchGuard Cloud

    2. From the Frequency drop-down list, configure how many emails the rule can send each day:
      • To send an email message for each alert the rule generates, select Send All Alerts.
      • To restrict how many email messages the rule sends each day, select Send At Most. In the Alerts Per Day text box, enter the maximum number of email messages this rule can send each day. You can specify a value up to 20,000 alerts per day.
    3. In the Subject text box, enter the subject line for the email message this rule sends when it generates an alert.
    4. In the Recipients section, enter one or more email addresses. Press Enter after each email address, or separate the email addresses with a space, comma, or semicolon.
  9. Click Add Rule.

Configure Scheduled Reports

You can schedule different ThreatSync+ NDR reports to run in WatchGuard Cloud. Each scheduled report can contain multiple reports. WatchGuard Cloud sends scheduled reports as a zipped .PDF email attachment to the recipients you specify. Recently generated reports are also available for download in WatchGuard Cloud.

Add a Scheduled Report

You can schedule reports to run daily, weekly, monthly, or immediately. For daily, weekly, and monthly reports, the report frequency also determines the date range for data included in the report. For example, a weekly report includes data collected from 00:00 UTC to 23:59 UTC for the specified time period.

To add a scheduled report:

  1. Click Add Scheduled Report.
    The Create Schedule wizard opens with the Report Description step selected.

Screenshot of the Add a Scheduled Report Wizard, Step 1 - Report Description

  2. In the Schedule Name text box, type a name for the report.
  3. In the Description text box, type a description for the report.
  4. In the Product or Application section, select ThreatSync+ NDR.
  5. Click Next.
    The Add Reports page opens.

Screenshot of the Add Reports page in the Add a Scheduled Report Wizard, step 2

Available ThreatSync+ NDR reports depend on your license type. The Executive Summary and Ransomware Prevention reports are included by default with ThreatSync+ NDR. To add more reports, and the ability to generate custom reports, we recommend you add a WatchGuard Compliance Reporting license. For more information, go to About WatchGuard Compliance Reporting.

  6. In the Reports section, select the check box for each report to include in your scheduled report. To include all available reports, click Select All.
  7. Click Next.
    The Schedule Report step opens.

Screenshot of the Schedule Report page, Step 3, in the Add a Scheduled Report Wizard

  8. From the Frequency drop-down list, select one of these options to specify how often to run the report:
    • Daily — Runs daily and contains data for the past 24 hours (includes 00:00 until 23:59, adjusted to the time zone)
    • Weekly — Runs weekly and contains data for the past week (includes Sunday 00:00 to Saturday 23:59)
    • Monthly — Runs monthly and contains data for the past month (includes the first day 00:00 to the last day 23:59)
    • Run Now — Queues the report to run for the date range you specify
    The time required to generate and send the report depends on the types of selected reports and the position of the request in the processing queue.
  9. To select the time the report starts to run, in the Start Time text box, click the clock icon.
    Or, in the Start Time text box, type the hour and minute of the day to start the report, in 24-hour format HH:MM.
  10. For a Weekly report, specify the day of the week to run the report.
  11. For a Monthly report, specify the day of the month to run the report.
  12. Specify the Time Zone for the scheduled report.
  13. Select the Language for the report.
  14. Click Next.
    The Add Recipients step opens.

Screenshot of the Add Recipients page, Step 4, in the Add a Scheduled Report Wizard

  15. In the Report Recipients text box, type the email address for each report recipient. To separate multiple addresses, use a space, comma, or semicolon. Press Enter to add the specified addresses to the recipient list.
    Reports must be smaller than 10 MB to be emailed.
  16. To add yourself as a recipient, click Add me as a recipient.
    The email address associated with your WatchGuard Cloud account shows in the list.
  17. Click Next.
    The Finish page opens, with a summary of the scheduled report settings.
  18. Click Save Report.
    The report is added to the list of scheduled reports.

Respond to Smart Alerts

ThreatSync+ NDR uses artificial intelligence (AI) to consolidate data related to a large volume of network traffic into Smart Alerts. A Smart Alert indicates that a potential attack is in progress on your network and guides you to focus on emerging threats that pose the greatest risk and organizational impact.

To view Smart Alerts for your account, from WatchGuard Cloud:

  1. Select Monitor > ThreatSync+ NDR > Smart Alerts.
    The Smart Alerts page opens and shows a list of open Smart Alerts.

Screenshot of the Smart Alerts page

  2. Click the Smart Alert you want to review.
    The Smart Alert Details page opens.
  3. Review the What to Look For section for remediation recommendations.
  4. When you are ready, click Close this Smart Alert and select a reason. This provides feedback that helps the ThreatSync+ NDR AI better understand your network and generate future Smart Alerts.

Review Policy Alerts

Policy alerts notify you of activity on your network that is unauthorized or unexpected. When you configure ThreatSync+ NDR policies to reflect the network access policies of your organization, each policy alert you receive indicates a policy violation that might be a threat to your organization.

When you first set up ThreatSync+ NDR, a subset of policies is activated by default. These are identified by the Level 1 tag and they automatically generate policy alerts. About 30 of the more than 75 available policies are included in Level 1. These default policy alerts reflect the threats and vulnerabilities that are most common and easiest to remediate.

We recommend you wait at least two days after ThreatSync+ NDR is enabled to review your policy alerts.

To review policy alerts:

  1. Select Monitor > ThreatSync+ NDR > Policy Alerts.
  2. To view only alerts from active policies, from the Status Types drop-down list, clear the Not Active check box.
  3. To view detailed information about each policy alert, click a policy name to go to the Policy Alert Details page.

Screenshot of the Policy Alert Details page for an External Server Disruption

The Policy Alert Details page shows a summary of zone information, importance, the threat score, and tags associated with the policy.

You can modify policy configuration details from the Refine Policy Options drop-down list:

  • Refine Activity Triggers
  • Refine Source Zones
  • Refine Destination Zones

For more information, go to Configure ThreatSync+ NDR Policies.

Review Reports for Compliance

The Executive Summary Report and the Ransomware Prevention Defense Goal Report are both included with ThreatSync+ NDR by default. To view additional reports for compliance reporting, and to generate custom reports, you can add a Compliance Reporting license. For more information, go to About WatchGuard Compliance Reporting.

Review the Executive Summary Report

After ThreatSync+ NDR collects data for several days, you can generate the Executive Summary Report to get a high-level overview of the threats and vulnerabilities that ThreatSync+ NDR detected. The report includes an overall network threat score and shows you changes in the trend of the threat score over time. Lower scores indicate that your network might not be fully protected.

The metrics included in the report reflect the range of detection and response capabilities provided by ThreatSync+ NDR. The overall threat score weighs these metrics evenly across three key areas of protection:

Threat Detection

Threat Detection metrics encourage you to review and respond to ThreatSync+ NDR Smart Alerts. The metrics track how many Smart Alerts are open, how promptly you address them, and how much time ThreatSync+ NDR saves by monitoring potential threats so you do not have to.

Network Visibility

Network Visibility metrics help you to keep up with the identification of the important subnets and devices in your network. When you tell ThreatSync+ NDR which assets and subnets are most important to you, ThreatSync+ NDR can provide more effective threat information. When you label the assets and specify their roles, ThreatSync+ NDR can automatically detect policy violations for those types of systems. ThreatSync+ NDR also uses subnet labels to more effectively identify rogue devices and unknown threats.

Policy Assurance

The Policy Violation metric tracks how many violations ThreatSync+ NDR detects in your network. The policies that you enable help to identify traffic that represents unauthorized activity. Enable policies that help you to identify errors and misconfiguration in your other security tools, such as firewalls, EDR, and asset management systems. This helps you to quickly identify when these tools do not block unauthorized traffic.

Screenshot of the Executive Summary report main page

To customize the Executive Summary report, you can configure these report settings:

Set Threat Score Calculation Weights

To control how ThreatSync+ NDR calculates the overall threat score, you can specify weighting factors for each key area of protection. You can also completely exclude an area if you do not want to measure your progress in that area.

Select Metrics to Include

To control which metrics show in the report, you can exclude specific metrics from any of the three areas of protection. Metrics you exclude do not appear in the report and are not included in the overall threat score.

Set Threat Score Calculation Weights

To set the threat score calculation weights, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ NDR > Executive Summary Report Settings.
    The Executive Summary Report Settings page opens.

Screenshot of the Executive Summary Report Configuration page in ThreatSync+ NDR

  2. In the Set Threat Score Calculation Weights section, enter your preferred values for Threat Detection, Network Visibility, and Policy Assurance weights.
  3. Click Save.

Select Metrics to Include

Some metrics might not be important or applicable to your network security policies. You can customize which metrics to include in your Executive Summary report and your overall threat score calculation.

To select metrics to include, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ NDR > Executive Summary Report Settings.
    The Executive Summary Report Settings page opens.
  2. In the Select Metrics to Include section, select or clear the check box next to each metric to include or exclude.
  3. Click Save.

Follow the recommendations in the report to protect your network and improve your threat score. For more information, go to ThreatSync+ NDR Executive Summary Report.

To generate an Executive Summary report, go to Configure Scheduled Reports.

Review the Ransomware Prevention Defense Goal Report

The Ransomware Prevention Defense Goal Report monitors your network for vulnerabilities that can make you more susceptible to ransomware. This report presents a summary of the controls ThreatSync+ NDR monitors to help you prevent the spread of ransomware. Each control included in the report is based on a ThreatSync+ NDR policy.

The Ransomware Prevention Defense Goal Report provides you with a network defense overview and shows whether you are in compliance with the objectives and controls for a specified time period. This report, in addition to continuous monitoring of your policy alerts and closing your Smart Alerts, can prove compliance for audit or cyber insurance purposes.

Screenshot of the Ransomware Prevention Defense Goal report

To generate a Ransomware Prevention Defense Goal report, go to Configure Scheduled Reports.

For more information, go to Ransomware Prevention Defense Goal Report.

Related Topics

About ThreatSync+ NDR

Configure ThreatSync+ NDR

Monitor ThreatSync+ NDR

ThreatSync+ NDR Reports

About ThreatSync+ NDR Policies and Zones

Configure ThreatSync+ NDR Alerts and Notification Rules