About ThreatSync Automation Policies

ThreatSync automation policies define the actions that ThreatSync takes automatically when a threat is detected.

Automation policies enable Incident Responders to automatically respond to specific types of incidents so they can focus on the most important incidents that might require manual investigation and remediation. For example, you might create an automation policy to automatically archive specific types of incidents that have a low risk score.

You can manually remediate any incidents not covered by an automation policy. For more information, go to Perform Actions to Remediate Incidents.

To learn more about automation policies, go to these sections:

  • ThreatSync Automation Policy Types
  • ThreatSync Automation Policy Conditions and Actions
  • ThreatSync Automation Policy Precedence
  • ThreatSync Automation Policy Templates

We recommend that you do not add automation policies other than those in ThreatSync Best Practices until you are familiar with the different types of incidents that can occur in your environment and the remediation actions you can perform.

ThreatSync Automation Policy Types

In ThreatSync, you can configure two types of automation policies:

Remediation Policy

A Remediation automation policy performs the specified remediation actions for incidents that meet the policy conditions.

Archive Policy

An Archive automation policy changes the status of incidents that meet the policy conditions to Archived.

ThreatSync Automation Policy Conditions and Actions

For each ThreatSync automation policy, you configure conditions and actions.

Conditions

Conditions define when ThreatSync executes a policy. If an incident meets the conditions of a policy, ThreatSync performs the specified actions.

For each policy, you can specify these conditions.

  • Risk Range — Specify a range of incident risk levels. For more information, go to ThreatSync Incident Risk Levels and Scores.
  • Incident Type — Select one or more incident types.
  • Device Type — Select Firebox or Endpoint.
  • Actions Performed — Select one or more remediation actions that have already been performed on the incident (Archive policy only). For example, you can archive an incident only after a specific remediation action has been performed.

The Actions Performed condition is only available for the Archive policy type. Remediation policies have a separate section to select remediation actions.

Actions

Actions define what ThreatSync does when the policy executes.

For each policy, you must specify whether the policy performs or prevents actions.

  • Perform — ThreatSync performs the specified actions for new incidents that meet the policy conditions.
  • Prevent — ThreatSync prevents the specified actions. To create an exception to a broader Perform policy, you can add a policy with the Prevent action and rank it higher than the other policy in the policy list. A policy with the Prevent action does not prevent the manual execution of an action by an operator.

For a Remediation policy, select one or more of these remediation actions to perform:

  • Block Threat Origin IP (only external IPs) — Blocks the external IP address associated with the incident. When you select this action, all Fireboxes with ThreatSync enabled in the WatchGuard Cloud account block connections to and from the IP address.
  • Delete File — Deletes the flagged file associated with the incident.
  • Isolate Device — Isolates the computer from the network to prevent the spread of the threat, and to block the exfiltration of confidential data.
  • Kill Malicious Process — Terminates a process that exhibited malicious behavior associated with the incident.

For an Archive policy, there is only one action:

  • Archive — Changes the incident status to Archived. This action is selected automatically and you cannot change it.

ThreatSync Automation Policy Precedence

You rank ThreatSync policies in order of relative priority from top to bottom. If an incident matches the conditions configured in multiple policies, ThreatSync performs the action specified in the highest priority policy that applies.

Screen shot of the Automation Policies page in ThreatSync

Each recommended action in an incident is evaluated individually against the ranked policy list. If a policy does not specify an action that is recommended for the incident, ThreatSync skips that policy for the incident and continues to the next policy in the list.

Automation policies assigned through a template appear at the top of the policies list in the Subscriber account. To change the order of your automation policies and templates, go to Manage ThreatSync Automation Policies (Subscribers).
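The evaluation rules above (ranked policies, Perform and Prevent, per-action evaluation, skipped policies, and the Actions Performed condition for Archive policies) are easier to reason about with a small model. The following is an added example and is not WatchGuard code or the ThreatSync API: the field names, the 1 to 10 risk scale, the incident type strings, the policy names, and the choice to evaluate Archive policies after remediation are all assumptions made for illustration.

```python
"""Illustrative model of ranked ThreatSync-style automation policies.

Added example, not WatchGuard code. Field names, the 1-10 risk scale, the
incident type strings and the evaluation order are assumptions that mirror
the documented rules: policies are ranked top to bottom, each recommended
action is evaluated on its own, a policy that does not list the action is
skipped, the highest-ranked applicable policy decides, and Prevent blocks
only automated execution of an action.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    policy_type: str                  # "Remediation" or "Archive"
    mode: str                         # "Perform" or "Prevent"
    actions: frozenset                # actions this policy covers
    risk_range: tuple = (1, 10)       # inclusive; assumed 1-10 scale
    incident_types: Optional[frozenset] = None   # None = any incident type
    device_type: Optional[str] = None            # "Firebox", "Endpoint" or None = any
    actions_performed: Optional[frozenset] = None  # Archive only; assumed "any of"


@dataclass
class Incident:
    incident_id: str
    risk: int
    incident_type: str
    device_type: str
    recommended_actions: tuple
    performed: set = field(default_factory=set)
    status: str = "New"


def matches(policy: Policy, incident: Incident) -> bool:
    """True when the incident satisfies every configured condition of the policy."""
    lo, hi = policy.risk_range
    if not lo <= incident.risk <= hi:
        return False
    if policy.incident_types is not None and incident.incident_type not in policy.incident_types:
        return False
    if policy.device_type is not None and policy.device_type != incident.device_type:
        return False
    if policy.actions_performed is not None and not (policy.actions_performed & incident.performed):
        return False
    return True


def decide(ranked, incident, action, policy_type):
    """Walk the ranked list top to bottom. The first policy of the given type that
    lists this action and whose conditions match decides; all others are skipped.
    Returns (outcome, policy name) with outcome "performed", "prevented" or "no policy"."""
    for policy in ranked:
        if policy.policy_type != policy_type or action not in policy.actions:
            continue
        if matches(policy, incident):
            return ("performed" if policy.mode == "Perform" else "prevented"), policy.name
    return "no policy", None


def apply_policies(ranked, incident):
    """Decide each recommended remediation action, then the Archive decision.
    Archive runs last (an assumption) so an Actions Performed condition sees what ran."""
    log = []
    for action in incident.recommended_actions:
        outcome, name = decide(ranked, incident, action, "Remediation")
        if outcome == "performed":
            incident.performed.add(action)
        log.append((action, outcome, name))
    outcome, name = decide(ranked, incident, "Archive", "Archive")
    if outcome == "performed":
        incident.status = "Archived"
    log.append(("Archive", outcome, name))
    return log


# Constructed ranked policy list; policy names and incident types are made up.
RANKED = [
    # Exception ranked above the broad policy: never auto-isolate Endpoint devices
    # for "Malware" incidents. An operator can still isolate the device manually.
    Policy("no-isolate-malware-endpoints", "Remediation", "Prevent",
           frozenset({"Isolate Device"}), incident_types=frozenset({"Malware"}),
           device_type="Endpoint"),
    Policy("high-risk-endpoint-remediation", "Remediation", "Perform",
           frozenset({"Kill Malicious Process", "Delete File", "Isolate Device"}),
           risk_range=(7, 10), device_type="Endpoint"),
    # Archive only once the flagged file has actually been deleted.
    Policy("archive-after-file-deletion", "Archive", "Perform", frozenset({"Archive"}),
           actions_performed=frozenset({"Delete File"})),
    # Low-risk noise is archived without any remediation.
    Policy("archive-low-risk-scans", "Archive", "Perform", frozenset({"Archive"}),
           risk_range=(1, 3), incident_types=frozenset({"Port Scan"})),
]

if __name__ == "__main__":
    inc = Incident("INC-1", 8, "Malware", "Endpoint",
                   ("Kill Malicious Process", "Delete File", "Isolate Device"))
    for entry in apply_policies(RANKED, inc):
        print(inc.incident_id, *entry)
    print(inc.incident_id, "status:", inc.status)
```

In the constructed list, the Prevent exception sits above the broad Perform policy, so for a high-risk Malware incident on an Endpoint the process is killed and the file deleted but the device is not isolated; the Archive policy then matches because Delete File was performed. An incident whose risk falls outside every Remediation policy's range gets "no policy" for each action and stays in its original status for manual remediation.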

ThreatSync Automation Policy Templates

You can create automation policies at the Subscriber account level. To add an automation policy for a Subscriber account, go to Manage ThreatSync Automation Policies (Subscribers).

In addition, Service Providers can create automation policy templates that include multiple automation policies, then assign the templates to the accounts or account groups they manage. This enables Service Providers to apply automation policies consistently across managed accounts, and save time when they set up ThreatSync for new accounts.

To set up automation policy templates for your managed accounts or account groups, go to Manage ThreatSync Automation Policy Templates (Service Providers).

Related Topics

Manage ThreatSync Automation Policies (Subscribers)

Manage ThreatSync Automation Policy Templates (Service Providers)

Configure ThreatSync Device Settings

Manage IP Addresses Blocked by ThreatSync

Configure ThreatSync

About ThreatSync